PayPal form post: modify payment amount while submitting - security

I have used a PayPal HTML form post for my eCommerce site.
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post" target='_new' id='paypalForm'>
<input name="currency_code" type="hidden" value="<?php echo "EUR"; ?>" />
<input name="shipping" type="hidden" value="<?php echo "00.00"; ?>" />
<input name="tax" type="hidden" value="00.20" />
<input name="return" type="hidden" value="<?php echo "http://www.web.com/login.php"; ?>" />
<input name="cancel_return" type="hidden" value="<?php echo "http://www.web.com/cancel.php"; ?>" />
<input name="notify_url" type="hidden" value="<?php echo "http://www.web.com/ipn.php"; ?>" />
<input name="cmd" type="hidden" value="_xclick" />
<input name="business" type="hidden" value="<?php echo "XXXXXXXXXXX"; ?>" />
<input name="item_name" type="hidden" value="camp" />
<input name="no_note" type="hidden" value="1" />
<input name="lc" type="hidden" value="EN" />
<input name="bn" type="hidden" value="PP-BuyNowBF" />
<input name="amount" type="hidden" value="100" />
</form>
And the JavaScript:
var form = $("form");
form.submit();
I have found that by triggering a form submit function in the console, I am able to update the amount that is passed to the PayPal payment process. So anyone can do the same, right? Is there a secure way to do the payment process using a form post in PayPal?

Yes, instead of using a plain text button (like the one used in your example), use a hosted button.
When you use a hosted button, all the information is stored on PayPal's side. You just need to pass the hosted button id in the form.
See if the following link helps:
https://developer.paypal.com/docs/classic/paypal-payments-standard/integration-guide/buy_now_step_1/
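Whichever button type is used, the decisive control is server-side: the IPN handler behind the question's notify_url must compare the PayPal-verified notification with the order the server recorded, instead of trusting any amount the browser submitted. The following is an added Python example, not code from the question or from PayPal; verify_with_paypal is a hypothetical injected callback standing in for the HTTPS cmd=_notify-validate post-back, and the merchant email, invoice record and IPN bodies are constructed.

```python
from decimal import Decimal
from urllib.parse import parse_qsl

# Constructed order record stored by the merchant before redirecting to PayPal.
# mc_gross is the gross total (amount + shipping + tax), so store the total.
EXPECTED_ORDERS = {"INV-1001": {"amount": Decimal("100.20"), "currency": "EUR"}}
MERCHANT_EMAIL = "merchant@example.com"   # constructed placeholder for `business`
SEEN_TXN_IDS = set()                      # replay protection; persist this in production


def validate_ipn(raw_body, verify_with_paypal):
    """Return (ok, reason) for one urlencoded IPN POST body."""
    # 1. Post the exact body back to PayPal; only a VERIFIED echo is trusted.
    if verify_with_paypal(raw_body + "&cmd=_notify-validate") != "VERIFIED":
        return False, "not verified by PayPal"
    ipn = dict(parse_qsl(raw_body, keep_blank_values=True))
    # 2. Only fulfil completed payments.
    if ipn.get("payment_status") != "Completed":
        return False, "status %s" % ipn.get("payment_status")
    # 3. The money must have gone to this merchant account, not a substituted one.
    if ipn.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "wrong receiver"
    # 4. A txn_id may be honoured once; a repeat is a replayed notification.
    txn = ipn.get("txn_id")
    if not txn or txn in SEEN_TXN_IDS:
        return False, "duplicate or missing txn_id"
    # 5. Compare with the server-side order, never with the browser's field value.
    order = EXPECTED_ORDERS.get(ipn.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"
    if (Decimal(ipn.get("mc_gross", "0")) != order["amount"]
            or ipn.get("mc_currency") != order["currency"]):
        return False, "amount/currency mismatch"
    SEEN_TXN_IDS.add(txn)
    return True, "ok"


def fake_verifier(body):
    """Stand-in for the post-back: PayPal answers VERIFIED or INVALID."""
    return "VERIFIED" if "cmd=_notify-validate" in body else "INVALID"


# Constructed IPN bodies: a correct one and one with the amount edited client-side.
GOOD_IPN = ("payment_status=Completed&receiver_email=merchant%40example.com"
            "&txn_id=TX1&invoice=INV-1001&mc_gross=100.20&mc_currency=EUR")
TAMPERED_IPN = GOOD_IPN.replace("mc_gross=100.20", "mc_gross=1.00") \
                       .replace("txn_id=TX1", "txn_id=TX2")

if __name__ == "__main__":
    print(validate_ipn(GOOD_IPN, fake_verifier))      # (True, 'ok')
    print(validate_ipn(TAMPERED_IPN, fake_verifier))  # (False, 'amount/currency mismatch')
```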

Related

How to print the third instance of an attribute using Cheerio JS

There are 3 instances of 'authenticity_token' in this HTML:
<form class="edit_checkout" action="/942252/checkouts/624527ae778897e534d917b52af2eb28" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="patch" /><input type="hidden" name="authenticity_token" value="5vK3h2ocwaKm0hZ+AH3HAtnffe9l7hQHIMDfrMPusFhxtSV6IbLBfWOnBboOBysF7NyDPQ7GNxdfcWUPOk5WSQ==" />
<form class="edit_checkout" action="/942252/checkouts/624527ae778897e534d917b52af2eb28" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="patch" /><input type="hidden" name="authenticity_token" value="Fkw7j/Wv0Xxhna1aWNh8FsZhNnXz4zu0vFuTV0q9WJ6BC6lyvgHRo6Tovp5WopAR82LIp5jLGKTD6in0sx2+jw==" />
<form class="edit_checkout" data-payment-form="" action="/942252/checkouts/624527ae778897e534d917b52af2eb28" accept-charset="UTF-8" method="post"><input type="hidden" name="_method" value="patch" /><input type="hidden" name="authenticity_token" value="Bs1PNacx4rK5TJcl+VDO+RXnR69DixOH+osJ/yxuQQeRit3I7J/ibXw5hOH3KiL+IOS5fSijMJeFOrNc1c6nFg==" />
The actual token (the value I want) is the value attribute, and in this case I want the 3rd instance of 'authenticity_token'.
All 3 instances start with <form class="edit_checkout", but the third is followed by data-payment-form="" instead of action="/, so I know the one I want is the one that includes data-payment-form.
I tried using this code in Cheerio:
$('form.edit_checkout input[name="authenticity_token"]')
But that returns the first auth token on the first line, and I need the auth token on the third line.
Thanks!
How about:
let input = $('[name="authenticity_token"]')[2]
Then to get the value:
let value = $(input).attr('value')

Some HTML tags are missing when I write to a file using Python requests

I am trying to log in to a website using requests. The website requires a token for its login,
so I decided to parse the HTML and write it to a file.txt. But the file.txt is missing the token tag.
HTML code:
<form id="pw_form" class="exception_password" action="/409514769/password" method="post" data-xsrf-protection="enabled">
<input type="password" id="password" class="exception_password-input iris_input" name="password" placeholder="Enter password" autocomplete="off" data-validators="required">
<input type="hidden" name="is_review" value="">
<input type="hidden" name="is_file_transfer" value="">
<input type="submit" value="Submit" class="iris_btn iris_btn--primary">
<input type="hidden" name="token" value="4dc82c1a780e11667650f856da9b1d9fd31b176b.e7mu8nmqrb.1587446534"></form>
PYTHON code:
from requests import Session
with Session() as s:
    site = s.get("https://vimeo.com/409")
    with open('page.txt', 'w') as out:
        out.write(site.text)
This is what the file writes:
<form id="pw_form" class="exception_password" action="/409514769/password" method="post">
<input type="password" id="password" class="exception_password-input iris_input" name="password" placeholder="Enter password" class="password iris_form_text" autocomplete="off" data-validators="required">
<input type="hidden" name="is_review" value="">
<input type="hidden" name="is_file_transfer" value="">
<input type="submit" value="Submit" class="iris_btn iris_btn--primary">
</form>
What is happening here?
The website doesn't allow requests from bots.
One possible solution to this problem is to add headers while making the request.

POST to https://www.sandbox.paypal.com/cgi-bin/webscr gives 500 error, classic ASP

I am working in classic ASP to create a donation site, and the payment gateway is PayPal.
I have implemented IPN, and PayPal is sending notifications to the notify_url that I pass with the form.
Payment is also working correctly, i.e. I can get payment history and IPN history in my sandbox PayPal account.
Now the problem is in the IPN handler file: when I use the sandbox.paypal URL to post back to PayPal, it gives a 500 error. The same is not true for the live PayPal URL.
Below is the code that will explain better.
Test Form
<form action="zPaypalTest.asp" method="POST">
<input name="mc_gross" type="hidden" value="500.00" />
<input name="custom" type="hidden" value="some custom data" />
<input name="address_status" type="hidden" value="confirmed" />
<input name="item_number1" type="hidden" value="6" />
<input name="item_number2" type="hidden" value="4" />
<input name="payer_id" type="hidden" value="FW5W7ZUC3T4KL" />
<input name="tax" type="hidden" value="0.00" />
<input name="address_street" type="hidden" value="1234 Rock Road" />
<input name="payment_date" type="hidden" value="14:55 15 Jan 07 2005 PST" />
<input name="payment_status" type="hidden" value="Completed" />
<input name="address_zip" type="hidden" value="12345" />
<input name="mc_shipping" type="hidden" value="0.00" />
<input name="mc_handling" type="hidden" value="0.00" />
<input name="first_name" type="hidden" value="Jason" />
<input name="last_name" type="hidden" value="Anderson" />
<input name="mc_fee" type="hidden" value="0.02" />
<input name="address_name" type="hidden" value="Jason Anderson" />
<input name="notify_version" type="hidden" value="1.6" />
<input name="payer_status" type="hidden" value="verified" />
<input name="business" type="hidden" value="paypal@emailaddress.com" />
<input name="address_country" type="hidden" value="United States" />
<input name="num_cart_items" type="hidden" value="2" />
<input name="mc_handling1" type="hidden" value="0.00" />
<input name="mc_handling2" type="hidden" value="0.00" />
<input name="address_city" type="hidden" value="Los Angeles" />
<input name="verify_sign" type="hidden" value="AlUbUcinRR5pIo2KwP4xjo9OxxHMAi6.s6AES.4Z6C65yv1Ob2eNqrHm" />
<input name="mc_shipping1" type="hidden" value="0.00" />
<input name="mc_shipping2" type="hidden" value="0.00" />
<input name="tax1" type="hidden" value="0.00" />
<input name="tax2" type="hidden" value="0.00" />
<input name="txn_id" type="hidden" value="TESTER" />
<input name="payment_type" type="hidden" value="instant" />
<input name="last_name=Borduin" type="hidden" />
<input name="payer_email" type="hidden" value="test@domain.com" />
<input name="item_name1" type="hidden" value="Rubber+clog" />
<input name="address_state" type="hidden" value="CA" />
<input name="payment_fee" type="hidden" value="0.02" />
<input name="item_name2" type="hidden" value="Roman sandal" />
<input name="invoice" type="hidden" value="123456" />
<input name="quantity" type="hidden" value="1" />
<input name="quantity1" type="hidden" value="1" />
<input name="receiver_id" type="hidden" value="5HRS8SCK9NSJ2" />
<input name="quantity2" type="hidden" value="1" />
<input name="txn_type" type="hidden" value="web_accept" />
<input name="mc_gross_1" type="hidden" value="0.01" />
<input name="mc_currency" type="hidden" value="USD" />
<input name="mc_gross_2" type="hidden" value="0.01" />
<input name="payment_gross" type="hidden" value="0.02" />
<input name="subscr_id" type="hidden" value="PP-1234" />
<input name="test" type="submit" value="test" />
</form>
MY IPN handler File
zPaypalTest.asp
<%@ language="VBScript" %>
<%
Dim Item_name, Item_number, Payment_status, Payment_amount
Dim Txn_id, Receiver_email, Payer_email
Dim objHttp, str
DIM ApplicationRootPath
ApplicationRootPath = Request.ServerVariables("APPL_PHYSICAL_PATH")
' read post from PayPal system and add 'cmd'
str = Request.Form & "&cmd=_notify-validate"
' post back to PayPal system to validate
set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")
'Set objHttp = Server.CreateObject("MSXML2.ServerXMLHTTP.6.0")
' set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP.4.0")
'set objHttp = Server.CreateObject("Microsoft.XMLHTTP")
'objHttp.open "POST", "https://www.paypal.com/cgi-bin/webscr", false
objHttp.open "POST", "https://www.sandbox.paypal.com/cgi-bin/webscr", false
'objHttp.open "POST", "https://www.sandbox.paypal.com/cgi-bin/webscr", false
'Send response message back to paypal'
'objHttp.open "POST", "https://ipnpb.paypal.com/cgi-bin/webscr", false
'objHttp.open "POST", "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr", false
Response.write "IPN-Sand"
Response.write "<br/>"
objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
objHttp.Send str
Response.write objHttp.status
if (objHttp.status <> 200 ) then
' HTTP error handling
elseif (objHttp.responseText = "VERIFIED") then
Response.write "VERIFIED"
elseif (objHttp.responseText = "INVALID") then
Response.write "INVALID"
else
Response.write "ERROR"
end if
set objHttp = nothing
%>
Above is the example file.
Here is the code sample that I used: https://github.com/paypal/ipn-code-samples
I tested it on localhost IIS and it works fine there too.
So the only problem is when I use
objHttp.open "POST", "https://www.sandbox.paypal.com/cgi-bin/webscr", false
OR
objHttp.open "POST", "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr", false
I get a 500 server error, and this 500 error is only on my server, over both http and https; on localhost IIS it works.
Also,
if I change that URL to the live URL
objHttp.open "POST", "https://www.paypal.com/cgi-bin/webscr", false
OR
objHttp.open "POST", "https://ipnpb.paypal.com/cgi-bin/webscr", false
it works.
If I just browse that page in my browser on my server, i.e. https://myserver.com/zPaypalTest.asp, it gives the error only when using the sandbox URL.
I am not able to think what the error is here. Why does it give a 500 error?
I will be very thankful if anyone could give me any clue what's wrong.

Pyramid ignore missing template variables

I have a simple form using Pyramid and I want to use it as a new or update. I don't particularly want to have to create empty dictionary values for all the fields in my form, I just want it to ignore them without raising an exception.
<div metal:fill-slot="content">
<form method="POST" action="/studentupdate">
<input name="id" value="${studentid}" type="hidden" />
Name: <input type="text" name="studentname" value="${studentname}"/><br />
Exam Score: <input type="text" name="studentexam" value="${studentexam}"/><br />
Quiz Score: <input type="text" name="studentquiz" value="${studentquiz}"/><br />
Homework Score: <input type="text" name="studenthomework" value="${studenthw}"/><br />
<input type="submit" value="Save"/>
</form>
</div>
How can I do this?
Thanks.
You can work around it like this:
${studentexam or ''}
% for i in missing_list or []
<li>${i}</li>
% endfor

Empty message with FormIt in MODx

Here is my code of send-page:
<p>[[!FormIt?
&hooks=`email,FormItLog,spam,emailUser,redirect`
&emailTo=`heash94@gmail.com`
&emailSubject=`[[+subject]]`
&emailFromName=`[[+name]]`
&emailTpl=`ContactTpl`
&redirectTo=`62` ]]</p>
<div>[[+fi.error.error_message]]</div>
<form action="[[~[[*id]]]]" method="post"><input type="hidden" name="nospam:blank" value="" />
<div>
<label for="name">Name: </label> <input id="name" type="text" name="name:required" value="[[+fi.name]]" /> <span>[[+fi.error.name]]</span>
</div>
<div>
<label for="name">Email: </label> <input id="email" type="text" name="email:email:required" value="[[+fi.email]]" /> <span>[[+fi.error.email]]</span></div>
<div>
<label for="subject">Theme: </label> <input id="subject" type="text" name="subject:required:stripTags" value="[[+fi.subject]]" /> <span>[[+fi.error.subject]]</span></div>
<div>
<label for="message">Text: </label><span>[[+fi.error.message]]</span> <br /> <textarea id="message" name="message:required:stripTags" rows="7" cols="55">[[+fi.message]]</textarea></div>
<div>
<input type="submit" name="Submit" value="Отправить" /></div>
</form>
I tried many examples, but they send empty messages to my email.
Here is my receiver-page code:
This message [[+name]] ([[+email]]) was sent with callback form:
[[+message]]
But in response I have only "This message () was sent with callback form: ".
MODx Revolution.
Sounds like MODx is not seeing the name="email:email:required" as 'email'. Put your CSS/JS validation in another attribute and also use the &validate attribute for the FormIt call.
