
Implementation of PayPal EWP in PHP


I'm new to the integration of PayPal in PHP.

I found a tutorial and followed it. Now I'm having problems with the sandbox:

The email address for the business is not present in the encrypted blob. Please contact your merchant.

I have tried sending the e-mail and the Merchant ID of my Sandbox account, but no luck.

My code:

define("SANDBOX", 1);

$business_id="paypal@***********";
if(SANDBOX) $business_id="***********";

The data to be encrypted:

$form = array('cmd' => '_s-xclick',
        'cert_id' => '*************',
        'business' => $business_id,
        'custom' => 'test',
        //'invoice' => '...',
        'currency_code' => 'EUR',
        'no_shipping' => '1',
        'item_name' => 'TestItem',
        'item_number' => '12345',
        'amount' => '10'
    );

$encrypted = paypal_encrypt($form);

function paypal_encrypt($hash)
{

    ...trimmed...

    $data = "";
    foreach ($hash as $key => $value) {
        if ($value != "") {
            //echo "Adding to blob: $key=$value\n";
            $data .= "$key=$value\n";
        }
    }

    $openssl_cmd = "($OPENSSL smime -sign -signer $MY_CERT_FILE -inkey $MY_KEY_FILE " .
                        "-outform der -nodetach -binary <<_EOF_\n$data\n_EOF_\n) | " .
                        "$OPENSSL smime -encrypt -des3 -binary -outform pem $PAYPAL_CERT_FILE";

    exec($openssl_cmd, $output, $error);

    ...trimmed...
};
?> 

The PayPal form is:

<form action="https://<?php if(SANDBOX) echo "www.sandbox"; else echo "www"; ?>.paypal.com/cgi-bin/webscr" method="post" target=_blank>
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="encrypted" value="<?php echo $encrypted; ?>">
<input type="submit" value="Pay">
</form>

The code is just a sample from the tutorial; I haven't edited it too much.


Solution

  • I found out the encryption is not necessary as long as you are checking the IPN requests.

    I implemented the payment form without any kind of encryption, and when an IPN comes in, I check it against the database and PayPal.

    If everything matches, I update the DB and mark the order as paid. If there are differences, I just log everything and email myself about the issue.
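
The IPN check this answer describes, as an added example that is not part of the original post: the notification is posted back to PayPal for validation and then compared field by field with the stored order. The `$order` array shape, the merchant address and the sample notification are constructed assumptions; the field names are standard IPN variables and the `ipnpb` hosts are PayPal's IPN postback endpoints.

```php
<?php
// Added example, not the poster's code. Order fields, the merchant address and
// the sample notification are constructed assumptions.

// Echo the raw notification back to PayPal prefixed with cmd=_notify-validate;
// the reply body is the single word VERIFIED or INVALID.
function paypal_says_verified(string $rawBody, bool $sandbox): bool
{
    $host = $sandbox ? 'ipnpb.sandbox.paypal.com' : 'ipnpb.paypal.com';
    $ch = curl_init("https://$host/cgi-bin/webscr");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return $reply !== false && trim($reply) === 'VERIFIED';
}

// Compare the notification with the stored order. An unencrypted form can be
// edited in the browser, so every value that matters is re-checked here.
function ipn_mismatches(array $ipn, array $order, string $merchant): array
{
    $bad = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed')            $bad[] = 'payment_status';
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchant) !== 0) $bad[] = 'receiver_email';
    if (($ipn['mc_currency'] ?? '') !== $order['currency'])        $bad[] = 'mc_currency';
    if (($ipn['mc_gross'] ?? '') !== $order['amount'])             $bad[] = 'mc_gross';
    if (in_array($ipn['txn_id'] ?? '', $order['seen_txn_ids'], true)) $bad[] = 'txn_id already processed';
    return $bad;
}

// Constructed sample: the order was for 10.00 EUR, the submitted form said 1.00.
$order = ['amount' => '10.00', 'currency' => 'EUR', 'seen_txn_ids' => []];
$raw   = 'payment_status=Completed&receiver_email=merchant%40example.test'
       . '&mc_gross=1.00&mc_currency=EUR&txn_id=TESTTXN1&custom=test';
parse_str($raw, $ipn);
print_r(ipn_mismatches($ipn, $order, 'merchant@example.test'));

// In the live handler: $raw = file_get_contents('php://input'); mark the order
// paid only if paypal_says_verified($raw, SANDBOX) is true and the mismatch
// list is empty; otherwise log the notification and alert, as the answer does.
```

Without EWP the amount, currency and recipient in the form are under the buyer's control, so the order is only as trustworthy as these comparisons; the amount is compared as a two-decimal string, which assumes the order is stored in that form.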