Reputation: 4675
I was working with SpringMVC + Paypal payment and found out what stupid code I've written (although it is working fine). I'm using a paypal form that submits data like amount, item name, success url, cancel url etc. to paypal for the payment. It contains hidden fields to send the data and as we all know, hidden fields are not hidden any more :)
Anybody can right-click on the form, use inspect element and change the value of the amount. Also, when I've done the payment, I have to click the "Return back to ...." link to get back to my page, where I cannot read any data returned by paypal about the transaction.
So I would like to ask if there is another workaround like: before I move to the paypal page, I get some token using my API key, and after the payment is done, paypal auto-redirects back to my url (I don't have to click "Return ...") and I can validate the transaction thereafter.
I tried and was able to find some code using google, but all of them are paying with their own account.
In my application, the client has to enter their paypal account information when they reach the paypal page.
Waiting eagerly for a reply, thanks & regards
If you require code, I will post my form code too, but I know it is not a good technique using form & session for payment.
Upvotes: 2
Views: 9738
Reputation: 4675
I solved it with the help of this URL:
https://developer.paypal.com/docs/classic/api/apiCredentials/
Upvotes: 0
Reputation: 134
I wouldn't know how to do it exactly in Spring MVC (as I'm PHP oriented) but in general this workflow is independent from the language used. Basically, you would use the PayPal API, which does things on the server-side away from your users.
That said, you would need to have some "Pay now" button which would redirect the user to another page (controller/action since you're working with MVC) on your site which does the following:
1. SetExpressCheckout API with payment info (description, total amount, currency etc.) where you should also specify 2 URLs: returnURL (to which page the user will be redirected from PayPal in case he authorizes the payment), and cancelURL (to which page the user will be redirected from PayPal in case he cancels the authorization).
2. redirectURL field, to which you should redirect your user to PayPal for him to authorize the payment.
3. returnURL. When the user gets redirected back to your website, PayPal will append a token parameter which you can further use to verify and complete the payment using the GetExpressCheckoutDetails and DoExpressCheckoutPayment API calls.
Basically, everything happens on the server-side, so pretty much you're safe from tampering on the client-side.
Yes, users would be able to modify the token once they're redirected back to your website, but there is no point in doing so. After you call the GetExpressCheckoutDetails API, you can check if the call was successful or not and act accordingly.
In the PayPal documentation you can find various examples and use cases, so I would suggest you take a look there, especially: this (if you want to process payments immediately), or this (if you want to process payments later, let's say after a few days).
Please note that PayPal has two versions of the API: Classic (older, more thorough, a little bit hard to start on), and REST (newer, easier to grasp, but still lacking some advanced use cases). But in any case, the links I gave you above should help you understand how Express Checkout works.
Upvotes: 6
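As an added illustration of the server-side flow described in the answer above (not code from the question or from PayPal), here is the part that actually defends against the tampered hidden field: the amount is recorded on the server against the TOKEN that SetExpressCheckout returns, and the GetExpressCheckoutDetails reply is checked against that record before DoExpressCheckoutPayment is built. The NVP field names are the Classic API ones; the sandbox redirect URL, the credentials and the HTTP POST itself are assumed or omitted, and the sample reply is constructed so the code runs offline.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Assumed sandbox redirect URL (the NVP endpoint, credentials and HTTP POST are not shown).
CHECKOUT_URL = "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token="
OK_ACKS = ("Success", "SuccessWithWarning")
PENDING = {}  # token -> (amount, currency) recorded server-side; the browser never sets this

def parse_nvp(body):
    """Decode a PayPal NVP body such as 'ACK=Success&TOKEN=EC%2d...' into a dict."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def set_express_checkout_params(amount, currency, return_url, cancel_url):
    """Step 1: SetExpressCheckout; amount and currency come from the server-side order."""
    return {"METHOD": "SetExpressCheckout", "PAYMENTREQUEST_0_PAYMENTACTION": "Sale",
            "PAYMENTREQUEST_0_AMT": amount, "PAYMENTREQUEST_0_CURRENCYCODE": currency,
            "RETURNURL": return_url, "CANCELURL": cancel_url}

def remember_token(set_ec_reply, amount, currency):
    """Step 2: bind the TOKEN PayPal returned to this order, then build the redirect URL."""
    if set_ec_reply.get("ACK") not in OK_ACKS:
        return None
    PENDING[set_ec_reply["TOKEN"]] = (amount, currency)
    return CHECKOUT_URL + set_ec_reply["TOKEN"]  # the token is all the user can later alter

def verify_details(token, details):
    """Step 3: trust only PayPal's GetExpressCheckoutDetails reply, checked against PENDING."""
    expected = PENDING.get(token)
    if expected is None or details.get("TOKEN") != token or not details.get("PAYERID"):
        return False  # unknown or swapped token on the return URL, or no payer identified
    if details.get("ACK") not in OK_ACKS or details.get("CHECKOUTSTATUS") == "PaymentActionCompleted":
        return False  # failed call, or the return URL replayed after payment already completed
    try:
        return (Decimal(details.get("PAYMENTREQUEST_0_AMT", "")) == Decimal(expected[0])
                and details.get("PAYMENTREQUEST_0_CURRENCYCODE") == expected[1])
    except InvalidOperation:
        return False

def do_payment_params(token, details):
    """Step 4: DoExpressCheckoutPayment with the server's amount and PayPal's PAYERID."""
    amount, currency = PENDING[token]
    return {"METHOD": "DoExpressCheckoutPayment", "TOKEN": token, "PAYERID": details["PAYERID"],
            "PAYMENTREQUEST_0_PAYMENTACTION": "Sale", "PAYMENTREQUEST_0_AMT": amount,
            "PAYMENTREQUEST_0_CURRENCYCODE": currency}

# Constructed sample reply standing in for a real GetExpressCheckoutDetails response.
SAMPLE_DETAILS = ("TOKEN=EC%2dSAMPLE0000&ACK=Success&PAYERID=SAMPLEPAYER&CHECKOUTSTATUS="
                  "PaymentActionNotInitiated&PAYMENTREQUEST_0_AMT=49%2e99&PAYMENTREQUEST_0_CURRENCYCODE=USD")
```

The same check is what a Spring MVC controller behind returnURL would run before completing the payment; anything the browser could have edited (amount, token) is either ignored or compared against the server's own record.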