Reputation: 989
This is not a coding question as such, but I would like to understand what's happening. It's the first time I'm having to integrate PayPal, so I used a sandbox environment and simple samples with hard-coded values to get started.
For SetExpressCheckoutRequest a payment value x was assumed, everything worked fine (buyer agreed, token returned). Then I realised DoExpressCheckoutPayment is needed to finalise it, so I used some more sample code, and it, too, worked fine.
In the DoExpressCheckoutPayment code sample, a payment value y was assumed. As mentioned, I just wanted to get the bare bones working and didn't bother to tie in the values etc.
Now here's what surprised me: the actual transaction amount shown in the PayPal sandbox account was not the value x the buyer approved, but value y from DoExpressCheckoutPayment. Here is the simplified sample code:
public ActionResult RunSample()
{
    //...
    PaymentDetailsItemType[] pdItem = new PaymentDetailsItemType[1];
    pdItem[0] = new PaymentDetailsItemType()
    {
        // BasicAmountType.Value is a string in the SOAP proxy, so the amount is "1.50", not the double 1.50
        Amount = new BasicAmountType() { currencyID = CurrencyCodeType.USD, Value = "1.50" },
        //...
    };
    var resp = new PayPalAPIAAInterfaceClient().SetExpressCheckout(ref type, req);
    //...
    // Redirect the buyer to PayPal with the returned token; the base URL must not already carry cmd/token
    return new RedirectResult(string.Format("{0}?cmd=_express-checkout&token={1}",
        "https://www.sandbox.paypal.com/cgi-bin/webscr", resp.Token));
}
public ActionResult RunSampleResult(string token, string payerId)
{
    // result returned, buyer agreed to 1.50
    var NVP = "METHOD=DoExpressCheckoutPayment";
    //NVP += ...;   // USER, PWD, SIGNATURE, VERSION, PAYMENTACTION etc.
    NVP += "&TOKEN=" + Uri.EscapeDataString(token) + "&PAYERID=" + Uri.EscapeDataString(payerId);
    NVP += "&PAYMENTREQUEST_0_AMT=100";
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("https://api-3t.sandbox.paypal.com/nvp");
    request.Method = "POST";
    request.ContentType = "application/x-www-form-urlencoded";
    //...
    string sResponse = string.Empty;
    using (StreamWriter sw = new StreamWriter(request.GetRequestStream()))
    {
        sw.Write(NVP);
    }
    HttpWebResponse response = request.GetResponse() as HttpWebResponse;
    using (StreamReader sr = new StreamReader(response.GetResponseStream()))
    {
        sResponse = sr.ReadToEnd(); // NVP-encoded reply from PayPal
    }
    // => 100 is charged, not the 1.50 agreed to
    return Content(sResponse);
}
Is that just sandbox behaviour? Surely it can't be that easy to override the value a buyer agrees to? What am I missing?
Upvotes: 0
Views: 235
Reputation: 26036
Yes, whatever gets sent in DECP is what gets processed. The reason for that is because when SEC gets run you may not know the user's shipping address yet, so you would have to calculate shipping and tax after being returned from PayPal and calling GetExpressCheckoutDetails to obtain the buyer's info.
With that info and additional calculations, you would display a final review for the buyer to see before running the new total through DECP to finalize the payment.
Obviously, if you took advantage of that in any way your application wouldn't last long.
There is a parameter included with SEC called MAXAMT you can use so that DECP can't process anything higher than what is set there, but again, that's up to you as the app developer to manage it anyway.
Upvotes: 1
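An added illustration of the two safeguards the answer describes (this is example code, not code from either post or from PayPal's SDK): a server-side record of what the buyer approved at SEC time, a MAXAMT cap sent with SEC, and a DECP builder that recomputes the final amount from that record instead of trusting any request value and refuses to exceed the cap. The `CheckoutLedger` store, the `ExpressCheckoutNvp` class and the USD-only handling are assumptions; credentials (USER, PWD, SIGNATURE, VERSION) are assumed to be appended elsewhere.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;

// Hypothetical server-side record of what the buyer approved, keyed by the EC token.
// In a real application this lives in the database or session, not a static dictionary.
public static class CheckoutLedger
{
    private static readonly Dictionary<string, decimal> ApprovedByToken = new Dictionary<string, decimal>();

    public static void Remember(string token, decimal approvedAmount) { ApprovedByToken[token] = approvedAmount; }
    public static bool TryGet(string token, out decimal approvedAmount) { return ApprovedByToken.TryGetValue(token, out approvedAmount); }
}

public static class ExpressCheckoutNvp
{
    static string Fmt(decimal amount) { return amount.ToString("F2", CultureInfo.InvariantCulture); }

    // SEC: include MAXAMT so that PayPal itself rejects a DECP above the cap.
    public static string SetExpressCheckout(decimal itemTotal, decimal maxAmt, string returnUrl, string cancelUrl)
    {
        if (maxAmt < itemTotal) throw new ArgumentException("MAXAMT must cover the amount shown to the buyer");
        return "METHOD=SetExpressCheckout"
             + "&PAYMENTREQUEST_0_AMT=" + Fmt(itemTotal)
             + "&PAYMENTREQUEST_0_CURRENCYCODE=USD"
             + "&MAXAMT=" + Fmt(maxAmt)
             + "&RETURNURL=" + Uri.EscapeDataString(returnUrl)
             + "&CANCELURL=" + Uri.EscapeDataString(cancelUrl);
    }

    // DECP: the final amount is the stored approval plus shipping/tax computed after
    // GetExpressCheckoutDetails, never a value taken from the incoming request, and it must stay under MAXAMT.
    public static string DoExpressCheckoutPayment(string token, string payerId, decimal shippingAndTax, decimal maxAmt)
    {
        decimal approved;
        if (!CheckoutLedger.TryGet(token, out approved))
            throw new InvalidOperationException("unknown or already-used token: " + token);
        decimal finalAmt = approved + shippingAndTax;
        if (finalAmt > maxAmt)
            throw new InvalidOperationException("final amount " + Fmt(finalAmt) + " exceeds MAXAMT " + Fmt(maxAmt));
        return "METHOD=DoExpressCheckoutPayment"
             + "&TOKEN=" + Uri.EscapeDataString(token)
             + "&PAYERID=" + Uri.EscapeDataString(payerId)
             + "&PAYMENTREQUEST_0_PAYMENTACTION=Sale"
             + "&PAYMENTREQUEST_0_AMT=" + Fmt(finalAmt)
             + "&PAYMENTREQUEST_0_CURRENCYCODE=USD";
    }
}
```

With the question's numbers, `CheckoutLedger.Remember(token, 1.50m)` at SEC time and a later `DoExpressCheckoutPayment(token, payerId, 0m, 5.00m)` yields `PAYMENTREQUEST_0_AMT=1.50`, and any attempt to finalise 100 is refused before it ever reaches PayPal.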