Finding a secure method of
payment can be a problem for small businesses
without merchant credit card accounts or access
to a secure server. This article concerns
creating an e- commerce site using your
own shopping cart or a third-party cart in
conjunction with PayPal. This solution will
maximize the business benefits and minimize the
inconvenience to the customer. A database and
server-side scripting will be implemented using
MySQL and PHP. Some knowledge of these
technologies and of HTML is assumed.
Using PayPal is an inexpensive way to
implement e-commerce. To find out if it suits
your needs simply go to the PayPal site and read
the information provided there. In order to use
PayPal a business account needs to be set
up. This is a fairly straightforward matter and
will not be dealt with here. Once your account
is set up you might want to read the article
Adding PayPal to Your
3rd Party shopping Cart found in
the 'How-To Articles' of PayPal Developers
Network. It forms the basis for this discussion.
When using a third party shopping
cart with PayPal you have only two options. You
can pass your entire shopping cart to PayPal and
show detailed purchase information or you can
pass in only a total. You cannot pass both your
shopping cart items and detailed customer
information. Passing in the contents of your
cart means that your customer will have to
duplicate information already entered into your
database. Given the precariousness of retail
e-commerce transactions this is not a viable
option. For this reason, we have chosen to pass
in summary information. Additionally, capturing
customer information in our own database rather
than one that resides at PayPal makes better
business sense. It will be more easily
more easily manipulated.
The only minor downside to this
option is that your customers will not receive
details of their order with their PayPal
invoice. However, this can easily be remedied
with an e-mail from your site.
Let's assume that our customer is
viewing order details and is about to complete
his purchase. We present him with a confirmation
The remainder of this article
discusses what happens when the "Place" button
is pressed. When this button is pressed a page
called "paypal.php" will be invoked and three
values will be passed in a query string. These
are, the number of items purchased, the total
cost and the unique identiiier for our' current
customer. The dynamically created code to invoke
this page might well look like this:
This is all the information we
need to complete the transaction.
Collecting the information
This section deals in detail with all the code
in our "paypal.php" page. Explanatory comments
have been added. Discussion will be broken up
into three pads. The first part will deal with
hard- coded information that doesn't change,
next the information passed in the query string
is retrieved and finally the customer data from
our MySQL database.
This page will net be visible to
the user. It includes a form but every input
type on the page is "hidden". This page will be
invoked after the user has reviewed and
confirmed his order on your website. Any
information needed for order fulfillment or
follow-up has already been captured to the
database and presented to the user, This page
merely consolidates all the information required
by PayPal and automatically submits it using
A number of the parameters needed by PayPal
can be hard-coded right into your page. For
example, the "action" attribute of the "form" is
the page at PayPal that is set up to accept
submission of your order. At the time of
writing, it is as follows:
<form name= "order" action="https://www,
Since we wish to send detailed
customer information, the input control with the
name attribute set to "crud" must have a value
type="hidden" name="cmd" value="_ext-enter"><br>
The next line is also a
requirement for using extended values. Its value
must be set to "_xclick". In this way we will be
able to pass our customer information to PayPal
and not require that it be re-entered.
type="hidden" name="redirect cmd" value="_xclick"><br>
After submission to PayPal, the
user is returned to your site and the success or
failure of the transaction is confirmed. This
will be handled in a page called "notify. php",
but feel free to name it whatever you like. A
query string called "status" will be examined in
order to output an appropriate message to the
type="hidden" name="return" value ="http://<your
type="hidden" name="cancel_return" value =
Enter the appropriate values for
the next set of items. Remember, the value of
the input "business" will be the same as the
e-mail address of your Paypal account. Likewise
with "item_name" and "shipping". The first
shipping value represents the cost of shipping
the first item and the second the cost of each
type="hidden" name="business" value ="firstname.lastname@example.org">
<input type="hidden' name="item_name"
<input type='hidden" name="shipping'
<input type="hidden" name='shipping2"
If handling shipping costs in
this way does not meet your requirements Paypal
provides other ways of doing this. These are
described in article mentioned earlier.
Information Retrieved from
Detailed order information was
presented to the user in the previous page and
will net be re-presented at the PayPal site.
Paypal still needs summary information in order
to bill the correct amount. This will now be
retrieved from the query string passed to this
page. The number of items is also retrieved as
this will affect shipping costs.
//get values from previous page
$quantity = $HTTP_GET VARS['quantity'];
$total = $HTTP GET VARS['total];
echo "<input type=\"hidden\" name=\"quantity\"
echo "<input type=\"hidden\" name=\"amount\"
The "customerid" parameter was
also passed in to this page but will be
retrieved when needed to create a database
Information from the database
First a note about the database. Assume a
customer table with the following structure:
information needs to be retrieved from the
database. Let's create a connection and the SQL
query to retrieve the information we wish to
pass to PayPal.
database password information etc.
$hostname = "myhost.com";
$username = "user";
$password = "password";
if(!($link = mysql_connect($hostname,
die("Could not connect to database.");
$databasename = "mydatabase";
die("Could not open table.");
Retrieve the information from
the database using the primary key.
customer info from database
$customerid = $HTTP_GET_VARS['id'];
$strsql='SELECT email, firstname, lastname,
streetaddress1, "."streetaddress2, city,
stateprov, pcode FROM "."tblcustomer WHERE id =
if(!($rs= mysql_query($strsql, $link)))
die("Could not open table.");
//only one row should be returned
$row = @ mysql2fetch array($rs);
The form is now completed with
the information retrieved from the database.
echo "<input type=\"hidden\" name=\"email\'"
echo "<input type=\"hidden\"
echo "<input type=\"hidden\"
echo "<input type=\"hidden\" name=\"address1\"
value = \"$row[streetaddress1]\"><br>\n";
echo "<input type=\"hidden\" name=\"address2\"
echo "<input type=\"hidden\" name=\"city\"
echo "<input type=\"hidden\" name=\"state\"
echo "<input type=\"hidden\" name=\"zip\"
You might have noticed that
there is no "submit" button associated with our
"paypal.php" page. Because our customer has
already confirmed his order, code is used to
submit this form to PayPal. The following
loaded and your customer will not see the
"paypal.php" page at all.
Your customer will now be
looking at a summary of his order on the PayPal
site. All personal information will already be
An economical e-commerce
solution was created using PayPal: A secure
e-commerce transaction can be conducted in this
way at minimal cost. Business benefits were
maximized because we were able to retain full
control of customer information in our own
database and the customer was not inconvenienced
by having to enter the same information twice.