Jsp – How to use HTTP POST in JSP page to send a FORM to Paypal and read response

httphttp-gethttp-postjsppaypal

I'm using paypal's sandbox to test out the Payment Data Transfer (PDT) feature from Paypal. Please note, Paypal doesn't have a code example, in JSP, for PDT. I'm shocked, since they seem to have examples for everything else.

According to Paypal, I can specify the URL that I want to use for processing the PDT information. I did just that in my sandbox profile.

Now I'm stuck on a few things with the JSP code. I managed to get some example code, but it might not be complete, and to tell you the truth, I'm not exactly familiar with some of the code in it.

The JSP code is below. If you look at Paypal's Payment Data Transfer page, it explains, without any code examples, the PDT process.

It states that the transaction id will be appended to the URL specified in your Profile. Okay, so I can get that id via request.getParameter("tx"). That's the easy part.

1) — But how do I POST the form (as shown below) back to Paypal? That part I don't understand. How do I code that?

2) –Then the page states "In PayPal's reply to your post, the first line will be SUCCESS or FAIL. An example successful response looks like this (HTTP Header has been omitted):
SUCCESS

first_name=Jane+Doe
last_name=Smith
payment_status=Completed
payer_email=janedoesmith%40hotmail.com
payment_gross=3.99
mc_currency=USD
custom=For+the+purchase+of+the+rare+book+Green+Eggs+%26+Ham

How is this information retrieved from within my JSP page?

Html Form to Post to Paypal

<form method=post action="https://www.paypal.com/cgi-bin/webscr"> 
<input type="hidden" name="cmd" value="_notify-synch"> 
<input type="hidden" name="tx" value="TransactionID"> 
<input type="hidden" name="at" value="YourIdentityToken"> 
<input type="submit" value="PDT"> 
</form>

JSP code

// Java JSP

<%@ page import="java.util.*" %>
<%@ page import="java.net.*" %>
<%@ page import="java.io.*" %>

<%@ page import="javax.servlet.*"%>
<%@ page import="javax.servlet.http.*"%>
<%@ page import="javax.naming.*"%>
<%@ page import="javax.sql.*"%>
<%@ page import="java.sql.*"%>

<%
// read post from PayPal system and add 'cmd'
Enumeration en = request.getParameterNames();
String str = "cmd=_notify-validate";
while(en.hasMoreElements()){
String paramName = (String)en.nextElement();
String paramValue = request.getParameter(paramName);
str = str + "&" + paramName + "=" + URLEncoder.encode(paramValue);
}

String transId = request.getParameter("tx");

// post back to PayPal system to validate
// NOTE: change http: to https: in the following URL to verify using SSL (for increased security).
// using HTTPS requires either Java 1.4 or greater, or Java Secure Socket Extension (JSSE)
// and configured for older versions.
java.net.URL u = new java.net.URL("https://www.sandbox.paypal.com/cgi-bin/webscr");

java.netHttpURLConnection uc = (java.net.HttpURLConnection)u.openConnection();

uc.setRequestMethod("POST");

uc.setDoOutput(true);
uc.setRequestProperty("Content-Type","application/x-www-form-urlencoded");

PrintWriter pw = new PrintWriter(uc.getOutputStream());
pw.println(str);
pw.close();

BufferedReader in = new BufferedReader(
new InputStreamReader(uc.getInputStream()));
String res = in.readLine();
in.close();

// assign posted variables to local variables
String itemName = request.getParameter("item_name");
String itemNumber = request.getParameter("item_number");
String paymentStatus = request.getParameter("payment_status");
String paymentAmount = request.getParameter("mc_gross");
String paymentCurrency = request.getParameter("mc_currency");
String txnId = request.getParameter("txn_id");
String receiverEmail = request.getParameter("receiver_email");
String payerEmail = request.getParameter("payer_email");

            DataSource ds = null;
            Connection conn = null;
            Statement stmt = null;

            try {
            final Context ctx = new InitialContext();
            ds = (DataSource) ctx.lookup("java:comp/env/jdbc/mydb");
            conn = ds.getConnection();
            stmt = conn.createStatement();

            //test_paypal
            int success = stmt.executeUpdate("insert into test_paypal values("paymentStatus="+request.getParameter("payment_status")+"paymentAmount="+request.getParameter("mc_gross")+
                                             "txnId"+request.getParameter("txn_id")+")");
             }//try
             catch(Exception e) {}

             finally {
                       stmt.close();
                       conn.close();
                     }



check notification validation
if(res.equals("VERIFIED")) {
// check that paymentStatus=Completed
// check that txnId has not been previously processed
// check that receiverEmail is your Primary PayPal email
// check that paymentAmount/paymentCurrency are correct
// process payment
}
else if(res.equals("INVALID")) {
// log for investigation
}
else {
// error
}
%>

Best Answer

To expand on @BalusC's comment a bit... I agree with him - you might want to consider using the PayPal API instead. There are two versions, the NVP (Name Value Pair) version and the SOAP version.

Essentially, it does come down to the same thing - you take the transactionId that is passed to you on the return URL, and you use that to to make a server side request to PayPal to retrieve the detailed information about the transaction.

However:

Once you've learned your way around the NVP API, you'll find that it provides much richer data then this simple PDT POST.
The NVP API will intuitively make more sense to you. You'll also find code examples and SDKs in all languages.
If you do much work with PayPal, you'll find yourself dealing with the NVP API anyway. Might as well just do it now.

Related Solutions

When do you use POST and when do you use GET

Use POST for destructive actions such as creation (I'm aware of the irony), editing, and deletion, because you can't hit a POST action in the address bar of your browser. Use GET when it's safe to allow a person to call an action. So a URL like:

http://myblog.org/admin/posts/delete/357

Should bring you to a confirmation page, rather than simply deleting the item. It's far easier to avoid accidents this way.

POST is also more secure than GET, because you aren't sticking information into a URL. And so using GET as the method for an HTML form that collects a password or other sensitive information is not the best idea.

One final note: POST can transmit a larger amount of information than GET. 'POST' has no size restrictions for transmitted data, whilst 'GET' is limited to 2048 characters.

What’s the difference between a POST and a PUT HTTP REQUEST

HTTP PUT:

PUT puts a file or resource at a specific URI, and exactly at that URI. If there's already a file or resource at that URI, PUT replaces that file or resource. If there is no file or resource there, PUT creates one. PUT is idempotent, but paradoxically PUT responses are not cacheable.

HTTP 1.1 RFC location for PUT

HTTP POST:

POST sends data to a specific URI and expects the resource at that URI to handle the request. The web server at this point can determine what to do with the data in the context of the specified resource. The POST method is not idempotent, however POST responses are cacheable so long as the server sets the appropriate Cache-Control and Expires headers.

The official HTTP RFC specifies POST to be:

Annotation of existing resources;
Posting a message to a bulletin board, newsgroup, mailing list, or similar group of articles;
Providing a block of data, such as the result of submitting a form, to a data-handling process;
Extending a database through an append operation.

HTTP 1.1 RFC location for POST

Difference between POST and PUT:

The RFC itself explains the core difference:

The fundamental difference between the POST and PUT requests is reflected in the different meaning of the Request-URI. The URI in a POST request identifies the resource that will handle the enclosed entity. That resource might be a data-accepting process, a gateway to some other protocol, or a separate entity that accepts annotations. In contrast, the URI in a PUT request identifies the entity enclosed with the request -- the user agent knows what URI is intended and the server MUST NOT attempt to apply the request to some other resource. If the server desires that the request be applied to a different URI, it MUST send a 301 (Moved Permanently) response; the user agent MAY then make its own decision regarding whether or not to redirect the request.

Additionally, and a bit more concisely, RFC 7231 Section 4.3.4 PUT states (emphasis added),

4.3.4. PUT

The PUT method requests that the state of the target resource be created or replaced with the state defined by the representation enclosed in the request message payload.

Using the right method, unrelated aside:

One benefit of REST ROA vs SOAP is that when using HTTP REST ROA, it encourages the proper usage of the HTTP verbs/methods. So for example you would only use PUT when you want to create a resource at that exact location. And you would never use GET to create or modify a resource.