Just another reason to hate using others’ code: Paypal SDK for PHP

Recently, I have downloaded Paypal SDK for PHP developers release 1.1.93 which is for “Express Checkout, Recurring Payments, Transaction Details, Mass Pay, Direct Payment, Payment Settlements, etc.”

..and I have been trying to integrate it with my new web application which needs collecting credit card payments. I did not like the “Express Checkout” which is like 5 steps and customer is lead to Paypal’s website during the process; not really straight forward, and I must say, over the years, Paypal integration did not get any less confusing!

The main problem is those so-called Paypal SDK developers clearly have released UNTESTED code:

1. Buggy XML preparation for input: If you care to skim over 25000 lines of code in file: lib/PayPalAPIInterfaceService/PayPalAPIInterfaceService.php you will see function toXMLString() in class SetExpressCheckoutRequestDetailsType and function toXMLString() in class PaymentDetailsType and both of them use class BasicAmountType and its function toXMLString(). The bug is when you are using a currency other than USD, it tries to create an attribute currencyID for tag ebl:OrderTotal. But the function injecting the result already closes the tag; therefore, the amount sent to Paypal is incorrect!

2. Redundant class OAuthException in lib/auth/PPAuth.php causes fatal error if PHP OAuth extension is already enabled in your server environment.

3. Default settings file config/sdk_config.ini has incorrect SOAP service URL; it should be

There goes few sleepless nights! .. all because of some “cowboy” programmers!

by the way, see: http://en.wikipedia.org/wiki/Cowboy_coding

3 thoughts on “Just another reason to hate using others’ code: Paypal SDK for PHP

  1. Yikes! – sorry about that – looks like we missed an important test case – we will get on it right away. Btw – the endpoint is correct if you are using SSL Certificate as your API Credential instead of Signature (they both are correct for SOAP) – but we will look into how to hide them completely – no point in even exposing it as a config variable since they never change. Based on the API credentials you configure, the code should be able to figure out which end point to use. About the OAuthException – it’s a bummer, we never tested in an env where the OAuth ext is also installed. We will work on a workaround to detect/avoid the duplicate installs of the OAuth files. Thanks for your feedback – really appreciate it.
    Developer Evangelism/Tools

  2. Thank you for posting the comment about PPAuth and the extra OAuthException – have spent the last hour banging my head against the wall trying to figure out what was going wrong!

Leave a Comment