Integrating WorldPay into a database driven website

Jul 25, 2012

Table of contents:

  1. Picking up from last time
  2. An overview of the process
  3. Pulling the data
  4. WorldPay Security
  5. Outputting the form
  6. Conclusion

WorldPay is a safe and reliable payment processor that can be used to take payments on your website and allow you to start earning money online. Last week I gave you an overview of getting started with WorldPay integration. This week I’m going to give you an example of how you can integrate WorldPay into a database driven website or ecommerce platform.

If you missed last week’s post, go back and read it before continuing because it will give you a much deeper understanding of how WorldPay works and explanations of some of the key bits of data that we are going to be using in this tutorial.

Picking up from last time

In last week’s tutorial I introduced you to the mandatory and optional parameters that you will need to use when transferring data to WorldPay. I also gave you some code to produce a static form to be used for transferring your transaction data.

Whilst it is important to start with a basic example, I’m sure you will want to do a lot more interesting things with your website. That is where using a database driven website comes in. With a database driven website you can create a complete online ecommerce website where customers can sign up and purchase your products or services. By creating customer accounts you can effectively track repeat sales and you create a much better experience for your customers.

This post will cover the steps you need to take to process an order and send it to WorldPay.

I am assuming you are already have your ecommerce website set up as creating the whole thing from scratch is out of the scope of this tutorial.

Basically, you will need to allow signed in customers to add products to their basket. From there we pick up and I’ll show you how to create the secure form to send to WorldPay.

The transaction form we will be creating will be for FuturePay agreements. If you only want regular transactions and not FuturePay agreements, simply delete the FuturePay parameters that are listed here.

With all that said, let us begin!

An overview of the process

Before getting into the code, I’ll give you a quick overview of how this process needs to work.

  1. John selects a product from your website and adds it to his basket.
  2. John is finished shopping so he hits “checkout”. John is already a member of your website so he enters his Email address and Password and logs in.
  3. This is the part of the process where this tutorial will pick up. Now that John has decided he wants to pay for his selection we must prepare the data to send to WorldPay. We pull this from the database and produce a page where John can confirm his decision. When John clicks confirm he is whisked away to WorldPay to enter his payment details and complete his transaction.

Pulling the data

So the first thing we want to do is to pull the data from the database. This will be entirely based upon how your website is set up and so I’ll just give you a general outline.

The following is a list of the parameters that we are going to be sending to WorldPay. It is up to you which of these you wish to store in your database and which you want to just hard code into this script.

  • instId
  • cartId
  • currency
  • testMode
  • name
  • email
  • MC_business
  • MC_customerId
  • MC_productId
  • MC_orderId
  • address1
  • address2
  • address3
  • town
  • postcode
  • country
  • tel
  • paymentType
  • normalAmount
  • initialAmount
  • amount
  • desc
  • signature
  • futurePayType
  • option
  • startDelayUnit
  • startDelayMult
  • intervalMult
  • intervalUnit

If you don’t understand what any of these parameters mean, refer back to last week’s post.

WorldPay Security

You may remember in last week’s post that in order to transmit data to WorldPay through a form, you simply create hidden form elements. This is obviously a huge security risk as you leave yourself wide open to any number of exploits.

In order to protect the integrity of your data, WorldPay allows you to create a hash signature that is verified when WorldPay receives your data. If the data in the form does not match the data in the hash then WorldPay will reject the payment request.

To set up your signature, log in to your WorldPay account and choose your installation integration setup.

At the bottom of the form you should see a field labeled “MD5 secret for transactions”. Type a signature phrase you want to use and then re-enter it into the confirmation box. For this tutorial I’ll be using the phrase “nachos”.

Under that field, you will see another labeled “SignatureFields”. It is in this box that you want to enter the data parameters you want to protect. For the purpose of this tutorial I will be protecting the following parameters.


Notice how I separate each parameter with a “:”. This is extremely important, so don’t forget to set out your string like this.

Next, back in our script we need to create the signature to send to WorldPay. To do this we create a string that matches the exact structure of the one we entered into the WorldPay admin panel. We then md5 it which turns it into a hash.

md5() is a function that turns a string into a md5 hash. When you hash a string, you can’t unhash it. The only way to verify it is to hash the input on the other end to see if it produces the same hash.

To create a signature, copy the following code and change where appropriate.

$signature =
    "nachos:123456:Acme Shop:GBP:" .
    $price .
    ":" .
    $price .
    ":" .
    $customerId .
    ":" .
    $productId .
    ":" .
    $orderId .
    ":regular:" .
    0 .
    ":" .
    $price .
    ":" .
    4 .
    ":" .
    1 .
    ":" .
    1 .
    ":" .
$signature = md5($signature);

Now if someone were to tamper with the data we are transferring to WorldPay, the hash would not match our signature and so the transaction would be rejected.

Outputting the form

Now that we have all of our data set up, we can output the form to allow the customer to confirm and send it to WorldPay.

To do this, create an array of your data like this.

$data = [
    "instId" => "123456",
    "cartId" => "Acme Shop",
    "currency" => "GBP",
    "testMode" => "100",
    "name" => $firstName . " " . $secondName,
    "email" => $email,
    "MC_business" => $businessName,
    "MC_customerId" => $customerId,
    "MC_productId" => $productId,
    "MC_orderId" => $orderId,
    "address1" => $addressLine1,
    "address2" => $addressLine2,
    "address3" => $addressLine3,
    "town" => $town,
    "postcode" => $postcode,
    "country" => $country,
    "tel" => $telephone,
    "paymentType" => $paymentType,
    "normalAmount" => $price,
    "initialAmount" => $price,
    "amount" => $price,
    "desc" => $productName,
    "signature" => $signature,
    "futurePayType" => "regular",
    "option" => 0,
    "startDelayUnit" => 4,
    "startDelayMult" => 1,
    "intervalMult" => 1,
    "intervalUnit" => 4,

Next you need to create the form in your view.

To create the hidden fields we simply loop through the array using a foreach statement.

<form action="" method="POST" />
    <?php foreach ($data as $key => $value) { ?>
        <input type="hidden" name="<?php echo $key; ?>" value="<?php echo $value; ?>">
    <?php } ?>
    <fieldset class="submit"> <input type="submit" value="Confirm your purchase" />

This will out put the form into your HTML page and will create a button so your customer can confirm their purchase and be transferred to WorldPay’s secure payment servers.


And there you have it, now you can take data from your database, prepare it, and then create the output to allow your customer to send it to WorldPay.

Next time I’ll be covering what happens when your customer reaches WorldPay, the various files you need to create and how to build a callback script that integrates back into your ecommerce system.

To ensure you don’t miss the next post, follow us on Twitter, Facebook, Google+ or RSS.

If you have any questions, feel free to leave them in the comments and I’ll try and help you out.

Philip Brown


© Yellow Flag Ltd 2024.