Erfan pj

Reputation: 381

Payment Security of Paypal

I want to use PayPal services and I am in the testing procedure using the Sandbox, but the confusing issue is that when a user purchases a product from my website and is later redirected to my 'Success' page by PayPal, I receive the data in the 'Querystring' and only from there am I able to read the data. I believe that this is wrong, because the 'Querystring' can be changed and modified very easily. I would like to know how I can be certain that the 'Querystring' which I have received belongs to a user who has made a payment via the purchasing request.

    using System.Configuration;
    using System.Web;

    // Assumed handler name: the question shows only the method body and its closing brace.
    protected void PayButton_Click(object sender, EventArgs e)
    {
        // Build a PayPal Payments Standard "Buy Now" URL and send the browser to the sandbox.
        string redirecturl = "";
        redirecturl += "https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_xclick&business=" + ConfigurationManager.AppSettings["paypalemail"].ToString();
        redirecturl += "&first_name=erfanpj";
        redirecturl += "&city=stockholms";
        redirecturl += "&state=stockholms";
        // Values read from page controls must be URL-encoded, or spaces and '&' break the query string.
        redirecturl += "&item_name=" + HttpUtility.UrlEncode(l1.Text);
        redirecturl += "&amount=" + HttpUtility.UrlEncode(l3.Text);
      //redirecturl += "&[email protected]";
        redirecturl += "&shipping=5";
        redirecturl += "&handling=5";
        redirecturl += "&tax=5";
        redirecturl += "&quantity=1";
        // The PayPal Standard variable is currency_code; "currency" is ignored.
        redirecturl += "&currency_code=USD";
        redirecturl += "&return=" + HttpUtility.UrlEncode(ConfigurationManager.AppSettings["SuccessURL"]);
        redirecturl += "&cancel_return=" + HttpUtility.UrlEncode(ConfigurationManager.AppSettings["FailedURL"]);
        Response.Redirect(redirecturl);
    }

Moreover, I am very eager to know what exactly the 'notify_url' and 'paypal-ipn' parameters do. Any feedback from the respectful readers here would be highly appreciated.

Regards,

Upvotes: 3

Views: 321

Answers (1)

jzonthemtn

Reputation: 3404

From your question I'm not sure you have a good understanding of the PayPal purchase process.

First, you should use PayPal generated buttons (made in your PayPal account) that are encrypted and prevent the user from changing the parameters on the purchase page.

Second, upon a transaction the PayPal IPN will POST (over SSL) to a page on your webserver that you have designated. Here you can extract the details of the purchase. (C# example on PayPal IPN handler) You should make sure the response is VERIFIED, verify the receiver email address is your email address, and the transaction amount is correct in the IPN handler prior to fulfilling the order. (More code samples are at PayPal Code Samples.)

Upvotes: 4
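An added example (not code from the question, the answer or PayPal's own samples) of the IPN listener the answer describes, written for ASP.NET like the question's snippet: it is the page you name in `notify_url`, and it refuses to fulfil an order until PayPal's postback says VERIFIED and the receiver email, status, currency, grand total and transaction id all check out. The sandbox postback host, the placeholder seller address, the in-memory order table and the use of the `custom` field to carry the order id are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;
using System.Net;
using System.Text;
using System.Web;

// Added example: an ASP.NET IPN listener for the URL passed as notify_url.
// PayPal POSTs here server-to-server, so nothing in it passes through the buyer's browser.
public class IpnHandler : IHttpHandler
{
    private const string ValidateUrl = "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"; // ipnpb.paypal.com for live
    private const string MyEmail = "seller@example.com";   // placeholder for AppSettings["paypalemail"]
    // Constructed stand-in for your order table: id -> grand total in USD (item + shipping + handling + tax).
    private static readonly Dictionary<string, decimal> Orders = new Dictionary<string, decimal> { { "ORD-1001", 35.00m } };
    private static readonly HashSet<string> SeenTxnIds = new HashSet<string>();
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Echo the raw body byte for byte with cmd=_notify-validate prepended; PayPal answers VERIFIED or INVALID.
        string raw = Encoding.ASCII.GetString(context.Request.BinaryRead(context.Request.ContentLength));
        string verdict = PostBack("cmd=_notify-validate&" + raw);
        context.Response.StatusCode = 200;   // always 200, otherwise PayPal keeps retrying the notification
        if (IsTrustworthy(HttpUtility.ParseQueryString(raw), verdict)) { /* only now fulfil order ipn["custom"] */ }
    }

    // Every check a forged, tampered or replayed notification would fail.
    public static bool IsTrustworthy(NameValueCollection ipn, string verdict)
    {
        decimal expected, gross;
        return verdict == "VERIFIED"
            && ipn["payment_status"] == "Completed"                      // not Pending, Refunded or Reversed
            && string.Equals(ipn["receiver_email"], MyEmail, StringComparison.OrdinalIgnoreCase)
            && ipn["custom"] != null && Orders.TryGetValue(ipn["custom"], out expected)
            && ipn["mc_currency"] == "USD"
            && decimal.TryParse(ipn["mc_gross"], NumberStyles.Number, CultureInfo.InvariantCulture, out gross)
            && gross == expected
            && ipn["txn_id"] != null && SeenTxnIds.Add(ipn["txn_id"]);  // false when this txn_id was seen before
    }

    private static string PostBack(string body)
    {
        using (var client = new WebClient())
        {
            client.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
            return client.UploadString(ValidateUrl, body).Trim();   // "VERIFIED" or "INVALID"
        }
    }
}
```

The `return` page then only needs to thank the buyer; the decision to ship is taken here, from data the buyer never touched.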
