Computer

Reputation: 2227

No IPN history and PayPal security

I'm sending the below form to PayPal

<form name="myForm" method="POST" action="https://www.sandbox.paypal.com/cgi-bin/webscr" >
<input type="hidden" name="cmd" value="_cart"/>
<input type="hidden" name="business" value="[email protected]"/>
<input type="hidden" name="item_name_1" value="Product 1"/>
<input type="hidden" name="amount_1" value="500.00"/>
<input type="hidden" name="quantity_1" value="1"/>
<input type="hidden" name="upload" value="1"/>
<input type="hidden" name="currency_code" value="GBP"/>
<input type="hidden" name="return" value="http://XX/paypal/completed.aspx"/>
<input type="hidden" name="rm" value="2"/>
<input type="hidden" name="cancel_return" value="http://XX/paypal/Cancel.aspx"/>
<input type="hidden" name="shopping_url" value="http://XX/paypal/MyShop"/>
<input type="hidden" name="notify_url" value="http://XX/paypal/MyShop/checkout.aspx"/>
<input type="hidden" name="lc" value="GB"/>
<input type="hidden" name="image_url" value="http://XX/paypal/shop.gif"/>
<input type="hidden" name="no_note" value="1"/>
<input type="hidden" name="invoice" value="ZZZ1234567890"/>
<script type="text/javascript">document.myForm.submit();</script></form>

I can successfully make a payment using the sandbox accounts (for buyer and seller). I set up IPN to receive messages and entered a public URL which I can reach from outside my network.

Every time I make a payment I never see any history for the transaction. Do I need to add any additional configuration above or with my PayPal account? The URL I'm looking at is:

https://www.sandbox.paypal.com/uk/cgi-bin/webscr?cmd=_display-ipns-history

I set up AutoReturn by enabling it, as I need the transaction data to update my database with the response from PayPal.

I add the same URL as the notify_url to the Return URL, and enable Payment Data Transfer. I note the Identity Token but have not needed to use this so far....

Below is my C# code to process the response

try
{
    string strRequest = string.Empty;
    string strLive = "https://www.sandbox.paypal.com/cgi-bin/webscr";
    HttpWebRequest req = (HttpWebRequest)WebRequest.Create(strLive);
    req.KeepAlive = false;
    req.ReadWriteTimeout = 600000;
    req.Timeout = 600000;

    //Set values for the request back
    req.Method = "POST";
    req.ContentType = "application/x-www-form-urlencoded";
    byte[] param = Request.BinaryRead(HttpContext.Current.Request.ContentLength);
    strRequest = Encoding.ASCII.GetString(param);
    strRequest += "&cmd=_notify-validate";
    req.ContentLength = System.Text.Encoding.UTF8.GetByteCount(strRequest);

    //Send the request to PayPal and get the response
    Stream RequestStream = req.GetRequestStream();
    StreamWriter streamOut = new StreamWriter(RequestStream, System.Text.Encoding.UTF8);
    RequestStream.ReadTimeout = 600000;
    RequestStream.WriteTimeout = 600000;
    streamOut.Write(strRequest);
    streamOut.Close();
}
catch (Exception ex)
{
.....
}

But I didn't need the Identity Token to verify anything? So I'm a little curious to know whether I've secured this correctly and that I don't need to add additional checks to ensure the page that processes the response cannot be easily manipulated?

I know I've not posted the code that actually processes the database record, but I'm checking to see if the form and the response from PayPal have any fields that I should base my checks on.

Upvotes: 0

Views: 200
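
On which fields to base the checks: the hidden form fields (`business`, `amount_1`, `currency_code`) travel through the browser, so the handler should compare the notification against the order stored server-side before updating the database. The sketch below is an added example, not the poster's code; `Order`, `IpnChecks` and the sample values are assumptions, while `payment_status`, `receiver_email`, `invoice`, `mc_currency`, `mc_gross` and `txn_id` are standard IPN variables.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Globalization;
using System.Web;

// Added example. Order and IpnChecks are hypothetical names.
public sealed class Order
{
    public string Invoice;        // value sent in the form's "invoice" field
    public decimal Total;         // order total as stored in the database
    public string Currency;       // form's "currency_code"
    public string ReceiverEmail;  // form's "business"
}

public static class IpnChecks
{
    // Returns null when the notification may update the order, otherwise the reason to reject it.
    public static string Reject(string verifyReply, NameValueCollection ipn, Order order, ISet<string> seenTxnIds)
    {
        if (verifyReply != "VERIFIED") return "not verified by PayPal";
        if (ipn["payment_status"] != "Completed") return "payment not completed";
        if (!string.Equals(ipn["receiver_email"], order.ReceiverEmail, StringComparison.OrdinalIgnoreCase))
            return "paid to a different account";
        if (ipn["invoice"] != order.Invoice) return "unknown invoice";
        if (ipn["mc_currency"] != order.Currency) return "wrong currency";
        decimal gross;
        if (!decimal.TryParse(ipn["mc_gross"], NumberStyles.Number, CultureInfo.InvariantCulture, out gross)
            || gross != order.Total)
            return "amount does not match the order";
        string txn = ipn["txn_id"];
        // Record the transaction id last, so only fully valid notifications are marked as processed.
        if (string.IsNullOrEmpty(txn) || !seenTxnIds.Add(txn)) return "txn_id missing or already processed";
        return null;
    }

    public static void Main()
    {
        // Constructed sample data: the stored order and two notification bodies.
        var order = new Order { Invoice = "ZZZ1234567890", Total = 500.00m, Currency = "GBP", ReceiverEmail = "seller@example.test" };
        var seen = new HashSet<string>();
        string good = "payment_status=Completed&receiver_email=seller%40example.test&invoice=ZZZ1234567890"
                    + "&mc_currency=GBP&mc_gross=500.00&txn_id=TESTTXN1";
        string edited = good.Replace("mc_gross=500.00", "mc_gross=5.00"); // amount changed before submission

        Console.WriteLine(Reject("VERIFIED", HttpUtility.ParseQueryString(edited), order, seen) ?? "accepted");
        Console.WriteLine(Reject("VERIFIED", HttpUtility.ParseQueryString(good), order, seen) ?? "accepted");
        Console.WriteLine(Reject("VERIFIED", HttpUtility.ParseQueryString(good), order, seen) ?? "accepted");
    }
}
```

In a real handler `verifyReply` is the body PayPal returns to the `cmd=_notify-validate` post, and the set of processed `txn_id` values lives in the database rather than in memory.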

Answers (1)

Matt Cole

Reputation: 2562

It looks like the email address on your receiver's account wasn't confirmed. When the email address isn't confirmed, the payment will stay in a "pending" state until the receiver (a) creates an account under that email address, and (b) confirms that email address. If the receiver doesn't do those within 30 days, the payment is automatically cancelled and returned to the sender.

I've gone ahead and confirmed the email address on your sandbox account for you. You should see the transactions show up in your receiver's account shortly.

Upvotes: 1
