Skyfe

Reputation: 11

How to secure paypal integration for website

I have been using paypal in the past for selling stuff through my website (e.g. memberships) but I always had to verify through paypal whether the user really bought the membership (for example) before I could assign it to his/her account. Now I was wondering if there's a way that I can put a paypal purchase button onto my webpage to (for example) purchase a membership and then once the user paid, he'll automatically be assigned the membership on my website (e.g. there's a page purchase_result.php which assigns the membership, but ONLY if the user really bought it through paypal). How can I make sure the user actually bought the item through paypal on the return page on my website?

Thanks in advance, Skyfe.

btw, I hope my question can be understood

Upvotes: 1

Views: 2368

Answers (1)

Robert

Reputation: 19356

You would use PayPal Instant Payment Notifications (IPN) to receive a server-to-server notification from PayPal which you can subsequently verify and use to update your database.

IPN works as follows:

  1. You create the PayPal button and include a "notify_url". The value for this parameter will be the full URL to a script on your server, called the 'IPN script' or 'IPN handler'.

     You can specify an IPN handler as follows for Website Payments Standard: <input type="hidden" name="notify_url" value="http://blah.com/ipn.php">

     For Express Checkout or Website Payments Pro, simply include the following in your SetExpressCheckout/DoExpressCheckoutPayment or DoDirectPayment API call respectively: NOTIFYURL=http://blah.com/ipn.php

  2. A buyer completes a transaction via PayPal.
  3. Once the buyer completes the transaction, he/she may close the browser, or return to your website.
  4. Once the transaction is accepted and processed by PayPal, PayPal will send out a notification to http://blah.com/ipn.php
  5. You need to take all POST data that was sent to this script, and POST it back to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate
  6. If the data you send back matches the data PayPal sent you, a 'VERIFIED' response is returned.
  7. If the response is VERIFIED, it's at this point that you would look up the matching transaction/buyer on your end, and update your database appropriately.

Some sample code and documentation for PayPal IPN is available at https://www.paypal.com/ipn/
In addition, some tips on making a secure IPN script are available at https://www.x.com/developers/community/blogs/ppmtsrobertg/securing-your-instant-payment-notification-ipn-script

Note: If you want to include any custom data along with the transaction which you can read out later, use 'custom'.
<input type="hidden" name="custom" value="xxxxx">
This will also be returned in the IPN POST data sent from PayPal.

Upvotes: 8
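The IPN flow in the answer above, written out as an added example in Python (it is not code from the answer or from PayPal; a PHP ipn.php would follow the same steps). It posts the raw body back byte-for-byte with `cmd=_notify-validate` prepended, since re-encoding the parameters is the usual cause of a spurious INVALID, and then applies the checks PayPal's IPN guidance recommends before touching the database: `payment_status` is Completed, `receiver_email` is your own account, `mc_gross`/`mc_currency` match what the item costs on your side (the button form is under the buyer's control), and `txn_id` has not been processed before (PayPal resends IPNs). The endpoint is the one the answer gives; the product catalogue, the `IpnHandler` class, the sample IPN body and the in-memory "database" are all constructed for this example.

```python
"""PayPal IPN handler logic as an added example (not PayPal's or the answer's code)."""
import urllib.request
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qsl

# Validation endpoint as given in the answer; PayPal's sandbox host differs (assumption).
VALIDATE_URL = "https://www.paypal.com/cgi-bin/webscr"


def post_back(raw_body: bytes) -> str:
    """Step 5: send PayPal's POST body back unchanged, prefixed with cmd=_notify-validate.

    This is the only network call; the tests below replace it with a stub.
    """
    req = urllib.request.Request(
        VALIDATE_URL,
        data=b"cmd=_notify-validate&" + raw_body,  # never re-encode the body
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "User-Agent": "example-ipn-handler",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace").strip()  # "VERIFIED" or "INVALID"


class IpnHandler:
    """Steps 6 and 7: act only on VERIFIED, then cross-check before granting anything."""

    def __init__(self, receiver_email, products, validator=post_back):
        self.receiver_email = receiver_email.lower()
        self.products = products  # hypothetical catalogue: item_number -> (price, currency)
        self.validate = validator
        self.seen_txn = set()     # stands in for a DB table of processed txn_ids
        self.granted = []         # stands in for the membership table: (user_id, item_number)

    def handle(self, raw_body: bytes) -> str:
        """Return a short outcome; only 'granted' assigns the membership."""
        if self.validate(raw_body) != "VERIFIED":
            return "invalid"  # forged, altered, or not from PayPal: do nothing

        ipn = dict(parse_qsl(raw_body.decode("utf-8"), keep_blank_values=True))

        if ipn.get("payment_status") != "Completed":
            return "not-completed"  # Pending, Refunded, Reversed, ... are not a sale
        if ipn.get("receiver_email", "").lower() != self.receiver_email:
            return "wrong-receiver"  # VERIFIED only proves PayPal sent it, not who got paid

        item = ipn.get("item_number", "")
        expected = self.products.get(item)
        if expected is None:
            return "unknown-item"
        price, currency = expected
        try:
            paid = Decimal(ipn.get("mc_gross", ""))
        except InvalidOperation:
            return "amount-mismatch"
        if ipn.get("mc_currency") != currency or paid != Decimal(price):
            return "amount-mismatch"  # buyer edited the amount in the button form

        txn_id = ipn.get("txn_id", "")
        if not txn_id or txn_id in self.seen_txn:
            return "duplicate"  # IPNs are retried; never grant twice
        self.seen_txn.add(txn_id)

        user_id = ipn.get("custom", "")  # your own user id, passed via the 'custom' field
        self.granted.append((user_id, item))
        return "granted"


# Constructed sample IPN body (not a real PayPal message): user 42 bought item "gold".
SAMPLE_IPN = (
    b"txn_id=1A2B3C&payment_status=Completed&receiver_email=seller%40example.com"
    b"&item_number=gold&mc_gross=9.99&mc_currency=USD&custom=42"
)


def demo(verdict="VERIFIED"):
    """Run the handler against the sample with a stubbed validation response."""
    handler = IpnHandler("seller@example.com", {"gold": ("9.99", "USD")},
                         validator=lambda body: verdict)
    first = handler.handle(SAMPLE_IPN)
    replay = handler.handle(SAMPLE_IPN)
    tampered = SAMPLE_IPN.replace(b"mc_gross=9.99", b"mc_gross=0.01").replace(b"1A2B3C", b"9Z9Z9Z")
    return first, replay, handler.handle(tampered), list(handler.granted)


if __name__ == "__main__":
    print(demo())            # ('granted', 'duplicate', 'amount-mismatch', [('42', 'gold')])
    print(demo("INVALID"))   # ('invalid', 'invalid', 'invalid', [])
```

In a real deployment the handler is the script behind `notify_url`; it should respond with HTTP 200 once it has stored the outcome, and the return page (`purchase_result.php` in the question) should only read the membership state that this handler wrote, never grant anything itself.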
