paypal integration with Website Payments Standard with sending download links by email

Question

I want to integrate paypal in the following way, but it may have some flaws which i am not aware of.

I would create a buy now button, with notify_url parameter which executes a php script. This script would do the following:

1. Store payers email, transaction id and some useful stuff in mysql database.
2. Generate a unique key from this and store it too.
3. Create an email and send it to the users address. This email would contain a link to a .php file with parameters like the unique key. (.php?key=xxxxxxx) If the customer clicks the link the file would check for the key in the database and create the actual link to the file to download.

I wonder if this can work, or there are some problems with this solution? Maybe i should use some sort of session handling?

Thanks for reading, any idea/advice is welcome.

ps: First, i wanted to redirect the user after payment, but read that it's not always working, only for those who use paypal account.

Answer 1

Yes it will work look into IPN, Paypal's way of talking to you once a transaction is done. Please do note that it is fairly complicated and you should watch out for different situations because Paypal will send IPN notices for many different situations.

From my experience:

• 1) Customer makes purchase on Paypal via credit card or account
• 2) Paypal servers will send IPN response your script
• 3) Verify that the transaction is COMPLETED and not pending
• 4) Generate a download key
• 5) Email the customer

Do not rely on the customer coming back to your site after the purchase. Let your IPN script do all of the work.

Answer 2

If you're going the Paypal IPN route, I assume that the script you detail above would occur after the IPN callback.

I've implemented a similar system myself, and is pretty straight forward - the design you've put forth is just about the same one I have as well. There's a bit of a disconnect between when the Paypal transaction completes (once they finish on Paypal's site, they take them back to a generic, "Thanks for paying" page on your site) and when they get the file download link in their email, but it works. As long as you're confident that your unique key is indeed unique, and you're not worried about keys being guessed or stolen, shouldn't be an issue. I also tracked how many times each key was used for a download just to keep an eye on possible "key sharing", or, if you want to do a one purchase-one download policy you can use a bool to track that.