SpYk3HH

Reputation: 22570

Verifying a PayPal transaction via POST information

I'm at a complete loss. I think I might be getting "mis-informed", but I'll try to explain my situation as best I can.

The Idea

What I'm being told & what I've tried

I was initially going to use IPN to do a post back to PayPal to verify the received data (ensure it wasn't spoofed), however, I'm being told that for cost purposes and having to set up an "ipn server" we can't use IPN ....

Ok, so I was gonna use PDT, except either I missed a major step in my attempt or it ISN'T working right at all because I'm not doing something right. Here is where I'm lost, I've tried a dozen different things, including a direct link post, using sparks (for CI) to set the data and call to PayPal link, and etc ...

I've looked over every PayPal question on here and a half dozen other forums and can't seem to get anything going.

Can anyone "clearly" tell me how I can verify the POST data of a successful PayPal transaction and maybe even tell me if I'm being misinformed about the IPN, cause I looked over the docs and I can't find what I've been told, nor can I really find my solution.

I feel stupid, please help.

Upvotes: 0

Views: 2838

Answers (2)

SpYk3HH

Reputation: 22570

Finally made it work correctly thanks to the update in info on IPN. My solution added the following line to my form:

    <input type="hidden" name="notify_url" value="<?= site_url('payment/notifyTest'); ?>">

Then in the notifyTest function I ran this:

    $pDat = $this->input->post(NULL, TRUE);
    $isSandBox = array_key_exists('test_ipn', $pDat) && 1 === (int)$pDat['test_ipn'] ? TRUE : FALSE;
    $verifyURL = $isSandBox ? 'https://www.sandbox.paypal.com/cgi-bin/webscr' : 'https://www.paypal.com/cgi-bin/webscr';
    $token = random_string('unique');

    $request = curl_init();
    curl_setopt_array($request, array
    (
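        CURLOPT_URL => $verifyURL,
        CURLOPT_POST => 0,              // POSTFIELDS below still makes this a POST
        CURLOPT_POSTFIELDS => http_build_query(array('cmd' => '_notify-validate') + $pDat),
        CURLOPT_RETURNTRANSFER => 0,    // 0: curl_exec() prints the body and returns TRUE/FALSE
        CURLOPT_HEADER => 0,
        CURLOPT_SSL_VERIFYHOST => 0,    // 0: certificate host name is not checked
        CURLOPT_SSL_VERIFYPEER => 0,    // 0: certificate chain is not verified
        CURLOPT_CAINFO => 'cacert.pem',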
    ));

    $response = curl_exec($request);
    $status   = curl_getinfo($request, CURLINFO_HTTP_CODE);

    curl_close($request);

    if($status == 200 && $response == 'VERIFIED') {
        //  SUCCESS
        $data = array (
            ... => ...
        );
        $this->db->insert('transactions', $data);
    }
    else {
        //  FAILED
        $data = array (
            ... => ...
        );
        $this->db->insert('transactions', $data);
    }

THE IMPORTANT DIFFERENCE AS WE FOUND -> DO NOT SET YOUR CURL VARS TO TRUE OR FALSE USE 0 FOR TRUE AND 1 FOR FALSE, IT MIGHT SOUND STUPID, BUT IT WOIKED!!!

Upvotes: 0

jpda

Reputation: 738

When your user clicks a PayPal button and goes to PayPal, when they complete the transaction, an IPN POST is made to a URL of your choosing. So you don't have to have another web server.

When the IPN request comes in, PayPal wants you to re-send the entire POST they made to you back to them, including all of the fields, in the exact order, at which point they will return the word 'VERIFIED' or 'INVALID.' If verified, then do whatever it is that you need to do to toggle your txn log from pending to verified. Also, any information you include in your button (your button is actually a form so you can include your own fields) is included in the POST. Useful for keeping a 'transaction id' or some other identifier for mapping back to your transaction.

If the IPN fails it will resend in n+4 minute increments (where n is how long it waited the last time - 4 minutes, next after 8 minutes, next after 12 minutes, etc) for a few days.

Upvotes: 2
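
A hardened form of the postback both answers describe, as an added PHP example that is not part of either answer: it sends the raw request body back in its original order, keeps TLS certificate verification on, and compares the reply strictly, since `curl_exec()` returns `TRUE` when `CURLOPT_RETURNTRANSFER` is off and `TRUE == 'VERIFIED'` holds in PHP. The function names and the sample body are constructed for illustration; the endpoints are the ones in the answer above.

```php
<?php
declare(strict_types=1);

// Endpoints as they appear in the answer above.
const PAYPAL_LIVE    = 'https://www.paypal.com/cgi-bin/webscr';
const PAYPAL_SANDBOX = 'https://www.sandbox.paypal.com/cgi-bin/webscr';

/** Prefix the validate command to the untouched body, keeping field order and encoding. */
function build_postback(string $rawBody): string
{
    return 'cmd=_notify-validate&' . $rawBody;
}

/** POST the body over TLS with certificate checks on; returns [HTTP status, body or false]. */
function post_to_paypal(string $url, string $body): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,  // return the body instead of printing it
        CURLOPT_SSL_VERIFYPEER => true,  // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,     // verify the certificate matches the host name
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    $status   = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return [$status, $response];
}

/** Only HTTP 200 with the exact string VERIFIED counts; a boolean reply never passes. */
function is_verified(int $status, $response): bool
{
    return $status === 200 && is_string($response) && trim($response) === 'VERIFIED';
}

// Constructed sample values (hypothetical transaction), runnable offline from the CLI.
if (PHP_SAPI === 'cli') {
    $raw = 'mc_gross=19.95&payment_status=Completed&txn_id=SAMPLE123&custom=order-42';
    echo build_postback($raw), "\n";
    var_dump(is_verified(200, 'VERIFIED'));  // reply body as returned with RETURNTRANSFER on
    var_dump(is_verified(200, 'INVALID'));   // rejected notification
    var_dump(is_verified(200, true));        // what curl_exec() returns with RETURNTRANSFER off
    var_dump(true == 'VERIFIED');            // the loose comparison, for contrast
}
```

In a handler, the raw body comes from `file_get_contents('php://input')` and is passed through `build_postback()` to `post_to_paypal()`; the transaction is marked verified only when `is_verified()` returns true.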
