Well, I feel I give my fair share of help on these forums - now I need someone else to help me!
I want a secure-ish way of accomplishing the following task:
- A user (registered to a bespoke system) clicks a 'Buy Now' Paypal button
- After *completing* the Paypal payment (successfully!), a 'credit' (integer increment) gets added to their account (i.e. the field in the database for the logged in user gets incremented).
The only bit of the whole task I'm unsure how to complete is the bit highlighted quite obviously. I know you can do 'completion' pages coded into a Paypal button, but once that URL is known by anyone, a user can just go to that URL (which will be a PHP script) without the need to go through the Paypal gateway - and I assume using if (strpos("http://paypal.com", $_SERVER['HTTP_REFERER'])) (or something to that effect) is not a secure way of preventing this.
It seems like such a simple problem, I hope there's a way to do this!
Thanks in advance...I hope I've posted in the right place, it's not really e-commerce as such but hey-ho, it's a Wednesday afternoon.
Paypal Payment capturing: Bear with me on this...
#2
Posted 10 April 2010 - 03:53 PM
Sounds like you should be doing this on your IPN processing script, not on the completion URL (you shouldn't be doing any important processing on this page really). Obviously on your IPN script you can check for duplicate payment ids, paypal payer ids - e.g. run the transaction against all your business rules etc.
If you were using Sagepay, this wouldn't be an issue btw as SagePay is so much more secure than paypal it's silly
#3
Posted 11 April 2010 - 11:48 AM
Thanks for the response, as I understand it, this is what I need to do:
1. Create the Paypal 'pay now' button, with data encoded to the form.
2. Use this IPN service, with this code:
<?php
// PHP 4.1
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = '';
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
if (!$fp) {
    // HTTP ERROR: PayPal could not be reached, so nothing can be validated
    error_log("IPN postback failed: $errstr ($errno)");
} else {
    fputs ($fp, $header . $req);
    while (!feof($fp)) {
        // strip the trailing newline so the comparisons below match
        $res = trim(fgets ($fp, 1024));
        if (strcmp ($res, "VERIFIED") == 0) {
            // check the payment_status is Completed
            // check that txn_id has not been previously processed
            // check that receiver_email is your Primary PayPal email
            // check that payment_amount/payment_currency are correct
            // process payment
        }
        else if (strcmp ($res, "INVALID") == 0) {
            // log for manual investigation
        }
    }
    fclose ($fp);
}
?>
3. The large commented area (after if (strcmp ($res, "VERIFIED") == 0) { ) is where I need to do final checks before creating a 'key' for use with the website?
#4
Posted 11 April 2010 - 03:15 PM
Would personally try your code in their sandbox first, as you have your code pointing at the live paypal site at the mo.
I'd personally prevent direct access to that script from sites other than paypal and the paypal ip too.
After the verified bit the comments there (from the paypal sdk) are the absolute minimum you should be checking for. But yes, that's where you do all your order processing, email confirmation etc.
Would also save the raw paypal response (the $req variable in your code) in your database too.
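The four checks listed in the VERIFIED branch of #3 and recommended as the minimum in #4, written out as a worked example (added here, not code from either poster or from the PayPal SDK). It assumes a PDO handle $db, a users table with a credits column, an ipn_transactions table with a UNIQUE index on txn_id, and that the button passes the logged-in user's id in PayPal's 'custom' field; the price, currency and email are constructed placeholders.

```php
<?php
// Added example: the checks to run inside the VERIFIED branch, then the credit.
// Assumed schema: users(id, credits), ipn_transactions(txn_id UNIQUE, user_id, raw_post).
define('MY_PAYPAL_EMAIL', 'seller@example.com');  // your Primary PayPal email (placeholder)
define('CREDIT_PRICE',    '5.00');                // price of one credit (placeholder)
define('CREDIT_CURRENCY', 'GBP');                 // currency of that price (placeholder)

function handle_verified_ipn(PDO $db, array $post, $raw_req)
{
    // 1. Only a Completed payment earns a credit; Pending, Refunded etc. are not credited.
    if ($post['payment_status'] !== 'Completed') {
        return 'ignored: status ' . $post['payment_status'];
    }
    // 2. The money must have gone to our account, not to a look-alike seller address.
    if (strcasecmp($post['receiver_email'], MY_PAYPAL_EMAIL) !== 0) {
        return 'rejected: wrong receiver';
    }
    // 3. Amount and currency must match what a credit costs (compare as 2dp strings,
    //    not floats, so "5" and "5.00" agree and "4.99" does not).
    if ($post['mc_currency'] !== CREDIT_CURRENCY
        || number_format((float) $post['mc_gross'], 2, '.', '') !== CREDIT_PRICE) {
        return 'rejected: wrong amount';
    }
    $user_id = (int) $post['custom'];
    $db->beginTransaction();
    try {
        // 4. Replay protection: the UNIQUE index on txn_id makes a resent or replayed
        //    IPN fail this INSERT, so one payment can never be credited twice.
        //    Storing the raw post also covers the "save the raw response" advice above.
        $ins = $db->prepare(
            'INSERT INTO ipn_transactions (txn_id, user_id, raw_post) VALUES (?, ?, ?)');
        $ins->execute(array($post['txn_id'], $user_id, $raw_req));
        // 5. Increment in SQL rather than read-modify-write, so two IPNs arriving
        //    at once cannot lose an update.
        $upd = $db->prepare('UPDATE users SET credits = credits + 1 WHERE id = ?');
        $upd->execute(array($user_id));
        $db->commit();
        return 'credited';
    } catch (PDOException $e) {
        $db->rollBack();
        if ($e->getCode() == '23000') {   // SQLSTATE 23000: integrity constraint (duplicate txn_id)
            return 'ignored: duplicate txn_id';
        }
        throw $e;
    }
}
```

Call it as handle_verified_ipn($db, $_POST, $req) in place of the "// process payment" comment, and log whatever it returns so rejected or duplicate notifications can be investigated.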
#5
Posted 12 April 2010 - 10:38 PM
Thanks for your guidance rallport, I think I've got it working now.
I've been using Sandbox and have got to the stage where my script detects a completed transaction and carries out the required tasks. It also detects incomplete and sends e-mails on what to do...
I ended up finding a template IPN script on some blog (can't remember which one now), which was highly rated and had 100's of good comments - obviously it's been largely modified now though to suit my requirements. Had about 10 consecutive successful tests, hopefully got my head round it all now!