A listener on my website 'listens' for successful purchases made via Paypal. Data retrieved by the listener includes a post variable that I can set before initiating the purchase. This is possible with Paypal's IPN(Instant Payment Notification). I am trying to get the IPN to recognize the users account on my website upon purchase. Every account on my website has a unique user ID number.
I have tried passing the accounts unique ID through Paypal's "Custom" variable so the IPN can listen for that. Though I think this is a bad idea because then people can purchase things for another account if they passed their unique ID. Though this is a guaranteed purchase handler, hackers can take advantage of this with social engineering.
I see that some people instead pass the session_id with php, but this isn't safe because the listener would have no way of recognizing the user's website account if the session_id were to disappear. I also see that people will pass a cookie tied to the user's unique account. I don't think this is a good idea because the cookie could be cleared.
It is to my impression that I can not send a refund or cancel a purchase if the user's account could not be identified(Without doing it manually). What checkout flow should I do?
I would create a local invoice record in your system, and this invoice would get a customer ID associated with it.
Then you can use the INVOICE parameter to pass the invoice ID to PayPal, and that would come back in IPN where you can then lookup the customer ID based on that invoice ID.
Related
I am working on a software service and am offering a monthly subscription for my software service.
I am currently working on the subscription part - and am wanting to implement a paypal monthly recurring payment solution.
I have spent quite a bit of time looking over PayPal documentation, and trying different buttons, webhooks, IPN methods etc.
The problem is that I am not sure what solution to use - because I am confused by the multiple options.
What is most important to me is - that when the customers fill out the form on my website - and are then directed PayPal to pay - I then want to know that specific Customer ID from my website has successfully paid.
I would like to know:
Which SPECIFIC option(s) PayPal has that I can pass Customer ID from my website of that customer - let's say a subscription ID from my site - and that PayPal will then send the customer back with my subscription ID, that I passed them on to PayPal with.
Which is the easiest option to do that with?
I simply want the customer to:
sign up at my site. (my part)
be issued a unique Customer ID from my website (my part)
click a PayPal payment/subscribe button (my part)
be sent to PayPal to pay for the subscription (paypal's part)
be returned to my site with the unique Customer ID from my website from my site - as well as a confirmation of payment from PayPal (paypal's part)
Please do not simply pass me to the general area of the development sections -
As I said - I have already been through all of that and find there is too much information.
Please direct me to a specific solution, or example, or tutorial that covers a solution that will fit what I need.
I would recommend using the Express Checkout API with Recurring Payments.
The best thing to do would be to create a local invoice record in your system, and then have a related customer ID associated with that invoice.
In the CreateRecurringPaymentsProfile request to PayPal you can include a PROFILEREFERENCE parameter, which would be the invoice ID you generated for that order in your system. Then all future payments related to that profile would include this same reference ID as part of its data, so if you're using IPN, for example, it would be included there.
When working with Express Checkout the user is always guaranteed to end up back on your site to finish the checkout flow, so you can simply save data in sessions during checkout and update things like your database, email receipts, etc. directly in your payment flow. Then you could use IPN to process the recurring payments after that, and again, it would include that same reference ID. In IPN this would come back as rp_invoice_id.
I am selling my software on line, and using PayPal for payment processing. Every time someone buys my software, I get notified by PayPal, at which point I take the purchaser's name and encrypt it onto a unique password with which they can unlock the software. I e-mail this password to the user.
I'd like to automate this step, so that every time PayPal processes the payment, the user name is used to create an unique password, and the email is sent directly to the user. Is that possible from PayPal's side?
You have many options. For example:
PayPal - Instant Payment Notification. Basically, everytime one of
your clients buys your software PayPal will notify you using the url
you set in your button for IPN. Please check the documentation
HERE
Express Checkout. DOCUMENTATION
I have implemented PayPal payments using PDT. I realize a combination of PDT and IPN is recommended, however for my purposes PDT is sufficient.
I am able to direct user to PayPal, collect payment and then conduct an action (updating account credits for the user in the database) when the user returns to my site. The URL shows an address like:
http://www.domain.com/process_pdt?tx=45138128VH922173V&st=Completed&amt=1.99&cc=USD&cm=&item_number=
So far so good. The problem I have is refreshing the browser with this URL causes the user's account to get credited again without redirecting the user to PayPal to collect payment a second time.
I have read that I should add the transaction id (tx in URL above) to the user table and check to ensure this tx id has not already been used. If it has, I should display an error message. Is this the only way to go about this, i.e. by storing each tx id in the user table and then checking for the id's existence each time the process_pdt URL above is called by the user (legitimately or fraudulently)?
Ah, yes: this is indeed the only way to go. As a simple sanity check you may want to do a redirect from the process page to a URL that does not include the txn_id (that way a casual refresh won't cause the problem, but if they use their back button it will still happen) but you must verify that the txn_id is only used once yourself.
I've got a web application with a form where users can sign up for a seminar. The process is currently as follows:
Register for seminar
Registration success page with Paypal Buy-Now button to make payment
Paypal payment
Registration completion page
At present, emails are sent to the admin and the user at step 2 after registering confirming their registration. This needs to be changed so that the emails are actually sent in step 4, after payment has been made.
The application is built in ASP.NET, and all of the code to send emails, etc is all done. I'm curious as to what is the best way to trigger a process on the main website using the users details after they have completed the Paypal payment process.
From what I can see, there are the following options:
Store the data in the session. When the user returns to the registration completion page, retrieve the information and send the emails. My concern with this is that I've worked on a project in the past implementing this and it never worked very well, with the session getting lost.
Store the data in the database. Have the Paypal redirect include the transaction details in the querystring to the return page, which can retrieve the registration details using the email address and send the emails. However, this may not work if the email address used on Paypal is different from the one used to register (which is quite likely in this scenario).
Post all the details to Paypal, so that they are included in the transaction. Downsides: Won't send confirmation email to the user, only the admin (and assuming that the Paypal email address is the same as the email to which payment notifications should be sent). Also not sure if this can be used with hosted buttons.
I'm sure this is a common problem, and any advice would be appreciated. Thanks.
Use paypal instant payment notification
When the order is placed on your site, put it into a db table, with whatever you need to record. I then have an OrderId (from the db table) that I pass to paypal as an 'invoice' field, this gets passed back via ipn with a payment status etc.
I wanted to use Paypal's IPN service to verify payments for a recurring subscription charge for my website. How do you tie the IPN confirmations to a user in your site?
The IPN confirmation message has a name, email, paypal ID, recurring payment ID, but it seems to not give a unique identifier since I don't know where the paypal ID or recurring payment id comes from and it may not be trivial to uniquely match up the name/email that a user has on their paypal account (or entered there) with the name/email I have for them on my site (there may be many John Smith's and the person may choose to use a different email.)
1) When I send the initial payment request to Paypal, I can attach a unique UUID in the URL I ask them to send back to me, so if I save that unique ID for that user I can match that payment confirmation to the user who initiated it. Am I making that harder than it is? Is there an easier way?
2) Also, for a recurring/subscription charge, does paypal always use the URL I specified with the initial payment initiation? Does anyone have practical experience using the recurring Paypal payments with IPN's, does it reuse that unique URL? Or do I have to associate the Paypal ID's with the user after the first recurring payment is received?
Attaching unique data to the payment request is pretty much the accepted way to do it.
I don't have any experience with recurring charges.
I recently also set up some reoccurring payments with Paypal.
I actually wanted people to register as members after paying for the subscription, if they wanted to. As having to sign up as a member could add some friction to the sale process. So I don't send any user info along with the Subscribe button.
What my IPN script does is generate a unique activation code tied to the Paypal subscriptionID in the Activations table, then it sends this code to whoever paid for the subscription, with instructions on how to activate.
At the point of activation, you need to register or login. At this point the userID is added to the relevant row in the Activations table.
When the EndOfTerm IPN notification comes in the IPN script looks up the userID from the Activations table based on the SubscriberID given in the IPN. Then I can do whatever I need to do to that user to disable their subscription.
At all time the URL of the IPN script remains the same.
1) You can send an 'item_number' parameter with the initial subscription setup, which will get passed back to you. I'd suggest embedding an identification token in it.
2) If you mean the 'return' parameter, no, that's for sending the user to at the conclusion of the subscription setup. The renewal is automatic and doesn't 'ping' that page.
1) You want to be using the item_number parameter. Set this in your HTML form shown to the customer, and it will be returned to you by the paypal IPN, so you can put a database row ID in here, and use it to match up to the right person later.