I've setup a PayPal site which uses IPN and I was having trouble getting PayPal to send the GET variables to the return URL that I had specified. It was sending the user's browser to the return URL, but nothing was being passed via GET or POST.
I changed one setting in the PayPal business account: "Payment Data Transfer (optional)" to On which generated an "Identity Token" on the PayPal website.
I also got an automated email from PayPal saying:
---------- Forwarded message ----------
From: service#paypal.com <service#paypal.com>
Subject: Payment Data Transfer (PDT) Has Been Enabled
This email is to inform you that you have successfully enabled Payment Data Transfer.
PDT's primary function is to display payment transaction details to buyers when they are redirected back to your site upon payment completion. However, there are cases, such as with pending transactions, where you won't receive notification of all transactions. For this reason, PayPal strongly recommends that you also enable Instant Payment Notification (IPN).
To learn more about enabling and setting up IPN:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/ipn-intro-outside
To learn more about Payment Data Transfer, including setup instructions and a complete list of variables:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/pdt-intro-outside
Sincerely,
PayPal
Clicking on the second link and clicking on "Technical Overview" (https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/pdt-techview-outside) shows:
Your POST should be sent to
https://www.paypal.com/cgi-bin/webscr.
You must post the transaction token
using the variable "tx" and the value
of the transaction token previously
received (e.g.
"tx=transaction_token"), and the
special identity token using the
variable at and the value of your PDT
identity token (e.g.
"at=identity_token"). You will also
need to append a variable named "cmd"
with the value "_notify-synch", for
example "cmd=_notify-synch", to the
POST string.
However, I am NOT passing the Identity Token at all, yet everything is working fine!
(a) Is this a problem?
(b) Why is it working if the documentation implies that it shouldn't?
(c) Is this a consequence of specifying an outdated API version (58.0)? What is the value I should be using?
In my opinion the identity token should be a required param since it is the only way Paypal can verify that the request you're making is valid. Otherwise, other people can simply guess a transaction id (even though it is not intended for their accounts) and get details for that transaction from Paypal.
I'm guessing this is a bug you're experiencing. Are you testing in the Paypal sandbox or in a live environment?
Realizing that the OP probably no longer needs an answer after 9 years, but others still might:
The POST of the transaction ID and identity token is purely for the purpose of verifying that the original transaction notification (relayed via the GET method to the merchant's Return URL) actually came from PayPal.
It is as if to say to PayPal, "My website just got this supposed confirmation that a customer paid. Here is the transaction ID and my seller ID again. Is this a legitimate match?"
In fact, at https://developer.paypal.com/docs/api-basics/notifications/payment-data-transfer/, when talking about setting up for testing, it only talks about getting your script ready to receive, parse and display the GET data. It doesn't mention the POSTing back to PayPal (though that is mentioned elsewhere). So, yes, the PDT function should work without doing the POST back to PayPal afterward and waiting for that response of SUCCESS or FAIL, but...
Anyone who knew what they were doing could go to a seller's URL and append a query string with the right combination of variables to fake the same kind of GET request that the PayPal PDT system would initially send, whether or not the transaction ID were a real one.
Related
With PayPal billing, with Auto Return and PDT enabled, when a user is returned to one's Return URL after a successful charge event, several parameters are appended by PayPal to the URL (e.g. "tx" for transaction id), which can then be used to identify the user.
However, if the user has just joined subscription with a free trial, no such information is appended and so the user is not identifiable at that point in time.
Since IPN is asynchronous, the IPN notification may arrive too late so one cannot rely on this.
Is there any way of identifying a user via the Return URL after they have entered a subscription with a free trial?
Similar Que: Implementation of free trial period with PayPal doesn't return any custom parameter
"If you are using PDT, then nothing will be sent back as no payment is taking place. Information will only be sent back if you are making a payment. I would recommend using IPN. Both the rm variable and PDT are dependent on the buyer returning back to your site. If the buyer does not return, such as their browser window unexpectedly crashes and closes, or they simply shut it no information will be sent back and it will be lost. This is why the rm variable and PDT are used more for creating dynamic receipts. IPN is more used for updating your system as it does not rely on the buyer returning back to your site. "
"Also with IPN you can resend the data to your system if you need to, and you can also view your IPN history from within your account. IPN usually takes place right after the payment is completed."
I'm currently trying to implement a mechanism whereby i can return a customer to a success page containing an activated PIN allowing access to a piece of software. The process is a straight forward PIN purchase without any kind of user accounts or login system involved.
I have the payment buttons and IPN script in place and working fine, but this only allows me to email the PIN after a successful payment via the IPN script, since of course the two sessions are completely separate to maintain security.
My problem with this is that i can't be sure the customer has access to the same email they used to pay with via Paypal. I had the idea of asking the user to enter which email they would like the PIN sent to prior to the Paypal redirection and then sending it as a custom value.. but then came visions of a mammoth backlog of support emails where users have entered the wrong email. I would really like to be able to redirect to a success page containing the PIN.
Thanks in advance.
I would recommend using the Express Checkout API. The payer experience is very similar to standard payment buttons, however, the user is always guaranteed to return back to your site, so you can display whatever you want on your final page.
That documentation can be a little scary, but it's really just a matter of utilizing 3 API calls.
SetExpressCheckout - This is used to setup a new transaction and will return a token that you'll append to the end of a redirect URL to PayPal. The user is sent to PayPal, they login and agree to pay, and are then sent back the ReturnURL that you specify in this request.
GetExpressCheckoutDetails - Now back on your site/application, you use this API to obtain information about the buyer like their shipping address, address status, payer status, payer ID, etc. You will need the Payer ID for the final API call.
DoExpressCheckoutPayment - This is very similar to the SetExpressCheckout request, but no transaction is completed until this call is completed. Only then does the money move.
Again, those final calls are done on your site so you can use the API response data to update your database and display details on the final page however you want to.
Keep in mind that payments could still be pending for one reason or another, so you'll want to check the status (returned in the DECP response) and display appropriate information on the final page.
IPN's will still be triggered with Express Checkout so you can adjust the IPN script to handle pending payments or anything else you may want to automate outside the checkout flow.
If you happen to be working with PHP my class library for PayPal will make these calls very quick and easy for you.
I have integrated PayPal into my website and have the IPN system working successfully. The problem I have now is that unless the PayPal email is the same as the one they used to register on my site, I have no idea who the person is.
I would like to add on my own data to the IPN message such as AccountID=10 or AccountName="SomeName" so that I can identify who the person is for my own user base since it is selling of virtual goods and privileges and not shipping to some address. Can this be done?
You certainly can send many parameters such as invoice parameter with your Paypal IPN request and get it returned with IPN response.
Full parameters list is available here:
https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNandPDTVariables/
You could also make this a non-issue by setting it up so your customers use their PayPal login credentials to log into your site. Have a look at the following documentation:
https://developer.paypal.com/webapps/developer/docs/integration/direct/identity/log-in-with-paypal/
I'm using PayPal Payments Advanced with TEMPLATE=TEMPLATEC. I already figured out how to create an IFRAME and receive confirm/cancel/silent_post responses from PayPal. But I've found no way to validate parameters my confirm/cancel/silent_post pages receive. Is there a way to ensure that these parameters are from PayPal and not just sent by arbitrary user?
About the best option you have is to run an inquiry transaction (TRXTYPE=I) against the secure token and secure token ID you received from PayPal before displaying the iframe. If a transaction was run, that call will give you the transaction ID (PNREF) from the transaction. (And depending on your situation, the PNREF may be all you need.) If that matches the PNREF sent back to you by the buyer, then there's a good chance that the rest of the data is genuine.
For example:
Request:
USER=****&VENDOR=****&PARTNER=****&PWD=****&TRXTYPE=I&SECURETOKEN=7tGDq6ILZeEmATCwTXrSRkwjz&SECURETOKENID=76ac5819ee01475daf15b2af038da977&VERBOSITY=HIGH
Response:
RESULT=0&PNREF=E79P4ABEC9DE&TRANSSTATE=8&ORIGRESULT=0&ORIGPNREF=E19P4BFB14B2&RESPMSG=Approved&AUTHCODE=111111&AVSADDR=Y&AVSZIP=Y&CVV2MATCH=Y&ORIGPPREF=1XR06058R58346646&CORRELATIONID=bdd79cb3c7fb6&PROCAVS=X&PROCCVV2=M&SETTLE_DATE=2013-04-23 07:22:06&TRANSTIME=2013-04-23 07:22:06&LASTNAME=NotProvided&AMT=24.99&ACCT=3698&EXPDATE=1214&CARDTYPE=0&IAVS=N
ORIGRESULT is the result of the original transaction (0 is a success; anything else is a failure.)
ORIGPNREF is the PNREF from the original transaction.
You can also put a long, unique "token" parameter in your silent post URL. Something like
"http:// www.my-web-site.com/confirm-payment?token=2348349u21034ms39n899"
and match it up with the same token a server side script is expecting. Since the silent post URL is stored in your PayPal manager account, the token is confidential, and even the URL as a whole is confidential. Plus the transaction info is also passed to this silent post URL allowing you to match up info with your transaction you saved in your database at checkout. This is a good secure method to confirm payment was correctly made. The silent post will work for both "pay with paypal" and "direct credit card payment" methods on the payments advanced iframe (a.k.a. hosted checkout page). Additionally, you can also throw in one more check, to see if PayPal is the $_SERVER['HTTP_REFERER']; (which of course can't be trusted purely on its own).
I've got a web application with a form where users can sign up for a seminar. The process is currently as follows:
Register for seminar
Registration success page with Paypal Buy-Now button to make payment
Paypal payment
Registration completion page
At present, emails are sent to the admin and the user at step 2 after registering confirming their registration. This needs to be changed so that the emails are actually sent in step 4, after payment has been made.
The application is built in ASP.NET, and all of the code to send emails, etc is all done. I'm curious as to what is the best way to trigger a process on the main website using the users details after they have completed the Paypal payment process.
From what I can see, there are the following options:
Store the data in the session. When the user returns to the registration completion page, retrieve the information and send the emails. My concern with this is that I've worked on a project in the past implementing this and it never worked very well, with the session getting lost.
Store the data in the database. Have the Paypal redirect include the transaction details in the querystring to the return page, which can retrieve the registration details using the email address and send the emails. However, this may not work if the email address used on Paypal is different from the one used to register (which is quite likely in this scenario).
Post all the details to Paypal, so that they are included in the transaction. Downsides: Won't send confirmation email to the user, only the admin (and assuming that the Paypal email address is the same as the email to which payment notifications should be sent). Also not sure if this can be used with hosted buttons.
I'm sure this is a common problem, and any advice would be appreciated. Thanks.
Use paypal instant payment notification
When the order is placed on your site, put it into a db table, with whatever you need to record. I then have an OrderId (from the db table) that I pass to paypal as an 'invoice' field, this gets passed back via ipn with a payment status etc.