I am sure this has been asked a lot of times before, but I am still finding it hard to do it. I want to secure my return URL, which updates the payment status of my member in the database. As soon as he pays on PayPal, he should come back to my site with a parameter (his member ID), and the returnURL page would update his payment status in the DB. I DO NOT want to display what parameter I am sending in the URL, nor do I want to display it in the PayPal button source code. And of course the memberID would change every time a new member registers and pays through PayPal, so we can't use encrypted HTML code. Can we do that?
I think the only way you can do all that is to write the username, password and a status of inactive to your database, along with any other information you wish to collect, as the person registers. The final step of registering is to pay. Then, when the person pays, the return URL runs a script to update the status to active in the database. Login is then allowed only when the username/password match and the status is active. Doing it in this manner allows for encrypted buttons, and with the proper safeties built in, the update status can never be called from a browser, as the only valid referrer is the secure PayPal server. Right. That should not take more than a few minutes to write.
Well, I don't want the encrypted button, because everything would be dynamic. So my return URL would be http://sitename.com/payment.php?userID=1&productId=12&payment=10, which would be different for different orders. This URL would update the database for this user. Now, my concern is that users can view the HTML source, extract the URL, and update the DB without actually going through PayPal. I want to hide this URL.
I do not use encrypted buttons on one of my sites because I am protected by the script. There is no way you can get to the files unless PayPal calls the script. All you will get is a "thank you for your purchase" page and email if you call it from the browser. But that is a good bit higher level of PHP programming than a person who had to ask this question is going to be able to write. I wish I could take credit for writing it. I did not. I bought it. Paid a whopping $20 for it. Best $20 I ever spent. It won't work for you because you want a version of a membership site software. It can be done.
Just a thought: you might want to download osCommerce or Zen Cart, as you need to sign up, then you get kicked to PayPal, then shot back to the site of origin. You could have a peek at the PayPal module they have and see if you can use parts of it to make yours work.
Why not pass the username of the member through the custom field in PayPal? Then you can write your IPN separate from your thank-you page. Have PayPal ring back to the IPN and update that member's information, i.e. WHERE username='$username', and have your statement update that user's data.
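
The IPN approach from the last reply, as an added example that is not part of the thread: the return URL only shows a thank-you page, and the status update lives in a separate listener that trusts nothing in the request until PayPal has confirmed it. Table names, column names and the sample message are constructed for illustration; `$verdict` stands in for PayPal's reply to the `cmd=_notify-validate` postback so the demo runs offline.

```php
<?php
// Added example (not from the thread). Table and column names are hypothetical.

// $verdict is the body PayPal returns when the listener posts the received
// message back with cmd=_notify-validate prepended: "VERIFIED" or "INVALID".
function process_ipn(PDO $db, array $ipn, string $verdict, string $ourEmail): string
{
    if ($verdict !== 'VERIFIED') return 'rejected: not verified by PayPal';
    if (($ipn['payment_status'] ?? '') !== 'Completed') return 'ignored: not completed';
    if (strcasecmp($ipn['receiver_email'] ?? '', $ourEmail) !== 0) return 'rejected: wrong receiver';

    // Expected price is read from our own row, never from the request.
    $q = $db->prepare('SELECT price_cents, currency FROM members WHERE username = ?');
    $q->execute([$ipn['custom'] ?? '']);
    $m = $q->fetch(PDO::FETCH_ASSOC);
    if ($m === false) return 'rejected: unknown member';
    $paid = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    if ($paid !== (int) $m['price_cents'] || ($ipn['mc_currency'] ?? '') !== $m['currency']) {
        return 'rejected: amount mismatch';
    }
    try {   // txn_id is the primary key, so a replayed message fails here
        $db->prepare('INSERT INTO payments (txn_id, username) VALUES (?, ?)')
           ->execute([$ipn['txn_id'] ?? '', $ipn['custom']]);
    } catch (PDOException $e) {
        return 'ignored: duplicate txn_id';
    }
    $db->prepare("UPDATE members SET status = 'active' WHERE username = ?")
       ->execute([$ipn['custom']]);
    return 'activated';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT PRIMARY KEY, status TEXT, price_cents INTEGER, currency TEXT)");
$db->exec("CREATE TABLE payments (txn_id TEXT PRIMARY KEY, username TEXT)");
$db->exec("INSERT INTO members VALUES ('alice', 'inactive', 1000, 'USD')");

$ipn = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
        'custom' => 'alice', 'mc_gross' => '10.00', 'mc_currency' => 'USD',
        'txn_id' => 'TXN-CONSTRUCTED-1'];

echo process_ipn($db, $ipn, 'INVALID', 'seller@example.com'), "\n";   // hand-crafted request
echo process_ipn($db, ['mc_gross' => '0.01'] + $ipn, 'VERIFIED', 'seller@example.com'), "\n";
echo process_ipn($db, $ipn, 'VERIFIED', 'seller@example.com'), "\n";  // genuine payment
echo process_ipn($db, $ipn, 'VERIFIED', 'seller@example.com'), "\n";  // same message again
```

With this split, the member name in the `custom` field does not need to be hidden: a request that PayPal does not verify, or whose amount differs from the stored price, changes nothing in the database.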