Please help, I don't understand PayPal IPN

Discussion in 'PayPal' started by clades, Oct 4, 2008.

  1. #1
    PayPal IPN is very confusing to me; it seems the help says everything but what you need to know :(

    All I want to do is to have a common transaction ID sent to my site along with the client's email so my site can instantly process the software license and allow the client access to the members area. It's a bit nuts having to ask clients to send me a copy of their own transaction IDs.

    Is this very hard to do?

    - Ah, another thing: when a client pays with a credit card (PayPal seems to offer that option for people who don't have a PayPal account), will there be any email address from the client?

    Any info you could provide would be very useful. Thank you.
     
    clades, Oct 4, 2008
  2. Colbyt
    #2
    You need an IPN script on your site to receive and process the data. Do you have one?
     
    Colbyt, Oct 4, 2008
  3. clades
    #3
    Are you talking about this?

    
    <?php
    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';

    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }

    // post back to PayPal system to validate
    $header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    $fp = fsockopen('ssl://www.paypal.com', 443, $errno, $errstr, 30);

    // assign posted variables to local variables
    $item_name = $_POST['item_name'];
    $item_number = $_POST['item_number'];
    $payment_status = $_POST['payment_status'];
    $payment_amount = $_POST['mc_gross'];
    $payment_currency = $_POST['mc_currency'];
    $txn_id = $_POST['txn_id'];
    $receiver_email = $_POST['receiver_email'];
    $payer_email = $_POST['payer_email'];

    if (!$fp) {
        // HTTP ERROR
    } else {
        fputs($fp, $header . $req);
        while (!feof($fp)) {
            // the response headers come first; the verdict is the last line read
            $res = trim((string) fgets($fp, 1024));
            if (strcmp($res, "VERIFIED") == 0) {
                // check the payment_status is Completed
                // check that txn_id has not been previously processed
                // check that receiver_email is your Primary PayPal email
                // check that payment_amount/payment_currency are correct
                // process payment
            } else if (strcmp($res, "INVALID") == 0) {
                // log for manual investigation
            }
        }
        fclose($fp);
    }
    ?>

    So far I got this: Client Purchase -> PayPal sends variables to site -> site resends variables to PayPal to acknowledge reception -> PayPal sends valid or invalid (hack attempt)

    But what happens with the transaction ID?
    I assume it is the variable $txn_id = $_POST['txn_id'];
    Will it be the same for both client and seller? Because in the normal process they're different; that's my question here.

    If the transaction IDs are different then this IPN thing is completely useless for my case.

    I need a common number/ID that the client can provide as a credential so this process can have any credibility.
     
    clades, Oct 4, 2008
  4. Colbyt
    #4
    I really don't know the answer to the last couple of questions above.

    What you have looks about right, but after the entire process is accepted and concluded there needs to be some additional action like writing to a database or sending you the email you mention in your initial post. The IPN process only "certifies" the validity of the transaction; then something else has to happen for you to be able to use that information.
     
    Colbyt, Oct 4, 2008
  5. directoryfire
    #5
    You can go to www.guru.com and post your project for free. There are plenty of coders there who are able to set up the IPN script for you. Hope this helps...
     
    directoryfire, Oct 4, 2008
  6. clades
    #6
    Colbyt, I just took the example from the PayPal page. I know I have to put the DB processing code there; that part I got. What I really need to know is if this IPN thing is secure enough that I can tell my site to create credentials simply based on the VALID PayPal returns. The common ID that needs to be matched by the client against DB records is to give extra security (do I really need extra security over IPN?).
     
    clades, Oct 4, 2008
  7. Colbyt
    #7
    IMO, never having written one, but trusting more than one of them to work correctly, I believe that with a really well written script OR using encrypted buttons it is safe enough for most uses.

    The bold part refers to details I am not at liberty to divulge, so if you are writing your own, use the PayPal encrypted buttons.
     
    Colbyt, Oct 4, 2008
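
The checks that the sample script in post #3 leaves as comments, which bear on the question in post #6 of whether a verified notification is enough to issue credentials, written out as an added example (not code from the thread or from PayPal). It assumes the postback already returned VERIFIED; the payments table, the $expected values and the sample notification are constructed for illustration.

```php
<?php
// Added example: run these checks only after the postback returned VERIFIED.
// Table layout, $expected and the sample notification are assumptions.
function accept_ipn(array $ipn, array $expected, PDO $db): string
{
    if (($ipn['payment_status'] ?? '') !== 'Completed' || ($ipn['txn_id'] ?? '') === '') {
        return 'rejected: not a completed payment';
    }
    // The money must have gone to our account, not to some other PayPal account.
    if (strcasecmp($ipn['receiver_email'] ?? '', $expected['receiver_email']) !== 0) {
        return 'rejected: wrong receiver';
    }
    // Amount and currency must match the price we charge (compared in cents).
    if (($ipn['mc_currency'] ?? '') !== $expected['currency']
        || !is_numeric($ipn['mc_gross'] ?? null)
        || round((float) $ipn['mc_gross'] * 100) !== round((float) $expected['amount'] * 100)) {
        return 'rejected: wrong amount or currency';
    }
    // Replay protection: the PRIMARY KEY on txn_id makes a second insert fail,
    // so a resent or duplicated notification cannot issue a second license.
    $stmt = $db->prepare('INSERT INTO payments (txn_id, payer_email) VALUES (?, ?)');
    try {
        $stmt->execute([$ipn['txn_id'], $ipn['payer_email'] ?? '']);
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') {
            throw $e; // not a uniqueness violation: a real database error
        }
        return 'rejected: txn_id already processed';
    }
    return 'accepted';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (txn_id TEXT PRIMARY KEY, payer_email TEXT)');

$expected = ['receiver_email' => 'seller@example.com', 'amount' => '29.95', 'currency' => 'USD'];
$ipn = [ // constructed sample notification
    'payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
    'mc_gross' => '29.95', 'mc_currency' => 'USD',
    'txn_id' => 'TXN-SAMPLE-0001', 'payer_email' => 'buyer@example.com',
];

echo accept_ipn($ipn, $expected, $db), "\n"; // first delivery of the notification
echo accept_ipn($ipn, $expected, $db), "\n"; // same txn_id delivered again
// different txn_id, but paid less than the price
echo accept_ipn(['mc_gross' => '0.01', 'txn_id' => 'TXN-SAMPLE-0002'] + $ipn, $expected, $db), "\n";
```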