I've looked around, but haven't been successful in finding exactly what I want. If you can help me along, I'd really appreciate it.

1. Create a PayPal Buy it Now button (that's easy).
2. Have the customer click it and pay (that's easy).
3. Have PayPal redirect to my website and a script will verify that they've bought it (difficult).
4. If they've been verified, do various things (that's easy).

It's the verification part I'm having trouble with. I can't find any pages on PayPal showing verification techniques. The most secure option would be great. Thanks, Sam.
I think this is what you'd need: https://cms.paypal.com/us/cgi-bin/?...nt_ID=developer/library_code_ipn_code_samples
This is the modified code I wrote on top of their IPN example for my kblinker purchase form (on the order page of kblinker.com). When you create the button in PayPal you want to use notify_url=http://www.yourdomain.com/ipn.php in the advanced box so that you give the button a notify URL (so that you're not having to set a global notify for every transaction you get). Then in the ipn.php I have something like this (some data omitted, mainly where I actually insert information into my database):

```php
<?php
function verify() {
    $verify = false;
    // Build the postback: the original message, unchanged, prefixed with cmd=_notify-validate
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }
    // post back to PayPal system to validate
    $header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Host: www.paypal.com\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    $fp = fsockopen('ssl://www.paypal.com', 443, $errno, $errstr, 30);
    if (!$fp) return false; // http error
    fputs($fp, $header . $req);
    while (!feof($fp)) {
        $res = trim(fgets($fp, 1024));
        if (strcmp($res, "VERIFIED") == 0) {
            $verify = true;
            break;
        } else if (strcmp($res, "INVALID") == 0) {
            break;
        }
    }
    fclose($fp);
    return $verify; // false by default unless true due to verification
}

function insert_data() {
    global $data;
    $item_name        = $_POST['item_name'];
    $item_number      = $_POST['item_number'];
    $payment_status   = $_POST['payment_status'];
    $payment_amount   = $_POST['mc_gross'];
    $payment_currency = $_POST['mc_currency'];
    $txn_id           = $_POST['txn_id'];
    $receiver_email   = $_POST['receiver_email'];
    $payer_email      = $_POST['payer_email'];
    $name             = $_POST['first_name'] . " " . $_POST['last_name'];
    $contact          = $_POST['option_selection2'];

    // mysql_* no longer exists in current PHP; PDO with prepared statements keeps
    // IPN field values out of the SQL text entirely
    $db = new PDO("mysql:host=localhost;dbname=database_name", "username", "password");
    $stmt = $db->prepare("SELECT id FROM transactions WHERE txn = ? LIMIT 1");
    $stmt->execute([$txn_id]);
    $id = (int) $stmt->fetchColumn(); // 0 when there is no such row

    if ($id > 0) {
        // Transaction already exists, update status
        $stmt = $db->prepare("UPDATE transactions SET `status` = ? WHERE id = ?");
        $stmt->execute([$payment_status, $id]);
    } else {
        // Transaction does not yet exist, insert
        $access = 0;
        if (($payment_amount == 50) && ($item_number == "KB-SL")) $access = 1;
        else if (($payment_amount == 75) && ($item_number == "KB-ML2")) $access = 2;
        else if (($payment_amount == 100) && ($item_number == "KB-ML3")) $access = 3;
        if ($access > 0) {
            // column list and bound values omitted here, as in the original post
            $db->prepare("INSERT INTO transactions (...) VALUES (...)")->execute([/* values omitted */]);
        } else {
            mail("my-email", "KBlinker IPN Notice",
                 "A valid payment has been made, but there was a problem determining item type \n" . $data);
        }
    }
    $db = null;
}

$data = "";
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $data .= "\n$key=$value";
}
$verify = verify();

// Replace BLANKED OUT with your own unique merchant ID
// This can be found in your paypal profile
// This prevents someone from paying themselves
// but using your url as the notify url, in an attempt to fake an
// actual payment
if ($_POST['receiver_id'] == "BLANKED OUT") {
    // Make sure the currency received is USD, if so process
    if ($_POST['mc_currency'] == "USD") {
        if ($verify) insert_data();
        else mail("myemail", "IPN Notice", "Could not Verify");
    } else {
        $add = "";
        if ($verify) $add = " and was verified as an actual transaction.";
        mail("myemail", "IPN Notice",
             "A Payment for Transaction " . $_POST["txn_id"] . " was not in USD currency" . $add . "\n " . $data);
    }
}
?>
```

Basically any unexpected but valid transaction should be emailed for manual inspection rather than automatically processed. You could go as far as doing the same for unverified accounts by checking against $_POST['payer_status'], which will either be "verified" or "unverified".
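As an added example (not the thread's or kblinker's code), the same handler split into a postback step and a pure check step, so the business checks the reply describes (receiver, currency, per-item amount, duplicate txn_id, plus payment_status) can be exercised offline with a canned verdict. The postback URL, the price table, the merchant address and the sample notification values are assumptions.

```php
<?php
// Postback step: echo the notification back to PayPal unchanged, prefixed with
// cmd=_notify-validate, and return the one-word verdict ("VERIFIED" or "INVALID").
function ipn_postback(array $post, string $url = 'https://www.paypal.com/cgi-bin/webscr'): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the TLS check is what makes the verdict trustworthy
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? '' : trim($res);
}

// Check step, kept free of I/O so it can be tested offline. Returns null when the
// order may be fulfilled, otherwise the reason to hold it for manual review.
// $prices maps item_number to the expected mc_gross; $seen_txn lists txn_ids already processed.
function ipn_reject_reason(array $p, string $verdict, string $merchant_email, array $prices, array $seen_txn): ?string
{
    if ($verdict !== 'VERIFIED')                          return 'postback verdict was not VERIFIED';
    if (($p['receiver_email'] ?? '') !== $merchant_email) return 'receiver_email is not ours';
    if (($p['payment_status'] ?? '') !== 'Completed')     return 'payment_status is not Completed';
    if (($p['mc_currency'] ?? '') !== 'USD')              return 'currency is not USD';
    $item = $p['item_number'] ?? '';
    if (!isset($prices[$item]))                           return 'unknown item_number';
    $gross = number_format((float) ($p['mc_gross'] ?? 0), 2, '.', '');
    if ($gross !== $prices[$item])                        return "mc_gross $gross does not match price {$prices[$item]}";
    if (in_array($p['txn_id'] ?? '', $seen_txn, true))    return 'duplicate txn_id (replayed notification)';
    return null;
}

// Constructed sample notification: the field names are PayPal's, the values are made up.
$sample = ['txn_id' => 'TXN-EXAMPLE-1', 'receiver_email' => 'seller@example.com',
           'payment_status' => 'Completed', 'mc_currency' => 'USD',
           'mc_gross' => '50.00', 'item_number' => 'KB-SL'];
$prices = ['KB-SL' => '50.00', 'KB-ML2' => '75.00', 'KB-ML3' => '100.00'];

// Offline run with a canned verdict; in the live handler pass ipn_postback($_POST) instead.
var_dump(ipn_reject_reason($sample, 'VERIFIED', 'seller@example.com', $prices, []));
var_dump(ipn_reject_reason(['mc_gross' => '1.00'] + $sample, 'VERIFIED', 'seller@example.com', $prices, []));
var_dump(ipn_reject_reason($sample, 'VERIFIED', 'seller@example.com', $prices, ['TXN-EXAMPLE-1']));
```

The first call returns null (fulfil), the second reports the tampered amount, and the third reports the replayed txn_id, which is the case the original code's "transaction already exists" branch has to handle.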