Payment issues...

Aaron · 01-05-2008, 08:14 AM

So I have this script that I need to make. The problem I have now is...

How can I make sure they have paid (by paypal) before I create the account? A static address would be a security risk, and a dynamic address would be... hard to do... (I am referring to the page that paypal sends you to after a payment optionally)

codefreek · 01-05-2008, 09:50 AM

Hum. good question.
as i would think dont know how you would do it but it might be done like this
maybe like an feed like rss. but you get the other feed you whant :S

i am just talking i realy dont know..
+ i am tired so might be just some bla bla bla..
but hey atleast i posted a msg.

ohh well hope some one will post the right way so
i can learn also :)

You could do like this when you see the cash you send out
an 10 number code
that they can use.
or something like that :)

PS: you might be able to ask paypal for edvice. :S
i think.
Cya..

Aaron · 01-05-2008, 10:52 AM

I was thinking about sending a hidden form value, but I didn't know if it would pass through paypal.

I also considered sessions, but I don't know how to do them...

Something that tells you the referrer of the page would work.

so the page is order.php, and at the top it says if the referrer is paypal.com/cgi-bin?payment=successful (or something like that), execute this block of code.

this is completely unrelated, but what about SSL? How would I use that in PHP? There aren't any tutorials on it :(

Wildhoney · 01-05-2008, 11:29 AM

You can use PayPal's IPN (or Instant Payment Notificication). You may send custom POST items through PayPal. PayPal then sends it you all back in a series of transactions send back and forth to ensure the payment was successfully made.

There are quite a few good documentations on IPN on PayPal's website so I won't reiterate all of that.

Aaron · 01-05-2008, 11:57 AM

So.. they give me this jumble of code...

PHP Code:


			
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}

// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {
// check the payment_status is Completed
// check that txn_id has not been previously processed
// check that receiver_email is your Primary PayPal email
// check that payment_amount/payment_currency are correct
// process payment
}
else if (strcmp ($res, "INVALID") == 0) {
// log for manual investigation
}
}
fclose ($fp);
}
?>

Karl · 01-05-2008, 12:34 PM

You need to compare your details against the details sent back from paypal. It's actually straight forward, although they make it seem difficult. You could add the following validation function and then call that in replace of the comments:

PHP Code:


			

function validatePaypal()
{
    // Ewwww global, I feel dirty :)
    global $payment_status, $payment_currency, $payment_amount, $receiver_email;
    
    // Check that the payment is actually complete
    if ($payment_status != 'Completed')
    {
        error_log('IPN failed, expected payment status Completed, received ' . $payment_status);
        return false;
    }
    
    // Check receiver email against your email.
    elseif ($receiver_email != PAYPAL_EMAIL)
    {
        error_log('IPN failed, expected reciever email ' . PAYPAL_EMAIL . ' received ' . $receiver_email);
        return false;
    }
    
    // Check the payment amount against your products amount
    elseif ($payment_amount != PRODUCT_AMOUNT)
    {
        error_log('IPN failed, expected payment amount of ' . PRODUCT_AMOUNT . ' received ' . $payment_amount);
        return false;
    }

    // Check the payent currency against your requested currency
    elseif ($payment_currency != PRODUCT_CURRENCY)
    {
        error_log('IPN failed, expected ' . PRODUCT_CURRENCY . ' currency, but received ' . $payment_currency);
        return false;
    }

    // Todo: Check for duplicate txn_id
    
    return true;
}

Then, replace all the comments:

PHP Code:


			
// check the payment_status is Completed
// check that txn_id has not been previously processed
// check that receiver_email is your Primary PayPal email
// check that payment_amount/payment_currency are correct
// process payment

With a call to the function:

PHP Code:


			

if (validatePaypal())
{
     // Payment is complete and is OK!  Make sure you log this payment, 
     // especially the txn_id
}
else
{
     // Payment failed, we have the error logs but you should
     // also log this for manual inspection
}

I've missed out one validation check from the validatePaypal function and it's an important one. You need to check previous payments txn_id and ensure that you're not receiving a duplicate.

Hope that helps.

Aaron · 01-05-2008, 06:16 PM

Is this only for the accounts you pay for? My account is basic, and I don't want to update it because my last name is messed up.

Karl · 01-06-2008, 12:11 PM

Quote:

Originally Posted by Aaron

Is this only for the accounts you pay for? My account is basic, and I don't want to update it because my last name is messed up.

Sorry, I don't understand. Your payment details would be the details of the account that your clients are sending funds to. You'd want to define the 3 defines that I've used and replace them with your own details, such as:

PHP Code:


			

define('PAYPAL_EMAIL', 'john@smith.com'); // Your paypal email address
define('PRODUCT_AMOUNT', 9.99); // The price of your product
define('PRODUCT_CURRENCY', 'USD'); // The currency, make sure we get USD

Aaron · 01-26-2008, 02:07 AM

This software will be given out to many people, most of which might not have a business paypal account. I need a way to do this that doesn't require a business paypal account, and Paypal needs one for that IPN.