Jump to content


Photo

How do I handle database entry dependent on PayPal payment?


Best Answer requinix, 02 October 2016 - 04:20 AM

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL.

You have to verify the transaction was successful. Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed. Go to the full post


  • Please log in to reply
5 replies to this topic

#1 DeX

DeX
  • Members
  • PipPipPip
  • Advanced Member
  • 232 posts
  • LocationCalgary, Alberta
  • Age:35

Posted 01 October 2016 - 11:32 PM

My application is completely working, I'm simply wondering about how the flow should work. I have a PHP site where:

 

1. The user chooses 1 of 2 possible listing types to list their property for rent. Whichever they choose is stored in a session variable and they're redirected to page 2.

2. Here they fill out their rental property information, click a submit button and all entered information (once validated) is entered into a session variable with the listing type from page 1. They are now redirected to page 3.

3. Page 3 only has a button to click to be redirected to PayPal for payment. The only reason I don't have this button on page 2 is because I first had to get all the entered information into the session variable and I needed an action trigger in order to accomplish this, like them clicking the submit button. I don't know if I should combine the 2 or keep this third page with just the payment button, however it does give the opportunity for the user to view their entry and confirm it is all correct prior to paying.

4. They get redirected to PayPal, pay, then are redirected back to my site with either a success or failure message. If success, a PHP function runs (triggered by function passed through URL) and saves all listing information into the database as a successful purchase and pushes the listing live.

 

Is this a proper use of session variables and should I instead be accomplishing this some other way? Should I be saving all the listing information after page 2 and instead just be putting the database row ID into the session variable, and then setting the row's PAID flag to 1 if the payment is successful? Then it's live once the flag is set? What if someone tries to use session injection in order to bypass the PayPal payment and just manuall put their information into the database? Is this possible?



#2 Jacques1

Jacques1
  • Members
  • PipPipPip
  • Turtles all the way down
  • 4,224 posts

Posted 02 October 2016 - 12:20 AM

A huge problem of your current approach is that the entire data gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already.

 

Storing the “order” in the database and simply setting a flag is far more reliable.

 

I'm not sure what you mean by “session injection”. The user cannot directly edit the session, unless there's a severe vulnerability in your application.


Edited by Jacques1, 02 October 2016 - 12:21 AM.


#3 DeX

DeX
  • Members
  • PipPipPip
  • Advanced Member
  • 232 posts
  • LocationCalgary, Alberta
  • Age:35

Posted 02 October 2016 - 12:29 AM

A huge problem of your current approach is that the entire data gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already.

 

Storing the “order” in the database and simply setting a flag is far more reliable.

 

I'm not sure what you mean by “session injection”. The user cannot directly edit the session, unless there's a severe vulnerability in your application.

Thank you, I will switch it to store the information prior to payment and set the flag on payment success. If the session can't be edited in any way then I won't worry about it. I can even pass the database row ID to Paypal and get it back from them after payment so it doesn't have to go into the session. I think I can do that.



#4 requinix

requinix
  • Administrators
  • Lazy Administrator
  • 9,240 posts
  • LocationWA

Posted 02 October 2016 - 04:20 AM   Best Answer

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL.

You have to verify the transaction was successful. Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.
The Reimann Zeta Function Trolley Problem | "Summer is when I, the great ice fairy, can show my true power!"

#5 DeX

DeX
  • Members
  • PipPipPip
  • Advanced Member
  • 232 posts
  • LocationCalgary, Alberta
  • Age:35

Posted 02 October 2016 - 07:35 PM

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL.

You have to verify the transaction was successful. Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.

Thanks, IPN is what I'm using.



#6 DeX

DeX
  • Members
  • PipPipPip
  • Advanced Member
  • 232 posts
  • LocationCalgary, Alberta
  • Age:35

Posted 03 October 2016 - 05:12 PM

Got it working by saving the listing prior to payment and activating the payment using PayPal's notify_url to pass back the property ID to be activated. Thanks for helping me out with the logic flow.






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users