Jump to content
Sign in to follow this  
DeX

How do I handle database entry dependent on PayPal payment?

Recommended Posts

My application is completely working, I'm simply wondering about how the flow should work. I have a PHP site where:

 

1. The user chooses 1 of 2 possible listing types to list their property for rent. Whichever they choose is stored in a session variable and they're redirected to page 2.

2. Here they fill out their rental property information, click a submit button and all entered information (once validated) is entered into a session variable with the listing type from page 1. They are now redirected to page 3.

3. Page 3 only has a button to click to be redirected to PayPal for payment. The only reason I don't have this button on page 2 is because I first had to get all the entered information into the session variable and I needed an action trigger in order to accomplish this, like them clicking the submit button. I don't know if I should combine the 2 or keep this third page with just the payment button, however it does give the opportunity for the user to view their entry and confirm it is all correct prior to paying.

4. They get redirected to PayPal, pay, then are redirected back to my site with either a success or failure message. If success, a PHP function runs (triggered by function passed through URL) and saves all listing information into the database as a successful purchase and pushes the listing live.

 

Is this a proper use of session variables and should I instead be accomplishing this some other way? Should I be saving all the listing information after page 2 and instead just be putting the database row ID into the session variable, and then setting the row's PAID flag to 1 if the payment is successful? Then it's live once the flag is set? What if someone tries to use session injection in order to bypass the PayPal payment and just manuall put their information into the database? Is this possible?

Share this post


Link to post
Share on other sites

A huge problem of your current approach is that the entire data gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already.

 

Storing the “order” in the database and simply setting a flag is far more reliable.

 

I'm not sure what you mean by “session injection”. The user cannot directly edit the session, unless there's a severe vulnerability in your application.

Edited by Jacques1

Share this post


Link to post
Share on other sites

A huge problem of your current approach is that the entire data gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already.

 

Storing the “order” in the database and simply setting a flag is far more reliable.

 

I'm not sure what you mean by “session injection”. The user cannot directly edit the session, unless there's a severe vulnerability in your application.

Thank you, I will switch it to store the information prior to payment and set the flag on payment success. If the session can't be edited in any way then I won't worry about it. I can even pass the database row ID to Paypal and get it back from them after payment so it doesn't have to go into the session. I think I can do that.

Share this post


Link to post
Share on other sites

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL.

 

You have to verify the transaction was successful. Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.

Share this post


Link to post
Share on other sites

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL.

 

You have to verify the transaction was successful. Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.

Thanks, IPN is what I'm using.

Share this post


Link to post
Share on other sites

Got it working by saving the listing prior to payment and activating the payment using PayPal's notify_url to pass back the property ID to be activated. Thanks for helping me out with the logic flow.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.