DeX Posted October 1, 2016

My application is completely working, I'm simply wondering about how the flow should work. I have a PHP site where:

1. The user chooses 1 of 2 possible listing types to list their property for rent. Whichever they choose is stored in a session variable and they're redirected to page 2.

2. Here they fill out their rental property information, click a submit button and all entered information (once validated) is entered into a session variable with the listing type from page 1. They are now redirected to page 3.

3. Page 3 only has a button to click to be redirected to PayPal for payment. The only reason I don't have this button on page 2 is because I first had to get all the entered information into the session variable and I needed an action trigger in order to accomplish this, like them clicking the submit button. I don't know if I should combine the 2 or keep this third page with just the payment button; however, it does give the user the opportunity to view their entry and confirm it is all correct prior to paying.

4. They get redirected to PayPal, pay, then are redirected back to my site with either a success or failure message. If success, a PHP function runs (triggered by a function name passed through the URL) and saves all listing information into the database as a successful purchase and pushes the listing live.

Is this a proper use of session variables, and should I instead be accomplishing this some other way? Should I be saving all the listing information after page 2 and instead just be putting the database row ID into the session variable, and then setting the row's PAID flag to 1 if the payment is successful? Then it's live once the flag is set? What if someone tries to use session injection in order to bypass the PayPal payment and just manually put their information into the database? Is this possible?
Jacques1 Posted October 2, 2016 (edited)

A huge problem with your current approach is that the entire data set gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already. Storing the "order" in the database and simply setting a flag is far more reliable.

I'm not sure what you mean by "session injection". The user cannot directly edit the session, unless there's a severe vulnerability in your application.

Edited October 2, 2016 by Jacques1
DeX Posted October 2, 2016 (Author)

> A huge problem with your current approach is that the entire data set gets lost when the payment process doesn't go as planned (which can always happen). In case of a problem or a dispute, there isn't much you can do, because the session has probably been cleaned up already. Storing the "order" in the database and simply setting a flag is far more reliable.
>
> I'm not sure what you mean by "session injection". The user cannot directly edit the session, unless there's a severe vulnerability in your application.

Thank you, I will switch it to store the information prior to payment and set the flag on payment success. If the session can't be edited in any way then I won't worry about it. I can even pass the database row ID to PayPal and get it back from them after payment so it doesn't have to go into the session. I think I can do that.
requinix Posted October 2, 2016 (Solution)

Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL. You have to verify the transaction was successful.

Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.
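As an added example (not code from anyone in this thread), here is an IPN listener in PHP that implements what the two replies above describe together: the listing is already stored with paid = 0 before the user is sent to PayPal, and only a notification that PayPal itself confirms as VERIFIED, and that matches the stored order, flips the flag. Assumed, not taken from the thread: a `listings` table with columns `id`, `amount`, `currency`, `paid` and a UNIQUE `txn_id`; a `db.php` that provides a PDO handle `$pdo`; the listing's database ID having been sent to PayPal in the standard `custom` field; and the seller address in `RECEIVER_EMAIL`. The postback endpoint and the IPN field names (`payment_status`, `txn_id`, `receiver_email`, `mc_gross`, `mc_currency`, `custom`) are PayPal's documented ones.

```php
<?php
// ipn.php - PayPal IPN listener. Set this file's URL as notify_url.
// Added example; assumes db.php defines $pdo (PDO) and a `listings` table
// (id, amount, currency, paid, txn_id UNIQUE). None of that is from the thread.
declare(strict_types=1);

require __DIR__ . '/db.php'; // hypothetical: provides $pdo

// Live verification endpoint; use ipnpb.sandbox.paypal.com while testing.
const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const RECEIVER_EMAIL    = 'seller@example.com'; // hypothetical: our PayPal account

/**
 * Post the raw IPN body back to PayPal with cmd=_notify-validate prepended.
 * Returns true only if PayPal answers exactly "VERIFIED". This is the step
 * that distinguishes a real notification from anyone who simply requests
 * our notify_url with made-up POST fields.
 */
function paypalVerifies(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);
    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    curl_close($ch);
    return $errno === 0 && $response === 'VERIFIED';
}

/**
 * A VERIFIED reply only proves PayPal sent the message. It does not prove the
 * payment is complete, that it was paid to us, or that it covers this
 * listing's price, so each of those is checked against the stored order.
 */
function ipnMatchesListing(array $ipn, array $listing): bool
{
    $paidAmount = (float)($ipn['mc_gross'] ?? '0');
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', RECEIVER_EMAIL) === 0
        && ($ipn['mc_currency'] ?? '') === $listing['currency']
        && abs($paidAmount - (float)$listing['amount']) < 0.005
        && (string)($ipn['custom'] ?? '') === (string)$listing['id'];
}

$rawBody = file_get_contents('php://input');
parse_str($rawBody, $ipn);

if (!paypalVerifies($rawBody)) {
    // Forged or tampered; a non-2xx makes PayPal retry a genuine one later.
    error_log('IPN not verified: ' . $rawBody);
    http_response_code(400);
    exit;
}

$listingId = (int)($ipn['custom'] ?? 0);
$stmt = $pdo->prepare('SELECT id, amount, currency, paid FROM listings WHERE id = ?');
$stmt->execute([$listingId]);
$listing = $stmt->fetch(PDO::FETCH_ASSOC);

if ($listing === false || !ipnMatchesListing($ipn, $listing)) {
    // Genuine PayPal message, but it does not pay for this listing as we
    // recorded it (wrong amount, wrong currency, pending, paid to someone else).
    error_log('IPN rejected for listing ' . $listingId . ': ' . $rawBody);
    http_response_code(200); // acknowledge so PayPal stops retrying it
    exit;
}

// Activate the listing. "paid = 0" makes a redelivered IPN a no-op, and the
// UNIQUE txn_id stops one real transaction from activating a second listing.
try {
    $update = $pdo->prepare('UPDATE listings SET paid = 1, txn_id = ? WHERE id = ? AND paid = 0');
    $update->execute([$ipn['txn_id'] ?? '', $listingId]);
} catch (PDOException $e) {
    error_log('Duplicate txn_id ' . ($ipn['txn_id'] ?? '') . ' for listing ' . $listingId);
}
http_response_code(200);
```

With this in place the return URL the buyer is sent back to should do nothing but show a "thanks, we are confirming your payment" page that reads the paid flag; it must not activate anything, since anyone can open that URL. Log the raw body of every rejected notification: that record is what you will need in the dispute case the second reply mentions.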
DeX Posted October 2, 2016 (Author)

> Don't do anything simply based on the user returning from PayPal. It's just a URL. Anybody can visit a URL. You have to verify the transaction was successful.
>
> Personally I prefer to use IPN: PayPal submits a request to your server directly, including information, you verify the information (sending a request back to them in the process), and if everything is good then you consider the payment as being completed.

Thanks, IPN is what I'm using.
DeX Posted October 3, 2016 (Author)

Got it working by saving the listing prior to payment and activating it using PayPal's notify_url to pass back the property ID to be activated. Thanks for helping me out with the logic flow.