Security Advice

I'm currently setting up a little shop that uses PayPal as a payment system. I've searched online and on the board and found enough information to get going. The way certain things are done worry me though. Any help with any of these would be appreciated.

1. It seems as though the payment is completed before the user clicks the 'continue' button which leads back to my site. If for some reason the user did not make it back to the site, the database cannot be effectively updated in regards to the order. This seems to go against the concept of a transaction to me.

2. Sending data initially to PayPal through hidden form variables. I've read this is not a good way to do it, and I don't like the idea of anyone being able to view this information. Would it be better to send the vars through a socket (which is the only other post data solution I've come across) in some sort of Order class?

3. I've written a Basket class with a getTotal() function. I could send this to PayPal, but then the entire basket is counted as a single item, and this might confuse users. Is there a way around this?

These are my three main concerns (particularly #1). If anyone is familiar with this stuff, are there any other security considerations I should be making? This is the first time I've done anything involving a payment system, and I want it to be as safe as possible.

Thanks in advance for any help on this.

1) After payment, behind the scenes PayPal fires off the transaction to your script. Your script has to handle IPN transactions and update your database. It has nothing to do with the continue button being pressed or not.

2) There are other ways, like using cURL. A good tutorial link is below.

3) Don't understand this point so I can't comment. Maybe somebody else will address it.

PayPal PHP IPN tutorial:
http://www.zend.com/zend/tut/tutorial-paypal.php

IPN test sites:
http://www.eliteweaver.co.uk/testing/ipntest.php
http://www.optioninsight.com/IPNtestbed.html

Horror stories of using PayPal:
http://nopaypal.com/forums/
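The IPN handling described in the reply above, written out as an added example (this is not the tutorial's code or the poster's shop). It covers the original questions #1 and #2: the order is marked paid by PayPal's server-to-server notification, not by the user clicking "continue", and the amount in the hidden form fields is never trusted because the notification is checked against the order total already stored on the server. Everything shop-specific is assumed rather than taken from the thread: the shop's order id travels to PayPal in the `custom` pass-through field, an `orders` table has `id`, `total_cents`, `currency` and `status`, a `paypal_txn` table records every `txn_id` already processed, the DSN and receiver address are placeholders, and the postback URL should be checked against PayPal's current IPN documentation before use.

```php
<?php
// ipn.php: PayPal IPN listener, added here as an example (not the tutorial's or the
// poster's code). Assumptions, not from the thread: the shop's order id was sent to
// PayPal in the `custom` field, an `orders` table has (id, total_cents, currency,
// status), a `paypal_txn` table records every txn_id already processed, and the
// postback URL below should be checked against PayPal's current IPN documentation.
declare(strict_types=1);

const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const RECEIVER_EMAIL    = 'payments@example.com'; // your PayPal business account (assumed)

// Echo the raw notification back to PayPal with cmd=_notify-validate. PayPal answers
// VERIFIED or INVALID; null means the postback itself failed and should be retried.
function paypal_postback(string $rawBody): ?string
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener'],
    ]);
    $resp = curl_exec($ch);
    $ok   = curl_errno($ch) === 0 && is_string($resp);
    curl_close($ch);
    return $ok ? trim($resp) : null;
}

// The checks that matter once PayPal says VERIFIED: the money went to *our* account,
// the payment is actually complete, the txn_id has not been replayed, and the amount
// and currency match the order stored server-side (so a tampered hidden amount field
// only produces a rejected IPN, never a shipped order). Returns null to accept,
// otherwise a reason to log. Pure function, so it can be exercised without PayPal.
function ipn_check(array $ipn, array $order, bool $txnSeen): ?string
{
    if (($ipn['receiver_email'] ?? '') !== RECEIVER_EMAIL)   return 'wrong receiver_email';
    if (($ipn['payment_status'] ?? '') !== 'Completed')      return 'payment_status not Completed';
    if ($txnSeen)                                            return 'duplicate txn_id';
    if (($ipn['mc_currency'] ?? '') !== $order['currency'])  return 'currency mismatch';
    // Compare in integer minor units; never compare amounts as floats or as strings.
    $paidCents = (int) round((float) ($ipn['mc_gross'] ?? '0') * 100);
    if ($paidCents !== (int) $order['total_cents'])          return 'amount mismatch';
    return null;
}

if (PHP_SAPI !== 'cli') {
    // Invoked by PayPal: read the raw body (keeps PayPal's field order and encoding).
    $raw = file_get_contents('php://input');
    $ipn = [];
    parse_str($raw, $ipn);

    $verdict = paypal_postback($raw);
    if ($verdict !== 'VERIFIED') {
        // 503 makes PayPal retry later; anything else is junk and gets a 400.
        http_response_code($verdict === null ? 503 : 400);
        exit;
    }

    $pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop', 'secret'); // assumed DSN
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->beginTransaction();
    // Lock the order row so two deliveries of the same IPN cannot both mark it paid.
    $q = $pdo->prepare('SELECT id, total_cents, currency, status FROM orders WHERE id = ? FOR UPDATE');
    $q->execute([(int) ($ipn['custom'] ?? 0)]);
    $order = $q->fetch(PDO::FETCH_ASSOC);
    $q = $pdo->prepare('SELECT 1 FROM paypal_txn WHERE txn_id = ?');
    $q->execute([$ipn['txn_id'] ?? '']);
    $reason = $order ? ipn_check($ipn, $order, (bool) $q->fetchColumn()) : 'unknown order';

    if ($reason === null) {
        $pdo->prepare('INSERT INTO paypal_txn (txn_id, order_id) VALUES (?, ?)')
            ->execute([$ipn['txn_id'], $order['id']]);
        $pdo->prepare("UPDATE orders SET status = 'paid' WHERE id = ?")->execute([$order['id']]);
    } else {
        error_log('IPN rejected (order ' . ($ipn['custom'] ?? '?') . '): ' . $reason);
    }
    $pdo->commit();
    http_response_code(200); // acknowledge; otherwise PayPal keeps resending
    exit;
}

// Run from the command line: exercise ipn_check() on a constructed notification
// (sample values below are made up, not real PayPal data).
$sample = ['receiver_email' => RECEIVER_EMAIL, 'payment_status' => 'Completed',
           'txn_id' => '1AB23456CD789012E', 'mc_gross' => '19.99',
           'mc_currency' => 'GBP', 'custom' => '42'];
$order  = ['id' => 42, 'total_cents' => 1999, 'currency' => 'GBP', 'status' => 'pending'];
var_dump(ipn_check($sample, $order, false));                          // matching order
var_dump(ipn_check(['mc_gross' => '0.01'] + $sample, $order, false)); // tampered amount
var_dump(ipn_check($sample, $order, true));                           // replayed txn_id
```

Run `php ipn.php` from a shell to see the three checks exercised without contacting PayPal; deployed as the IPN URL, only the branch under `PHP_SAPI !== 'cli'` runs. The point of splitting `ipn_check()` out is that the security decision (right receiver, Completed, no replay, amount and currency equal to the server-side order) is the part worth testing, and none of it depends on what the browser posted to PayPal. Anything that arrives in the hidden form fields is treated as a hint for PayPal's checkout page only; the order is released when a VERIFIED notification matches what the shop itself recorded.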