understanding paypal IPN

sneakyimp

ok...

i've read the paypal sample code, the paypal implementation guide (nearly all of the 168 pages anyway) and before i start coding and stuff, i'm STILL trying to get a broad understanding of what happens.

i have a shopping cart--shopping_cart.php. i collect the user's order and store it in a mySQL database.

the shopping cart submit button is one of the typical buttons you can create on the paypal site with their button generator...the final form on my site looks something like this:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="sales@sales.com">
<input type="hidden" name="item_name" value="Sales Order #xxxxxxx">
<input type="hidden" name="item_number" value="xxxxxx">
<input type="hidden" name="amount" value="1.00">
<input type="hidden" name="return" value="http://sales.com/thanks.php">
<input type="hidden" name="cancel_return" value="http://sales.com/cancel.php">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="notify_url" value="http://sales.com/ipn.php">
<input type="image" src="https://www.paypal.com/en_US/i/btn/x-click-but03.gif" border="0" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">

so the user is taken to the paypal site where they enter info.

now i think i understand what my cancel.php and thanks.php files are for, but the ipn.php file...what is up with that? how do thanks.php and ipn.php work together?

as best i can tell, when the user clicks PAY on the paypal site after entering all their info, then paypal posts to ipn.php some info which IPN.php is supposed to echo back to paypal and then paypal responds yet again and expects a final response....that's a lot of back and forth....

and then we go to thanks.php....or don't we? i really don't understand all the back and forth and when and under what circumstances the paypal site actually gets to the thanks.php file and does the thanks.php file get information POSTed to it or is it a simple redirect? seems to me that IPN.php is going to get the VALID or INVALID response and must somehow inform the THANKS.PHP page that the payment went through (or didn't). do i understand that correctly?

here's recommended code for ipn.php:

<?

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}

// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {
// check the payment_status is Completed
// check that txn_id has not been previously processed
// check that receiver_email is your Primary PayPal email
// check that payment_amount/payment_currency are correct
// process payment
}
else if (strcmp ($res, "INVALID") == 0) {
// log for manual investigation
}
}
fclose ($fp);
}
?>

AstroTeg

In a nutshell:

IPN.php is to handle the transaction status processing. Did the transaction go through? Was it successful? How much money was really paid? What fees were involved? When did the payment clear? IPN.php receives notices at anytime from PayPal regarding any transaction that has originated from your IPN transactions. Its IPN.php's job to confirm your site is who it says it is and it also has to confirm the transaction its processing is correct and hasn't been tampered with. If all is ok, it confirms with PayPal all is good. At the same time, you might have this script record the status and maybe even email you. But that's up to you. If you want those features and functionality, ipn.php is the place to put it.

thanks.php and cancel.php are exit pages. If a user cancels the transaction while filling out the info, PayPal will send the user to cancel.php. Its up to you to decide what you want to do, but think of it from a user standpoint and then think about it from a webmaster standpoint. As a user, when you cancel, what do YOU want to see when you get back to the site? What will you do with the cart if they cancel?

The thanks.php page is where PayPal will send the user after the transaction has been submitted - note: "submitted" It doesn't mean the transaction is good or bad. It just means the user made it all the way through the process. You might toss up a "thanks for sending me money!" message and then log something in the database and/or send an email receipt to your user and maybe an email to yourself about the transaction. Thanks.php would be the place to do it.

For a clearer picture, sit down and map out on paper all the possibilities starting with your shopping cart checkout. When they check out, where will they go? What happens there? What if they do this? What if they do that? If you map it out on mapper, it may become a lot clearer how this all works...

Installer

A.T.'s excellent answer may be all you'll need. For a good "Line by Line" run-through of ipn.php, look here.

Edit 03-16-05: That link is now dead. The same material can be found (as of this writing) here.

Here are some more helpful pages:
http://www.perl-studio.com/php/paypal/
http://www.paypaldev.org/forum.asp?FORUM_ID=24
https://www.paypal.com/en_US/pdf/ipn.pdf
http://www.19.5degs.com/element/601.php
http://www.phpclasses.org/browse/package/855.html
https://www.paypal.com/pdt
http://paypaltech.com/sitemap/

sneakyimp

this is VERY helpful. thanks, both of you.

i reckon my approach will be to use an IPN.PHP very much like the one Installer sent. It'll take care of writing all the necessary details to the database.

my THANKS.PHP file will subsequently check the database record and display the appropriate message.

if transactions are 'pending', then IPN.PHP might receive another posting at some random time in the future when the funds actually clear. i hope to configure IPN.PHP to do the whole back and forth thing for those as well (is the routine the same for these other postings?) and send the user an email.

thanks folks.

sneakyimp

i'm looking at the code Installer sent...am i correct in thinking that code assumes register_globals is on??

if (strcmp ($payment_status, "Completed") == 0) {
   //blah blah
}

Installer

Yes, it does. It shouldn't be too hard to convert it to use $POST.
There's a script that uses globals off here. You can use it as is, or use it to get a more complete $POST list.