Payment Handling Code Question

hadoob024

OK. I have a real estate listing site where searches are for free, but we charge the customer to list their property. Here's how I'm setting up my site:

Add Listing p.1 - Customer enters listing type (to determine how much to charge customer). Form action sends control to Add Listing p.2.

Add Listing p.2 - Customer enters payment info on a form on our site. The action of the form sends the information to the merchant account payment gateway. The return value of this determines whether or not the payment went through.

If payment goes through, we send control to:
Add Listing p.3. - Customer enters in listing info. The action of the form sends control to Add Listing p.4, which basically is a confirmation that the info was added to the db and that the payment went through.

Basically, I want to know is how can I prevent anyone from accessing Add Listing p.3 without getting a 'yes' confirmation from the payment gateway? Like I don't want someone to try and access Add Listing p.3 by directly entering the URL, thus bypassing the payment part. Any thoughts?

sneakyimp

Your payment step should store something in a database. Page 3 should check that the appropriate record is in the database before showing anybody anything. You should pick your payment gateway and go ask them about how their gateway works. Paypal IPN would work. Or Paypal Website Payments Pro would also work but both of those solutions can be really complicated to figure out because the documentation SUCKS.

Authorize.net is also a decent solution.

Also, were it up to me, I would let the user enter their listing first and only activate it once they've paid.

hadoob024

That's what I was thinking too. I haven't finished going through all the docs for the merchant account. We're using LinkPoint through CardService International. Maybe I'll ask them if there's any kind of specific info they send that I can check before loading Add Listing p.3? What about using SESSIONs instead of loading the info into a db?

sneakyimp

Sessions can work too I think but if you must hand off your user to the other site the session can get dropped if they have cookies turned off. Given that money is changing hands, I would advise you to try and store all the related info you can somewhere for reference in the event of a problem or dispute. It's often very helpful for troubleshooting.

hadoob024

Hmmm... This is getting trickier than I had originally thought. Well, what I was going to is the payment first, and then go to the listing information. Once the info is submitted, I send myself an email with the listing information. Once the info gets added to the db, I send myself another email saying that it was successfully added to the db (that way if something gets messed up after the payment goes through, I have all the listing info which I can add to the db manually in the event of a screwup). And this will send me to the listing added/payment went through confirmation page. How about that?

sneakyimp

Most of the payment gateway stuff I have seen allows you to have 'pass-thru' variables. Meaning that when you hand them off to the payment site they get returned to your site with those variable in POST or GET data so you can resume what you are doing. The techniques are different for different gateways so read your docs.

hadoob024

OH really?!? Sweet! Yeah, that pass-thru stuff would help out IMMENSELY! I was trying to figure out a good way to figure out how to commit the payment stuff and the listing stuff without getting screwed by either the payment stuff not working or the listing stuff not working. Yeah, I'm still going through their docs right now and haven't gotten to that part. That sounds like the best solution though.

Think it'll work if one of the listing form fields is an image file upload? And I'm also thinking about the fact that I do my listing verfication using PHP. So what happens if the payment goes through, and when control is returned to my script, there was a problem with one of the form fields? If I send them back to the form, then won't the payment go through again?

Or could I have the form action to go Add Listing p.2. I then can verify the form info, and if it's correct, then maybe I could re-direct them to the payment gateway? Damn, I think I'm confusing myself again.