Instant Payment Notification
If you are processing orders only occasionally or you don't immediately fulfill orders online, you might be finished at this point. But unless you check with PayPal or PayPal notifies you, you have no guarantee that PayPal actually processed the specified amount.
In order for your application to be securely notified of transactions on the server, you need to implement IPN. In a nutshell, IPN provides a Web-based callback mechanism for your application to independently receive confirmation from PayPal that a transaction was made to your account. PayPal POSTs back all the order information too, so you can verify that the order was actually confirmed for the amount that you originally asked. (Another possible scam is to exit the current order and come back in and transfer money for a different amount. You'd get a confirmation but it won't be for the right amount!)
Because PayPal calls this URL directly, the URL for this page is not apparent to the user and is therefore more reliable. PayPal also sends information about the order back to you, so that you can double check that the important information (such as the invoice number and order amount) match what you thought the customer should pay for.
IPN must be explicitly enabled on the PayPal site. The URL is configured like this: log on to your account, go to Profile and then Selling Preferences. Choose Instant Payment Notifications. Check the enable box and provide a URL on your site to which you want the IPN to post. In the case above, I want to have PayPal post back to my site to a special page called PayPalIPNConfirmation.aspx. The code below shows what a typical IPN POST looks like.
As you can see, just about everything that was originally entered comes back to you, plus some PayPal internal stuff. The things you probably want to look at are the invoice values, which let you quickly validate that what you sent in comes back to you.
This IPN POST-back page should be a non-visual ASPX page (or an HttpHandler). You can remove all HTML code other than the <%@PAGE %> directive. The code in this page receives what amounts to a POST-back from PayPal that echoes the order information. The implementation for my Web store is shown in Listing 2.
Most of this code is application-specific and deals with confirming the invoice once the callback has been verified. If the order is okay, a confirmation e-mail, and in some cases download links, can be sent to the customer (using Invoice.SendEmailConfirmation()). If it fails in any way, the error is logged into an application log.
The real work related to IPN is handled in the PayPalHelper class and the IPNPostDataToPayPal() method. IPN works by having PayPal post back all the order information in POST format. The IPN protocol requires that your handler return all the FORM variables PayPal posts by posting them back to PayPal. In other words, you need to echo back all the POSTed form variables to PayPal, plus add a cmd POST value with the value _notify-validate to let PayPal know you're returning an IPN signature. Listing 3 shows the code in the PayPalHelper class that accomplishes this task.
The code reads the incoming Form variables and echoes them back by looping through the Request.Form collection and writing each key back into the PostBuffer of the HTTP client. The code starts by performing a couple of validations against the incoming POST data. Specifically, check the PayPal account to which you're receiving and the order amount to make sure that there isn't any sort of spoofing going on (perhaps the user decided to place a separate order with a different order amount). If you need to do additional checks, you can do that too by looking at the Form variables in the PayPalIPNConfirmation.aspx.
The code then loops through all of the incoming Form variables and posts them right back to PayPal. I'm using a wrapper class around the .NET WebRequest class called "wwHttp" to simplify the posting process. The wwHTTP class automatically URL-encodes form variables and returns a plain string result. You can find this class described and available for download in my previous CoDe article, Retrieving HTTP content with .NET. The class is also provided with the accompanying source code.
On success, PayPal returns a simple value: VERIFIED. Now you have programmatically verified that the order is valid. The result is then returned to the IPN confirmation ASPX page, which confirms the order.
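The IPN handler logic described above (check receiver account, invoice and amount locally, then echo every posted field back to PayPal with cmd=_notify-validate and accept only a VERIFIED answer), written here as an added Python example rather than the article's ASPX/wwHttp code. The merchant e-mail, the order table, the sample IPN body and the injectable `post_to_paypal` transport are constructed for the demo; the field names (receiver_email, invoice, mc_gross, mc_currency) are standard IPN variables.

```python
from decimal import Decimal, InvalidOperation
from typing import Callable, Tuple
from urllib.parse import parse_qsl, urlencode
import urllib.request

# Constructed demo values: the merchant's PayPal account and the order record
# the store saved before sending the customer to PayPal.
MERCHANT_EMAIL = "seller@example.com"
ORDERS = {"INV-1001": {"amount": Decimal("49.95"), "currency": "USD"}}


def build_validation_body(raw_post: str) -> str:
    """Echo every posted field back unchanged and append cmd=_notify-validate,
    the signal PayPal needs before it answers VERIFIED or INVALID."""
    fields = parse_qsl(raw_post, keep_blank_values=True)
    fields.append(("cmd", "_notify-validate"))
    return urlencode(fields)


def paypal_poster(validate_url: str) -> Callable[[str], str]:
    """Real transport: POST the echoed body to PayPal and return its reply text.
    The URL is supplied by the caller (not hard-coded here)."""
    def post(body: str) -> str:
        req = urllib.request.Request(validate_url, data=body.encode(), method="POST")
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    return post


def check_ipn(raw_post: str, post_to_paypal: Callable[[str], str]) -> Tuple[bool, str]:
    """Local spoofing checks first, then the PayPal round trip. Returns (ok, reason)."""
    f = dict(parse_qsl(raw_post, keep_blank_values=True))
    # 1. The money must have gone to our account, not one the sender chose.
    if f.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return False, "receiver mismatch"
    # 2. The invoice must be one this store actually issued.
    order = ORDERS.get(f.get("invoice", ""))
    if order is None:
        return False, "unknown invoice"
    # 3. Amount and currency must match what we asked the customer to pay
    #    (catches the "come back and pay a different amount" trick).
    try:
        paid = Decimal(f.get("mc_gross", "0"))
    except InvalidOperation:
        return False, "amount mismatch"
    if paid != order["amount"] or f.get("mc_currency") != order["currency"]:
        return False, "amount mismatch"
    # 4. Only now ask PayPal whether this notification is genuine.
    answer = post_to_paypal(build_validation_body(raw_post)).strip()
    if answer != "VERIFIED":
        return False, f"paypal answered {answer!r}"
    return True, "ok"
```

Anything that fails step 1 to 3 never reaches PayPal, and a body PayPal does not answer VERIFIED for is logged and rejected rather than treated as a confirmed order.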