Correct PayPal Adaptive Payments flow in crowd-funding site. I'm stuck

StackOverflow https://stackoverflow.com/questions/9130754

Question

I am developing a crowd-funding site (similar to Kickstarter) using the CodeIgniter framework.

I "successfully" implemented PayPal's adaptive payments using this library.

But, I'm just not sure how to correctly and securely check for succesfull/failed payments and witch data is important to save to database.

Note: it's a chained delayed payment, I am the primary receiver, and the secondary receiver is the crowd-funding project creator. The money is transferred to the secondary receiver after a predetermined period of time.

The flow I have right now goes like this:

  1. User click to buy a reward.
  2. I use the 'Pay' API operation to request payment (unique TrackingID included) and save the request in the database.
  3. If the request is succesfull, I save some response data in the session (TrackingID, PayKey, amount, ...) and redirect to PayPal..
  4. In this step the user can: accept payment, cancel, or just close the browser, so I dont really know what happens here... (recommendations?)
  5. If the user accepts the payment, he is redirected back to my site and I use data I saved in the session to request a 'PaymentDetails' API operation to obtain information about the payment.
  6. I save the result in database and check to see if the response 'amount' is equal to the request 'amount' (for security).
  7. If everything went OK I update the database and connect the payment TrackingID with the user and the reward he bought.
  8. Later (can be months later), the 'ExecutePayment' API operation is requested by an admin, and the money is transferred from us to the project creator, and we take a small fee (thats how crowd-funding works...)

Now, I'm sure I'm missing lot of things but I have no idea what:

  1. What about the IPN API? I need it? Where it comes to play inside the flow and checks?
  2. What I do if the user closes the browser window when he is in PayPay (out of my site).
  3. I heard that the PayKey is valid for 3 hours, how can I 'ExecutePayment' after months?
  4. How I handle the enormous amount of error types in the PayPal API?
  5. Any tips or examples of others things I need to take care of? Security? Errors? Others?

Thank you very much, I really need your answer!

Was it helpful?

Solution

  1. IPN will automatically POST data to your "listener" (which you'd need to develop) in order to automate post-payment procedures. For example, you could update a database, hit 3rd party web services, generate email receipts, etc. within IPN so that those events happen automatically any time you receive money in your PayPal account. You can also set it up to handle refunds, disputes, and other events. It's not required, but often very useful.

  2. This is one reason IPN can be useful. IPN will be triggered whether the user makes it back to your site or not. If you're doing post-payment processing procedures within your thank you page or something like that, I'd recommend you move it into an IPN solution.

  3. The PayKey is indeed valid for 3 hours when being used as a token. When you call Pay with an ActionType of CREATE, though, it sets up a delayed payment and the PayKey is then valid for up to 90 days.

  4. The error information will always come back in the same format in the response. You can just log or display errors accordingly based on this standard response.

  5. Sounds like you're pretty much on top of everything for the most part.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top