Confusion over recurring payment sequence

martaaay
Contributor

Hi! I want my users to be able to purchase a subscription. I have it all working -- they can click a subscription button, go to PayPal, hit purchase, and then I get an IPN notification (and log it in my database). But I can't figure out how I'm supposed to associate that IPN notification with my original user. I passed their email in the 'custom' field in the original POST to PayPal, but it doesn't look like the 'custom' field was passed to my IPN code.

What's the "correct" way for me to connect an IPN notification to the original purchaser?

Thanks!
Marty


PayPal_RobG
PayPal Employee

Hello martaaay,

'custom' is definitely returned in the IPN message.

Can you do a var_dump on the full POST array that you get back? You should be able to see it in there.

(Note: I mention var_dump because most IPN handlers are in PHP. Use your language's equivalent if you're not using PHP.)

You can also review all IPN data that's sent to you by logging in to your account and navigating to History > IPN History.

Alternatively, log a ticket with us at https://www.paypal.com/mts/ and we'll look into it.

----
For technical assistance with PayPal merchant product offerings, please file a ticket at https://www.paypal.com/mts/

martaaay
Contributor

I'll inspect again, but custom was not seeming to come through (I was using print_r to a variable and logging it in mysql).

But, I did ride the user_id on os0/on0. Is this okay? I don't mind the extra bit of printout on the PayPal screen. Is there any security concern?


PayPal_RobG
PayPal Employee

If you're passing it publicly via the on0 parameter it would be open to tampering (e.g. via Firebug / Chrome Developer Tools) where malicious users can adjust the value for the on0 parameter to a different username.

But in your application of it that would merely mean they'd be paying for a different username; so there should be no problem there.

As with anything though, I would strongly suggest double-checking all data coming back to you through the IPN against the data you have stored locally on your side. The amount, username, etcetera.

As a general development principle: "don't blindly trust user input". Including all data returned via IPN.

----
For technical assistance with PayPal merchant product offerings, please file a ticket at https://www.paypal.com/mts/
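
The cross-check recommended in the reply above, as an added PHP example that is not from the thread or from PayPal. It assumes the site stored a pending order before redirecting to PayPal and passed that order's server-generated reference in `custom`; `reconcile_ipn`, the order layout and the sample values are hypothetical, and the notification is assumed to have already been confirmed as coming from PayPal.

```php
<?php
// Hypothetical helper: returns a list of reasons to reject the IPN;
// an empty list means every checked field matched the local record.
function reconcile_ipn(array $ipn, array $pendingOrders, array $seenTxnIds, string $merchantEmail): array
{
    $problems = [];
    $ref = (string)($ipn['custom'] ?? '');

    // The reference must be one this site issued, not just any well-formed value.
    if ($ref === '' || !isset($pendingOrders[$ref])) {
        return ['unknown order reference in custom'];
    }
    $order = $pendingOrders[$ref];

    if (strcasecmp((string)($ipn['receiver_email'] ?? ''), $merchantEmail) !== 0) {
        $problems[] = 'payment was not sent to our account';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment not completed';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    // Compare money as integer cents; never with float equality.
    $gross = (string)($ipn['mc_gross'] ?? '');
    if (!preg_match('/^\d+\.\d{2}$/', $gross)
        || (int)str_replace('.', '', $gross) !== $order['amount_cents']) {
        $problems[] = 'amount mismatch';
    }
    // A replayed notification must not extend the subscription twice.
    if (in_array((string)($ipn['txn_id'] ?? ''), $seenTxnIds, true)) {
        $problems[] = 'duplicate txn_id';
    }
    return $problems;
}

// Constructed sample data (not taken from the thread).
$pending = ['ord_7f3a' => ['user_id' => 42, 'amount_cents' => 999, 'currency' => 'USD']];
$ipn = ['custom' => 'ord_7f3a', 'receiver_email' => 'shop@example.com',
        'payment_status' => 'Completed', 'mc_gross' => '9.99',
        'mc_currency' => 'USD', 'txn_id' => 'TXN-CONSTRUCTED-1'];
// Same notification with the amount altered; keys on the left of + win.
$tampered = ['mc_gross' => '0.01'] + $ipn;

var_dump(reconcile_ipn($ipn, $pending, [], 'shop@example.com'));
var_dump(reconcile_ipn($tampered, $pending, [], 'shop@example.com'));
var_dump(reconcile_ipn($ipn, $pending, ['TXN-CONSTRUCTED-1'], 'shop@example.com'));
```

Only when the returned list is empty should the handler credit the `user_id` held in the local order record, rather than any username carried in the notification itself.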