Search the Community

On page 150 of Larry's e-commerce book starts a discussion of "Using IPN" with regard to Paypal. I now have a need for updating a user in my MySql database who just paid his fee via Paypal by marking that user as "paid". The point, as I read it, is to get Paypal to "talk" directly to the database of the Merchant (me) to signal that a transaction of payment has actually been completed. I was a bit blown away at how complicated this is (or seems to me) and decided at least try and think of a simpler way of handling it, albeit maybe less secure. I was looking for a reasonable trade-off. I decided that I would send the user to a "thank you" page upon clicking the button that actually completes the transaction on the Paypal side. Paypal will do this for me. Because the amount paid is already set in the button, I can be sure that the user has paid the required amount. The "thankYou.php" page (on my server) will then update the DB and mark the user as having paid his dues for that year and that will be that. EXCEPT that the "thankYou.php" appears in the browser window. If the user were to see that he could simply type in the full URL for that page and bypass the Paypal payment page, getting credit for it anyway. So, my next solution was to change "thankYou.php" to something like "iwi429en298fn.php" and put in a redirect to a new "thankYou.php" that just says "Thank You for your payment" and that's all. This means that "iwi429en298fn.php" records the payment to the DB but its name doesn't stay in the browser window long enough to even be noticed. All one actually sees is "thankYou.php" that comes afterwards. I know this isn't the professional way to do it and wouldn't even try if the group of people involved in this organization only numbers about 110 and are a group of fine artists that are, in general, not likely to ever try to beat this system even if someone told them how. - I suppose a savvy and sneaky person might think to look in the browser history- In addition, there are always the Paypal receipts that are sent to seller and buyer to fall back on if there is a question. The payment is also only $25/year which limits possible damages. So my real question is: Is this a valid way of handling this given the circumstances or are there risks that I am not thinking of? Am I just being lazy in not wanting to do it the "right way" or does this seem to you like this really might be a "reasonable trade-off". Very interested n your opinion.