Paypal Security and IPN

Introducing IPN

IPN stands for Instant Payment Notification. It is a method that Paypal provide for those selling products and using Paypal to sell their products to record the sale immediately into their own database. In other words it provides a direct feed of the information collected by Paypal during the sale process into your own site.

Now Paypal claim that their payment process is "Fast, Safe, and Secure" and so it is when you are selling a product that needs to be physically shipped once the purchase is complete. The problem comes where you want to make the product available for immediate download from your site but only where a valid payment has been made. The reason for the problem is that the page on your site to which Paypal is to return after the payment has been made needs to be passed to Paypal and therefore needs to be either coded as a hidden field in the form that is passed to Paypal (where it is visible when the source is viewed) or it needs to be passed as a parameter on the end of the address (and is therefore visible in the address bar of the Paypal page). In either case once the return page address is known the would be thief can go straight to that page without making a payment first.

By adding an extra parameter or hidden field containing "rm=2" we can tell Paypal to pass all of the form fields that are passed to it on to the return page. This means that a dynamic return page (eg. one written using PHP) can check for the appropriate parameters being passed to it and to enable it to display an appropriate error message if the passed parameters are not correct instead of allowing access to the download. Unfortunately this can be bypassed by the would be thief creating their own form to feed the required parameters to the return page directly without going through Paypal.

We can add code to the return page so that every time that it is accessed it logs the event either in a database or by sending us an email. This will let us know when someone accesses the page without first making a valid payment.

When I first set up my pages to allow for my email and site search scripts to be purchased via Paypal, I set the return pages up so that the person needed to enter their email address into the page and press a button to send the script that they had purchased to themselves via email. By also sending a blind copy to myself every time someone sent themselves one of these scripts I could tell when my script was being stolen and when it had been legitimately downloaded after being purchased. This discouraged most of the many people who bypassed the payment process and enabled me to track down the one person who actually stole the script and got them to delete it from their site.

None of these measures by themselves is sufficient to actually stop would be thieves from actually stealing your downloads. They just enable you to tell when someone is considering stealing and who actually does.

Now let's consider combining these ideas. Now if we have our return page set up to write an entry to a database and if the Paypal IPN script can also write to the same database then we have a way of confirming that the payment has actually been made before allowing access to proceed with the download. Actually these will happen the other way around. The IPN script will write an entry to the database and the return page will first check that an entry for the purchase already exists in the database and then update it to indicate that the person has already gained access to make the download (so as to stop their providing the information to match the existing database entry to someone else allowing that second person to access the download area without paying. There are a number of Paypal IPN scripts available that you can purchase that work this way.

With one of these scripts in place you can not only check that the person has made a payment before allowing them access, you can confirm that they haven't altered any of the parameters in an attempt to pay less than the correct purchase price. If you are using Paypal to sell products online then using an IPN script is the only way to secure your download page so that it can only be accessed once the correct payment has been made.

Tough luck on anyone who doesn't have database access from their site. Some IPN scripts have versions that use flat files instead of a database but if your host doesn't allow scripts to update flat files either then you can't use one of these either. If this applies to you then you definitely need to read on because I came up with a solution that doesn't require any databases or flat files.

IPN without File or Database Updates

I didn't particularly want to purchase one of these IPN scripts since I prefer writing my own code. The problem that I could see regarding setting up an IPN script to control access using a database is that if your buyers have access to the downloads page once then they can view the source of that page to find out the location of the download file. If they pass on that information then others can access the download directly without needing to get to the download page or paying for the download. The easiest way I could think of to conceal where the actual download file is stored is to provide a facility for the purchasers to email the download file to themselves as an attachment.

Now why get the purchaser to enter their email address to send themselves the download when Paypal is already passing payer_email as one of the fields identifying who it is that is making the purchase. The download could be automatically emailed to the payer from the return page provided that their payment was complete and correct.

The only problem with this is that Paypal allows some payments to be made that are not able to be immediately processed, for example, echeck payments take some time to be cleared, also the very first credit card payment that you receive in a personal Paypal account will be held up until you upgrade the account. In each of these cases the person reaches the return page having made their payment in good faith but it has not yet been completely processed. If the email with attached download is sent now and the echeck that "paid" for it fails to clear then you have not been paid for the download but if you don't send it now then how does the payer get the download once the payment does clear?

The IPN script has access to all of the same parameters as the return page does and what's more when the payment clears the IPN script gets called again by Paypal so as to provide the information relating to the clearance to your database (but the return page doesn't get called again as the purchaser is long gone from your site). There is a need for the IPN script to notify the purchaser that they can now visit the return page to obtain their download.

Hang on, getting the IPN script to update the database when the purchase is first made, update it again when the payment clears and send the purchaser an email providing them with access to the return page which updates the database to record their visit and then sends them another email with their requested download attached doesn't seem quite right. Send the purchaser an email so that they can visit a web page that will send them another email. Why not send the email with the download attached in the first place?

In fact, setting up the IPN script to automatically send an email with the purchased download attached when the payment is complete provides the purchaser with their purchase and removes the need to provide any access to perform downloads from the return page. It also does away with the need for a database as Paypal is now tracking the payment process for us and calling the IPN to tell us when the payment is complete. To me this seems a much simpler and more secure method of providing purchasers with the online products that they purchase. It also greatly simplified the writing of my own Paypal IPN Script since there was no need to set up a database to track purchases.

As an added benefit, doing it this way allows the payment by echeck process to be fully automated as the IPN script is called a second time when the payment clears and can send the email with the purchased script attached when that call occurs. The conventional approach using a database and download page does not properly cater for echeck payments and many IPN scripts require manual intervention in these cases.

Note that it is the responsibility of each seller to ensure that the measures that they implement to secure their site provide sufficient security to meet their needs and the above information is provided to assist in identifying some of the security methods that are available. Felgall Pty Ltd accepts no responsibility for the theft of any download files from sites collecting payments via Paypal regardless of whether that site has or has not implemented any of the security measures discussed on this page.


This article written by Stephen Chapman, Felgall Pty Ltd.

go to top

FaceBook Follow
Twitter Follow