
PayPal IPN Fraud Checks


I'm in the midst of setting up a shopping cart that communicates with PayPal via IPN. I'm using Micah Carrick's IPN with PHP and the WordPress Simple PayPal Shopping Cart. After several weeks I have modified the cart to address my needs, but I'm having an issue implementing the last of the fraud checks. The third fraud check is to ensure that the amount paid is equal to the amount of the purchase. My store contains numerous items so it is not possible to use a set number as Micah Carrick does in his example. I thought the answer would be to use PHP session variables, but haven't had any luck. Within the shopping cart:

  $_SESSION['cart_total'] = $total+$postage_cost;

Subsequently I tried to compare the mc_gross variable, which is the amount paid returned by PayPal, to the $_SESSION['cart_total'] variable within the ipn file. Unfortunately this has not been successful. To error check, I outputted the value of the session variable to the ipn error log, and it appears that the session variable is not being set or at least not being transferred as a result of leaving the page to complete the PayPal checkout. I attempted to output a second session variable, which I know is set correctly and utilized in my various menus, and it also does not have a value in the ipn file.

Does anyone have any suggestions on how to complete this fraud check?


Solution

  • The IPN Listener can't access the $_SESSION variable for the user. The session is between the user and your site and is not passed in any way to PayPal. The only variable that you can pass to PayPal would be the "custom" variable. You might be able to put some information in there (items ordered, totals etc.) and that "custom" variable will pass to your IPN listener and you could validate on that.
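
One way to carry the expected total through the "custom" variable, as an added example that is not part of the original answer or of the cart plugin: because "custom" travels through the buyer's browser, the cart signs an order id and total with an HMAC, and the IPN listener checks that signature before comparing `mc_gross` to it. The function names, the key constant and the sample values are assumptions, and the IPN message is assumed to have already been verified with PayPal.

```php
<?php
// Added example. IPN_CUSTOM_KEY, build_custom() and check_ipn_amount() are
// hypothetical names; load the key from server-side config, not from source.
const IPN_CUSTOM_KEY = 'replace-with-a-long-random-secret';

// Cart side: call where the cart computes $total + $postage_cost.
// The returned string goes into the "custom" field of the PayPal form.
// $orderId must not contain the '|' separator.
function build_custom(string $orderId, float $total, string $currency): string
{
    $payload = $orderId . '|' . number_format($total, 2, '.', '') . '|' . $currency;
    return $payload . '|' . hash_hmac('sha256', $payload, IPN_CUSTOM_KEY);
}

// Listener side: $ipn is the $_POST array of an IPN message that has already
// been verified with PayPal. Returns true only if the amount paid matches.
function check_ipn_amount(array $ipn): bool
{
    $parts = explode('|', $ipn['custom'] ?? '');
    if (count($parts) !== 4) {
        return false;                    // missing or malformed custom value
    }
    [$orderId, $total, $currency, $mac] = $parts;
    $expected = hash_hmac('sha256', "$orderId|$total|$currency", IPN_CUSTOM_KEY);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return false;                    // custom was altered after signing
    }
    // Compare as integer cents to avoid float rounding surprises.
    $paid = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $due  = (int) round(((float) $total) * 100);
    return $paid === $due && ($ipn['mc_currency'] ?? '') === $currency;
}

// Constructed sample data, not real PayPal output.
$custom = build_custom('order-1001', 24.50 + 5.00, 'USD');
$good   = ['custom' => $custom, 'mc_gross' => '29.50', 'mc_currency' => 'USD'];
$low    = ['custom' => $custom, 'mc_gross' => '0.01',  'mc_currency' => 'USD'];
$forged = ['custom' => str_replace('29.50', '0.01', $custom),
           'mc_gross' => '0.01', 'mc_currency' => 'USD'];

var_dump(check_ipn_amount($good));    // amount and signature both match
var_dump(check_ipn_amount($low));     // signed total differs from mc_gross
var_dump(check_ipn_amount($forged));  // total edited, signature no longer valid
```

Recording each order id as paid once it passes this check keeps a signed "custom" value from being accepted for a second order.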