PHP Confirming a Secure Paypal payment


I have a website providing a product such as an EBook. Initially I was configuring the site to use PayPal's basic payment processing.

The user would:

  • Register
  • Make an order
  • Proceed to PayPal checkout
  • Return to a site page (after successful payment) containing a download link.

I had this in place but then spotted a glaring issue. The return URL upon successful payment is stored in a hidden input; as such, a user could simply view the source of the page, take the return URL and traverse to it. Even if I pass a validation token, it won't prevent the issue as no matter what I do, the user can see the URL.

I have looked into using the IPN service and I can see this will provide me with a way of confirming if a transaction has been accomplished.

My question is: how would I approach securely confirming a registered user has paid before providing either a URL download link or simply an email containing the ebook?


Solution

  • You answered it yourself. IPN is what you want. When a transaction takes place you'll get an IPN with data like txn_type, txn_id, payment_status, etc. If you check the payment status within this script and it's completed then you know you can deliver the link. If not, deliver a different message accordingly.

    For example, if somebody pays with an e-check you'll get an IPN with a payment_status of pending. You could have your IPN script generate an email that says "thanks for your payment, it is currently pending. As soon as it clears you will receive your download link."

    Then when it does clear (or fail) you'll get another IPN with an updated payment_status but the same txn_id. If the status is completed at that point it would generate a completed email, or if it failed, a failed email, etc.

    There are all sorts of cool things you can do within IPN to automate tasks based on transactions.
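The flow described in the answer, sketched as an added example that is not part of the original answer or PayPal's own code: the IPN handler, not the return URL, marks the order paid, and the download page checks that server-side state. It assumes the site sends its order id in the IPN `custom` field and compares `mc_gross`/`mc_currency` to the order; the order store, the `handleIpn`/`canDownload` names and the stub verifier are hypothetical, and the sample messages are constructed.

```php
<?php
// Constructed order store; a real site would keep this in its database.
$orders = ['order-1001' => ['user' => 'alice', 'price' => '9.99', 'currency' => 'USD',
                            'status' => 'new', 'txn_id' => null, 'token' => null]];

// Apply one IPN to the store. $isVerified is an assumed stand-in for confirming it with PayPal.
function handleIpn(array $ipn, array &$orders, callable $isVerified): string
{
    if (!$isVerified($ipn)) return 'rejected: unverified';
    $id = $ipn['custom'] ?? '';            // order id the site attached at checkout
    if (!isset($orders[$id])) return 'rejected: unknown order';
    $order = &$orders[$id];
    $paid = [$ipn['mc_gross'] ?? '', $ipn['mc_currency'] ?? ''];
    if ($paid !== [$order['price'], $order['currency']]) return 'rejected: amount mismatch';
    $txn = $ipn['txn_id'] ?? '';
    // Status updates for one payment reuse its txn_id; anything else is a different payment.
    if ($txn === '' || ($order['txn_id'] ?? $txn) !== $txn) return 'rejected: unexpected txn_id';
    if ($order['status'] === 'completed') return 'ignored: already delivered';
    $order['txn_id'] = $txn;
    switch (strtolower($ipn['payment_status'] ?? '')) {
        case 'completed':
            $order['status'] = 'completed';
            $order['token'] = bin2hex(random_bytes(16)); // unguessable, stored server-side
            return 'email download link';
        case 'pending':
            $order['status'] = 'pending';
            return 'email pending notice';
        default:                                         // any other status: not paid
            $order['status'] = 'failed';
            return 'email failure notice';
    }
}

// Download page check: the logged-in user must own a completed order and present its token.
function canDownload(array $order, string $user, string $token): bool
{
    return $order['status'] === 'completed' && $order['user'] === $user
        && is_string($order['token']) && hash_equals($order['token'], $token);
}

// Constructed IPN messages: an e-check that is pending, then clears with the same txn_id.
$ok  = fn(array $ipn): bool => true; // stub verifier for this offline demo only
$ipn = ['custom' => 'order-1001', 'txn_id' => 'TXN-CONSTRUCTED-1', 'mc_gross' => '9.99',
        'mc_currency' => 'USD', 'payment_status' => 'Pending'];
echo handleIpn($ipn, $orders, $ok), "\n";
var_dump(canDownload($orders['order-1001'], 'alice', 'token-copied-from-page-source'));
echo handleIpn(['payment_status' => 'Completed'] + $ipn, $orders, $ok), "\n";
var_dump(canDownload($orders['order-1001'], 'alice', $orders['order-1001']['token']));
```

Because the download check reads the order's status and owner from the server, a return URL copied from the page source grants nothing until a completed IPN for that order has been recorded.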