Search code examples
phpcodeignitercurlpaypalpaypal-ipn

Standard workflow in paypal integrate with PHP codeigniter

enter image description here

Right now I need to integrate Paypal with codeigniter and follow the tutorial here:

https://www.youtube.com/watch?v=-zMVf88XKCA

The workflow there is :

  1. use hidden form to post the item details , return url to https://www.sandbox.paypal.com/cgi-bin/webscr

  2. then verify the paypal by using CURL:

https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-synch&tx=$_REQUEST['tx']&at=token;

The problem is ,

1) is the tutorial standard and secure?

2 ) And I also found something like https://github.com/toolani/paypal-ipn-verifier-php? Is that means using IPN checker then no longer need CURL part. Only have to generate the Paypal website. And set the IPN script url in Paypal.

3) When generate Paypal page if I use the hidden field form , the visitor can easily change the amount. How can I (is it necessary) to prevent or check that? 

<input type="hidden" name="item_name_1" value="product_1">
<input type="hidden" name="item_number_1" value="p1">
<input type="hidden" name="amount_1" value="2">
<input type="hidden" name="quantity_1" value="1">
Solution
    1. The tutorial is about as secure as it can be. Payments Standard sends your data to PayPal, who is PCI compliant. You do not need any special security on your site to implement it.
    2. When you get an IPN request, you should verify it with PayPal. That's where the CURL request comes in. I find CURL to be more reliable that fsockopen but that's a preference only. Verifying IPN is critical or someone could spoof an IPN call to you.
    3. You could always cancel an order if someone did that but if it's that big of an issue you can always encrypt your buttons