Integration Guide
Order Management Integration Guide October 2006 31
Instant Payment Notification (IPN)
2. Click the Profile subtab.
3. Under Selling Preferences, click Instant Payment Notification Preferences.
4. Click Edit.
5. Click the checkbox and enter the URL of the program that will process the IPN posts.
6. Click Save.
notify_url
Alternatively, you can activate IPN by including the notify_url variable in your PayPal button
HTML. This field specifies the URL of a program that can process the IPN. For more details,
see “IPN Notification Validation: Preventing Fraud” on page 31.
Setting Up an IPN-Processing Program
The data sent to you by IPN is in the form of HTML FORM name/value pairs. At a minimum,
your program must process these pairs. What other processing might be required depends on
your order management needs, what kind of database you use, and other factors outside the
scope of this guide.
Code samples for the following development environments are available on the PayPal
website at
http://www.paypal.com/de/cgi-bin/webscr?cmd=p/xcl/rec/ipn-code-outside:
- ASP.Net/C#
- ASP/VBScript
- ColdFusion
- Java/JSP
- Perl
- PHP
IPN Notification Validation: Preventing Fraud
After your server receives Instant Payment Notification, you must confirm that you received
it. This is known as notification validation, which is a means for PayPal to help you prevent
spoofing or “man-in-the-middle” attacks.
IMPORTANT: If you do not use Encrypted Website Payments (EWP) or shared secret
validation, you must check the price, transaction ID, PayPal receiver email
address and other data sent to you by IPN to ensure that they are correct. By
examining this data you can be sure that you are not being spoofed.
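The field checks this note calls for, sketched in Python as an added example that is not part of the PayPal guide or its code samples. The merchant address, order table and sample posts are constructed; receiver_email, payment_status, txn_id, invoice, mc_gross and mc_currency are standard IPN variable names that this page does not list.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs

# Constructed merchant-side values (assumptions, not from the guide).
EXPECTED_RECEIVER = "seller@example.com"
ORDERS = {"INV-1001": (Decimal("19.99"), "USD")}  # invoice -> (price, currency)


def check_ipn(raw_body, seen_txn_ids):
    """Return the problems found in one IPN post; an empty list means it passed."""
    # IPN data arrives as HTML FORM name/value pairs (URL-encoded POST body).
    fields = {k: v[0] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    problems = []

    if fields.get("receiver_email", "").lower() != EXPECTED_RECEIVER:
        problems.append("receiver_email is not our account")
    if fields.get("payment_status") != "Completed":
        problems.append("payment_status is not Completed")

    txn_id = fields.get("txn_id", "")
    if not txn_id:
        problems.append("txn_id missing")
    elif txn_id in seen_txn_ids:
        problems.append("txn_id already processed")  # replayed notification

    # Compare against the price stored for the order, never a value from the post.
    order = ORDERS.get(fields.get("invoice", ""))
    if order is None:
        problems.append("unknown invoice")
    else:
        price, currency = order
        try:
            paid = Decimal(fields.get("mc_gross", ""))
        except InvalidOperation:
            paid = None  # missing or non-numeric amount
        if paid != price or fields.get("mc_currency") != currency:
            problems.append("amount or currency does not match the order")

    if not problems:
        seen_txn_ids.add(txn_id)  # record only after every check passed
    return problems


# Constructed sample posts.
GOOD = ("receiver_email=seller%40example.com&payment_status=Completed"
        "&txn_id=TXN123&invoice=INV-1001&mc_gross=19.99&mc_currency=USD")
TAMPERED = GOOD.replace("mc_gross=19.99", "mc_gross=0.01").replace("TXN123", "TXN124")
```

In production the seen transaction IDs would live in the order database rather than an in-memory set.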
You have two methods by which you can validate the notification: