> Actually it doesn't seem like too much of a hack, except that it seems
> to be not a realtime operation (otherwise why would they need to contact
> your script?).

They contact your script so you can do whatever *YOU* want for each
transaction -- Log it, email the customer, ring a bell, whatever.  They
don't need to provide custom templates and database services to you on their
site just so you can manage your customers.

I dunno what the lag is between a transaction and the POST they send out,
but there's no reason to expect it's not as real-time as it gets.  All they
have to do is open up a connection to port 80 on your server and send a few
POST headers.  Sample code to do this abounds in the various PHP Code
Archive sites, so if you wanna write your own PayPal, this would be an easy

You are provided with a half of a key-pair to check back with their server
that it's *REALLY* coming from them, and not some spoofer thief trying to
fool your system into thinking they paid with PayPal when they didn't.  So
you send back your half of the key-pair, and they say "Yep, that's valid."
and you *KNOW* it's a valid notification.

Of course, if somebody can hack into PayPal server and insert their own
key-pair, you're screwed, but one would hope they're pretty up on security
over there at PayPal, eh?

Whether you have a Shopping Cart or not is irrelevant -- If you want to
provide people with the option of using PayPal, and you want to record their
purchase in real-time instead of, err, doing it by hand when PayPal sends
you some report or something, you want this instant payment notification

Don't have sample code, but it's basically just an fopen() to the URL they
provide with the key they provide, and then examine the output for either:
"Yes, that's valid."
"No, that's not valid."
"Our server is dead.  Sorry."
types of results.

If it's a "Yes", you mark the transaction as "Paid" or whatever your
shopping cart does, and then ship the goods.
If it's not valid, you log it, and tell the Customer their hack didn't work.
If the server is dead, you tell the Customer there will be a short delay in
verification, but they can check back in a half hour to be sure it all went
through, and then retry in a few minutes or whatever.

WARNING [EMAIL PROTECTED] address is an endangered species -- Use
Wanna help me out?  Like Music?  Buy a CD: http://l-i-e.com/artists.htm
Volunteer a little time: http://chatmusic.com/volunteer.htm
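
The three-outcome check described in this message, sketched in PHP as an added example that is not part of the original post. The `VERIFIED`/`INVALID` reply tokens and the `cmd=_notify-validate` prefix are PayPal's IPN postback convention rather than anything stated in the post; the outcome labels, the `$postBack` transport callable and the sample notification are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical outcome labels for this example.
const PAID     = 'paid';      // verifier confirmed the notification
const REJECTED = 'rejected';  // verifier says it never sent this
const PENDING  = 'pending';   // no usable answer: retry later, ship nothing

// Map the verifier's reply to an outcome. The whole trimmed body must match,
// so an error page that merely contains the word is never read as a "yes".
function classifyReply(?string $reply): string
{
    if ($reply === null) {
        return PENDING;                   // connection failed or timed out
    }
    $reply = trim($reply);
    if ($reply === 'VERIFIED') {
        return PAID;
    }
    if ($reply === 'INVALID') {
        return REJECTED;
    }
    return PENDING;                       // unexpected output: fail closed
}

// $rawBody is the notification exactly as received (e.g. from php://input).
// $postBack is a hypothetical transport: it sends the string to the verifier
// over HTTPS and returns the reply body, or null if the server is unreachable.
function handleNotification(string $rawBody, callable $postBack): string
{
    try {
        $reply = $postBack('cmd=_notify-validate&' . $rawBody);
    } catch (Throwable $e) {
        $reply = null;                    // treat transport errors as "dead"
    }
    return classifyReply($reply);
}

// Constructed notification and stub transports so the example runs offline.
$ipn = 'txn_id=TEST-0001&payment_status=Completed&mc_gross=9.99';
$stubs = [
    'genuine'          => fn(string $b): ?string => "VERIFIED\n",
    'spoofed'          => fn(string $b): ?string => 'INVALID',
    'server dead'      => fn(string $b): ?string => null,
    'error page'       => fn(string $b): ?string => '<h1>503</h1> NOT VERIFIED',
    'transport throws' => function (string $b): ?string { throw new RuntimeException('timeout'); },
];
foreach ($stubs as $label => $stub) {
    printf("%-17s => %s\n", $label, handleNotification($ipn, $stub));
}
```

Only the exact `VERIFIED` reply leads to `paid`; a dead server, an exception or an unexpected body all leave the order pending, so nothing ships on an unverified notification.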
