How to make safe Rails PayPal payment?





I'm using this guide https://launchschool.com/blog/basic-paypal-checkout-processing-in-rails to redirect the user to a special PayPal page via a simple GET request.



Then the website waits for PayPal's answer at a special hook page before letting the user get their goods. But PayPal's answer is just a simple POST request; how can I be sure that it is a real PayPal answer and not a fake request from a third-party app with the same params?



SOLVED



An additional layer of logic is needed. When PayPal sends a POST request to our hook handler, we should resend it to a special validation address, according to the documentation:
https://developer.paypal.com/docs/classic/ipn/integration-guide/IPNImplementation/



If it answers with "VERIFIED", we can continue processing the request.

ruby-on-rails paypal

asked Nov 27 '18 at 1:53 by user2572790; edited Nov 27 '18 at 4:51

  • Isn't there any secret key shared only between you and PayPal in the params?

    – Lenin Raj Rajasekaran
    Nov 27 '18 at 2:11

  • I'm trying to find it

    – user2572790
    Nov 27 '18 at 3:49

1 Answer

When it mentions return_url, it's talking about Payment Data Transfer (PDT).

When it refers to notification_url, it's talking about Instant Payment Notification (IPN).

These are both similar in that you will send a POST request back to PayPal for verification purposes. If the data actually came from them, you'll get a VERIFIED result back. If not, it will be INVALID.

If the sample code included in that guide does not include this callback, then it's not a complete guide (and is missing a vital piece of the puzzle).

Details on this procedure are available in the docs linked above.

answered Nov 27 '18 at 3:35 by Drew Angell

  • Exact values are: "return" - that's my website page, where the user will be redirected after the payment is completed. "notify_url" - my website POST handler, where PayPal will send a POST request with the details of this payment (success or cancellation for any reason). Of course, they send the data back to me, but how do I check its verification? I could send the same POST request, and anybody else could do the same, so how do I check it?

    – user2572790
    Nov 27 '18 at 3:46

  • Did you even read my answer? I explained exactly how that works, and the docs I linked to provide the technical detail. You build a request from the PDT/IPN data, and you POST it back to PayPal for verification. Their system will then reply back with VERIFIED or INVALID. If you sent it from your own server, PayPal's verification within the script would come back INVALID, and you should build your code logic accordingly.

    – Drew Angell
    Nov 27 '18 at 4:01

  • Thanks, Drew, you are right. I was wrong because of similar but not exact variable names. Unfortunately, that part is completely missing from the guide. Without it, anybody could answer and I would regard those answers as real PayPal answers.

    – user2572790
    Nov 27 '18 at 4:40
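Both the SOLVED note in the question and Drew's answer describe the same echo-back check; here it is as an added Ruby example (not code from the question, the answer or the linked guide), together with the checks that still have to follow a VERIFIED reply. The two validation endpoints are assumed from PayPal's IPN integration guide; the class, method and sample values are this example's own.

```ruby
require "net/http"
require "openssl"
require "bigdecimal"

# Added example, not code from the question or the guide it links. Assumed:
# the IPN validation endpoints below (as given in PayPal's IPN integration
# guide); the class and method names are this example's own.
IPN_VERIFY_URL = {
  live:    "https://ipnpb.paypal.com/cgi-bin/webscr",
  sandbox: "https://ipnpb.sandbox.paypal.com/cgi-bin/webscr"
}.freeze

# Constructed sample IPN body for offline use (not a real PayPal message).
SAMPLE_IPN = "payment_status=Completed&receiver_email=seller%40example.com&mc_gross=9.99&mc_currency=USD&txn_id=TXN-CONSTRUCTED-1"

class IpnVerifier
  # http_post: callable (url, body) -> response body, injectable so the
  # echo-back can be stubbed offline; the default does a real HTTPS POST.
  def initialize(env: :live, http_post: nil)
    @url = IPN_VERIFY_URL.fetch(env)
    @http_post = http_post || method(:default_post)
  end

  # Echo the IPN back byte for byte (request.raw_post in Rails) with
  # cmd=_notify-validate prepended; re-encoding parsed params can yield INVALID.
  def validation_body(raw_ipn_body)
    "cmd=_notify-validate&#{raw_ipn_body}"
  end

  # true only when PayPal answers VERIFIED; INVALID, errors and timeouts are not.
  def verified?(raw_ipn_body)
    @http_post.call(@url, validation_body(raw_ipn_body)).to_s.strip == "VERIFIED"
  rescue StandardError
    false
  end

  # VERIFIED proves only that PayPal sent the message, not that it pays for
  # this order. Returns :ok or the first failing check. seen_txn_ids needs
  # include?/add (a Set here, a unique DB column in a real app) against replay.
  def self.accept(params, receiver:, amount:, currency:, seen_txn_ids:)
    return :not_completed  unless params["payment_status"] == "Completed"
    return :wrong_receiver unless params["receiver_email"].to_s.casecmp?(receiver)
    return :wrong_amount   unless amount_matches?(params["mc_gross"], amount)
    return :wrong_currency unless params["mc_currency"] == currency
    return :replayed       if seen_txn_ids.include?(params["txn_id"])
    seen_txn_ids.add(params["txn_id"])
    :ok
  end

  # Compare money as decimals, never as floats or raw strings ("9.9" vs "9.90").
  def self.amount_matches?(mc_gross, expected)
    BigDecimal(mc_gross.to_s) == BigDecimal(expected.to_s)
  rescue ArgumentError
    false
  end

  private
  def default_post(url, body)
    uri = URI(url)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    http.post(uri.path, body, "Content-Type" => "application/x-www-form-urlencoded").body
  end
end
```

In a Rails controller the IPN action must skip CSRF protection (`skip_before_action :verify_authenticity_token`), pass `request.raw_post` to `verified?`, and answer 200 whatever the outcome so PayPal stops retrying; the goods are released only when `accept` returns `:ok`.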


















