Hack 76 Enable Multiple IPN Pages

figs/moderate.gif figs/hack76.gif

Use a multiplexer script inspired by PayPal's code samples to duplicate the IPN posting to multiple scripts.

PayPal's IPN facility enables you to process your orders in real time. By specifying a script on your site, you can automatically update your database, add a name to your subscriber list, or email a custom order confirmation. PayPal's system is capable of making a call to only one IPN page per transaction, but with some code and tweaking, we can call more than one script.

7.16.1 The IPN Multiplexer

Any IPN script [Hack #65] accepts data from PayPal, verifies it, then goes about its business. The following multiplexer script is no different, but its mission is simply to pass the information on to your secondary scripts.

' read post from PayPal system and add 'cmd'

str = Request.Form & "&cmd=_notify-validate"

' post back to PayPal system to validate

set objHttp = Server.CreateObject("Msxml2.ServerXMLHTTP")

objHttp.open "POST", "https://www.paypal.com/cgi-bin/webscr", false

objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"

objHttp.Send str

' assign posted variables to local variables

' Check notification validation

if (objHttp.status <> 200 ) then

' HTTP error handling

elseif (objHttp.responseText = "VERIFIED") then 

' PayPal says the posting is good; post the data to the secondary scripts.

objHttp.open "POST", "http://othersite1.com/ipnpage.asp", false

objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"

objHttp.Send str

objHttp.open "POST", "http://othersite2.com/ipnpage.asp", false

objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"

objHttp.Send str

objHttp.open "POST", "http://othersite3.com/ipnpage.asp", false

objHttp.setRequestHeader "Content-type", "application/x-www-form-urlencoded"

objHttp.Send str

When this IPN script is called, it performs the PayPal verification process to ensure the transaction is a real one. It then posts the information to your secondary IPN scripts. Each script you use should follow the form of a typical IPN processor script [Hack #65] .

7.16.2 Turning off Secondary Verification to Eliminate Extra Postings

The multiplexer in the previous section does the job of assuring the posting data is genuinely from PayPal [Hack #65] Once its authenticity is verified, the data is passed along to the secondary scripts.

If your secondary IPN scripts do what they're supposed to do, they will each reverify this information for themselves. There is nothing wrong with this, but if you would like to cut down on the bandwidth your site uses, you might want to remove any redundant verification by eliminating the lines in the subordinate scripts that post data back to PayPal.

If you decide to turn off IPN validation in the secondary scripts and their location is known to spoofers, you potentially open up your system to falsified data. Ensure that security is adequate before taking this step.

7.16.3 Hacking the Hack

Here are a couple tips for working with this hack:

  • Embrace code multiculturalism. Because the scripts communicate with each other?and with the PayPal system?using the standard, documented HTTP protocol, you need not stay with one programming language for the multiplexer and the secondary scripts it serves. You can use the multiplexer in ASP/VBScript, while deploying a secondary one in Perl, and another in Python.

  • Test off-site. Who says your IPN script's data needs to originate with PayPal? Build a system tester that simply posts data to your IPN script. You can see exactly what will happen when your customer tries to buy an odd item from your site or how your system will handle a payment from a hacked button. Be sure to comment out the verification step before testing and reenable it before putting your system back into production. See [Hack #99] for other testing methods.