PayPal Instant Payment Notification for membership payments
At long last, I have implemented an automated system for handling payments from users of the sites who are becoming a member and/or renewing their membership. Before this, for years, our treasurer was handling each payment manually. This caused (mostly minor) delays, and some confusion among our paying 'customers' (that means you, members!) when payments did not have that 'instant gratification' of getting member privileges.
PayPal has this concept of 'Instant Payment Notification'; it 'pings' a special address at the website, and after some additional handshaking the website can be pretty sure there was an actual payment and it was not forged in any way. There are a couple of modules for Drupal that implement IPN in some way or other, but guess what? None of them really applied to our situation, so I had to roll my own to integrate with our membership privileges/expiry/etc.
The system is now finally in live testing. It will be under close scrutiny for a while, since I have been anxious about creating a system that handles payments from our members. I've been genuinely scared to implement this system, because it is actual money we're talking about here; it must not malfunction. That's the main reason it has taken me almost a year and a half since the website started handling membership expiries.
In the meantime, we've had our first member renewing with the automated system, and the important bits worked. But for the coming months I will keep my eye out for any irregularities. Please let us know if something seems to go awry.
PS: For the technically minded among you, if you ever need to implement an IPN payment system yourself, do NOT use the code generated by the PayPal Script Generator as is! The generated code snippets come straight from PayPal, but they are hideously insecure. The code puts raw $_POST variables into MySQL queries, leaving the door wide open for SQL injection. That means a malevolent user may gain full access to your database, and eventually to your site. Beware!
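To make the PS concrete, here is an added example (not the generated PayPal code, and not this site's own module) of the duplicate-transaction lookup an IPN handler performs, written once with request data concatenated into the query and once with a bound parameter. The table name, column names, the transaction-id pattern and the sample values are assumptions, and in-memory SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example. Table/column names and the txn_id pattern are assumptions;
// in-memory SQLite stands in for MySQL so this runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (txn_id TEXT PRIMARY KEY, payer_email TEXT, amount TEXT)');
$db->exec("INSERT INTO payments VALUES ('TXN1', 'alice@example.org', '25.00')");
$db->exec("INSERT INTO payments VALUES ('TXN2', 'bob@example.org', '25.00')");

// Constructed stand-in for $_POST as the IPN endpoint would receive it.
// The txn_id value contains a quote, which is all it takes to alter the query.
$post = [
    'txn_id'      => "nope' OR '1'='1",
    'payer_email' => 'mallory@example.org',
    'mc_gross'    => '25.00',
];

// Pattern to avoid: the request value becomes part of the SQL text.
function seen_before_unsafe(PDO $db, array $post): array {
    $sql = "SELECT txn_id FROM payments WHERE txn_id = '" . $post['txn_id'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: reject values that do not look like a transaction id, then pass
// the value as a bound parameter so it can never be parsed as SQL.
function seen_before_safe(PDO $db, array $post): array {
    $txn = $post['txn_id'] ?? '';
    if (!is_string($txn) || !preg_match('/^[A-Za-z0-9]{1,32}$/', $txn)) {
        return [];
    }
    $stmt = $db->prepare('SELECT txn_id FROM payments WHERE txn_id = :txn');
    $stmt->execute([':txn' => $txn]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The unsafe lookup matches every stored payment; the safe one matches none.
echo 'unsafe lookup matched rows: ', count(seen_before_unsafe($db, $post)), "\n";
echo 'safe lookup matched rows:   ', count(seen_before_safe($db, $post)), "\n";
```

The bound parameter alone closes the injection; the pattern check is an extra layer that lets the handler drop malformed notifications before touching the database.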
- Aldo Hoeben's blog

