< Day Day Up > |
Prevent fraudulent transactions by comparing the value of the goods purchased with the amount received . PayPal has taken many steps to ensure that their system is secured against fraudulent transactions. However, just like any online eCommerce system, there are always ways for an unscrupulous person to attempt to cheat you. The PayPal Buy Now and Shopping Cart buttons , for example, are normally displayed as plain text in your web page's source code, which means that anyone can view your HTML code ormore importantlycopy and modify the code, and then submit a spoof payment (presumably with a lower price) to PayPal. And since PayPal doesn't maintain an active database of all the current prices of your products, it's up to you to engage in some proactive price checking.
Obviously, the primary concern is the price, given how easily it can be changed from, say, $18.00 to $.18. While a merchant who is able to view each and every transaction will likely notice when a $100 item was purchased for $.01, but it can, of course, be easy to miss this kind of thing, especially for high-volume merchants . And if you have a fully automated fulfillment system, such as for digital goods [Hack #71] , you'll need to employ some sort of price checking. The following solution employs the trusty IPN system to check whether a customer has paid the correct amount. 7.13.1 Simple Price Checking with Single Item PurchasesThe PayPal IPN system posts the variables as they were originally submitted to PayPal, so a spoofed price will be reflected in our IPN postback from PayPal. Because PayPal does not store any of your product information on their servers, you have to query your product information to ensure it matches the price the customer paid. To use a price-checking system on your site, you need to be able to run a dynamic server page technology (e.g., ASP, as is used in this example) and a simple database (e.g., Microsoft Access). The table in this example, tblProducts , has only two columns : item_number , containing a list of all of the unique product numbers , and item_price , in which the corresponding prices are stored. Naturally, your product database will be more sophisticated, but it will likely have analogous fields. Here is some skeleton code, written in ASP, that does rudimentary price checking for items purchased with Buy Now buttons: 'Declare and populate our price checking variables Dim item_number, item_amount item_number = Request.Form("item_number") item_amount = "Request.Form("mc_gross") 'Connect to database and create recordset connStore = "DRIVER={Microsoft Access Driver (*.mdb)};DBQ= "C:/InetPub/wwwroot/database/dbPayPal.mdb") set rsPriceCheck = Server.CreateObject("ADODB.Recordset") rsPriceCheck.ActiveConnection = connStore rsPriceCheck.Source = "SELECT item_price FROM tblProducts WHERE item_number = 'item_number'" rsPriceCheck.Open( ) 'Compare the values to see if amount paid is equal to or greater than required If rsPriceCheck("item_amount") >= item_amount Then 'Price paid is at least as much as required, process order 'Order processing code here Else 'Price paid is less than required, stop order processing 'Send alert to purchaser and merchant End If
This code relies on the mc_gross variable, which is equal to the purchase price plus any shipping, handling, or tax charges applied to the order (note that mc_gross does not include the deduction of any applicable PayPal fees).
7.13.2 Price Checking for Shopping Cart PurchasesPayPal does not pass back individual item prices in Shopping Cart transactions. If a customer buys three items worth $1.00, $2.00, and $5.00, respectively (and agrees to pay $3.50 for shipping), you don't get any of those individual values in the IPN data. Rather, the mc_gross variable will have a value of the total amount paid (in this case, $11.50). Thankfully, PayPal does pass back the individual item_number fields, which means that you can still look up the individual prices in your database.
As described in [Hack #45] and [Hack #50] , the PayPal Shopping Cart system returns an item number for each item in the cart. The variables are in the form item_number n , where n is the cart number for that item, starting with 1 . PayPal also provides the num_cart_items variable to indicate the number of items in the cart. To verify the order, add the values of each item as listed in your database and compare the total to the gross amount paid: Dim item_number, mc_gross, I, num_cart_items, price_check mc_gross = Request.Form("mc_gross") num_cart_items = Request.Form("num_cart_items") price_check = 0 For i=1 to num_cart_items 'Populate variable with value item_number = Request.Form("item_number" & i) 'Execute SQL query on database with item_number value 'Connect to database and create recordset connStore = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ="C:/InetPub/wwwroot/database/dbPayPal.mdb") set rsPriceCheck = Server.CreateObject("ADODB.Recordset") rsPriceCheck.ActiveConnection = connStore rsPriceCheck.Source = "SELECT item_price FROM tblProducts WHERE item_number = 'item_number'" rsPriceCheck.Open( ) 'Add value from database to our running count price_check = price_check + rsPriceCheck("item_price") Next If price_check = mc_gross OR price_check > mc_gross Then 'Price paid is at least as much as required, process order 'Order processing code here Else 'Price paid is less than required, stop order processing 'Send alert to purchaser and merchant End If
7.13.3 Sending a Price Check AlertOnce you see a problem with an order, it's up to you to send an alert. Use any simple mail component available to you and your server technology. In ASP, you can use the Common Data Objects (CDO) mail component with the following code: Dim PriceErrorCDO Set PriceErrorCDO = Server.CreateObject("CDOSYS.NewMail") PriceErrorCDO.From = Request.Form("receiver_email") PriceErrorCDO.To = Request.Form("receiver_email") PriceErrorCDO.CC = Request.Form("payer_email") PriceErrorCDO.Subject = "IPN Price Checking Error" PriceErrorCDO.Body = "There has been a price-checking error on the following transaction: " & Request.Form("txn_id") & "" PriceErrorCDO.Send( ) Set PriceErrorCDO = Nothing This email alert code sends an email to the recipient of the payment (you), but you might also want to send an automatic email to the customer to indicate that there will be a delay in processing the order.
|
< Day Day Up > |