How The Paypal “Buy Now” button works

By Mason

June 2, 2014

Revised July 14, 2014

A technical look at how websites implement the Paypal “Buy Now” button

How it works at a glance

The “Buy Now” button may look simple and straightforward, but there are a lot of interactions that the user never sees. These matter to a mainstream website that potentially handles a lot of customers, because the merchant does not need to handle every checkout by hand on the account page of Paypal. Paypal sends the merchant a notification of each payment to a page of the merchant’s choice, which the merchant sets up to handle transactions. Paypal calls this an IPN (Instant Payment Notification); it is sent to the merchant whenever a user buys a product or service, so the merchant can set up a page to process transactions automatically.

The merchant has to validate this message with Paypal to ensure it really came from Paypal. Then the merchant must validate the transaction to ensure that the price, account and currency are correct and that the payment is completed. Then the merchant should store the transaction in a database and initiate any procedures needed to deliver the product. All this happens in the background after the customer pays at the Paypal checkout page. The customer is then brought back to the merchant’s website, or they can go to their account.

The “Buy Now” button sends a message to Paypal in a similar way when clicked. The message contains either the information about the transaction to start (i.e. the merchant account, the product name and number, the properties of the checkout page and other details) or a merchant account and a hosted button id. The former is a non-hosted button, which means all the details are stored in the button html; the latter is a hosted button, where all the details are on Paypal’s website.

How it works in depth

The Paypal “Buy Now” button is an html form with the “Buy Now” button as the submit button. When clicked, it posts the form and redirects to Paypal’s website. Paypal then processes the form and generates a checkout page based on the information. See Paypal’s page on payments standard html variables for a list of all the variables that you can submit to Paypal through the buy now button. When the customer is sent to the checkout page, they enter their information or their Paypal account and click pay now. When Paypal validates the transaction, it posts a form to the merchant’s website, to a background page known as an IPN listener or handler. The handler takes the posted form (the IPN) and first sends it back to Paypal with “cmd=_notify-validate” added to it, so Paypal knows to send a response that indicates the validity of the IPN. Once the merchant’s website receives a response from Paypal saying the transaction is valid, it can initiate any needed procedures based on the information in the original IPN.

Below is an illustration of the process with each step numbered and described:

Paypal Buy Now flow diagram

1. The user clicks the “Buy Now” button; it posts the form containing the information about the transaction to Paypal’s server. Paypal’s server receives the post from the merchant’s “Buy Now” button. The user does not see anything here, only a blank loading page.

2. Paypal sends the user to a checkout page, and it also sends the information about the transaction to the checkout page through session state or query string variables.

3. The user logs into Paypal and it validates information about the user and the account.

4. Once the validation is complete it shows the user some of their account information and a pay now button.

5. When the user pays, Paypal saves information about the transaction in their database.

6. Paypal’s server then sends the merchant an IPN containing the properties of the transaction.

7. The merchant posts the IPN back to Paypal with a command added that tells Paypal to validate the IPN, so that fraudulent IPN messages will not go through.

8. Paypal responds with a message containing either VERIFIED or INVALID.

9. If the response was VERIFIED then the merchant initiates some back-end procedure to process the payment.

10. While all of that is going on, the user sees only Paypal’s checkout page. When Paypal is done processing the payment, the user is given the option to return to the merchant’s website, likely to some type of “Thank You” or “Product Purchased” page. Alternatively, the user can go to their account. The user may end up getting back to the merchant’s website or “Thank You” page before the merchant has processed the payment or before the IPN has gone through; Paypal does not wait on the IPN to go through before giving the user the option to return.
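The handler side of steps 6 to 9, together with the merchant's own checks on price, account, currency and completion, as an added example (not code from the original post or from Paypal's samples). The `post_back` callable, the `EXPECTED` values and the sample IPN are assumptions constructed for the example; `txn_id`, `payment_status`, `receiver_email`, `mc_gross` and `mc_currency` are standard IPN variable names.

```python
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlencode

# Assumed merchant expectations (constructed values, not from the page).
EXPECTED = {"receiver_email": "merchant@example.com",
            "mc_gross": Decimal("19.99"), "mc_currency": "USD"}

def handle_ipn(raw_body, post_back, seen_txn_ids):
    """Decide what to do with one IPN.

    post_back(body) is a hypothetical transport: it POSTs the bytes to
    Paypal and returns the response text. It is injected so the handler
    can be run locally against a simulated IPN.
    """
    # Steps 7-8: send the IPN back byte-for-byte with the validate command.
    verdict = post_back(b"cmd=_notify-validate&" + raw_body).strip()
    if verdict != "VERIFIED":
        return "rejected: Paypal did not verify the message"
    # Trust the fields only after Paypal has vouched for them.
    ipn = {k: v[0] for k, v in parse_qs(raw_body.decode("ascii")).items()}
    if ipn.get("payment_status") != "Completed":
        return "ignored: payment not completed"
    if ipn.get("receiver_email", "").lower() != EXPECTED["receiver_email"]:
        return "rejected: wrong receiver account"
    try:
        amount = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        return "rejected: unreadable amount"
    if (amount, ipn.get("mc_currency")) != (EXPECTED["mc_gross"],
                                            EXPECTED["mc_currency"]):
        return "rejected: wrong price or currency"
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:
        return "ignored: duplicate or missing transaction id"
    seen_txn_ids.add(txn_id)  # stand-in for storing the transaction in a database
    return "fulfil"

def sample_ipn(**overrides):
    """Constructed IPN body for local testing; values are made up."""
    fields = {"txn_id": "TXN-EXAMPLE-1", "payment_status": "Completed",
              "receiver_email": "merchant@example.com",
              "mc_gross": "19.99", "mc_currency": "USD"}
    fields.update(overrides)
    return urlencode(fields).encode("ascii")

if __name__ == "__main__":
    seen = set()
    for verdict in ("VERIFIED", "VERIFIED", "INVALID"):
        print(handle_ipn(sample_ipn(), lambda body: verdict, seen))
```

The price and currency comparison matters most for non-hosted buttons, where the amount travels in the page's html and the IPN is the merchant's only authoritative record of what was actually paid.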

Problems I had with implementing

One of the problems I had was with Paypal not sending the IPN to our handler. This was caused by either not sending the notify_url field with the button form, giving the wrong address to this field, or not having this field URL-encoded. If this form is posted through html with enctype="application/x-www-form-urlencoded" in the form definition tag, then the form will already be URL-encoded. At first I had thought, because I was not receiving the IPN from Paypal, that the form was not URL-encoded, so I was double encoding it, which was destroying the path. After removing the second encoding and leaving just the form enctype to encode the path, it worked.

Other problems were with the actual handling and processing of the IPN when I did receive it from Paypal. Paypal has an IPN testing tool that allows you to simulate an IPN message and not go through the whole payment process, but because the IPN is sent from Paypal’s website I could not see error messages; it only tells you whether it succeeded or not. The first thing I did was put markers in the validation function, so at certain points it would insert a message into our database and I knew it had made it to a certain point. This was not enough, however, because while I could now narrow down the area, I could not find exactly where the error was coming from; I needed a new approach.

My approach was to simulate the IPN locally on our website so I could see the error messages and what line was causing them. I did this by skipping the Paypal validation (which I knew worked) and, on the Preload event of my IPN handler page, adding simulated entries from an IPN that would pass all the validation tests I had in the website. Then I just navigated with a browser to the page, and since our website was in debug mode (you can do this with an entry in each page or in the web.config for the whole website), I then got a detailed error message. I repeated this till I did not get any errors; then I knew there were no errors in the validation. For code samples in several languages for the Paypal validation visit: Paypal code samples.

