I am developing a crowd-funding site (similar to Kickstarter) using the CodeIgniter framework.
I "successfully" implemented PayPal's adaptive payments using this library.
But I'm just not sure how to correctly and securely check for successful/failed payments and which data is important to save to the database.
Note: it's a chained delayed payment, I am the primary receiver, and the secondary receiver is the crowd-funding project creator. The money is transferred to the secondary receiver after a predetermined period of time.
The flow I have right now goes like this:
- User clicks to buy a reward.
- I use the 'Pay' API operation to request payment (unique TrackingID included) and save the request in the database.
- If the request is successful, I save some response data in the session (TrackingID, PayKey, amount, ...) and redirect to PayPal.
- In this step the user can: accept payment, cancel, or just close the browser, so I don't really know what happens here... (recommendations?)
- If the user accepts the payment, he is redirected back to my site and I use data I saved in the session to request a 'PaymentDetails' API operation to obtain information about the payment.
- I save the result in database and check to see if the response 'amount' is equal to the request 'amount' (for security).
- If everything went OK I update the database and connect the payment TrackingID with the user and the reward he bought.
- Later (can be months later), the 'ExecutePayment' API operation is requested by an admin, and the money is transferred from us to the project creator, and we take a small fee (that's how crowd-funding works...).
Now, I'm sure I'm missing a lot of things but I have no idea what:
- What about the IPN API? Do I need it? Where does it come into play inside the flow and checks?
- What do I do if the user closes the browser window when he is in PayPal (out of my site)?
- I heard that the PayKey is valid for 3 hours, so how can I 'ExecutePayment' after months?
- How do I handle the enormous amount of error types in the PayPal API?
- Any tips or examples of other things I need to take care of? Security? Errors? Others?
Thank you very much, I really need your answer!
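Added example (not from the question or the library it uses), written in Python because the reconciliation logic is framework-neutral and ports directly to a CodeIgniter controller: the server-side check that decides whether a pledge is paid, comparing the PaymentDetails response against the stored Pay request and refusing to credit the same payKey twice. The response field names follow the Adaptive Payments PaymentDetails shape as assumed here; OUR_EMAIL and the sample request/response are constructed.

```python
from decimal import Decimal, InvalidOperation

# After the sender approves a delayed chained payment the primary receiver is
# paid and the status stays INCOMPLETE until ExecutePayment pays the secondary.
PAID_STATUSES = {"COMPLETED", "INCOMPLETE"}
OUR_EMAIL = "primary@example.com"  # constructed placeholder for our account


def reconcile(stored, details, credited):
    """Decide whether a PaymentDetails response proves the stored Pay request
    was paid. Returns (ok, reason). The redirect back from PayPal proves
    nothing (the user controls that URL); only this server-side comparison or
    a verified IPN should mark the pledge as paid. `credited` holds payKeys
    already credited, so a repeated check or IPN retry cannot credit twice."""
    if details.get("payKey") != stored["pay_key"]:
        return False, "payKey does not match stored request"
    if details.get("trackingId") != stored["tracking_id"]:
        return False, "trackingId does not match stored request"
    if details.get("status") not in PAID_STATUSES:
        return False, "status %s is not a paid state" % details.get("status")
    if details.get("currencyCode") != stored["currency"]:
        return False, "currency mismatch"
    infos = details.get("paymentInfoList", {}).get("paymentInfo", [])
    mine = [p for p in infos if p.get("receiver", {}).get("email") == OUR_EMAIL]
    if len(mine) != 1:
        return False, "primary receiver missing or duplicated"
    try:  # compare money as Decimal, never as floats
        paid = Decimal(str(mine[0]["receiver"]["amount"]))
    except (InvalidOperation, KeyError):
        return False, "unparseable amount"
    if paid != Decimal(stored["amount"]):
        return False, "amount %s differs from requested %s" % (paid, stored["amount"])
    if details["payKey"] in credited:
        return False, "already credited (duplicate notification)"
    credited.add(details["payKey"])
    return True, "paid; credit reward and persist payKey, status, amount, senderEmail"


# Constructed sample data: the Pay request we stored and a PaymentDetails reply.
STORED = {"tracking_id": "TRK-0001", "pay_key": "AP-TESTKEY", "currency": "USD", "amount": "50.00"}
DETAILS = {
    "status": "INCOMPLETE", "payKey": "AP-TESTKEY", "trackingId": "TRK-0001",
    "currencyCode": "USD", "senderEmail": "backer@example.com",
    "paymentInfoList": {"paymentInfo": [
        {"receiver": {"email": OUR_EMAIL, "amount": "50.00", "primary": "true"}},
        {"receiver": {"email": "creator@example.com", "amount": "45.00", "primary": "false"}},
    ]},
}

if __name__ == "__main__":
    print(reconcile(STORED, DETAILS, set()))
```

The same function can be fed the payload of an IPN message once that message has been verified with PayPal, so both the return-URL path and the IPN path end in one decision point.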