Do I need SSL on my Web Server for use with PayPal IPN?

PayPal upgrades:

1) Changes to PayPal security for HTTP/1.1 and TLS 1.2
2) IPN Verification Postback to HTTPS

PayPal say their target for these is June 2018.

 

You may have seen an article from PayPal which talks about HTTP and TLS. This is a server issue
which is the responsibility of your web host. Essentially PayPal is upgrading all of its servers
to meet the latest standards, and your web server will need to operate in the same way.
Contact your host about this if you are unsure, although most servers will already
meet these standards.

 

The second update is using HTTPS for IPN verification.

PayPal says:

“If you are using PayPal’s instant Payment Notification (IPN) service, you will need to ensure
that HTTPS is used when posting the message back to PayPal for verification. HTTP PostBacks
will no longer be supported.”

“Merchants and partners use Instant Payment Notification (IPN) to receive notifications of
events related to PayPal transactions. The IPN message service requires that you acknowledge
receipt of these messages and validate them. This process includes posting the messages back
to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these
PostBacks. For increased security going forward, only HTTPS will be allowed for PostBacks to
PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal
to the merchant’s IPN listener.”

In practice this means that you need https on your web server to send https to PayPal, and
then you need to change the setup of your PHP-KeyCodes, PHP-eSeller or PHP-SecureArea
application to identify the URL of the site as https rather than http.

Note: if a customer tried to make a purchase it would still succeed, but your store would
not be notified of that fact, and your records will not reflect the sale properly. Nor
will the PHP application automatically send the information to the customer by email.

Refer to PayPal documentation:

https://www.paypal.com/au/webapps/mpp/ipn-verification-https

So do I need SSL on my Web Server when using PayPal IPN? Yes. Without it the PayPal PostBack will not work,
and SSL will give better security for your site.

WordPress Plugin for selling License Key Codes – PHP-KeyCodes

Hello and welcome fellow programmers.

A WordPress version of PHP-KeyCodes has just been released which has most of the functionality of the standalone PHP/MySQL application PHP-KeyCodes.

The plugin can be viewed and downloaded from the following link:

https://wordpress.org/plugins/withinweb-php-keycodes/

The plugin allows you to sell pre-configured license codes, pin numbers, mobile phone numbers or any other similar codes from your WordPress installation using a PayPal account.

Sell software license keys and pin numbers with a WordPress Plugin

WordPress PHP-KeyCodes is a WordPress Plugin to sell software license keys, product keys, serial keys, mobile phone codes and any other pre-generated license codes.

The plugin is available from here:

WordPress PHP-KeyCodes

It is similar to the stand alone application PHP-KeyCodes which is described on:

https://www.withinweb.com/phpkeycodes/

If you are a software developer, then using license keys is a way to ensure that your products are safe and secure.  You use this application to automatically distribute the codes after payment from PayPal.

The pin numbers are listed in the database one entry per line.  When a purchase is made, PayPal sends an IPN notification to the plugin which then extracts the first pin number, sends it to the purchaser and then removes that pin number from the list.

The email sent to the purchaser contains the pin number or key code, and you will receive a copy of the email.

The sales history listing also identifies which pin number has been sold to the purchaser.

A local test system is included which allows you to test without connecting to PayPal.

Setting a value in the Lower Limit entry box causes an email to be sent to the administrator when the minimum number of key codes has been reached.

The system has a high level of security in that the license key code will not be sent out until the correct PayPal return code is received with the correct purchase values.  The system checks that the database value is the same as the amount that has been spent, and the currency code is the correct value.  This ensures that any alteration to the button code will not work.
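The checks described above can be sketched as follows. This is an added example, not the PHP-KeyCodes source: the field names are PayPal IPN variables, the product row and the list of processed transaction ids are constructed stand-ins for the database, and the receiver and duplicate checks are extra checks assumed here.

```php
<?php
// Added example, not the plugin's code. $product and $seenTxnIds stand in
// for rows the application would read from its own database.

function to_minor_units(string $amount): ?int
{
    // Accept only plain decimals such as "9.99"; reject "1e3", "-1", "9.99x".
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $amount, $m)) {
        return null;
    }
    return (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
}

function check_ipn(array $ipn, array $product, array $seenTxnIds): array
{
    $errors = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        // e-checks arrive as Pending first: do not release a code yet.
        $errors[] = 'status:' . ($ipn['payment_status'] ?? 'missing')
                  . '/' . ($ipn['pending_reason'] ?? '-');
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $product['receiver_email']) !== 0) {
        $errors[] = 'receiver';          // payment went to another account
    }
    if (($ipn['mc_currency'] ?? '') !== $product['currency']) {
        $errors[] = 'currency';          // e.g. 9.99 paid in a cheaper currency
    }
    $paid = to_minor_units($ipn['mc_gross'] ?? '');
    if ($paid === null || $paid !== to_minor_units($product['price'])) {
        $errors[] = 'amount';            // button code was altered
    }
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || in_array($txn, $seenTxnIds, true)) {
        $errors[] = 'duplicate';         // replayed or resent notification
    }
    return $errors;                      // empty array: the key code may be sent
}

// Constructed sample data.
$product = ['price' => '9.99', 'currency' => 'GBP', 'receiver_email' => 'admin@example.com'];
$good = ['payment_status' => 'Completed', 'receiver_email' => 'admin@example.com',
         'mc_gross' => '9.99', 'mc_currency' => 'GBP', 'txn_id' => 'TXN-EXAMPLE-1'];
$cases = ['good' => $good,
          'altered button' => ['mc_gross' => '0.01'] + $good,
          'e-check' => ['payment_status' => 'Pending', 'pending_reason' => 'echeck'] + $good];
foreach ($cases as $label => $ipn) {
    echo $label, ': ', implode(',', check_ipn($ipn, $product, ['TXN-OLD'])) ?: 'ok', "\n";
}
```

Run these checks only after PayPal has answered the verification postback with VERIFIED, and record the txn_id once the key code has been sent.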

The html code for the PayPal buy now buttons can be easily placed on your WordPress pages.

Installation

The installation into WordPress is the same as for any plugin, as is the procedure for upgrades, which ensures the plugin is kept up to date.

WordPress PHP-KeyCodes

PHP-KeyCodes now has free button facility

PHP-KeyCodes is used to sell software license key codes or pin numbers after payment from PayPal. It is a PHP script which you can purchase from the withinweb.com web site. PayPal buttons are generated by the PHP script which can be added on to your website on any page allowing you to integrate the buttons into existing web pages.

PHP-KeyCodes now has a feature that allows you to send a code to a customer without them making a payment.

The customer enters their email address and the next key code is sent.

You then have a list of customers in your database which you can extract and use for marketing purposes.

For a full description of PHP-KeyCodes refer to:

http://www.withinweb.com/phpkeycodes

Sell key codes from your web site

The advantage with PHP-KeyCodes is that you do not have to use third party companies to manage your sales.  You can purchase this PHP script and install it on your own web site so that all your key codes and license codes are always under your control.  The PHP script uses PayPal IPN to make sure that the customer does not get hold of a license code unless they have made a valid and complete purchase.

The PHP script is able to manage all situations that can occur with PayPal purchases, such as buying with an e-check.

How to sell serial license keys for digital goods using PHP-KeyCodes

If you sell digital products online such as software programs, games, phone PIN numbers and so on, then PHP-KeyCodes can be a useful application to install on your web site. It requires a web server running PHP and access to a MySQL database. It is easy to install with a one page install script and upload of files to your server.

PHP-KeyCodes is not just limited to distributing software license keys; you can also use it to distribute any kind of unique key code to a customer. This could be pin numbers for mobile phone applications, TV activation systems and serial key codes for any system where there is a list of pre-generated license key codes.

If you have a requirement to sell license codes online then this is a better method than using someone else’s web site as you do not have to pay them any fees.

Using a license system for your software program helps to prevent fraud and allows you to send free trial versions to customers. The key codes are loaded into the PHP-KeyCodes web site administration interface so that they are automatically sent whenever there is a purchase using PayPal.

The system will also send you an email when it is getting low on license keys.

The usual way to use PHP-KeyCodes is to enter the codes into the admin area so that the next code in the list is taken and sent when there is a purchase.

The PHP script has been written in such a way as to allow you to modify the program to cover other situations. So for example you may have codes in a text file that you want to upload to the server. You could modify the code to use such a text file. You could even have code that generates a key code depending on the user name or email address.

If you have particular requirements, then we would be willing to customize the code for you.

For more information: PHP-KeyCodes

http://www.withinweb.com/phpkeycodes/

Setting up email for use with PHP applications

If your web application requires emails to be sent out from your web server for such things as sending download information, login information and so on, then you will need to set up some email accounts on your hosting system. This is particularly true for an application such as PHP-eSeller where it is important for the emails to be sent out correctly and reach their destination without ending up in the spam folder.

Log into your hosting account where you set up your databases and administer your web hosting. Normally this will be using cpanel which will look something like this:

You should see a section identified as “Mail”.

You need to set up an email account, so click on the link for “Email accounts” which will take you to a display where you create an account with a user name and password for your domain.

Enter an email account name. For my applications I normally create an admin account so this will become admin@myservername.com. You also need to enter a password, which you should keep a record of.

Now that you have created your account, your hosting will provide you with a link to a web mail client where you can login and then see your emails. You may want to send a test email to your account from hotmail or yahoo just to see how it works.

Now that you have an email account set up, you can use this in your PHP applications.

There is one other step that you may want to do, and that is to redirect this email to one of your other accounts. This will mean that when someone emails admin@yourservername.com, it will appear in your hotmail or yahoo account.

To do this, in cpanel under the “Mail” section, click on the link called “Forwarders”. Click on the button called “Add Forwarders” which will take you to a page that will look something like:

Update to PayPal IPN

In Sept 2016 PayPal are changing their requirement for posting IPN messages back to PayPal for verification.

They are making the post URL https. My current versions of scripts already post to https so there should not be any change required, however, they also suggest that https://ipnpb.paypal.com/cgi-bin/webscr should be used in the future rather than https://www.paypal.com/cgi-bin/webscr.

Change:

https://www.paypal.com/cgi-bin/webscr

to

https://ipnpb.paypal.com/cgi-bin/webscr
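The verification postback to this endpoint, over HTTPS with HTTP/1.1 and TLS 1.2 as the PayPal notices above require, can be sketched as follows. This is an added example, not code from the withinweb scripts: the function names are hypothetical, and cmd=_notify-validate with the VERIFIED / INVALID replies is PayPal's IPN protocol.

```php
<?php
// Added example. The endpoint is the one named above; the helper names are
// hypothetical and the sample notification body is constructed.
const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

function ipn_postback_body(string $rawPost): string
{
    // Send the notification back exactly as received, prefixed with the
    // validate command. Rebuilding it from $_POST can change the encoding
    // and make PayPal answer INVALID.
    return 'cmd=_notify-validate&' . $rawPost;
}

function curl_postback(string $body): string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2, // TLS 1.2 or later on current libcurl
        CURLOPT_SSL_VERIFYPEER => true,  // keep on: this proves the reply is PayPal's
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    if ($reply === false) {
        throw new RuntimeException('IPN postback failed: ' . curl_error($ch));
    }
    return trim($reply);
}

function ipn_is_verified(string $rawPost, ?callable $postback = null): bool
{
    $postback ??= 'curl_postback';
    // Only the exact reply VERIFIED counts; INVALID, empty or error pages fail.
    return $postback(ipn_postback_body($rawPost)) === 'VERIFIED';
}

// In a listener: $raw = file_get_contents('php://input');
// Constructed body and stub transports so the example runs without a network.
$raw = 'txn_id=TXN-EXAMPLE-1&payment_status=Completed&mc_gross=9.99&mc_currency=GBP';
var_dump(ipn_is_verified($raw, fn(string $b): string => 'VERIFIED')); // bool(true)
var_dump(ipn_is_verified($raw, fn(string $b): string => 'INVALID'));  // bool(false)
```

If the postback fails with a certificate or protocol error, the fix is to update the server's CA bundle or TLS library through the web host, not to turn certificate verification off.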

PayPal upgrade to Certificate which may affect IPN based programs and scripts

There appears to be quite a bit of chat about the changes that PayPal are making to their system to allow SHA-256 during September 2015. This is to do with improving the SSL (Secure Socket Layer) security and is used over https systems.

A part of their message is:

“PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.”

PayPal IPN can be used over non SSL, that is using http – that is why many developers like it because it does not need SSL certificates on their web servers which can be expensive especially if you are a small trader. You don’t really want to have to purchase certificates if you are selling a small number of items.

So the kind of systems that are affected are those that use https and which use PayPal API to provide secure connections from your server to the PayPal server.

IPN over plain http will be supported as it currently is, so you will still be able to supply a plain http link to your IPN listener script. However if your IPN listener script is SSL/TLS enabled it will have to be SHA-256 compliant and your listening server will need to be able to accept SHA-256 certificates.

So do the changes affect the scripts on www.Withinweb.com that use IPN? Well the answer to that is NO, it does not affect the scripts at all.

PHP-eSeller, PHP-SecureArea and PHP-KeyCodes use a simple method of handshake with PayPal to verify that the transaction has taken place and hence no modifications are needed to the applications.

Using different currencies in PayPal

What currency should you sell your products in?

PayPal is able to handle quite a wide range of currencies and you have to decide which currency you should sell your products in.

I guess the question really is “are you selling to the world or are you expecting payments from customers who are based in your locality?”  This will depend on the type of products you are selling.  Digital products have the advantage that you have no shipping to worry about so you can choose whatever currency you want.

The only issue that I have discovered with selling in different currencies is to do with the set up of your associated PayPal account. If your ‘native’ PayPal currency is GBP and you want to sell in Euros, you have to tell PayPal to automatically accept ‘foreign’ currency transactions (the default is to ask).  If you do not do this and you receive a purchase through your shopping cart you will receive an email saying something like “PayPal purchase verified and order is waiting to be processed” with body text of: “Unknown pending reason was received.”

Telling PayPal to accept all currencies and convert them to GBP resolves the issue.