Paid cart no longer matches database cart once they've actually paid

So you blindly ship goods without checking the actual amount received? If not, I don't see how that's a problem.

IPN provides custom fields for you to pass whatever info you need and I've found it perfectly flexible enough for my needs.

[edited by: FalseDawn at 2:57 am (utc) on Nov. 27, 2006]

So you blindly ship goods without checking the actual amount received?

Ahem. The whole point of my post is that I *am* trying to check the price paid for each item, but that's kind of hard to do when PayPal doesn't return that data to me.

Passing data through the custom fields is useless from a security standpoint, as it's easily faked. I want PayPal to pass me back what was *actually* paid for each individual item. Can PayPal do that? I hope I'm missing something, because otherwise it looks like it can't. Maybe I should check out Google Payments....

Passing data through the custom fields is useless from a security standpoint, as it's easily faked

Actually it's not if you are doing it properly and using the notify-validate parameter.

Could I ask you to be a little less cryptic? Exactly what are you talking about? From what I understand notify-validate simply tells me that an order was actually paid for at PayPal. It does not verify that the amount paid for the item is the amount that was supposed to be paid. And anyone can easily fake the value of the cutom variable by passing their own form to PayPal, unless you know something I don't.

Again, my issue is that I'm trying to find a way to verify from PayPal that the price paid for an item was the price that should have been paid.

[edited by: lorax at 3:55 pm (utc) on Nov. 27, 2006]
[edit reason] removed commentary [/edit]

Okay, it looks like PayPal *will* return the price for each item via IPN, using the "mc_gross_X" variable, with X being the individual item number. That's definitely not obvious, since the variable isn't named with something more helpful (like, oh, say, "PRICE"), and the "mc" part means that it's for PayPal's "multiple currencies" scheme for foreign payments, whatever that is. I'm accepting orders from the U.S. only and in U.S. dollars only, but the "mc_gross_" variable still seems to work for me.

My next problem is that I don't see that PayPal returns the SHIPPING cost back to the server via IPN. Well, it returns the cost if you're charging separate shipping on each item, but if your shipping is cart-wide, I don't see a way to get the shipping cost. My workaround is to pass the shipping info through the hidden "custom" variable.

Isn't it in the mc_shipping variable?

The PayPal Integration Center has an IPN/PDT Variable Reference page that might help you locate all of the available fields passed back with your payment notification.

Their docs aren't at all clear as to whether the variable works in my case, or even what the exact format of the variable is. (mc_shipping# ... is # some sort of wild card?)

Anyway, I just tested it by getting the values for the following, since I wasn't sure which, of any to use:

$ship1 = $variable{'mc_shipping'};
$ship2 = $variable{'mc_shipping#'};
$ship3 = $variable{'mc_shipping1'};
$ship4 = $variable{'mc_shipping_'};
$ship5 = $variable{'mc_shipping_1'};

The actual shipping for the order was $5.

Variables $ship1 & $ship3 reported "0.00".

Variables $ship2, $ship4, & $ship5 were empty.

None of them reported the proper 5.00 shipping.

PayPal scrapes.