The How To for the Instant Payment Notification (IPN) says:
Use the transaction ID to verify that the transaction has not already been processed, which prevents duplicate transactions from being processed.
Validate that the receiver’s email address is registered to you.
Verify that the price, item description, and so on, match the transaction on your website.
I ran into the first of the mentioned aspects. I was wondering about duplicates in the simple_payment table.
The module should also verify the second point. The last one depends IMHO on the module implementing the simple payments API.
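As an added example of the three checks quoted from the how-to (this is not code from the simple_payments module or from any of the patches in this issue): a PHP 7 function that takes an IPN already echoed back to PayPal and answered VERIFIED, plus the receiver, amount and currency the site recorded when it created the payment, rejects a wrong receiver or amount, and relies on a UNIQUE index on transaction_id so that a replayed IPN cannot produce a second row. The table layout, the function names, the return codes and the sample IPN are assumptions; it uses an in-memory SQLite database through PDO so it runs offline with only the pdo_sqlite extension.

```php
<?php
// Added example, not code from the simple_payments module or its patches.
// Requires PHP 7.1+ with pdo_sqlite; runs offline. Table and column names,
// function names and the $expected structure are assumptions.

function ipn_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE on transaction_id lets the database enforce "processed once".
    // A SELECT-then-INSERT check alone can race when PayPal retries an IPN
    // before the first copy has committed.
    $db->exec('CREATE TABLE simple_payment (
        id             INTEGER PRIMARY KEY AUTOINCREMENT,
        transaction_id TEXT NOT NULL UNIQUE,
        receiver_email TEXT NOT NULL,
        amount         TEXT NOT NULL,
        currency       TEXT NOT NULL,
        status         TEXT NOT NULL
    )');
    return $db;
}

/**
 * Apply the three checks from PayPal's IPN how-to to an IPN that has already
 * been echoed back to PayPal and answered "VERIFIED", then store it.
 *
 * $expected holds what the site itself recorded when it set up the payment
 * (receiver_email, amount, currency). It is supplied by the calling module,
 * never read from the IPN, so a forged notification cannot satisfy itself.
 *
 * Returns 'stored', 'duplicate', 'missing_txn_id', 'wrong_receiver' or 'wrong_amount'.
 */
function ipn_process(PDO $db, array $ipn, array $expected): string
{
    $txnId = $ipn['txn_id'] ?? '';
    if ($txnId === '') {
        return 'missing_txn_id';
    }

    // Check 2: the money must have gone to an account that is ours.
    // PayPal may change the case of the address, so compare case-insensitively.
    if (strcasecmp($ipn['receiver_email'] ?? '', $expected['receiver_email']) !== 0) {
        return 'wrong_receiver';
    }

    // Check 3: gross amount and currency must match what the site charged.
    // Normalise to two decimals so "10.0" and "10.00" agree and "9.99" does not.
    $got  = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
    $want = number_format((float) $expected['amount'], 2, '.', '');
    if ($got !== $want || ($ipn['mc_currency'] ?? '') !== $expected['currency']) {
        return 'wrong_amount';
    }

    // Check 1: the transaction must not have been processed before. Instead of
    // looking it up first, insert and let the UNIQUE constraint reject a replay.
    $stmt = $db->prepare(
        'INSERT INTO simple_payment (transaction_id, receiver_email, amount, currency, status)
         VALUES (:txn, :rcv, :amt, :cur, :st)'
    );
    try {
        $stmt->execute([
            ':txn' => $txnId,
            ':rcv' => $ipn['receiver_email'],
            ':amt' => $got,
            ':cur' => $ipn['mc_currency'],
            ':st'  => $ipn['payment_status'] ?? '',
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000: integrity constraint violation, i.e. transaction_id exists.
        if ($e->getCode() === '23000') {
            return 'duplicate';
        }
        throw $e;
    }
    return 'stored';
}

// Constructed sample data (not a real PayPal transaction): the same IPN delivered
// twice, then a notification paying someone else, then one with the wrong amount.
$db   = ipn_db();
$site = ['receiver_email' => 'seller@example.com', 'amount' => '10.00', 'currency' => 'EUR'];
$ipn  = [
    'txn_id'         => 'TXN-EXAMPLE-0001',
    'receiver_email' => 'Seller@Example.com',
    'mc_gross'       => '10.0',
    'mc_currency'    => 'EUR',
    'payment_status' => 'Completed',
];

echo ipn_process($db, $ipn, $site), "\n";
echo ipn_process($db, $ipn, $site), "\n";
echo ipn_process($db, ['receiver_email' => 'other@example.com'] + $ipn, $site), "\n";
echo ipn_process($db, ['txn_id' => 'TXN-EXAMPLE-0002', 'mc_gross' => '0.01'] + $ipn, $site), "\n";
```

Two design points worth noting. The expected receiver and amount come from the caller rather than from a global setting, which is the division of responsibility argued for later in this thread (#8): the module that chose to use the default account is the one that knows what should have been paid to whom. And the duplicate check is insert-then-catch rather than select-then-insert, because PayPal resends IPNs it has not had acknowledged; two copies arriving close together would both pass a lookup that runs before either has committed, while the UNIQUE constraint admits exactly one.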
| Comment | File | Size | Author |
|---|---|---|---|
| #8 | no-duplicates.patch | 7.64 KB | jbrown |
| #6 | simple_payments-875910-5.patch | 7.38 KB | osopolar |
| #2 | simple_payments-transaction_id-paypal-875910-2.patch | 4.17 KB | osopolar |
| #1 | simple_payments-transaction_id-paypal-875910-1.patch | 3.68 KB | osopolar |
Comments
Comment #1
osopolar commented
I've prepared a patch whose code adds the transaction_id column to the simple_payment table and looks for an existing transaction before storing the PayPal transaction. It also checks the receiver_email as suggested by the PayPal how-to.
Comment #2
osopolar commented
FIX: wrong watchdog message for the receiver_email check.
Comment #3
osopolar commented
BTW: It's not necessary, but I recommend applying the patch in #848228: Problem in drupal_write_record.
Comment #4
jbrown commented
I think the detection of duplicate transactions should occur in simple_payments_payment_received().
I don't think it is correct to validate the email address automatically.
You could have a site where various people can be paid, but you still want the IPN. That is why $vars['business'] can be customized.
Maybe there should be a helper function?
Comment #5
osopolar commented
I applied the suggestions in #4. The patch now has the general check for duplicates in simple_payments_payment_received(), and it extends the email validation. If $vars['business'] is customized by some module, the same module may implement hook_simple_payments_paypal_verify_receiver_email. If this hook is implemented, it will be used. Otherwise the account email may be validated against the one set in settings. If no validation of the account email set in settings is desired, it can be disabled in the PayPal settings form.
BTW: Maybe the module or the submodule needs a readme.txt containing all the instructions.
Comment #6
osopolar commented
Patch for #5 attached.
Comment #7
osopolar commented
I would like to see someone review this. This is somehow critical for all users using PayPal, because otherwise simple payment will mess up your payments table with duplicate entries.
Comment #8
jbrown commented
The receiver validation isn't related to this issue. Also, there should not be an admin setting for it. It is the modules that are using simple_payments that decide to use the default account, so it is the modules that should check the payee reference if required. There can be a helper function for this.
Comment #9
jbrown commented
http://drupal.org/cvs?commit=454916
Comment #10
osopolar commented
Anyway, are you interested in this?