Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Does anyone have experience selling eDownloads?

  • #23467
    mikes
    Member

    I have a potential client that wants to sell downloads directly off his site without using a 3rd party (other than the processor – PayPal).

    What he describes is:

    1. Customer clicks PayPal button on his site.
    2. Customer is sent to PayPal to complete the transaction.
    3. PayPal sends a response back to his server (I’m not sure how this is accomplished or detected).
    4. His system verifies the response from PayPal that the transaction was completed and emails the customer with a download link.
    5. The customer clicks on the link and downloads the software.

    There is a similar scenario in osCommerce where PayPal redirects the customer to a specified page upon completion of the transaction and that page "assumes" the transaction was complete because the customer was sent there. A savvy customer could simply go to PayPal, not complete the transaction and manually browse to the completion page, thus fooling the software into giving him access to the download for free. I would like to prevent that. :)

    Also, I don’t know how to enable/disable download areas and handle the download links programmatically.

    I realize that this is pretty far out of the realm of CSS Discussions, even for the "Other Discussions" forum, but I was hoping someone could point me to a source that might help?

    I know of 3rd party sites that will do exactly what he wants and for a very modest fee but he wants it done locally and I’m kind of excited about learning how to do it myself. :)

    I emailed PayPal and 24+ hours later received a canned reply with no relevance whatsoever. <sigh> I’ve emailed them again but my expectations are not high.

    Any ideas or suggestions would be greatly appreciated!

    #50840
    lowell
    Member
    "mikes" wrote:
    A savvy customer could simply go to PayPal, not complete the transaction and manually browse to the completion page, thus fooling the software into giving him access to the download for free. I would like to prevent that.

    Also, I don’t know how to enable/disable download areas and handle the download links programmatically.

    assuming you're using rails, a before_filter in your controller easily prevents this. easily, as in, a single line.
    docs are at: http://api.rubyonrails.org/classes/Acti … thods.html

    and as for paypal, there are a few gems out there for payment systems.. a paypal-specific one is doc’d here => http://dist.leetsoft.com/api/paypal/. i googled around and found another paypal-specific one => http://rubyforge.org/projects/vpaypal

    as you can tell, these are resources you may find useful if you use rails.

    if you are using a more common language, like php, there will be much, much more out there. this might help you: you don’t have any direction. decide on a language. then decide on a framework. this is important because it isn’t necessary to reinvent the wheel every time you build an app (i.e., user authentication etc). the only php framework i’ve seen in action on the dev side and played with is cake, which i like (it was cloned from rails, go figure), i’m sure there are tons of other options. now, find a framework that will allow you to get down to business quickly and that will take care of the non-business end of things on its own temporarily. then for the business end, sign up as a paypal dev and log in. i just did and there’s more than enough info there to guide you; you have to know what you want – and for that, you have to know what you’re going to do.

    #50851
    LonChaney
    Member

    Hi Mikes, are there no contribs for the download features you are looking for (Super Download Shop, Download Controller, etc)? I thought osC had a lot of this functionality built in (and fixed the security issues too) but I’ve never built a download cart so I’m not sure. A few of my friends would like to sell their music online too and have asked for my help so I’ll be interested in what you find out.

    #50858
    mikes
    Member

    Since posting the question I’ve done more research. The problem described (where users can download the software w/o payout by redirecting their browser) is endemic to all pay systems that do not send a specific response (not just an email) verifying payment. PayPal has multiple pay systems. Some offer this type of confirmation. Others simply return the customer to a specified page where that page then *assumes* that they completed the checkout process.

    osCommerce has various PayPal modules for each of the PayPal payment methods. By using a different module, osCommerce can be made secure against un-paid downloads. Actually, the problem isn’t limited to downloads. It applies to any purchase. But an order for a physical product can have payment manually verified against the email confirmation whereas the download happens instantaneously.

    By using the proper module, I was able to secure osCommerce against this vulnerability but I’m still trying to adapt the module I used to work in a standalone situation. I want to set it up to be contained in a single button to sell a single product. There are many solutions on the market designed specifically for this but every one I looked at suffers from the same vulnerability.

    Now that I have a module that is secure, though, I should be able to finish adapting it to do what I need.

    #50909
    mikes
    Member

    Followup:

    Here is a link I just found that appears to lead to a solution:

    http://www.softcoded.com/paypal/secure_paypal_ipn.php

    1. Customer clicks a "buy now" button on your site.
    2. Customer is sent to PayPal to complete transaction.
    3. Customer is returned to your site for a "thank you" message.
    4. PayPal sends a message to your site (http not email) once payment is processed (delayed for echecks).
    5. Your site programmatically intercepts the message and verifies that it originates at PayPal.
    6. Your site queries PayPal for verification.
    7. PayPal responds to your query and returns status.
    8. If verified, your site sends an email to the customer with a download link.

    If status shows verification, you know that the customer completed the transaction and for what amount. You also know that payment was processed and is in your account. I do not believe that this method can be spoofed or altered without detection. Everything is completely automated and does not require any intervention.
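
An added example, not part of the original thread and not PayPal or osCommerce code, of steps 5 to 8 above in Ruby: the site posts the message back to PayPal, checks its content against the sale, and only then issues a download link. It goes one step beyond the list by making that link an expiring HMAC-signed token, which covers the first post's question about handling download links. The seller address, price, key, sample message and function names are constructed, and `postback` is a stand-in for the HTTPS POST to PayPal.

```ruby
require 'openssl'
require 'set'
require 'uri'

# All values below are constructed for illustration.
SELLER_EMAIL = 'seller@example.com'
PRICE        = ['19.00', 'USD'].freeze
LINK_KEY     = 'constructed-demo-key' # hypothetical; keep the real key in secret storage
SEEN_TXNS    = Set.new                # stand-in for a DB table with a unique txn_id index
SAMPLE_IPN   = 'payment_status=Completed&receiver_email=seller%40example.com' \
               '&mc_gross=19.00&mc_currency=USD&txn_id=CONSTRUCTEDTXN0001'

# Returns a download token, or a symbol saying why none was issued.
# `postback` sends its argument to PayPal over HTTPS and returns the reply body;
# it is injected here so the example runs without network access.
def handle_ipn(raw_body, postback, now = Time.now.to_i)
  # Steps 6-7: echo the message back unchanged, prefixed with cmd=_notify-validate.
  reply = postback.call("cmd=_notify-validate&#{raw_body}")
  return :rejected_unverified unless reply.to_s.strip == 'VERIFIED'

  ipn = URI.decode_www_form(raw_body).to_h
  # VERIFIED only means PayPal sent it; the content still has to match the sale.
  return :ignored_not_completed   unless ipn['payment_status'] == 'Completed'
  return :rejected_wrong_receiver unless ipn['receiver_email'].to_s.downcase == SELLER_EMAIL
  return :rejected_wrong_amount   unless [ipn['mc_gross'], ipn['mc_currency']] == PRICE
  # Record the transaction last, so a Pending eCheck can still complete later.
  return :ignored_duplicate       unless SEEN_TXNS.add?(ipn['txn_id'])

  download_token(ipn['txn_id'], now + 86_400) # step 8: link valid for 24 hours
end

def sign(txn_id, expires)
  OpenSSL::HMAC.hexdigest('SHA256', LINK_KEY, "#{txn_id}|#{expires}")
end

def download_token(txn_id, expires)
  "#{txn_id}.#{expires}.#{sign(txn_id, expires)}"
end

# The download script calls this before streaming the file.
def token_valid?(token, now = Time.now.to_i)
  txn_id, expires, mac = token.to_s.split('.', 3)
  return false unless txn_id && expires && mac

  OpenSSL.secure_compare(sign(txn_id, expires), mac) && expires.to_i > now
end
```

The "thank you" page in step 3 never calls `handle_ipn`, so browsing to it directly yields no token.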
