PayPal PDT: refreshing the browser after payment causes the item to be purchased twice
I have implemented PayPal payments using PDT. I realize a combination of PDT and IPN is recommended, however for my purposes PDT is sufficient.
I am able to direct user to PayPal, collect payment and then conduct an action (updating account credits for the user in the database) when the user returns to my site. The URL shows an address like:
http://www.domain.com/process_pdt?tx=45138128VH922173V&st=Completed&amt=1.99&cc=USD&cm=&item_number=
So far so good. The problem I have is refreshing the browser with this URL causes the user's account to get credited again without redirecting the user to PayPal to collect payment a second time.
I have read that I should add the transaction id (tx in URL above) to the user table and check to ensure this tx id has not already been used. If it has, I should display an error message. Is this the only way to go about this, i.e. by storing each tx id in the user table and then checking for the id's existence each time the process_pdt URL above is called by the user (legitimately or fraudulently)?
Ah, yes: this is indeed the only way to go. As a simple sanity check you may want to do a redirect from the process page to a URL that does not include the txn_id (that way a casual refresh won't cause the problem, but if they use their back button it will still happen) but you must verify that the txn_id is only used once yourself.
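
The single-use check described in the answer above, as an added example that is not code from the original posts: the tx id is recorded under a uniqueness constraint in the same database transaction that credits the account, so a refresh, a back-button replay or two concurrent requests credit only once. The table names, function names and redirect path are assumptions, and the tx value and amount are assumed to have been confirmed with PayPal before the call.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, credits_cents INTEGER NOT NULL DEFAULT 0);
CREATE TABLE paypal_tx (
    tx TEXT PRIMARY KEY,             -- uniqueness is enforced by the database
    user_id INTEGER NOT NULL REFERENCES users(id),
    amount_cents INTEGER NOT NULL
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO users (id) VALUES (1)")  # constructed sample user
    conn.commit()
    return conn

def credit_once(conn, user_id, tx, amount_cents):
    """Credit the account only the first time a tx id is seen; True if credited."""
    try:
        with conn:  # one transaction: commit on success, roll back on error
            # Insert first: the PRIMARY KEY rejects a replayed tx id even when
            # two requests race, which a SELECT-then-INSERT check would not.
            conn.execute(
                "INSERT INTO paypal_tx (tx, user_id, amount_cents) VALUES (?, ?, ?)",
                (tx, user_id, amount_cents),
            )
            conn.execute(
                "UPDATE users SET credits_cents = credits_cents + ? WHERE id = ?",
                (amount_cents, user_id),
            )
        return True
    except sqlite3.IntegrityError:
        return False

def balance(conn, user_id):
    return conn.execute("SELECT credits_cents FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def handle_return(conn, user_id, tx, amount_cents):
    """Return (HTTP status, redirect path or error text) for the process_pdt URL."""
    if credit_once(conn, user_id, tx, amount_cents):
        return 303, "/payment/complete"  # hypothetical URL that carries no tx
    return 409, "transaction already processed"
```
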