Redirect to Paypal after a successful payment and receiving payment info: how to change the method?

We connected PayPal for payments. After a successful payment, after 10 seconds there is a redirect to our website with a generated GET request, which, on the basis of the received data, already adds the corresponding entry to our database.

Is this correct? Because now two problems arise:
1) If the person does not wait 10 seconds and immediately closes the PayPal payment page, he will not return to our success.html and we do not get the confirmation (which is formed on the basis of visiting success.html with the parameters that PayPal already gives, incl. status=completed).

2) You can add any entry to the database on the basis of this GET request, which is a blatant hole. If someone finds the loophole, he can easily fill the database with millions of records or do something nasty. Is it possible to change the method to POST, or to get the confirmation in some other, safe way?

Tell me, dear developers, how to do it better. Thank you in advance!
July 8th 19 at 11:37
2 answers
July 8th 19 at 11:39
1) Actually, there is a Callback URL.
Read the documentation carefully; there is also the API key there, for strictness.
In addition, you can query PayPal about the transaction via the API.

2) Well, in any web application that is possible, but somehow people live with it.
How is it done now? (If I reload success.html?foo=bar&... 10 times, my system gets 10 entries + 10 confirmation e-mails, for free?) - Carlee_Daugherty39 commented on July 8th 19 at 11:42
So if the account allows it, why not? - Juanita17 commented on July 8th 19 at 11:45
: I do not understand. I make 1 payment. Then PayPal redirects me to my website, to the page with the parameters: success.html?foo=bar&... The question is, what if I save this address and call it 100 times - the same number of payment confirmations will be added to OUR database. That is how it works now. If you wish, you can also change the data however you want and voila - you bought something without paying, and the proof of that exists (at least partially). - Carlee_Daugherty39 commented on July 8th 19 at 11:48
I am saying - if it gets added to the database when you have to pay, then pay )
Or rather than paying, hire someone familiar with CSRF protection, or at least with the concept - Juanita17 commented on July 8th 19 at 11:51
July 8th 19 at 11:41
Any modern payment system works like this:
- the client on the website wants to pay for something
- the website forms an order with a unique number, recording who pays, for what, and how much
- the client goes to the payment system's website with the order number and the price
- if the customer has paid for the order, the payment system returns him to the site, but this does NOT MATTER, because some payments may take an hour to get from the client to the payment system (although for PP this may not be true)
- when the PS has made sure that the customer paid for the order, it calls a script on our site, informing it that order number so-and-so has been paid for such-and-such an amount. There may be a preliminary confirmation that the order really costs that much - only under this condition will anything be taken from the customer at all. But in any case, the site must get the information that the order was paid for not from the user's browser (the big hole), but from the PS server
- when the client comes to the website after that, the site already knows that the customer has paid for the order, and acts accordingly

Any other "quick buttons" or homegrown scheme - it is not serious and quite possibly vulnerable to freeloaders.
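As an added example (not from the answer's author), here is the flow above in Python: a constructed "vulnerable" success-page handler that trusts the browser's GET, next to a server-to-server notification handler that re-verifies the message with the provider, checks the notified amount against the stored order, and ignores replays. The `verify_with_provider` callable, `fake_provider_verify` and the token it checks are stand-ins for the real PayPal verification call, and the order store is a constructed sample.

```python
from dataclasses import dataclass
from decimal import Decimal
from urllib.parse import parse_qs

@dataclass
class Order:
    order_id: str
    amount: Decimal
    currency: str
    paid: bool = False
    emails_sent: int = 0

def make_store():
    # Constructed stand-in for the orders table in the database.
    return {"1001": Order("1001", Decimal("49.90"), "USD")}

def vulnerable_success_page(store, query_string):
    # The scheme from the question: the GET parameters the browser brings decide
    # that an order is paid; anyone holding the URL can replay or edit it.
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    order = store[params["order_id"]]
    if params.get("status") == "completed":
        order.paid = True
        order.emails_sent += 1  # every replay sends another e-mail
    return order.emails_sent

def handle_payment_notification(store, params, verify_with_provider):
    # Server-to-server callback handler (the answer's flow). verify_with_provider
    # stands in for asking the payment system whether the message is genuine.
    if not verify_with_provider(params):
        return "rejected: not verified by provider"
    order = store.get(params.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    if params.get("status") != "completed":
        return "ignored: payment not completed"
    # The notified amount must match what the site stored for the order.
    if (Decimal(params.get("amount", "0")) != order.amount
            or params.get("currency") != order.currency):
        return "rejected: amount mismatch"
    if order.paid:
        return "duplicate: already processed"  # replays change nothing
    order.paid = True
    order.emails_sent += 1
    return "ok: order marked paid"

def fake_provider_verify(params):
    # Constructed stand-in: vouches only for messages carrying this token.
    return params.get("token") == "constructed-genuine-token"
```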
