Half of this is just me venting so bear with me...
First of all, the PayPal documentation is a joke. The manual page for IPN...
Directs you to this pdf...
Which is nothing more than a redirect to this pdf...
Then instead of going to the manual page, go to the technical documentation page...
Then at the bottom of that it says:
"For a complete list of all IPN variables and detailed instructions on how to use Instant Payment Notification, please refer to the Website Payments Standard Integration Guide" which is a link to this pdf instead:
The IPN section in that doc then simply references another doc, "Order Management Integration Guide", which by title is the same doc that you eventually get to with the "manual" page. But guess what, it goes to a different link, which then does another redirect to here:
Are you kidding me? This creates a real problem for me. I'm not the type of developer that just codes something until it works. Sometimes that's ok, but when we're talking about securing real money, there's not much I'm willing to leave to chance and I need to know the "why" to every line of code.
That said (yes finally :) ), I'm at a sticking point. The first document gives you the option of "shared secret" vs "post back" for IPN validation. Shared secret was the easy choice for me as a simple salted hash gave me a perfect secret that I can generate per order, plus the documentation made it sound like the preferred method.
But then on another obscure page...
"PayPal then sends confirmation back to your server with a single word, "VERIFIED" or "INVALID", in the body of the response. Your IPN script should then post back a 200 OK response to prevent additional attempts by PayPal to post your transaction data. If PayPal does not receive the 200 OK response from your server, PayPal will resend the notification for up to four days."
This makes it sound as though I must do the post otherwise I will continue to get IPNs.
In the end, it's not a huge deal for me to just do the post to be safe, but I was hoping that somebody might be able to offer some real clarification to PayPal's pile of garbage documentation. If not, I'd say go with Google Checkout instead :P.
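The per-order shared-secret check described in the post, as an added example that is not part of the original post and not PayPal's code. It uses an HMAC in place of the post's salted hash and answers 200 to every notification; the assumptions are that the token travels in the IPN `custom` variable, that the merchant formats the amount exactly as it comes back in `mc_gross`, and that `SERVER_KEY`, `order_token` and `handle_ipn` are hypothetical names.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Assumption: a server-side key that never leaves the merchant's server.
SERVER_KEY = b"constructed-demo-key"


def order_token(order_id, amount, currency):
    """Per-order secret: HMAC-SHA256 over the fields that must not change."""
    msg = "|".join((order_id, amount, currency)).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def handle_ipn(body, seen_txn_ids):
    """Return (http_status, accepted) for one form-encoded IPN body.

    The status is always 200 so the notification is not resent; whether the
    order is fulfilled depends only on `accepted`.
    """
    f = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    expected = order_token(f.get("invoice", ""), f.get("mc_gross", ""),
                           f.get("mc_currency", ""))
    # Constant-time comparison so the check does not leak matching prefixes.
    token_ok = hmac.compare_digest(expected.encode(),
                                   f.get("custom", "").encode())
    txn = f.get("txn_id", "")
    accepted = (token_ok
                and f.get("payment_status") == "Completed"
                and txn != ""
                and txn not in seen_txn_ids)  # reject replays of one txn_id
    if accepted:
        seen_txn_ids.add(txn)
    return 200, accepted


# Constructed sample body, not real PayPal traffic.
SAMPLE = ("txn_id=TESTTXN1&payment_status=Completed&invoice=ORD-1001"
          "&mc_gross=19.99&mc_currency=USD&custom="
          + order_token("ORD-1001", "19.99", "USD"))

if __name__ == "__main__":
    seen = set()
    print(handle_ipn(SAMPLE, seen))
    print(handle_ipn(SAMPLE, seen))
    print(handle_ipn(SAMPLE.replace("19.99", "0.01"), set()))
```

Because the amount and currency are inside the HMAC input, a notification whose `mc_gross` differs from the order that was created fails the token check even when the `custom` value is copied from a genuine order.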