
Real World PayPal IPN: A Simple English How-To Guide for Setting Up PayPal IPN


Real World
PayPal IPN
PayPal’s
Instant Payment Notifications
are GREAT*
*Once You Actually Get Them to Work

Paul Croubalian
First Edition


The name, “PayPal” is owned by PayPal (Nasdaq: PYPL) and is
used within this text solely for illustration and identification purposes. PayPal neither endorses nor approves that which is written
herein.
The author has taken care in the preparation of this book, but
makes no expressed or implied warranty of any kind. The author
assumes no responsibility for errors or omissions. No liability is
assumed for incidental or consequential damages in connection
with or arising out of the use of the information or programs contained herein.
For information about buying this title in bulk quantities or for
special sales opportunities (which may include electronic, print, or
audio versions, content particular to your business, training goals,
marketing focus, branding interests, or consulting) contact the author at

Copyright © 2017 Paul Croubalian
This publication is protected by copyright and permission must
be obtained from the author prior to any reproduction, storage in
a retrieval system, or transmission by any means, electronic, mechanical, photocopying, recording, or any other means. Contact the
author for information regarding permissions.
ISBN (eBook): 978-1-988406-02-2
ISBN (print): 978-1-988406-04-6


ISBN (audioBook, as narrated by the author): 978-1988406-03-9


Contents
Conventions used in this book
What you will learn
Just how “instant” is Instant?
IPN vs PDT
The IPN System, How it works
Why you’re “sort of” Good to Go
Who can use IPN
Let’s go play in the sandbox
Details about Test Accounts
Creating Buy Buttons
2 Ways to NOT Test Buttons
Customizing a Hosted Button
The REAL way to test Hosted Buttons
How to build a button from scratch
Stored vs. Custom Buttons.
Creating your listener
Dissecting Listener.php
PayPal’s IPN Simulator
Debugging the listener
Appendix: Variables and Values
Variables for special PayPal features
Individual items variables
Payment transaction variables
Shopping cart variables
Recurring payment variables
Automatic Billing variables

Installment Plan variables
PayPal checkout page variables
Auto-fill PayPal checkout variables
Instant Update API variables
Variables for dimensions of individual items
Reader Promotions
About the Author


Conventions used in this book
Most text is written in this font. Code samples, or anything relating to code is written in this font.

ProTip:

ProTips offer hacks or shortcuts or just things to be careful
of. Watch for these Tips. They can save you a ton of
headaches.

Note:

Notes are used to point
something out that I consider important. Watch for these too. Sometimes, they just repeat something in the text.
I know people like to skim. ;-)
Bookmark Navigation, No Table of Contents

The eBook uses Bookmark navigation. You can access the
bookmarks (which are easier to use) from the top left corner of
your device, or from the Table of Contents.

Three versions: eBook, Book, & AudioBook


The eBook version uses capabilities found in next-generation
readers, tablets, smartphones, and computers. That means
you can zoom in and out using the pinch-and-zoom method. I
increased font sizes so that you shouldn’t need to do that on
every page.
The print version has extra stuff in the Appendices. It’s tough to
click a link on a printed page. Well, it’s easy, but doesn’t take
you anywhere.
Both are available on Amazon. If you bought the print book,
you can get the eBook at a heavily discounted price.
The audio book version should be ready in June of 2017.
Cheers


What you will learn
After reading this book, you will be able to actually use PayPal’s Instant Payment Notification system.
That may not sound like a lot.
It is.
Once it gets going, it goes on forever on its own.
IPN will make your life easier.
Once you get it going.
You’ll see orders and deposits run automatically.
Once you get it going.
You can connect everything through your server back end to
make things seamless, automatic, and effortless.
Once you get it going.
Getting the darned thing going is another story altogether.
I wasted three solid weeks six months apart trying. I spent 3
months invoicing manually! That’s not ideal.

Documentation isn’t the greatest. Until now, I couldn’t find anything that set out a repeatable process, let alone set one out in
simple English.
That’s why I decided to write this book. It helps that I’m a
ghostwriter whose specialty is demystifying tech.
I save you the headaches, aggravation, and Tourette’s style
outbursts that accompanied me on this journey.
Instant Payment Notification (IPN) does pretty much what its
name implies. IPN notifies you (nearly) instantly of any actions
people make on, to, or with your account.
That’s the first gotcha!
There are many more. I’ll share the ones that kicked me in the
teeth.


IPN notifies you of any action.
A notification that somebody added something to a shopping
cart is not the same thing as the notification that somebody actually bought that stuff.
Don’t laugh! It took me hours before I figured out why I had so
many repeating notifications. They can come in one right after
the other.
Just that warning alone is worth the price of this book.
No worries, once you understand that, you can deal with it. It’s
better to get too much info than not enough.
You will be able to verify that the order actually came from PayPal.
You will know who bought how much of what, for how much
and when.
Then you can fill the order.
You will learn how to use PayPal’s sandbox feature to build and
test your notification system.
You will also learn how to build custom buttons on the fly.

You will know how to have your system send you an email synopsis of every notification. You’ll also know how to turn those
emails off.
You’ll learn how to generate a log of all notifications, busted up
by month and day.
You’ll learn how to make your system read the incoming notifications, ask for verification, and then act on the ones you need
to act on.
PayPal will send info. They will even confirm that it came from
them.
They won’t do the work for you.

Just how “instant” is Instant?
PayPal goes to great lengths to tell you the system is not really
“instant.” Okay, so they’re right. But VVFN, “very, very fast notifications” doesn’t sound as cool. IPN is plenty fast enough for
most purposes.


It’s even fast enough for situations where the buyer is waiting
for a download link.
I ran 1000 test buys. The slowest one was 32 seconds. No
other test even came close to that. The next slowest was 21
seconds. Most, over 700, worked in less than 8 seconds. That
super slow one may have been due to the bad weather, busy
servers, or maybe my ISP was running slow.
Isn’t it funny how nowadays, 32 seconds seems like an eternity?
I also include links to my web site where you can download the
code we talk about here. Those files are the actual code but
in RTF format with color-coded notes. They make things very
easy.
That’s a drawback common to books and eBooks. It isn’t easy
to get stuff like code from the book to your site.

Those links fix that. They’re regular text files in rich text format
(RTF). Just save them as PHP when ready.
If you’re ready, so am I. Let’s get to it.
You’ll have it up and running before lunch.

Note:

All the examples and scripts
available for download are
in PHP with mySQL as the database. You
can easily morph them to your preferred
poison, sorry, language. PHP and mySQL
combine to drive the internet. Even Facebook started out as a LAMP stack (Linux,
Apache, MySQL, PHP). I figured that was
the best place to focus.


IPN vs PDT
PayPal has two notification systems, IPN and PDT. PayPal
loves its acronyms. We already learned that IPN was Instant
Payment Notifications. PDT stands for Payment Data Transfer.
Both use the Name Value Pair system, or NVP.
Yeah, PayPal really loves its acronyms.
NVP is fancy-pants talk. It just means a variable name has a
value associated to it. No poop, Sherlock. They’d be pretty useless otherwise. It’s like back in grade school when we learned
X=3. That’s a name-value pair too. “X” is the name. 3 is the value.

ProTip:

The trick for making this stuff work is in knowing which variable names PayPal sends and which values those
names have. That can be complicated or easy. I’m
Constructively Lazy so I found the easy way. I’ll
show it to you soon.

Back to the two notification systems.

You would think that the “Instant” one would be faster, right?
Nope.
PDT is the real Instant one.
PDT fires off a notification the very moment a buyer buys.
There is no lag. Not even a tiny lag of a few seconds. They
click, “Buy,” and boom, you have a notification zipping over to
you.
You might be saying, “Yeah! That’s what I want! To heck with
this IPN stuff. Gimme PDT!!!!”
Hold your horses.
First of all, they both get set up the same way. Second, neither
is well-documented.
Third, yes, PDT is faster. We’re only talking seconds faster,
though. That extra speed comes at a cost, a Big One. Capitals
intended.


PDT sends a notification instantly. That’s the problem.
Did you catch it? No?
I’ll repeat it. This time I’ll add some emphasis.

PDT sends a notification instantly. That’s
the problem.

That’s right, it only sends one.
Ouch!
Miss it and you have an irate customer on your hands. It can
happen easily.
Double Ouch!
I wish for you to have so many orders your server can’t handle
them all. The ones it can’t handle will give you grief.
On a not so happy note, your server can be down for maintenance just when a bunch of orders pop in.
More grief.
Much as I love the whole idea of One-and-Done. . . This is not
the place for it.
IPN sends the notification and waits to hear you got it. Don’t
answer and it will resend it. That’s when “instant” is not all that
instant at all. IPN will continue sending the notification periodically for four days.
Better late than never.
There’s another problem with PDT. It only sends payment notifications. That might not sound too bad at all. But, there’s great
value to being able to automate everything, not just payments.

IPN lets you know about:

• Payments received: That includes Express Checkout and Adaptive Payments.
• Credit card authorizations: Handy if your Buyer doesn’t have a PayPal account or prefers to use a credit or debit card.
• eCheck payments as well as pending, completed, or denied situations.
• New subscriptions. It will even automatically assign user names and id for you, if you like.
• New sign-ups or carts.
• Cancelled subscriptions or carts.
• Recurring payments: Those are related to subscriptions and installment plans. They’re great. Payments continue until either you or the buyer stops them. The buyer just needs to click once.
• Chargebacks, disputes, reversals, and refunds. Okay, so maybe we don’t really want those. Still, they’re a fact of life.

Once you have the info, you can do whatever you want with it.
• You can email an order confirmation
• You can email an up-sell pitch
• You can add them to your email list for future marketing.
• You can update their info with the info from PayPal
• Update your customer lists
• Segregate your lists based on buying habits.
• Update inventory
• Prepare a picking and/or packing slip
• Cut an order if you drop ship
• Issue a refund (not often, I hope)
• Update your accounting
• You can notify sales people of purchases by their customers.
• You can update and assign sales to affiliates

You have the data. You can do whatever you need or want to
do with the data once you have it.

Want the Speed of PDT with the reliability of
IPN?
No problem. Implement them both.
Really, go ahead.


They aren’t mutually exclusive. There’s no law, rule or even
guideline that says you can’t. Nothing even says you shouldn’t.
PayPal believes, and I agree, that IPN is better suited for the
vast majority of applications.
If you need instant notification, use both. I strongly suggest you
don’t use PDT exclusively!

ProTip:

IPN = good, IPN and PDT = good, PDT alone = bad. It’s not an either/or thing.

It’s an IPN alone or IPN and PDT thing.
Even if you absolutely, positively need instant notifications, set
them both up.
The only reason I can see for not setting up IPN with PDT is if
the thing being sold is crazily time-sensitive. It would have to
be so much so, that you would rather lose a sale, and maybe a
customer, than risk processing too late.
Darned if I can think of something that would qualify. Maybe
off-track betting on horse races? Is that even legal?
Excited yet?
Ready to dive in with both feet?
Ready! Set! Wait a bit.
Let’s look at a quick overview of how this puppy works first.

The IPN System, How it works
If you’re reading this, you probably have some idea of what
HTML looks like. You know about web forms and how they can
use either GET or POST as methods. When we start building
custom buttons you’ll recognize them for what they are, web
forms.
You’ll also see how this thingamabobber works more clearly.
Bear with me for now.


When you see a ton of seeming gibberish in your browser’s
address bar, it isn’t gibberish. It’s a bunch of variables passed
from one page to another. Yes, they’re name-value pairs.

That’s a GET.
GETs aren’t very useful for what we’re doing here. All the info
would be sitting right on the browser bar for anyone to see or
play with.
If someone was crazy enough to use GET for a sale, any idiot
that notices sale_price=100 can just delete a zero or two.
They can even delete the 1. Servers are fast. They aren’t very
bright.
POST works very much the same way as GET but hidden in the
background.
Much better.
PayPal uses a Secure POST to send you notifications. You
set up a listener page to, you guessed it, listen for those notifications. Don’t worry about how that works just yet. We’ll get
there.
The listener hears the notification. That’s not enough to act
on. That info could be from anybody who knows the link to the
listener page. If they know the info PayPal passes, and that’s
public, they can spoof it easily.
So, no, we can’t act yet.
The listener then parrots the info back to PayPal. PayPal answers that, yes, it was them, or no, someone is messing with
you.
That step, called logically enough, “verification”, is vital
to the process. We need to know we are talking to PayPal not
some idiot scammer. It’s pretty easy to pull it off.
I’ll show you how.
But, first, I’m reminded of a joke that illustrates the importance
of this point.
A cell phone is just sitting there on a bench in a country
club’s locker room. The locker room is a little noisy. The
phone rings. A man answers on hands-free.

Man: Hello?
Woman’s voice: Hi, Honey, it’s me. I’m at the mall with
the girls and I see the most amazing outfit. But, it’s like
$3,000.
Man: Well, if you like it, you like it. Go ahead and buy it
Woman: Oh honey!!! You’re the best! While you’re in
such a good mood. . . . Do you mind if my Mother stays
with us for a few weeks?
Man: No problem. Whatever makes you happy.
Woman: Oh, you are just the Perfect Man!! Bye.
Man: Bye
The man then turns to the others in the locker room and
asks, “Does anyone know whose phone this is?”
In keeping with the levity, let’s knock the POST technobabble
down to servers talking on the phone.
PayPal: Hey, Business, I got a guy here, Tom Smith,
who just bought a video game. He paid for it. Ship it to
his place, here’s the address.
Business: Whoa there. How do I know it’s you, PayPal?
PayPal: You have my number. Call me back. I’ll wait.
Business calls back.
PayPal: PayPal... how can I help you?
Business: It’s me, Business. You called about an order?
PayPal: Could be. What was it?
Business: Tom Smith bought a video game. He’s at this
address.
PayPal: Lemme check. . . . . . . . Yup, got it right here.
Tom Smith, one video game. It’s bought and paid for.
Go ahead and ship it.
Business: Will do. Thanks!
In a nutshell, that’s what happens. In reality, this is what happens. These are real sample communications. You don’t need
to worry about what they mean just yet. Your site will handle
that stuff.
This is a sample of a notification for Tom Smith’s video game
Express Checkout purchase for 19.99.


mc_gross=19.95&protection_eligibility=Eligible&address_status=confirmed&payer_id=LPLWNMTBWMFAY&tax=0.00&address_street=1+Main+St&payment_date=20%3A12%3A59+Jan+13%2C+2017+PST&payment_status=Completed&charset=windows-1252&address_zip=95131&first_name=Tom&mc_fee=0.88&address_country_code=US&address_name=Tom+Smith&notify_version=2.6&custom=&payer_status=verified&address_country=United+States&address_city=San+Jose&quantity=1&verify_sign=AtkOfCXbDm2hu0ZELryHFjY-Vb7PAUvS6nMXgysbElEn9v-1XcmSoGtf&payer_email=tomSmith%40example.com&txn_id=61E67681CH3238416&payment_type=instant&last_name=Smith&address_state=CA&receiver_email=gpmac_1231902686_biz%40paypal.com&payment_fee=0.88&receiver_id=S8XGHLYDW9T3S&txn_type=express_checkout&item_name=video+game&mc_currency=USD&item_number=1&residence_country=US&test_ipn=1&handling_amount=0.00&transaction_subject=&payment_gross=19.95&shipping=0.00

Your server responds with

mc_gross=19.95&protection_eligibility=Eligible&address_status=confirmed&payer_id=LPLWNMTBWMFAY&tax=0.00&address_street=1+Main+St&payment_date=20%3A12%3A59+Jan+13%2C+2017+PST&payment_status=Completed&charset=windows-1252&address_zip=95131&first_name=Tom&mc_fee=0.88&address_country_code=US&address_name=Tom+Smith&notify_version=2.6&custom=&payer_status=verified&address_country=United+States&address_city=San+Jose&quantity=1&verify_sign=AtkOfCXbDm2hu0ZELryHFjY-Vb7PAUvS6nMXgysbElEn9v-1XcmSoGtf&payer_email=tomSmith%40example.com&txn_id=61E67681CH3238416&payment_type=instant&last_name=Smith&address_state=CA&receiver_email=gpmac_1231902686_biz%40paypal.com&payment_fee=0.88&receiver_id=S8XGHLYDW9T3S&txn_type=express_checkout&item_name=video+game&mc_currency=USD&item_number=1&residence_country=US&test_ipn=1&handling_amount=0.00&transaction_subject=&payment_gross=19.95&shipping=0.00

If you look closely, your server replies with the exact same stuff
PayPal sent.
It just adds one little piece. It asks for validation. The bolded
red part, cmd=_notify-validate, is how PayPal knows it’s
a validation request. PayPal checks the data against its records
and responds with either VERIFIED or INVALID.
If it’s VERIFIED, you’re good to go, sort of. You’ll see why it’s
“sort of okay” in a bit.
If it’s INVALID, I just ignore it. Others report the fraudulent attempt to PayPal. You can take whatever measures you prefer.
It works pretty much like our fictitious phone call between servers. It’s just faster . . . a lot faster.
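The call-back described above, sketched in PHP as an added example (it is not the book's Listener.php). The two postback URLs are PayPal's published IPN endpoints and do not appear on this page; the stand-in for PayPal in the demo and the abbreviated message are constructed so the script runs offline.

```php
<?php
// Added example, not the book's Listener.php.
// Assumption: these are PayPal's published IPN postback hosts (not shown on this page).
const IPN_LIVE    = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const IPN_SANDBOX = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Body of the validation request: the notification exactly as received, with
 * cmd=_notify-validate in front. The raw bytes are reused on purpose. Rebuilding
 * the string from $_POST can change the encoding of a value, and PayPal then
 * answers INVALID for a genuine notification.
 */
function buildValidationBody(string $rawBody): string
{
    return 'cmd=_notify-validate&' . $rawBody;
}

/**
 * POST the validation body to PayPal and return the reply text. Certificate
 * and host-name checks stay on, otherwise the "call back" could be answered
 * by someone who is not PayPal.
 */
function postToPayPal(string $url, string $body): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: example-ipn-listener', 'Connection: close'],
    ]);
    $reply = curl_exec($ch);
    if ($reply === false) {
        throw new RuntimeException('postback failed: ' . curl_error($ch));
    }
    return $reply;
}

/**
 * Returns 'VERIFIED', 'INVALID' or 'ERROR'. Anything other than the two exact
 * replies (empty body, HTML error page, network failure) is an ERROR, so it is
 * never mistaken for a confirmation.
 */
function verifyWithPayPal(string $rawBody, callable $post, bool $sandbox): string
{
    if ($rawBody === '') {
        return 'ERROR';
    }
    try {
        $url   = $sandbox ? IPN_SANDBOX : IPN_LIVE;
        $reply = trim($post($url, buildValidationBody($rawBody)));
    } catch (RuntimeException $e) {
        return 'ERROR';
    }
    return in_array($reply, ['VERIFIED', 'INVALID'], true) ? $reply : 'ERROR';
}

// In a real listener the message comes from the request body:
//   $raw    = file_get_contents('php://input');
//   $result = verifyWithPayPal($raw, 'postToPayPal', true);
//   http_response_code($result === 'ERROR' ? 500 : 200); // unacknowledged, so PayPal resends

if (PHP_SAPI === 'cli') {
    // Constructed demo. $sent is an abbreviated form of the sample message above,
    // and $fakePayPal stands in for PayPal: it confirms only what it "sent".
    $sent = 'mc_gross=19.95&mc_currency=USD&payment_status=Completed'
          . '&txn_id=61E67681CH3238416&item_number=1&test_ipn=1';
    $fakePayPal = function (string $url, string $body) use ($sent): string {
        return $body === 'cmd=_notify-validate&' . $sent ? 'VERIFIED' : 'INVALID';
    };
    $unreachable = function (string $url, string $body): string {
        throw new RuntimeException('connection timed out');
    };
    $altered = str_replace('mc_gross=19.95', 'mc_gross=0.01', $sent);

    $cases = [
        'message as PayPal sent it'   => [$sent, $fakePayPal],
        'message with altered amount' => [$altered, $fakePayPal],
        'PayPal cannot be reached'    => [$sent, $unreachable],
    ];
    foreach ($cases as $label => [$body, $post]) {
        printf("%-28s %s\n", $label . ':', verifyWithPayPal($body, $post, true));
    }
}
```

Only the VERIFIED result should ever reach order processing; ERROR is worth logging separately from INVALID because it usually means a network or configuration problem on your side.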
There is some gobbledegook. That’s because some symbols
have special meaning to a web server. You can’t use those as-is. The same goes for spaces. The server will ignore anything
after the space.
That’s not a good thing. All you would get from PayPal is
mc_gross=19.95&protection_eligibility=Eligible&address_status=confirmed&payer_id=LPLWNMTBWMFAY&tax=0.00&address_street=1
If you know percent-encoding, you have no trouble reading
this. Replace %3A with a colon. Plus signs replace spaces.
Ampersands signal the start of a new variable. Replace %40
with a “@.” Now the message is easily read.
I did it for you.

The Human-Readable Message

mc_gross=19.95
protection_eligibility=Eligible
address_status=confirmed
payer_id=LPLWNMTBWMFAY
tax=0.00
address_street=1 Main St
payment_date=20:12:59 Jan 13, 2017 PST
payment_status=Completed
charset=windows-1252
address_zip=95131
first_name=Tom
mc_fee=0.88
address_country_code=US
address_name=Tom Smith
notify_version=2.6
custom=
payer_status=verified
address_country=United States
address_city=San Jose
quantity=1
verify_sign=AtkOfCXbDm2hu0ZELryHFjY-Vb7PAUvS6nMXgysbElEn9v-1XcmSoGtf
payer_email=tomSmith@example.com
txn_id=61E67681CH3238416
payment_type=instant
last_name=Smith
address_state=CA
receiver_email=gpmac_1231902686_biz@paypal.com (this would be yours)
payment_fee=0.88
receiver_id=S8XGHLYDW9T3S
txn_type=express_checkout
item_name=video game
mc_currency=USD
item_number=1
residence_country=US
test_ipn=1
handling_amount=0.00
transaction_subject=
payment_gross=19.95
shipping=0.00

Again, it’s not important for you to know what all that stuff
means just yet (although you can figure it out, right?). We’ll get
to it. Still, it can give you an idea of what kind of information
you’ll get.
Also, it’s a good idea to double check certain things before you
act on the order.


That’s why I said you’re “sort of” good to go.

Why you’re “sort of” Good to Go
It’s like leaving your cell phone unattended in the locker room.
You can get into trouble.
We’ll get to how in due course, but for now, let’s just say it would
be a good idea to double check that the item ordered actually exists, it’s at the price ordered, in the currency ordered, and
that you’re the account the order is intended for.
You wouldn’t want to ship me your US$10 item for one Mexican
peso, would you?
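The double checks listed above, together with the percent-decoding described earlier, as an added PHP example (not the book's Listener.php). The catalogue, the processed-transaction list and the abbreviated message are constructed; treating mc_gross as "at least price times quantity" is an assumption about how you handle tax and shipping.

```php
<?php
// Added example, not the book's Listener.php. The catalogue and the list of
// processed transactions are constructed stand-ins for your own database.

// Receiver address taken from the page's sample; yours goes here.
const OUR_RECEIVER_EMAIL = 'gpmac_1231902686_biz@paypal.com';

// Constructed catalogue: item_number => unit price in cents, and currency.
const CATALOGUE = [
    '1' => ['name' => 'video game', 'cents' => 1995, 'currency' => 'USD'],
];

/** Decode a raw IPN body into name => value strings (%XX and '+' handled). */
function parseIpn(string $rawBody): array
{
    parse_str($rawBody, $fields);
    return array_filter($fields, 'is_string'); // drop "name[]=x" style input
}

/** "19.95" becomes 1995; anything that is not a plain amount becomes null. */
function toCents(string $amount): ?int
{
    return preg_match('/^\d{1,7}\.\d{2}$/', $amount)
        ? (int) str_replace('.', '', $amount)
        : null;
}

/**
 * Checks to run AFTER PayPal answered VERIFIED. Returns a list of problems;
 * an empty list means the order can be filled.
 */
function checkOrder(array $ipn, array $processedTxnIds, bool $liveMode): array
{
    $get = fn(string $name): string => $ipn[$name] ?? '';
    $problems = [];

    if (strcasecmp($get('receiver_email'), OUR_RECEIVER_EMAIL) !== 0) {
        $problems[] = 'payment was made to a different account';
    }
    if ($get('payment_status') !== 'Completed') {
        $problems[] = 'payment_status is "' . $get('payment_status') . '", not Completed';
    }
    if ($liveMode && $get('test_ipn') === '1') {
        $problems[] = 'sandbox notification arrived on the live system';
    }
    if ($get('txn_id') === '' || in_array($get('txn_id'), $processedTxnIds, true)) {
        $problems[] = 'txn_id missing or already processed';
    }

    $item = CATALOGUE[$get('item_number')] ?? null;
    if ($item === null) {
        $problems[] = 'item_number is not in the catalogue';
        return $problems;
    }
    if ($get('mc_currency') !== $item['currency']) {
        $problems[] = 'currency is ' . $get('mc_currency') . ', item is priced in ' . $item['currency'];
    }
    // Assumption: mc_gross may include tax and shipping, so it must be at
    // least price x quantity. Amounts are compared as integer cents.
    $qty  = $get('quantity');
    $paid = toCents($get('mc_gross'));
    if (!preg_match('/^[1-9]\d{0,3}$/', $qty) || $paid === null
        || $paid < $item['cents'] * (int) $qty) {
        $problems[] = 'amount paid does not cover price x quantity';
    }
    return $problems;
}

if (PHP_SAPI === 'cli') {
    // Abbreviated from the page's sample notification (constructed subset of fields).
    $sample = 'mc_gross=19.95&mc_currency=USD&payment_status=Completed&quantity=1'
            . '&item_number=1&item_name=video+game&txn_id=61E67681CH3238416&test_ipn=1'
            . '&receiver_email=gpmac_1231902686_biz%40paypal.com'
            . '&payment_date=20%3A12%3A59+Jan+13%2C+2017+PST';
    $ipn = parseIpn($sample);
    echo 'decoded payment_date: ', $ipn['payment_date'], "\n";

    $peso  = array_merge($ipn, ['mc_gross' => '1.00', 'mc_currency' => 'MXN']);
    $cases = [
        'sample, sandbox testing'     => [$ipn, [], false],
        'same txn_id delivered twice' => [$ipn, ['61E67681CH3238416'], false],
        'one peso for the USD item'   => [$peso, [], false],
        'sandbox message, live mode'  => [$ipn, [], true],
    ];
    foreach ($cases as $label => [$fields, $seen, $live]) {
        $problems = checkOrder($fields, $seen, $live);
        echo $label, ': ', $problems ? implode('; ', $problems) : 'ok to fill', "\n";
    }
}
```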
Different notifications use different variables. You will need to
know which variables PayPal sends before you can work with
the data in those variables.
Makes sense, right?
There’s a hard way to do it and an easy way.
Guess which one I like better. We’ll get to how to do that soon
too.


What Variables are available
Different actions trigger different notifications. Not everything
is pertinent to everything else. A new subscriber notification
doesn’t need to mention sizes. An order for a bikini doesn’t
need a subscription date. There’s a list of variables that may be
in your notification in Appendix A.
It’s a long list. Don’t freak out.
I’ll show you the easy way to find out what variables are actually in your notification. I didn’t have this book when I started using IPN. I did it the hard way.
The hard way is very hard.
Then I figured out the easy way.
The easy way is much better. That’s what I’ll show you. That will
come later when we dissect the listener.


Who can use IPN
Only business members can use IPN. That makes sense. The
general public doesn’t sell stuff in any big way. John Q. Public
doesn’t need automation for the occasional eBay sale.
You don’t need a Premium Account (i.e. paid). Even a free
business account can use IPN. It might make sense for you to
get a Premium account. It might not. That all depends on your
needs, and doesn’t really matter for our purpose here.
Standard or Premium, the method is the same.
PayPal is pretty good about guiding you to the best solution.
When I first set my business up, I fully expected to open a
Premium Account. Jeremy, the PayPal Guy, went over what I
needed to do and suggested I stick with the Standard Plan.
It’s rare that a big business will put its customer’s needs ahead
of its own. I appreciated the gesture.

Every business account can use IPN, but it is not active by default. You need to activate it. It’s straightforward.

Activating IPN

First you need to get to your Selling Tools. Depending on
where you happen to be on the PayPal site, you will need to do
one of two things.
1 – Click on your Profile icon. It’s the icon that looks
like a head-and-shoulders children’s drawing. From the
Business Profile section choose Profile and Settings, then Selling Tools.
OR If you don’t see the Profile Icon,
1 - Go to My Account -> Profile -> Selling Tools.
2 - Now that you’re in Selling Tools, scroll down to the
Getting Paid and Managing My Risk part. Click
on Update.
3 - Enter your full web site link including the https:// part.


Note:

You do have https, right? It
isn’t 100% required at time
of writing but it will be soon enough.
You may as well get ahead of the curve. Besides, what with Google putting big red insecure warnings on http sites, you look like
a fly-by-night scammer if you don’t have
one.
Get an SSL certificate, get your https and be
done!
4 - Put the full URL for your web site and the file that will process the PayPal message. Yes, that’s your listener.
Here’s an example />cat_bruce/process_message.php
A couple of things to add here. I wouldn’t include “PayPal” or
“payments” or “here_is_the_cash_come_and_get_it” in that
filename. It isn’t easily readable, but why chance it?
You need to put something in there, but you don’t need to fall in
love with it. Think of that link as the default place where PayPal
will send you notifications. You can tell PayPal to send the notification for any button to a specific listener.
For you techie types that’s, “You can set the listener programmatically.” For you non-techies, you can also set it when you
create the button.
We’ll get to that when we build custom buttons. For now, just
click Save and this part is done.

Let’s go play in the sandbox
Obviously, you wouldn’t want to test your IPN with real money.
PayPal realizes that. They provide us with a playground where
we can test stuff without incurring a boatload of fees.


Like most playgrounds, this one has a sandbox.
Lucky for us, PayPal’s sandbox has no cat poop in it.
Unluckily for us, PayPal’s sandbox has other gotchas.
The Sandbox is just a replica of the real PayPal system. The
difference is that everything is simulated. You create a fake
business account and as many fake buyer accounts as you
like. You set them up anyway you like. You can load your fake
PayPal accounts with fake money or not. You can link fake
credit cards. You can make different fake accounts to simulate
different real regions.
I made Canadian fakes for every province to test taxation scripts. I also made fake US and UK accounts.

Setting up your Sandbox is easy.

1. Go to https://developer.paypal.com.
2. Login. Use the email and password from your existing PayPal Business account. If you don’t have one, go to PayPal’s site and get one.
3. PayPal will send you an email to confirm that you are you. Reply to it.
4. Go to />classic/lifecycle/sb_create-accounts/
5. Create at least two sandbox (i.e. fake) accounts.

You do need to create at least two fake accounts, a BUYER
type and a BUSINESS type. The BUYER type account will do all
the fake buying. The BUSINESS type will be you getting all the
fake orders, fake notifications, and oodles of fake dollars.
You really should create BUYER accounts as both verified and
not verified. Let’s call that a suggested optional step.
Those fake accounts work like they’re real except no money
changes hands and no fees are charged.
Actually, that’s not 100% true.
It’s true that you won’t get charged anything on your real account. But, PayPal does include what the fee would have been
had that fake transaction been real.
It’s more accurate, and more useful, to say that PayPal
charges fake fees against fake accounts for fake buyers that
buy fake stuff.


For real.


ProTip:

Create your tests with real item and cost data. That way, you’ll also get the real PayPal cost of that transaction. You may as well have your tests do double-duty.

Remember the passwords to those fake accounts. You will
need to enter the password when you place your fake orders.
Passwords don’t need to be super-secure. The accounts don’t
actually do anything.

Note:

Don’t forget the passwords
to your fake accounts. They
don’t actually do anything. It’s safe to write
the passwords down.
Everything we will do going forward will be with those fake accounts. Once you have everything nice and operational, it’s a
simple thing to make it go live.


Danger:

Remember what I said about IPN resending failed notifications? They can come back to drive you nuts.
Some notifications may fail during testing, only to come back to bite you on the ass when the system is live!
If you use the listener I suggest, you’ll be okay. It will catch sandboxed notifications that come through when the system is live. It will send you an email to that effect.
You can and should code your processing scripts to ignore them.

I know of one guy who didn’t do this. Worse, or maybe luckily,
he used his home address as the sandbox BUYER account address. His warehouse shipped over 700 identical items to his
house.
Not good.
To be extra safe, create an email address specifically for your
testing. That temporary email must be reachable. Remove it
from the listener when you go live. The listener will ignore anything sent to that email as the Business. For example, if you
test with , remove that email
from the listener.
You’ll see what I mean once we dissect the listener file.

A note on Back-End Testing

If you plan to test extensive back-end processes, you may want
to build your own sandbox. It can just be a copy of your system with a limited number of products, or a single mySQL table
where records will go. Ask your techies.

Details about Test Accounts

CountrySelect: You can set where the fake BUYER or BUSINESS lives. This way you can test shipping costs, tax, etc. Set up as many test accounts as make sense to you.

Account type: Select either the Personal or Business radio button. You must have at least one of each. The BUSINESS account will receive all your fake money. The PERSONAL or BUYER account(s) will do the fake buying.

Email address: This could be fake too. PayPal won’t send emails from the Sandbox. Instead, they will list stuff on both the Notifications tab on the Developer site, and on the Sandbox test site. You will use this email to login to the Sandbox site and to process your fake purchases. The BUSINESS email must be real to get your messages from the system. It’s a good idea to make an email just for testing.

Password: The password must be 8-20 characters long. Use numbers, letters, or both. You’ll need the password to log in to the Sandbox test site as the test account and to process fake orders. Don’t break your head making it super secure. It’s not as if it actually leads to anything. Make it something you’ll remember.

First and Last names: Optional. I just use, “Fake BuyerUSA,” “FakeBuyerQc,” “FakeBuyerOn,” etc. (I’m Canadian, eh!)

PayPal balance: Optional, but a really good idea. This is how much fake money your fake Buyer has to make fake purchases. You can enter any integer from 1 to 10 million. Go hog wild. It might also be a good idea to make some accounts without money.

Bank Verified Account: I suggest you create both Verified and Unverified fake accounts. It will be a better reflection of real-world situations.

Select Payment Card: Test payments made with different payment cards by selecting either Discover or PayPal. That only works for “US-based” fake business accounts.

Credit card type: If you want, you can choose a single credit card type for each fake account. Sandbox will create a fake card number for the fake account to send you fake money with.

Notes: Optional but suggested if you have several fake accounts. You can scroll through the whole page to find out what makes this fake account different. Or, you can look at the note.
Once you have at least one BUYER account and one BUSINESS account you’re ready to move on to buy buttons.

Creating Buy Buttons
There’s an easy way and a hard way to build buttons. I usually
prefer the easy way of doing anything. That’s not necessarily
the case this time.
The easy way is to use PayPal’s button building and hosting
function. It works and works well. It has advantages. The security is built-in. PayPal hosts the button. It’s fast. You can create
a button in record time even if you never saw HTML in your life.
You can customize some of it on the fly.
One disadvantage is that you can’t customize all of it on the fly.
That’s not the biggest disadvantage.
The biggest disadvantage is also one of the reasons why so
many people have trouble setting up IPN.
PayPal hosted buttons are not sandbox-able. That means they
can’t be tested.
I have no idea why PayPal wouldn’t include hosted buttons in
the sandbox.
Take it up with them.
There is a workaround. We’ll get to it soon. Just know, that one
way or another, you will need to learn how to build a custom
button. That’s not a bad thing.
Things can be easy.
Things can be completely customizable.
Rarely are they both.


Creating a Hosted Button

• From your PayPal account, choose Tools from the top menu bar.
• Scroll down to All Tools and click.
• Scroll down again to find PayPal Buttons. On my page it’s on the far left, fourth row down. Click that. By the way, if you click on the Heart, that Tool will be on your initial drop-down menu.
• You’ll see links to sample buttons and links to create new ones.
• To create a new button, click on “Create new button,” and follow the steps.
Done.

ProTip:

If you click on the Heart in the
box that takes you to Buttons,
that Tool will be on your initial drop-down menu.

PayPal will write the HTML and show you a preview of what it
will look like. By default, it will notify to the link you set when
you activated Instant Payment Notification on your account.
By default, it also points to the LIVE PayPal site. We definitely
don’t want that right now.
Let me show you what I mean. This is the HTML generated by
the Button Builder for a Sample Subscription button.
<form action=" />webscr" method="post" target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="93YR2PTH8LT2Y">
<input type="image" src=" />" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">

