I have tried to go through the jungle (really, PayPal, why don't you weed it out...) for a few days now to find the solution to my pretty simple problem.
I have a website with membership subscriptions. The customer signs up with their email and password on my site. Then they go to PayPal to pay their subscription.
My problem is how do I pass on the key - their email - through the whole transaction so I know who the payment is for?
This is because it is likely to happen that they sometimes sign up with one email and pay with another. And how do I do it all with a (safe) encrypted button?
What I figured is that I could make the encrypted button on the PayPal "Create PayPal payment button" page.
In Step 3, Add (x-ed out real url) advanced variables:
notify_url=http://xxxxxxxxxx.com/xxxxx.php
test_ipn=1
Get the code:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="N6UMVCMXSWMYG">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
and paste the given code into my php page, but add a hidden field named "custom" and give it the email at hand and change the form action to go to the sandbox.
Sort of like this:
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="custom" value="<?= htmlspecialchars($signUpEmail, ENT_QUOTES, 'UTF-8') ?>">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="N6UMVCMXSWMYG">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
This custom variable I can later pick up on my IPN page so I know who the membership is for.
Am I thinking right? Or should I do the button with "handwritten" code? Or is there some better way?
There is a field you can use in the PayPal form to put whatever you want. The name of the field is "custom". So you can write something like:
<input name="custom" value="blablabla" type="hidden">
I suggest encoding the value of the custom field. For example, some sort of base64_encode could be useful to discourage curious people. However, there is also a good explanation of what you can do with PayPal in the manual. This link and this one are an excerpt.
Moreover, as suggested in the comments, it is not possible to use a session variable related to your frontend in the backoff communication between your site and PayPal.
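An added example, not part of the original question or answer: a hidden form field can be changed in the browser before it reaches PayPal, so this version attaches an HMAC to the `custom` value on the sign-up page and checks it on the IPN page before trusting the e-mail. The function names, the key and the 256-character limit on `custom` are assumptions of this example.

```php
<?php
declare(strict_types=1);
// Added example: make_custom(), read_custom() and the key are hypothetical.
const CUSTOM_MAX = 256; // assumed length limit of PayPal's "custom" variable

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): ?string {
    $padded = $txt . str_repeat('=', (4 - strlen($txt) % 4) % 4);
    $bin = base64_decode(strtr($padded, '-_', '+/'), true);
    return $bin === false ? null : $bin;
}

// Sign-up page: bind the e-mail to a MAC only the server can compute.
function make_custom(string $email, string $key): string {
    $payload = b64url_encode($email);
    $custom = $payload . '.' . b64url_encode(hash_hmac('sha256', $payload, $key, true));
    if (strlen($custom) > CUSTOM_MAX) {
        throw new LengthException('custom value exceeds assumed limit');
    }
    return $custom;
}

// IPN page: return the e-mail only if the MAC matches, otherwise null.
function read_custom(string $custom, string $key): ?string {
    $parts = explode('.', $custom);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $payload, $key, true));
    return hash_equals($expected, $mac) ? b64url_decode($payload) : null;
}

// Constructed demo values; a real key is loaded from server-side configuration.
$key = 'constructed-demo-key-not-for-production';
$custom = make_custom('member@example.com', $key);
echo '<input type="hidden" name="custom" value="',
    htmlspecialchars($custom, ENT_QUOTES, 'UTF-8'), "\">\n";

var_dump(read_custom($custom, $key));   // value exactly as issued by the server
$forged = make_custom('other@example.com', 'some-other-key');
var_dump(read_custom($forged, $key));   // value not signed with the server key
```

On the IPN page, pass `$_POST['custom']` to `read_custom()` and ignore the notification when it returns null.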