
QueryString values removed from the IPN endpoint by PayPal [closed]

We've had a simple payment integration with PayPal for 5 years that has run without issue until today. In the IPN URL (notify_url) we pass 3 values in the querystring e.g.

https://www.example.com/callback/ipn?pspId=A&secCode=MnBP%2fxOwbQhXLd%2arD5xd6g%3d%3d&isPur=false

From today PayPal strip the last 2 values and call with just the first querystring value, e.g.

https://www.example.com/callback/ipn?pspId=A

We use the secCode value as a signature that we verify on the callback to prevent any modification of the form. Why would PayPal suddenly start stripping out values from the querystring? I suspect they should be in the POST but I'm just not sure why the sudden change?

QFDev asked Mar 08 '17 11:03


1 Answer

OK we have now realised that some of PayPal's servers are terminating at the first ampersand. This explains why we get the first query string value but not others.

It seems this behaviour is not just limited to the notify_url value but, as is suggested by Mike in the comments, this is happening with the CUSTOM field too. If you're pushing through a series of name-value pairs with an ampersand separator, you need to either switch to some other separator or URL encode the whole value.

We're just now testing to see if URL Encoding the whole callback URL will still result in an actual callback being made.

EDIT:

Yes URL encoding the whole notify_url value resolved the issue and preserved the query string.

EDIT 2:

It seems URL encoding the whole value no longer works, so I'm assuming PayPal have reverted back to the original behaviour before we encountered these problems. Hopefully this will be consistent across all their inbound servers and will remain fixed now.

QFDev answered Oct 04 '22 02:10
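One way to apply the "switch to some other separator" advice while keeping the signature check fail-closed, as an added example that is not code from the original post: all values travel in a single query parameter with no ampersand, and a truncated or altered callback is rejected. The parameter name `t`, the function names, the demo key and the use of HMAC-SHA256 are assumptions; the post does not say how `secCode` is computed.

```python
import base64, hashlib, hmac, json
from urllib.parse import parse_qs, urlsplit

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to PayPal

def b64e(data: bytes) -> str:
    # URL-safe base64 without padding: only A-Z a-z 0-9 - _ (no & = % +)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_notify_url(base: str, fields: dict) -> str:
    """Pack every field plus an HMAC tag into one query parameter (hypothetical name 't')."""
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return f"{base}?t={b64e(payload)}.{b64e(tag)}"

def verify_callback(url: str):
    """Return the signed fields, or None when the token is missing, cut short or altered."""
    token = parse_qs(urlsplit(url).query).get("t", [""])[0]
    try:
        body, sig = token.split(".")
        payload, tag = b64d(body), b64d(sig)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)

def cut_at_first_ampersand(url: str) -> str:
    """Model of the truncation described in the answer."""
    return url.split("&", 1)[0]

if __name__ == "__main__":
    # Constructed sample URLs; the secCode value is a placeholder.
    legacy = "https://www.example.com/callback/ipn?pspId=A&secCode=CONSTRUCTED&isPur=false"
    print(cut_at_first_ampersand(legacy))      # the signature parameter is lost
    url = build_notify_url("https://www.example.com/callback/ipn",
                           {"pspId": "A", "isPur": "false"})
    print(cut_at_first_ampersand(url) == url)  # nothing to cut
    print(verify_callback(url))
```
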