PayPal works like this:
You have a form with a "buy" button. When that is clicked, it sends information (product, price, your account name, etc) to PayPal.
The buyer then agrees to pay you and when the transaction is completed, PayPal send an "IPN" (instant payment notification) to your notify URL - it sends POST data to that URL for your server to process. You reply to PayPal to ask if they sent the POST data (rather than an imposter) and if they then answer that it is a real transaction, you can release the product to the customer. Note that this all happens in the background while your buyer is still "at" the PayPal website.
There is a final optional stage, which is that PayPal returns the buyer to your website. In this case, they send the buyer back to your "return" url, and they can (optionally) pass back the transaction data again, (they call this PDT). And you can again check with Paypal if this is a valid transaction and provide a download etc at that point.
The most difficult bit that nobody explains is that the buyer doesn't get redirected to your notify URL. i.e. the "visitor" to your website's notify URL is PayPal, not the buyer, so this doesn't happen as part of your buyer's session. If you wish to persist a session across the three parts of this process, then you need to create a means of tracking the buyer in your form, and pass that to PayPal in a field of the form called "custom". This data is passed back to you in the IPN and PDT data, and you can use this to re-establish a connection with the original user session.
You really need to implement both IPN and PDT - if the IPN email fails then you have PDT as a backup. And if the user closes their web browser before they are redirected back to your PDT page, then you have sent an IPN email as a backup.
Search on IPN and PDT and you'll find quite a lot of information. PayPal also have full documentation and example scripts.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…