Update 8/27/09: I am available for consulting to help with this issue, I’ve helped quite a few people out already. My rate is $75/hr, and you can contact me at ryan@stillnet.org. -thanks

If you use the CFX_PayFlowPro tag to connect to PayPal’s PayFlowPro service (formerly owned by Verisign) you should be aware that it will stop working in September of 2009. You must transition to one of their newer connection methods before then.

Here is a drop in replacement custom tag you can use. You should be able to pretty much just change your code from “CFX_PayFlowPro” to “CF_PayFlowPro”. If you run into any issues and end up modifying the tag, please let me know and I’ll get the changes worked back into the original.

A “thanks” to Mark Breneman’s blog post that provided some of the code.

You can get the tag from http://cf_payflowpro.riaforge.org

Usage examples:

Simple CC charge:

            HOSTADDRESS   	= "#cfg_pfp_host#"
            HOSTPORT       	= "443"
            TIMEOUT        	= "30"
            TRXTYPE        	= "S"
            TENDER         	= "C"
            PARTNER 		= "PayPal"
            VENDOR 		= ""
            USER    		= "your_username"
            PWD            	= "your_password"
            ACCT           	= "#cardnum#"
            EXPDATE        	= "#Form.ccexpmo##Form.ccexpyr#"
            AMT            	= "#amt#"
            COMMENT1       	= "#Form.email#"
            COMMENT2       	= "Purchased qty #Form.qty# of #Form.product#"
            EMAIL		= "#Form.email#"
            NAME		= "#Form.ccname#"
            STREET		= "#Form.ccaddress#"
            CITY		= "#Form.cccity#"
	    STATE		= "#Form.ccstate#"
	    ZIP			= "#Form.cczip#"

Setup recurring billing profile:

                HOSTADDRESS   	= "#cfg_pfp_host#"
                HOSTPORT       	= "443"
                TIMEOUT        	= "30"
                TRXTYPE        	= "R"
                TENDER         	= "C"
                PARTNER 	= "PayPal"
            	VENDOR 		= ""
           	USER    	= "your_username"
            	PWD            	= "your_password"
                ACCT           	= "#Arguments.ccnum#"
                EXPDATE        	= "#Arguments.ccexpmo##Arguments.ccexpyr#"
                AMT            	= "#lcfg_services[Arguments.subtype].cost#"
                COMMENT1       	= ""
		ACTION		= "A"
		EMAIL		= "#qryuser.email#"
		NAME		= "#Arguments.name#"
		STREET		= "#Arguments.address#"
		CITY		= "#Arguments.city#"
		STATE		= "#Arguments.state#"
		ZIP		= "#Arguments.zip#"
		START		= "#startChargeDate#"
		PROFILENAME	= "#qryuser.email#"
		OPTIONALTRX	= "#optionaltrx#"
		OPTIONALTRXAMT	= "#optionaltrxamt#"
		TERM		= "0"

Update for CF5 users: For those of you on CF5, I’ve come up with a version that should work for you. This will work on Windows only, unfortunately. It uses a COM object to do the http call. You shouldn’t need to install anything, I think the COM object its using is part of Windows. You can download this version of the tag from here: PayPal payflowpro for CF5.

Update: Several people have asked me to put up a paypal donation button so they could give something to thank me for the time I’ve saved them. So here it is:


  1. Glen says:

    Good news!  

    For those of you wondering if Ryan's CF5 solution resolves to the new Client Version number in PayPal Manager… it does!

    Our transactions are now showing
    Client Type:  Z    
    Client Version:

    Per the PayPal Migration Tech I just spoke too, this is golden.  The SDK and .NET solutions should show Client Version 4.3 or greater, but the above client type and version are expected for the HTTP solution.

    Ryan's the man…

  2. Ryan says:

    Chuck, thanks for pointing out that issue.  I've moved the line that defaults attributes.parmlist, it should work now.

    For those that are experiencing the connection failure – Have you restarted ColdFusion lately?  CF caches (actually its the JVM) hostname lookups, so if PayPal has changed IPs at all recently, you may be connecting to the wrong IP.  Restart CF and see if that helps.  Also – have you imported any certificates for the paypal.com domain into your keystore?  If so that may be part of the problem.  You shouldn't need to import any certificates for this to work.

  3. stevadro says:

    Need another help:

    I can connect to paypal but when paypal return my contact data I get this error. I'm usign CF8 on Win2003.

    ACTION = G




    Field format error: Invalid Token 7 RESULT=7&RESPMSG=Field format error: Invalid Token

    help me help me 😉

  4. Chuck says:


    I used the new code for CF5 and it ran fine, but when I went into the paypal manager the Client Version still shows : , do I need to restart the CF server or remove the old sdk?? not sure what to do?

  5. Ryan says:

    Chuck the version number would be the correct one.  Dig around on the PayPal developer forums for more details.  They say the https interface will show up as 4.0 or

  6. Chuck says:


    Just to let everyone else know, Paypals forums state this:

    Anything with Client Type = Z (which would have client version or means you are using the HTTPS Interface and you are good to go.

    I thank everyone here for their help and Ryan, I would suggest placing a PayPal donate button here so we can give back to the person who made this work.

  7. stevadro says:


    Aside the cf_payflowpro code update, I need to update anything in the paypal management console?

  8. Kassim says:

    I am getting connection failure error when I use https://pilot-payflowpro.paypal.com/transaction

        <cfhttpparam type="body" value="USER[4]=test&PWD[4]=test">
    <cfdump var="#cfhttp#">

    Charset     [empty string]
    ErrorDetail     I/O Exception: peer not authenticated
    Filecontent     Connection Failure
    Header     [undefined struct element]
    Mimetype     Unable to determine MIME type of file.
    struct [empty]
    Statuscode     Connection Failure. Status code unavailable.
    Text     YES

    When I use https://pilot-payflowpro.verisign.com/transaction it is working fine. From one of the comments it looks like this url will be deprecated as of 09/01/09.

        <cfhttpparam type="body" value="USER[4]=test&PWD[4]=test">
    <cfdump var="#cfhttp#">

    Charset     [empty string]
    ErrorDetail     [empty string]
    Filecontent     RESULT=1&RESPMSG=User authentication failed
    Header     HTTP/1.1 200 OK Content-type: text/namevalue Connection: close Date: Tue, 25 Aug 2009 15:16:39 GMT Content-length: 43 Server: VPS-3.033.00
    Mimetype     text/namevalue
    verisign – struct
    Connection     close
    Content-length     43
    Content-type     text/namevalue
    Date     Tue, 25 Aug 2009 15:16:39 GMT
    Explanation     OK
    Http_Version     HTTP/1.1
    Server     VPS-3.033.00
    Status_Code     200
    Statuscode     200 OK
    Text     YES

    Please provide me details how to fix it.

  9. EstebanD says:

    Hi Ryan, thank you for taking the time to share this code.

    Reading the latest documentation on PayFlow Pro I noticed that double quotes are forbidden from parameter values. So I did little changes in the block of code that creates the parameters list, so now it complies with the previous constraint and other minor improvements to improve the overall stability and readability of the code.

    <cfset ParmList = "">
        <cfif StructKeyExists(Attributes,field) AND Len(Trim(Attributes[field]))>
            <cfset attributeField = Replace(Trim(Attributes[field]),Chr(34),"","all")>
            <cfif Len(attributeField) GT 0>
                <cfset ParmList = ListAppend(ParmList,"#field#[#Len(attributeField)#]=#attributeField#","&")>

  10. Dale Sutcliffe says:

    Found a problem with the program — fails on pilot-payflowpro.paypal.com works on payflowpro.paypal.com

  11. Dale Sutcliffe says:


  12. Mike Murdy says:

    Dale –

    We have come to the same conclusion. Follow this thread on the PayPal Dev forum:




  13. Steve says:

    CF8: I can connect to paypal but when paypal return my billing data I receibe this error:

    Using Action : G


    Paypal return:

    Field format error: Invalid Token 7 RESULT=7&RESPMSG=Field format error: Invalid Token

  14. Andy says:

    Hi All, I'm using this tag to replace CFX_PAYFLOW on our CFMX (6.1) system.  The CF_PAYFLOW tag works great with our paypal account when calling it directly, but we're having a problem with the main client system, which is a remote PHP4 server.  

    The PAYFLOW functionality is exposed via a CF-based API that accepts WDDX packets (which contain all of the relevant paypal params), takes them apart, and passes the params down to the PAYFLOW tag, and then returns the results as another WDDX packet.  The return packet contains the RESULTSTR from PAYFLOW, as well as a few other values.  

    The problem is that the PHP code on the client system is blowing up when trying to deserialize the WDDX packet constructed from the CF_PAYFLOW results, but it works fine with the packet constructed from the CF*X*_PAYFLOW results.  All I've done is replace the one CFX_PAYFLOW call we have in the code with CF_PAYFLOW, so I think CF_PAYFLOW may be doing something (when creating the tmpResponse query, or when adding the cfhttp.FileContent from the paypal call to the query) that formats RESULTSTR in a way that's slightly different from what CF*X*_PAYFLOW is doing.  

    The CF_PAYFLOW code is very straightforward, and I've done numerous debugging tests trying to figure out exactly what the issue is (cfdumps of the return data/packet look the same to me for CFX_ and CF_PAYFLOW when I eyeball them), so I'm not sure where to look next.  Any suggestions/help would be greatly appreciated —


  15. Vern says:

    This may be really lame, if so, I apologize, but, I've been struggling to get to the bottom of all this… I'm using the java based CFX_PayFlowPro that I got from Verisign not all that long ago. I just want to make sure that I correctly understand that the java version of this going away all together, and that the CF_PayFlowPro provided by by RIAforge is designed to replace that, and not some earlier version of their own CFX tag. Whew… Is that correct?


  16. Ryan says:

    Vern you are correct.  The connection method used by CFX_PayFlowPro will no longer be supported.  There is no update to CFX_PayFlowPro to support the new method.  Instead, use my CF_PayFlowPro tag.  You can delete the CFX_PayFlowPro tag from your system after migrating off of it.  If you need help, I'm available for consulting.

  17. Jammie says:

    I am getting a connection failure message using the CF5 tag.  Any thoughts??

  18. Jammie says:

    On line 65 of PayProFlow.cfm I am getting this error now:
    The server name or address could not be resolved

  19. Ryan says:

    I've received several requests to add a PayPal donate button, so people could send me a contribution for helping them out.  I've added a button on the bottom right sidebar of this site.  Thanks!

  20. Jeff says:

    I've got a couple of sites where the live hostaddress, payflowpro.verisign.com works fine but pilot-payflowpro.verisign.com generates the connection failure error:

    The column name "Connection Failure" is invalid.

    Column names must be valid variable names. They must start with a letter and can only include letters, numbers, and underscores.

    Anybody else running into this? Any ideas why?


  21. Melinda says:

    We have 3 servers that run our website – I think MS Server Manager with IIS.  2 servers work correctly and the 3rd constantly returns connection failure.  I've trapped the connection failure error and it is always the 3rd server.  

    I added the suggested header changes to cfhttp <cfhttpparam type="Header" name="Accept-Encoding" value="*"> and   <cfhttpparam type="Header" name="TE" value="deflate;q=0">.  I also requested our server admin turn off compression until we can get the problem figured out.  Nothing seems to work in getting the request out from our 3rd server.

    We also have a proxy server that all 3 servers use, but I don't understand why 2 would work flawlessly and the 3rd is always a bomb???  I've been told the servers are exact duplicates in hardware and image.

    Any thoughts for what we should be looking into?


  22. Melinda says:

    My server issue turned out to be a Windows update that wiped out the proxy settings on the 3rd server…. working for now.  Our server admins are looking into the proxy server.

  23. Ryan says:

    Melinda, I'm glad you got it worked out.

  24. Melinda says:

    Thanks Ryan! I have a better idea what to troubleshoot now with our server admins.

    I apprecate all the work you've done with this cfc!

  25. Rick Anthony says:

    Thanks for the tag!

    This worked beautifully as a drop-in replacement, as advertised.

    One slight tweak I made that might be useful to others: The way you have the tag set up, PayPal will pass the entire name into the "Billing First Name" field (in PayPal Manager, for reporting).

    If you simply add FIRSTNAME and LASTNAME after NAME to the list of fields in PayFlowPro.cfm (line 35), then add those parameters to your call to the tag, everything will be passed in to PayPal as expected.


    Tag call:
    <cf_payflowpro QUERY          = ""
                        HOSTADDRESS    = ""
                        HOSTPORT       = "443"
                        TIMEOUT        = "30"
                        PROXYADDRESS   = ""
                        PROXYPORT      = ""
                        PROXYLOGON     = ""
                        PROXYPASSWORD  = ""
                        TRXTYPE        = "S"
                        TENDER         = "C"
                        PARTNER        = ""
                        USER           = ""
                        PWD            = ""
                        ACCT           = ""
                        EXPDATE        = ""
                        AMT            = ""
                        COMMENT1       = ""
                        COMMENT2       = ""
                        NAME        = ""
                        FIRSTNAME         = ""
                        LASTNAME        = ""
                        EMAIL        = ""
                        STREET        = ""
                        CITY        = ""
                        STATE        = ""
                        ZIP            = ""
                        BILLTOCOUNTRY = ""
                        PARMLIST = ""

  26. ben says:


    this tag is working well for me using CF7. However, I cannot get it to process test transactions.
    I've used every URL suggested by paypal, and have tried to follow links to posted solutions (all are deal links so far)

    Has anyone gotten this tag to work with any test URL?

    I'm simply getting:

    Result is undefined in result.

    Using a live URL works fine of course (payflowpro.paypal.com)
    the test URL fails: pilot-payflowpro.paypal.com

    paypal is no help. (surprise, surprise)
    they keep suggesting the same test URL, which I've told them is not working for this tag. OUSTSOURCE EVERYTHING TO INDIA! they sound so nice telling you that they haven't got a clue. ballywood for everyone! more dancing and colors! just nothing useful as far as technical info!

    surely someone who speaks english, has run into this issue with this tag and paypal.

  27. EstebanD says:


    I just retested the tag using pilot-payflowpro.paypal.com and it worked fine. Try the following.
    1) Make sure you are using https for the test site.
    2) Make sure your paypal manager is in test mode.

  28. ben says:


    thanks for that.

    1. the https:// seems to be hardcoded in the payflowpro drop in tag.
    2. if I put the paypal manager in test mode, won't it interfere with live transactions for the same account?
       (I know thats not a tag specific question, but …)

  29. EstebanD says:


    Sorry I don't know the answer to (2). We have a independent test account for this purpose.
    I think you can quickly create a new account for testing.

    Maybe before that put a cfdump fter the block that handles the post <cfhtt /> to see what is returning.

    <cfhttp method="POST" url="https://#Attributes.hostaddress#/transaction&quot; resolveurl="no" timeout="#Attributes.TIMEOUT#" port="#Attributes.HOSTPORT#">
       <cfhttpparam type="header" name="Content-Type" VALUE="text/namevalue">
       <cfhttpparam type="header" name="Content-Length" VALUE="#Len(ParmList)#">
       <cfhttpparam type="header" name="Host" value="#Attributes.hostaddress#">
       <cfhttpparam type="header" name="X-VPS-REQUEST-ID" VALUE="#Attributes.requestID#">
       <cfhttpparam type="header" name="X-VPS-CLIENT-TIMEOUT" VALUE="#Attributes.TIMEOUT#">
       <cfhttpparam type="header" name="X-VPS-VITCLIENTCERTIFICATION-ID" VALUE="#Attributes.PARTNER##Attributes.USER#">
       <cfhttpparam type="body" value="#ParmList#">
    <cfdump var="#cfhttp#">

  30. BradB says:

    Hi – thanks for the great tag.  Up until a couple days ago (Friday the 11th) it was a flawless dropin for the CFX_Payflowpro.  It appears to have stopped working, though the code had not been touched at all since mid-February and the code in question has been the same for years.  Using CFMX 7:

    <CF_PAYFLOWPRO QUERY                = "myRESULT"                HOSTADDRESS            = "payflowpro.paypal.com"
            HOSTPORT            = "443"
            TIMEOUT                = "30"
            PROXYADDRESS        = ""
            PROXYPORT            = ""
            PROXYLOGON            = ""
            PROXYPASSWORD        = ""
            TRXTYPE                = "S"
            TENDER                = "C"
            PARTNER                = "VeriSign"
            USER                = ********
            PWD                = ********
            ACCT                = "#cardnumb#"
            EXPDATE                = "#expdate#"
            AMT                = "#fee#"
            CERTPATH            = ********
            QTY                    = "1"
            NAME            = "#cardname#"
            STREET                = "#st1#"
            BILLTOSTREET2        = "#st2#"
            CITY                = "#city#"
            STATE                = "#state#"
            ZIP                    = "#zip#"
            COUNTRY                = "#country#"
            PHONENUM            = "#tempphone#"
            EMAIL                = "#email#"
            SHIPTOFIRSTNAME        = ""
            SHIPTOMIDDLENAME    = ""
            SHIPTOLASTNAME        = ""
            SHIPTOSTREET        = "#sst1#"
            SHIPTOSTREET2        = "#sst2#"
            SHIPTOCITY            = "#scity#"
            SHIPTOSTATE            = "#sstate#"
            SHIPTOZIP            = "#szip#"
            SHIPTOCOUNTRY        = "#scountry#"
    COMMENT1            = "#seasonWord# #year# Registration"

    The above no longer appears to be passing to Verisign, though the CF error is on the next line (usually if the CF hangs on something else the card will be charged but there's no evidence of a transaction):

    <CFIF myRESULT.result IS 0>

    Results in an thrown "Element RESULT is undefined in MYRESULT."

    As I say we've been doing things this way for 4-5 years without a change in this code or any errors.

    I rolled back any recent updates to Server 2003 and Java but no luck.  I was hoping there was some sort of "big" change and this would be happening to loads of folks but so far i have found no mention on any boards.



  31. Ryan says:

    Hi BradB, I'm sorry but this is the first I've heard of that problem.

    You'll need to do some more debugging to see what exactly is being returned from PayPal.  Start by just dumping out myRESULT, and if thats blank you'll need to put some dumps in the tag itself.

  32. BradB says:

    Are these in a CFOUTPUT QUERY enough?
            <p><b>PARMLIST:</b> #PARMLIST#<BR>
            <p><b>RESULTSTR:</b> #RESULTSTR#<BR>
            <p><b>VERSION:</b> #VERSION#<BR><BR>


  33. ben says:

    in response to BradB.

    Paypal just updated their root SSL certificates a few days ago, and it screwed a lot of folks up. Ryan's tag still works fine, its just that your host may need to update their root certs and add them to the java keystore in cfmx7.
    I had the same issue. it worked fine for years then it failed.

    basically, until you update the certs on your machine with at least G2 certs from verisign, paypal won't answer a http request from coldfusion.

    hope that helps

  34. BradB says:

    Thanks Ryan and ben.  It clearly seems to be related to the cert update, though so far the G2 update (I am also the host) does not seem to resolve the problem.  The folks at Paypal seem to be willing to reluctanty admit an issue, but appear to have no method of resolution.  It may be complicated by the fact that I buy my certs from Comodo and there are G2 root certs from different authorities (Verisign, Thawte, etc.) but Comodo does not seem to even understand what they are and I'm haing trouble getting a Comodo root kit that is compatible with the new Paypal system.

  35. Eleni Hailu says:

    BradB:  I had the same issue like you but after multiple call to paypal I managed to fix the problem.  You need to update the certificate not only in the root but also inside the Coldfusion folder – YOU HAVE TO DO IT IN BOTH PLACES.  Below is the information they provide in connection with this:

    1. Download the certs from VeriSign at

    2. Open zip and location the Cert file that needs to be updated.
    In this case the "VeriSign Class 3 – G2". Take note of it's location
    on the server. Recommend renaming it to have no spaces and then
    putting it in the "C:\CFusiomMX7\runtime\jre\lib\security" folder.

    3. Open command prompt and type "cd c:\CFusionmx7\runtime\jre\bin"
    or the location of the "keytool.exe" file and hit enter.
    Don't try to run the keytool.exe without the next step. It won't
    hurt anything, but it won't do anything either.

    4. Now type the following replacing what it necessary
    (such as the cert file name from step 2 above and alias name)

    keytool -import -trustcacerts – keystore c:/cfusionmx7/runtime/jre/lib/security/cacerts -file c:/cfusionmx7/runtime/jre/lib/security/Class_3_Public_Primary_Certification_Authority_G2.cer -alias VeriSignG2

    5. You'll be prompted for a password and as long as you haven't
    ever changed it, it should be "changeit", which is the default.

    6. You'll be prompted to approve the request. Type "yes"
    without the quotes and hit enter

    7. A bunch of text should appear validating the installation. If you
    get an error, make sure your path and file names are correct in
    the step above.

    8. To verify, go to the jre\lib\security directory in Windows Explorer
    and make sure the files modified date is today's date.

    Hope this will help.



  36. Chuck says:

    A couple of days ago our CF5 server stopped processing credit cards, is the paypal root cert update why? nothing has changed.. and if so what procedure do I use.. running IIS6.. Thanks

  37. ben says:

    Hi Chuck:

    Have you updated the root certs? That fixed my problem the last time this tag, "stopped" working.   The only time I've seen this tag stop working, is when paypal changes something without telling anyone (like the URL, or requiring the cert update)

    Lemme see if I can't find my post with what I did to update certs.
    also running IIS6

  38. ben says:

    here is one link of paypal helping my confused head:

    here is the other link after I figured it out and posted the steps that worked for me:

    I can't say if this will help with CF5, or if this is really your issue, but last time it "stopped" working .. this was the fix.

    good luck.

  39. Chuck says:

    thanks, yes nothing changed on our box except it just stopping processing.. could paypal changed their url?

  40. Melinda says:

    Not sure this will help, but when this happened to me it was related to changes made to our proxy server… the dns name did not work, but fixed by changing to proxy server ip.

  41. Palawan Hotels says:

    I think you can change the url for the paypal

  42. Chuck says:

    to what?

Leave a Reply

You must be logged in to post a comment.