
Only allow traffic from paypal htaccess - Please help!


3 replies to this topic

#1
napap

    Newbie

  • Members
  • 2 posts
Hi, I am running an e-commerce website where I sell digital downloads... Anyway, the security is way too weak: when someone clicks the "buy now" button they are redirected to PayPal to complete their order, and after their order has succeeded they are redirected to success.php, where they collect their downloads. The problem is that a session is set to true and therefore they can manually navigate to success.php and bypass the payment...

Is there a way of securing this success.php file to only allow traffic coming from successful PayPal orders? For example with an htaccess file?? Thanks...

I would actually like to avoid htaccess, as there would be a security issue: people could create their own buy now buttons and redirect them to my success.php file, something that would cheat an htaccess file... Anyway, thanks for any replies!

#2
Alexander

    It's Science!

  • Moderators
  • 4,124 posts
  • Location: Vancouver, Eh! Cleverness: 200
A referrer is not a valid option to check their origin; you would have to create a unique token that PayPal sends to the client to access the success page. If the token is expired or does not exist, then they are denied access. I have no experience with PayPal's API, although I am very certain that they provide integration of this functionality.

I would recommend consulting their documentation/forums before trying to implement your own possibly insecure method.

#3
dmanjrod

    Newbie

  • Members
  • 7 posts
Well, you can try using PayPal's IPN. It allows you to check for someone's payment as soon as they make it, so you can make sure they paid before allowing them to access your downloads. You should check out the API to learn how to use it; I think that's your best bet for this.

#4
Mark Wylde

    Learning Programmer

  • Members
  • 46 posts
Have a look at this post. If you take your time to read through it you can do this fairly easily.
Using PayPal’s Instant Payment Notification with PHP | Nettuts+

Do note you will need a PayPal business account to do this, but from the sounds of it you should be using this anyway as you are selling services to the general public.

By using the IPN, PayPal will (when a customer successfully makes a payment) send a request to a file on your server, in the example ipn.php, with POST data, which you can then send back to the PayPal server to validate the payment. When successful, it is up to you what you want to do. The example creates an account for the user, which will then give them access to content; however, if you want, you could probably just have it download a file to the user's computer without creating a user account.
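As an added example, not code from this thread or from the Nettuts+ tutorial linked above, the PHP below puts the last three posts together: the per-purchase token Alexander describes rides in the button's `custom` field as an order id, ipn.php validates PayPal's notification by posting it back and then checks receiver, amount, currency and status, and success.php consults the database instead of a session flag. The seller address, price, `orders` table, download lifetime and postback helper are assumptions; the notification in the demo at the bottom is constructed and a stand-in closure plays PayPal's role.

```php
<?php
// Added example, not from the thread or the linked tutorial. Hypothetical values:
// the seller's PayPal e-mail, price and currency, and an `orders` table that the
// demo creates in an in-memory SQLite database.
declare(strict_types=1);

const MERCHANT_EMAIL = 'seller@example.com';
const PRICE          = 9.99;
const CURRENCY       = 'USD';
const DOWNLOAD_TTL   = 86400; // seconds a paid order stays downloadable
// Live IPN postback endpoint; use ipnpb.sandbox.paypal.com while testing.
const IPN_POSTBACK   = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Step 1 (before redirecting to PayPal): create a pending order and remember its
// id in the session. The id goes into the button's hidden `custom` field, so the
// session records *which* order was started, never "paid = true".
function new_order(PDO $db): string {
    $id = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO orders (id, status) VALUES (?, ?)')->execute([$id, 'pending']);
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION['order_id'] = $id;
    }
    return $id;
}

// Real postback: echo PayPal's raw body back with cmd=_notify-validate prepended.
// Send the bytes exactly as received (file_get_contents('php://input')), not a
// re-encoded $_POST, or PayPal answers INVALID.
function paypal_postback(string $raw_body): string {
    $ch = curl_init(IPN_POSTBACK);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Handler'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? 'INVALID' : trim((string)$res);
}

// Step 2 (ipn.php): is this a completed payment of the right amount to *this*
// seller? Returns the rejection reason, or null to accept.
function ipn_rejection_reason(array $ipn, string $raw_body, callable $postback): ?string {
    if ($postback($raw_body) !== 'VERIFIED')            return 'postback not VERIFIED';
    if (($ipn['payment_status'] ?? '') !== 'Completed') return 'payment not Completed';
    // A home-made button can send money anywhere; insist it came to our account.
    if (strcasecmp($ipn['receiver_email'] ?? '', MERCHANT_EMAIL) !== 0) return 'wrong receiver';
    if (($ipn['mc_currency'] ?? '') !== CURRENCY)       return 'wrong currency';
    if ((float)($ipn['mc_gross'] ?? 0) + 0.005 < PRICE) return 'underpaid';
    if (!ctype_alnum($ipn['txn_id'] ?? '') || !ctype_xdigit($ipn['custom'] ?? '')) return 'malformed ids';
    return null;
}

// Mark the referenced pending order paid. txn_id is UNIQUE and the WHERE clause
// requires status = 'pending', so a replayed notification cannot pay a second order.
function handle_ipn(PDO $db, array $ipn, string $raw_body, callable $postback): bool {
    if (ipn_rejection_reason($ipn, $raw_body, $postback) !== null) return false;
    $stmt = $db->prepare('UPDATE orders SET status = ?, txn_id = ?, paid_at = ?
                          WHERE id = ? AND status = ?');
    try {
        $stmt->execute(['paid', $ipn['txn_id'], time(), $ipn['custom'], 'pending']);
    } catch (PDOException $e) {
        return false; // duplicate txn_id: this payment was already used
    }
    return $stmt->rowCount() === 1;
}

// Step 3 (success.php): release the file only if the order held in the session was
// marked paid by a verified IPN. Arriving at the page directly proves nothing.
function order_is_paid(PDO $db, string $order_id): bool {
    $stmt = $db->prepare('SELECT paid_at FROM orders WHERE id = ? AND status = ?');
    $stmt->execute([$order_id, 'paid']);
    $paid_at = $stmt->fetchColumn();
    return $paid_at !== false && (int)$paid_at + DOWNLOAD_TTL > time();
}

// Offline demo: constructed notification, stand-in postback, in-memory database.
if (PHP_SAPI === 'cli' && realpath($argv[0]) === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE orders (id TEXT PRIMARY KEY, status TEXT NOT NULL,
                                    txn_id TEXT UNIQUE, paid_at INTEGER)');
    $order = new_order($db);
    $ipn = ['payment_status' => 'Completed', 'receiver_email' => MERCHANT_EMAIL,
            'mc_gross' => '9.99', 'mc_currency' => 'USD',
            'txn_id' => '61E67681CH3238416', 'custom' => $order];  // constructed
    $verified = fn(string $raw): string => 'VERIFIED';              // plays PayPal
    $raw = http_build_query($ipn);

    var_dump(order_is_paid($db, $order));              // before any payment
    var_dump(handle_ipn($db, $ipn, $raw, $verified));  // genuine notification
    var_dump(order_is_paid($db, $order));              // after the verified IPN
    var_dump(handle_ipn($db, $ipn, $raw, $verified));  // replayed: order no longer pending
    $forged = ['receiver_email' => 'attacker@example.com'] + $ipn;
    var_dump(ipn_rejection_reason($forged, http_build_query($forged), $verified));
}
```

In production ipn.php reads the body with `file_get_contents('php://input')`, parses it with `parse_str()` into the array passed to `handle_ipn()`, passes `'paypal_postback'` as the callback, and answers HTTP 200 quickly so PayPal stops retrying. The `custom` field is still attacker-chosen when someone builds their own button, but the checks on receiver, amount and currency mean they can only ever mark an order paid by actually paying you the full price for it, and `success.php` only honours the order id stored in the buyer's own session. Test against the sandbox endpoint before going live.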
