Can someone explain what's happening to $e in this


#1 Kiwiguy51

Kiwiguy51

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 15 February 2013 - 12:18 AM

Hi,
Can someone explain in English what this is doing to email addresses? Is it validating the user's input format?
I've got 2 Buy Now buttons that take people to Paypal but then Paypal says error wrong email address.

Yet above this code $ppe is set as my correct paypal email address. This is from my config.php.

Does the 2nd to last line change $e into my $ppe paypal email?

if ($_SESSION['page'] !== 'index') {}
else {
    $e = $_GET['e'];
    if (
        ($e == '') ||
        ($e == 'paypal@email.com') ||
        ($e == 'paypal@emailaddress.com') ||
        ($e == 'PAYPAL@EMAIL.COM') ||
        ($e == 'PAYPAL@EMAILADDRESS.COM') ||
        ($e == '-8-email-8-') ||
        ($e == '-8-paypalemail-8-') ||
        ($e == '-8-EMAIL-8-') ||
        ($e == '-8-PAYPALEMAIL-8-') ||
        ($e == '[={PAYPAL}]') ||
        ($e == '[={PAYPALEMAIL}]') ||
        ($e == 'zzzezzz') ||
        ($e == 'zzzppezzz')
    )
        $e = $ppe;
    $redirect = 'Location: '.$url0;

Thanks in advance ~Rod
PS: I don't code but I do kind of understand what it's doing.

#2 requinix

requinix

    Transforming Moderator

  • Moderators
  • 6,236 posts
  • LocationWA

Posted 15 February 2013 - 04:44 AM

Hard to say for sure without any kind of context or explanation of what this code is about...

If $e (from the URL) is any one of those values then substitute $e=$ppe. Perhaps those are for testing?

#3 Kiwiguy51


Posted 15 February 2013 - 02:31 PM

Thanks for that.
I didn't want to paste the whole config.php; it's quite long.
Basically the code above what I posted sets some variables, one of which is $ppe for my PayPal email.

Then he sets some page security so you can only get to the download page after signing up on the squeeze page

then the code I pasted

then sets some cookies

then does the one time offer and downsell stuff

then he has a way of sending a thank-you graphic to appear on PayPal's 'pay now' page with the user's email loaded.

then he replaces symbols like @ and : with their %40 and %3a equivalents

then he sets the button url which may be where my problem is.

$button_url = 'Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business='.
$paypal2.'&item_name='.$product_name2.'&item_number='.$product_id2.'&amount='.$price2.'&no_shipping=1&return='.
$download_link2.'&cancel_return='.$cancel_link2.'&no_note=1&currency_code=USD&notify_url='.$ipn_link2.'&cpp_header_image='.$ppheader_url2;

That's the link to PayPal, so on the sales page he just writes $button_url
$paypal2 should be the user's email address
$ipn_link2: don't know what this is (notify url) but he's turned it off (commented it out) previously

I don't see any reference to my PayPal account. Could this be why PayPal says error wrong email address to the buyer?

#4 requinix


Posted 15 February 2013 - 02:42 PM

> then he replaces symbols like @ and : with their %40 and %3a equivalents

That should be one single call to rawurlencode.

> $button_url = 'Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business='.
> $paypal2.'&item_name='.$product_name2.'&item_number='.$product_id2.'&amount='.$price2.'&no_shipping=1&return='.
> $download_link2.'&cancel_return='.$cancel_link2.'&no_note=1&currency_code=USD&notify_url='.$ipn_link2.'&cpp_header_image='.$ppheader_url2;

I'm not too familiar with this part of PayPal but I believe the business= is your email address, not the customer's.

Separately, it looks like you're putting the notify_url for IPN in the URL you're redirecting to? That should be specified in your account instead. Exposing that location to the user is a risk to your listening code, and though it should not be a problem (because it verifies the request with PayPal) there's always the chance of a malicious user discovering an exploit in the code. I don't know how it was "turned off" so this may not be a problem.

Edited by requinix, 15 February 2013 - 02:43 PM.
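
Added example (not code from the thread or from the script's author): one way to build the redirect along the lines of reply #4, with business taken only from the server-side PayPal address, every value encoded in a single pass, and notify_url left to the account settings. The $config keys, the function name build_button_url and all sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample configuration (placeholders, not values from the thread).
$config = [
    'paypal_email' => 'merchant@example.com',   // plays the role of $ppe
    'return'       => 'https://shop.example.com/download.php?id=42&t=abc',
    'cancel'       => 'https://shop.example.com/cancel.php',
    'header_image' => 'https://shop.example.com/img/header.png',
];

// Build the "Location:" header; the payee comes from config, never from $_GET.
function build_button_url(array $config, string $name, string $id, float $price): string
{
    $business = $config['paypal_email'];
    if (filter_var($business, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Configured PayPal email is not a valid address');
    }
    $params = [
        'cmd'              => '_xclick',
        'business'         => $business,
        'item_name'        => $name,
        'item_number'      => $id,
        'amount'           => number_format($price, 2, '.', ''),
        'no_shipping'      => '1',
        'return'           => $config['return'],
        'cancel_return'    => $config['cancel'],
        'no_note'          => '1',
        'currency_code'    => 'USD',
        'cpp_header_image' => $config['header_image'],
        // notify_url is left out here: the IPN listener is set in the PayPal account.
    ];
    // PHP_QUERY_RFC3986 encodes each value the way rawurlencode() does.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return 'Location: https://www.paypal.com/cgi-bin/webscr?' . $query;
}

// A visitor-supplied ?e=... has no effect on who gets paid.
$_GET['e'] = 'someone-else@example.net';   // constructed request value
$header = build_button_url($config, 'E-book & bonus', 'SKU 7', 27.0);

// Decode the query again to confirm the values survive encoding intact.
parse_str((string) parse_url(substr($header, 10), PHP_URL_QUERY), $decoded);
echo $header, PHP_EOL;
echo 'business => ', $decoded['business'], PHP_EOL;
echo 'return   => ', $decoded['return'], PHP_EOL;
```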


#5 Kiwiguy51


Posted 15 February 2013 - 03:27 PM

Just went looking through paypal help section and yes looks like business should be my email.
I'll give that a try


And it worked

Thanks

Edited by Kiwiguy51, 15 February 2013 - 03:39 PM.
