MemphiS Posted April 9, 2008

Just recently I've come across DAOpay and have a few questions. Is this script secure? It is a free script given by them. I have never dealt with fopen etc. and am not sure about security issues.

```php
<?php
// this sample provides a download of a binary mp3 file if the PIN code is valid
$prd = $_GET["prodcode"];
$pin = $_GET["pin"];
$err = "";
if ($prd && $prd != "" && $pin && $pin != "") {
    // ask the DAOpay PIN check service whether this PIN is valid for the product
    $handle = fopen("http://daopay.com/svc/pincheck?appcode=40454&subkey=".$prd."&pin=".$pin, "r");
    if ($handle) {
        $reply = fgets($handle);
        if (substr($reply, 0, 2) == "ok") {
            $file = "/home/apache/resources/".$prd.".mp3";
            // serve the file
            $resource = fopen($file, "rb");
            if ($resource) {
                // one header() call per header line
                header("Content-type: text/html");
                header("Content-length: ".(string)(filesize($file)));
                fpassthru($resource);
                exit;
            } else {
                echo "An error occurred: could not open resource";
                exit;
            }
        } else {
            $err = "The PIN code you entered is not valid!";
        }
    } else {
        $err = "Could not validate the PIN code";
    }
}
?>
```
discomatt Posted April 9, 2008

PIN? Is this a sensitive piece of info? Cause you're sending it over a non-secure stream right in the URI. If pin is in any way important, please don't. Let someone else deal with payments. I really like PayPal's and Google Checkout's web services.
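A hardened variant of the download script from the first post, as an added example that is not part of the thread and is not DAOpay's code. It assumes product codes and PINs are short alphanumeric strings and that the pincheck endpoint also answers over HTTPS; the function names and length limits are hypothetical.

```php
<?php
// Added example, not DAOpay's code. Assumptions: product codes and PINs are
// short alphanumeric strings; the pincheck endpoint is reachable over HTTPS.
const RESOURCE_DIR = '/home/apache/resources';          // directory from the original post
const PINCHECK_URL = 'https://daopay.com/svc/pincheck'; // HTTPS availability is assumed

// Accept only strings matching a strict allow-list; anything else becomes null.
function clean_param($value, int $maxLen): ?string
{
    $ok = is_string($value) && preg_match('/\A[A-Za-z0-9]{1,' . $maxLen . '}\z/', $value);
    return $ok ? $value : null;
}

// Build the verification URL with every parameter percent-encoded.
function pincheck_url(string $prd, string $pin): string
{
    $query = http_build_query(['appcode' => '40454', 'subkey' => $prd, 'pin' => $pin]);
    return PINCHECK_URL . '?' . $query;
}

// Resolve the product file and confirm it still lies inside RESOURCE_DIR.
function resolve_resource(string $prd): ?string
{
    $base = realpath(RESOURCE_DIR);
    $path = realpath(RESOURCE_DIR . '/' . $prd . '.mp3');
    if ($base === false || $path === false) return null;
    return strncmp($path, $base . '/', strlen($base) + 1) === 0 ? $path : null;
}

$prd = clean_param($_GET['prodcode'] ?? null, 32);
$pin = clean_param($_GET['pin'] ?? null, 16);
if ($prd === null || $pin === null) {
    http_response_code(400);
    exit('Invalid product code or PIN');
}
// Short timeout; certificate verification stays on (PHP default for https://).
$ctx   = stream_context_create(['http' => ['timeout' => 5]]);
$reply = @file_get_contents(pincheck_url($prd, $pin), false, $ctx);
if ($reply === false) { http_response_code(502); exit('Could not validate the PIN code'); }
if (strncmp($reply, 'ok', 2) !== 0) { http_response_code(403); exit('The PIN code you entered is not valid!'); }

$file = resolve_resource($prd);
if ($file === null) { http_response_code(404); exit('An error occurred: could not open resource'); }
// audio/mpeg is the registered media type for MP3; send each header separately.
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($file));
header('Content-Disposition: attachment; filename="' . $prd . '.mp3"');
readfile($file);
```

The allow-list check runs before the values reach either the verification URL or the file path, so the same validation covers both uses of `prodcode`.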