j5uh Posted June 5, 2008

I have a page where people can subscribe to a subscription service. This page is accessible by the internet if you just typed the URL in. What I was wondering, is there a way I can use .htaccess to only allow that page to show if you're coming from a PayPal website... I know there should be a way to do this... :-X

jonsjava Posted June 5, 2008

You can do it w/ PHP

```php
<?php
$allowed_referer = array("http://paypal.com", "http://phpfreaks.com"); //add the allowed sites in this array
// Empty string when the browser sends no Referer header (avoids an undefined-index notice)
$referal = $_SERVER['HTTP_REFERER'] ?? '';
if (in_array($referal, $allowed_referer)) {
    //let them hit this page
} else {
    //send them somewhere
}
?>
```

j5uh Posted June 5, 2008

So would I code it this way...

```php
<?php
$allowed_referer = array("http://paypal.com", "http://phpfreaks.com"); //add the allowed sites in this array
$referal = $_SERVER['HTTP_REFERER'];
if (in_array($referal, $allowed_referer)){
    //let them hit this page
    all my html code goes here
} else{
    do I just put a forward script here?
}
?>
```

discomatt Posted June 5, 2008

Keep in mind the end user can disable this, so it might be smart to have an 'if this page isn't working for you...' link.

Also, the end user can modify the referring URL, so if they really wanted to they could access the page and spoof a fake referrer to get past your check.

If the referring page is internal, sessions are a GREAT way to combat this.

thebadbad Posted June 5, 2008

Be aware that HTTP_REFERER can be modified by the user. But generally it would work (if a few users getting "unauthorized" access is OK). If you want to match someone coming from paypal.com, with or without possible subdomains and/or pages aside from the front page, you can use preg_match():

```php
<?php
// Empty string when the browser sends no Referer header
$referal = $_SERVER['HTTP_REFERER'] ?? '';
// Host must be paypal.com or a subdomain of it; the dots are escaped so they match literally
if (preg_match('~^https?://([a-z0-9-]+\.)*paypal\.com/.*?$~Di', $referal)) {
    //they come from paypal.com
} else {
    //they don't
}
?>
```

I don't think the other script posted will work, since the URLs are short of a trailing slash and the "https" scheme. But I guess you were supposed to fill in the exact URLs yourself.

j5uh Posted June 5, 2008

> Be aware that HTTP_REFERER can be modified by the user. But generally it would work (if a few users getting "unauthorized" access is OK). If you want to match someone coming from paypal.com, with or without possible subdomains and/or pages aside from the front page, you can use preg_match():
>
>     <?php
>     // Empty string when the browser sends no Referer header
>     $referal = $_SERVER['HTTP_REFERER'] ?? '';
>     // Host must be paypal.com or a subdomain of it; the dots are escaped so they match literally
>     if (preg_match('~^https?://([a-z0-9-]+\.)*paypal\.com/.*?$~Di', $referal)) {
>         //they come from paypal.com
>     } else {
>         //they don't
>     }
>     ?>
>
> I don't think the other script posted will work, since the URLs are short of a trailing slash and the "https" scheme. But I guess you were supposed to fill in the exact URLs yourself.

So this script here is better with preg_match? So if someone made a payment on PayPal, they would be forwarded to this page and it should allow them to access it, right? I have no problem with just a few people sneaking by... I will review the list every couple weeks to make sure people have paid...

thebadbad Posted June 5, 2008

Yes, it's better if you wanna allow anyone from anywhere on paypal.com. But as discomatt says, it won't work for users who have turned the 'referer' option off (but who have that??).

j5uh Posted June 6, 2008

So could I do this?

```php
<?php
$referal = $_SERVER['HTTP_REFERER'];
if (preg_match('~^https?://(.*?\.)?paypal.com/.*?$~D', $referal)) {
<html>
<body>paid content here</body>
<html>
} else {
<html>
<body>you must pay first... </body>
<html>
}
?>
```

thebadbad Posted June 6, 2008

Your syntax is wrong, it could look like this:

```php
<?php
// Empty string when the browser sends no Referer header
$referal = $_SERVER['HTTP_REFERER'] ?? '';
// Host must be paypal.com or a subdomain of it; the dots are escaped so they match literally
if (preg_match('~^https?://([a-z0-9-]+\.)*paypal\.com/.*?$~Di', $referal)) {
?>
<html>
<body>paid content here</body>
</html>
<?php
} else {
?>
<html>
<body>you must pay first... </body>
</html>
<?php
}
?>
```

I'm not very familiar with PayPal, but isn't there some secure way to deal with this? It should be an obvious feature to buy access to certain pages.

discomatt Posted June 6, 2008

> Yes, it's better if you wanna allow anyone from anywhere on paypal.com. But as discomatt says, it won't work for users who have turned the 'referer' option off (but who have that??).

I do. I don't see why a website should know what page I'm coming from if it's not theirs.

j5uh Posted June 6, 2008

Honestly, I wish it was easier to integrate PayPal into a form... but I have no experience with APIs...

anon_login_001 Posted June 6, 2008

I didn't see a mention of this, and I feel it's important enough to say:

'HTTP_REFERER' can be turned off, and should not be considered trustworthy, not only (as was mentioned) because some users can be denied access, but more importantly because the header can be "spoofed" and a person can gain access without actually having come from the PayPal (or other) site.

If you are barring access because you are expecting someone to have paid for something, it is well worth your money to look into (or pay someone else to look into) the official PayPal APIs.

discomatt Posted June 6, 2008

> honestly, i wish it was easier to integrate paypal into a form.. but i have no experience with API's...

It is very easy to integrate PayPal. Have you even looked at their API?

> I didn't see a mention of this, and I feel it's important enough to say: 'HTTP_REFERER' can be turned off

> Keep in mind the end user can disable this, so it might be smart to have an 'if this page isn't working for you...' link

> But as discomatt says, it won't work for users who have turned the 'referer' option off

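Added example, not written by any poster in this thread: the Referer check discussed above next to a server-side entitlement check of the kind the replies recommend (sessions, payment confirmed by the site itself), run over constructed requests. The function names, the transaction id and `$confirmedTxns` are assumptions; `$confirmedTxns` stands in for whatever payment confirmation the site obtains from PayPal, and the plain `$session` array stands in for `$_SESSION` so the script runs from the command line.

```php
<?php
// Added example. All names and sample data below are constructed for illustration.

// Referer check in the style of the one posted in the thread:
// the decision rests on a header chosen by the client.
function referer_gate(array $server): bool {
    $ref = $server['HTTP_REFERER'] ?? '';
    return (bool) preg_match('~^https?://([a-z0-9-]+\.)*paypal\.com/.*?$~Di', $ref);
}

// Payment handler: the entitlement is written to the session only when the
// transaction is one the site has confirmed for itself.
// $confirmedTxns is a hypothetical store standing in for that confirmation.
function record_payment(array &$session, string $txnId, array $confirmedTxns): bool {
    if (!in_array($txnId, $confirmedTxns, true)) {
        return false;               // unknown transaction: nothing is granted
    }
    $session['paid_txn'] = $txnId;  // in a real page this would be $_SESSION
    return true;
}

// Content page: looks only at server-held state, never at request headers.
function session_gate(array $session): bool {
    return isset($session['paid_txn']);
}

$confirmedTxns = ['TXN-EXAMPLE-001'];   // constructed sample value

// Constructed requests: [request headers, transaction id presented or null]
$cases = [
    'paid, browser sends no Referer'      => [[], 'TXN-EXAMPLE-001'],
    'paid, Referer present'               => [['HTTP_REFERER' => 'https://www.paypal.com/'], 'TXN-EXAMPLE-001'],
    'not paid, Referer header only'       => [['HTTP_REFERER' => 'https://www.paypal.com/'], null],
    'not paid, unconfirmed transaction'   => [[], 'TXN-EXAMPLE-999'],
];

foreach ($cases as $label => [$server, $txn]) {
    $session = [];
    if ($txn !== null) {
        record_payment($session, $txn, $confirmedTxns);
    }
    printf("%-36s referer_gate=%-5s session_gate=%s\n",
        $label,
        var_export(referer_gate($server), true),
        var_export(session_gate($session), true));
}
```

The first and third rows are the two failure modes raised in the thread: a paying user with the Referer header turned off is refused by the header check, and a request that carries the header without any payment is accepted by it.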