
Hi, I'm wondering if anyone can help with some code, I can't figure it out.

What I'm trying to do is have a piece of code only execute when a customer comes from PayPal. If you go to that page without coming from PayPal the code won't run.

I'm selling an ebook on my site and I have some code that will generate a unique URL to download the item which expires when I want it to, this is so the customer doesn't know where the file is stored and doesn't know the actual file name on the server. That part works fine.

The problem is after the customer pays for the item on PayPal's site, PayPal will redirect them where I want, so I made a page that tells the customer the purchase is complete and in that page is the code to generate the unique URL for downloading the package.

The real problem is the page the customer lands on from PayPal to get the link is always the same, so all you need to do is remember that URL and you can generate a unique URL anytime you want. So I need some kind of "if" statement around the URL-generating code in that page, that will allow it to only generate a URL when the customer comes from PayPal. If the customer refreshes the landing page that PayPal sent them to then the unique URL will be gone and there is no way to get another unless you rebuy or email me.

I hope all this makes sense, any ideas would be appreciated.

Thanks


no no no no no no ....

Your way sounds very insecure, no way man.

A user clicks to pay for something, it is added to a cart, and the user adds or deletes the current chosen product.

Or the user presses a link to buy a product or something.

When the user checks out, or goes straight to PayPal to pay for something,

you set a variable to the PayPal form to be sent back to the updating page,

the variable that was set in the PayPal form will be something like a secret number, and hashed with md5 and salt I suspect is best.

Once the user has paid you send them to a page that was set from the PayPal form,

you check against the paid item in the database and make sure the secret number matches, then show a form to enter a reference.

PayPal sends IPN information to a table in your database, you then ask the user to enter the reference info from the PayPal email,

if the reference from the email PayPal sent them matches your IPN information then show them a link to download the product.

Only my opinion (sorry, long process, but it's worth the go as it's money).

PS.

Also remember PayPal use their own PHP / HTML encryption methods and all forms or PHP data should only be encrypted via their methods.

PPS. You can find loads of PHP scripts from the PayPal community, and their helpers are fantastic.

I personally was in a rush to get money from PayPal, then I studied everything there was to know from the PayPal community web site,

this enables me today to integrate any project with PayPal easily, there are hundreds of pros and cons getting it right as security is of such essence.

Hi, thanks for all the replies, I didn't think this would be so difficult. I want to do this right but that small code tbare posted looks tempting. :)

I did try the IPN thing but it didn't work. I have a script that handles digital downloads and is supposed to work with PayPal. It has a file called IPN.php that is supposed to do all this but when it runs it comes up with a blank page, all that code for a white screen? I wonder how much is needed for a blue screen. :D

In PayPal's sandbox they have an IPN tester, I entered the URL to the ipn.php file I have and PayPal said it was ok, so why a white screen? Here's the code that's in the ipn.php file, does it look good? In the PayPal settings I linked to that file in the IPN settings and in the auto return to website but still nothing.

<?php
// IPN listener: PayPal calls this script server-to-server.
// It prints nothing on the VERIFIED and INVALID paths.
include('variables.php');

$connect = mysql_connect($host,$username,$password);
if (!$connect) {
    die('Could not connect: ' . mysql_error());
}
@mysql_select_db($database) or die( "Unable to select database");

// Post the received IPN back to PayPal with cURL and return PayPal's answer.
function doTheCurl ()
{
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value)
    {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }
    $ch = curl_init();

    // check to see if this is sandbox or not
    if (isset($_POST["test_ipn"]) && $_POST["test_ipn"] == 1)
    {
        curl_setopt($ch, CURLOPT_URL, "https://www.sandbox.paypal.com/cgi-bin/webscr");
    }
    else
    {
        curl_setopt($ch, CURLOPT_URL, "https://www.paypal.com/cgi-bin/webscr");
    }

    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
    curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
    $paypal_response = curl_exec ($ch);
    curl_close($ch);
    return $paypal_response;
}

// Fallback when cURL fails: same postback over a raw socket.
// Note: this path talks plain HTTP on port 80.
function doTheHttp ()
{
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value)
    {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }
    // post back to PayPal system to validate
    $header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";   // was ".=" on an undefined variable
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

    // check to see if this is sandbox or not.
    if (isset($_POST["test_ipn"]) && $_POST["test_ipn"] == 1)
    {
        $paypal_response = fsockopen ('www.sandbox.paypal.com', 80, $errno, $errstr, 30);
    }
    else
    {
        $paypal_response = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
    }

    if (!$paypal_response) {
        return "ERROR";
    }
    else
    {
        fputs ($paypal_response, $header . $req);
        while (!feof($paypal_response))
        {
            // fgets() keeps the line ending, so trim before comparing
            $res = trim(fgets ($paypal_response, 1024));
            if (strcmp ($res, "VERIFIED") == 0)
            {
                fclose ($paypal_response);
                return "VERIFIED";
            }
            else if (strcmp ($res, "INVALID") == 0)
            {
                fclose ($paypal_response);
                return "INVALID";
            }
        }
        fclose ($paypal_response);
    }
    return "ERROR";
}

$paypal_response = doTheCurl();
if (!$paypal_response)
{
    $paypal_response = doTheHttp();
}

//get variables
$receiver_email = $_POST['receiver_email'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$payer_email = $_POST['payer_email'];
$item_name = $_POST['item_name'];
$amount = $_POST['mc_gross'];
$payment_status = $_POST['payment_status'];
$txn_type = $_POST['txn_type'];

// build the notification text for the shop owner
$message = "";
if ($first_name != "")
    $message .= "Customer First Name: " . $first_name . "\n";
if ($last_name != "")
    $message .= "Customer Last Name: " . $last_name . "\n";
if ($payer_email != "")
    $message .= "Customer Email: " . $payer_email . "\n";
if ($item_name != "")
    $message .= "Item: " . $item_name . "\n";
if ($amount != "")
    $message .= "Amount: " . $amount . "\n";
if ($txn_type != "")
    $message .= "Transaction Type: " . $txn_type . "\n";
if ($payment_status != "")   // was $payer_status, which is never set
    $message .= "Payment Status: " . $payment_status . "\n";

if (ereg('VERIFIED',$paypal_response)) {
    $response_verified = 1;
    $ipn_result = 'VERIFIED';
    if ($payment_status == "Completed")
    {
        // item_name arrives in the request, so escape it before it goes into SQL
        $safe_item_name = mysql_real_escape_string($item_name);
        $checkquery = "SELECT * FROM files WHERE paypalname = '$safe_item_name'";
        $checkresult = mysql_query($checkquery);

        $checkrow=mysql_fetch_assoc($checkresult);

        $price = $checkrow["price"];
        $filename = $checkrow["filename"];

        if ($price == $amount)
        {
            //send email to buyer
            $random = rand();
            $string = md5($random);

            $query = "INSERT INTO links (getfilename, link, dltimes) VALUES ('$filename', '$string', '3')";
            mysql_query($query);
            mysql_close($connect);

            $to = $payer_email;
            $subject = $storename . " Order";
            $body = "Your download url:\n" . $scriptpath . "send_url.php?q=" . $string . "\n\nIf you cannot download, please contact us at " . $email . ".";

            mail($to, $subject, $body,
                "To: " . $to . "\n" .
                "From: ". $email ."\n" .
                "X-Mailer: PHP 4.x");

            mail($email, "Order Received", $message, "From: ". $email);
        }
        else
        {
            mail($email, "Order Payment Amount Invalid", $message, "From: ". $email);
        }
    }

} else if (ereg('INVALID',$paypal_response)) {
    $response_invalid = 1;
    $ipn_result = 'INVALID';

    $message .= "IPN returned invalid\n";

    mail($email, "Order Received - Invalid IPN", $message, "From: ". $email);

    $to = $payer_email;
    $subject = $storename . " Order";
    $body = "Your download was not completed, please contact us at " . $email . ".";

    mail($to, $subject, $body,
        "To: " . $to . "\n" .
        "From: " . $email . "\n" .
        "X-Mailer: PHP 4.x");

} else {
    echo 'Error: no valid $paypal_response received.';

    $message .= "No response from Paypal\n";

    mail($email, "Order Received - No IPN Response", $message, "From: " . $email);

    $to = $payer_email;
    $subject = $storename . " Order";
    $body = "Your download was not completed, please contact us at " . $email . ".";

    mail($to, $subject, $body,
        "To: " . $to . "\n" .
        "From: " . $email . "\n" .
        "X-Mailer: PHP 4.x");
}

?>
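The script above reads `receiver_email` but only checks the payment status and the amount once PayPal answers VERIFIED. The following is an added example, not part of the thread or of the poster's script, showing the checks that decide whether a verified IPN should release a download. It assumes PHP 7 or later; `ipn_rejections()`, the `$seenTxn` callback, the `mc_currency` and `txn_id` checks and all sample values are constructed for illustration.

```php
<?php
// Added example: checks to run after PayPal's postback answered VERIFIED.
// $product mirrors a row of the thread's "files" table.

/**
 * Returns the reasons to reject the notification (empty array = fulfil it).
 * $seenTxn reports whether a txn_id has already been fulfilled.
 */
function ipn_rejections(array $ipn, array $product, string $merchantEmail,
                        string $currency, callable $seenTxn): array
{
    $why = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $why[] = 'payment not completed';
    }
    // The money must have gone to this shop's account, not someone else's.
    if (strcasecmp($ipn['receiver_email'] ?? '', $merchantEmail) !== 0) {
        $why[] = 'wrong receiver_email';
    }
    if (($ipn['mc_currency'] ?? '') !== $currency) {
        $why[] = 'wrong currency';
    }
    // Compare in integer cents so "9.5" and "9.50" match and floats never drift.
    $paid  = (int) round(((float) ($ipn['mc_gross'] ?? 0)) * 100);
    $price = (int) round(((float) $product['price']) * 100);
    if ($paid !== $price) {
        $why[] = 'amount does not match price';
    }
    // The same notification can arrive more than once; fulfil each txn_id once.
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || $seenTxn($txn)) {
        $why[] = 'missing or repeated txn_id';
    }
    return $why;
}

// Constructed sample data, not taken from a real transaction.
$product = ['paypalname' => 'My Ebook', 'filename' => 'ebook.zip', 'price' => '9.50'];
$done    = ['TXN-OLD' => true];
$seen    = function (string $id) use ($done): bool { return isset($done[$id]); };
$good    = ['payment_status' => 'Completed', 'receiver_email' => 'shop@example.com',
            'mc_currency' => 'USD', 'mc_gross' => '9.50', 'txn_id' => 'TXN-NEW'];
$replay  = array_merge($good, ['txn_id' => 'TXN-OLD', 'mc_gross' => '0.01']);

var_dump(ipn_rejections($good, $product, 'shop@example.com', 'USD', $seen));
var_dump(ipn_rejections($replay, $product, 'shop@example.com', 'USD', $seen));
```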

Well, I managed to get the script working with the IPN, which triggers an email to the customer with a unique URL to download. Now the problem is the code isn't finding the file on the server, it's allowing the user to download the file that's generating the code.

This is how it all works.

There's a MySQL database which has 2 tables, "files" and "links".

There's an admin area to upload the file, the file sits on the server but the database holds info about the file. The "files" table has 4 fields, "id", "paypalname", "filename" and "price". The "paypalname" is the title of the download, the filename is the actual filename of the download, and price is of course the price I'm selling it for.

Once a customer makes a payment the IPN tells the script that payment was made, the script looks to see that $price == $payment_amount is a match ($price is the price I have in the database and $payment_amount is how much was paid through PayPal) and if it is a match it will execute the file "send_url.php".

So I run tests and everything goes as it reads in the script, if the payment amount sent through PayPal is different than what's in the database no URL is given. When both match it does send an email to the customer using the customer's PayPal email address with a different URL every time, sounds good.

Here's the problem, when I click the URL that's in the email a download window opens but instead of calling "$filename" like it should it presents the "send_url.php" file for downloading. That's the file that generated the URL.

Once there's a match for price the "ipn.php" file attempts to fill in the "links" table in the database. There are 4 fields in the "links" table: "id", "getfilename", "link" and "dltimes". All the fields are being filled except "getfilename", which must be the reason the link can't point to a specific file so it presents "send_url.php" instead.

I cannot understand why 3 of the 4 fields in the "links" table get filled but "getfilename" doesn't. Here's part of the "ipn.php" file that fills the "links" table.

//send email to buyer
$random = rand();
$string = md5($random);

$query = "INSERT INTO links (getfilename, link, dltimes) VALUES ('$filename', '$string', '3')";
mysql_query($query);
mysql_close($connect);

$to = $payer_email;
$subject = $storename . " Order";
$body = "Your download url:\n" . $scriptpath . "send_url.php?q=" . $string . "\n\nIf you cannot download, please contact us at " . $email . ".";

mail($to, $subject, $body,
    "To: " . $to . "\n" .
    "From: ". $email ."\n" .
    "X-Mailer: PHP 4.x");

mail($email, "Order Received", $message, "From: ". $email);

}
else
{
mail($email, "Order Payment Amount Invalid", $message, "From: ". $email);

}
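The "links" table described above holds a token, a filename and a download counter. The following is an added example, not the poster's `send_url.php` (which the thread never shows), of issuing and redeeming such a link so that an empty `getfilename`, a spent counter or an unknown token ends in a refusal instead of some other file being served. `issue_link()`, `redeem_link()` and the `expires` column are hypothetical, an in-memory SQLite database (PDO with the SQLite driver) stands in for MySQL so the block runs offline, and the token comes from `random_bytes()` because `md5(rand())` can only take as many values as `rand()` can return.

```php
<?php
// Added example; names and the expires column are assumptions for illustration.

function issue_link(PDO $db, string $filename, int $times = 3, int $ttl = 86400): string
{
    if ($filename === '') {               // never store a link that points at nothing
        throw new InvalidArgumentException('no filename for this product');
    }
    $token = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG
    $db->prepare('INSERT INTO links (getfilename, link, dltimes, expires) VALUES (?, ?, ?, ?)')
       ->execute([$filename, hash('sha256', $token), $times, time() + $ttl]);
    return $token;                        // only the e-mailed URL carries the raw token
}

/** Returns the absolute path to serve, or null if the link must be refused. */
function redeem_link(PDO $db, string $token, string $dir): ?string
{
    // Atomically use up one download; no row changes if spent, expired or unknown.
    $upd = $db->prepare('UPDATE links SET dltimes = dltimes - 1
                         WHERE link = ? AND dltimes > 0 AND expires > ?');
    $upd->execute([hash('sha256', $token), time()]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT getfilename FROM links WHERE link = ?');
    $sel->execute([hash('sha256', $token)]);
    $name = basename((string) $sel->fetchColumn());   // strip any directory part
    $path = $dir . DIRECTORY_SEPARATOR . $name;
    // An empty or missing name ends in a refusal, never in another file.
    return ($name !== '' && is_file($path)) ? $path : null;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, getfilename TEXT, link TEXT,
                               dltimes INTEGER, expires INTEGER)');
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'ebook.zip', 'demo');

$token = issue_link($db, 'ebook.zip', 2);
var_dump(redeem_link($db, $token, $dir) !== null);   // first download
var_dump(redeem_link($db, $token, $dir) !== null);   // second download
var_dump(redeem_link($db, $token, $dir));            // counter spent
var_dump(redeem_link($db, 'not-a-token', $dir));     // unknown token
```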
