joecooper Posted April 7, 2009

I have set up a script for the success page from a PayPal payment. It will create a licence for the user upon payment to a MySQL database etc. But a big flaw is that if someone browsed directly to the success page without following payment, they could get the script to create licences without payment (suggesting that someone else pays and then tells others the URL...). So how can I stop people accessing the page directly, only if the referrer was from PayPal?
Fruct0se Posted April 7, 2009

This is a good way to check if the payment came from PayPal. You will need to point your PayPal IPN to this script; name it whatever you would like. I will try to comment this the best I can:

```php
<?php
// Read the POST from the PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
    // stripslashes() undoes the escaping added by magic_quotes_gpc
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// Post back to the PayPal system to validate
$header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

// Assign posted variables to local variables.
// You can use these variables to track the details of the transaction
// and validate the purchase.
$item_name        = $_POST['item_name'];
$item_number      = $_POST['item_number'];
$payment_status   = $_POST['payment_status'];
$payment_amount   = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id           = $_POST['txn_id'];
$receiver_email   = $_POST['receiver_email'];
$payer_email      = $_POST['payer_email'];

// Use TLS for the post-back so the VERIFIED answer cannot be spoofed in transit
$fp = fsockopen('ssl://www.paypal.com', 443, $errno, $errstr, 30);
if (!$fp) {
    print "<b>Error Communicating with Paypal.<br>";
    print "Please contact</b>"; // Add your contact info here
} else {
    fputs($fp, $header . $req);
    $verified = false;
    while (!feof($fp)) {
        // The response includes HTTP header lines and line endings, so trim
        // each line and look for the one that is exactly VERIFIED
        $res = trim(fgets($fp, 1024));
        if (strcmp($res, "VERIFIED") == 0) {
            $verified = true;
        }
    }
    fclose($fp);

    if ($verified) {
        // If the payment came from PayPal and is verified then
        // place your code here
    } else {
        // If payment did not work
        print "<b>We cannot verify your purchase</b><br>";
    }
}
```
Cory94bailly Posted April 7, 2009

I don't have any fancy code or anything but this is what I use:

```php
// Stop unless the including script has defined the 'access' constant
if (!defined('access')) {
    die("Hacking Attempt.");
}
```

Then in any script that you want to access that file, put in this:

```php
define("access", "1");
```

It works well and it's very basic.
Fruct0se Posted April 7, 2009

Even if he defines the referrer as PayPal it won't tell if the payment was completed successfully; you need to check the data coming from PayPal as well, not just a response.
joecooper Posted April 7, 2009 (Author)

Thanks Fruct0se! I haven't tested yet but I will have a look soon. Thanks.
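Fruct0se's point that the data coming from PayPal must be checked, not just the response, sketched as an added example (not code from the thread or from PayPal). The function name, the `ipn_txn` table and the `EXPECTED` values are assumptions; the field names are the IPN variables used in the script above.

```php
<?php
// Added example: field checks to run only after PayPal has answered VERIFIED.
// All values here are placeholders/assumptions, not taken from the thread.
const EXPECTED = [
    'receiver_email' => 'seller@example.com', // your PayPal account (placeholder)
    'mc_gross'       => '19.99',              // licence price (placeholder)
    'mc_currency'    => 'USD',
];

// Returns true only if this verified IPN should create a licence.
function ipn_should_issue_licence(array $ipn, PDO $db): bool
{
    // VERIFIED only proves PayPal sent the message; the payment itself may
    // still be Pending, Refunded, Reversed and so on.
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return false;
    }
    // The payment must be to our account, in our currency, for our price.
    $gross = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
    if (strcasecmp($ipn['receiver_email'] ?? '', EXPECTED['receiver_email']) !== 0
        || ($ipn['mc_currency'] ?? '') !== EXPECTED['mc_currency']
        || $gross !== EXPECTED['mc_gross']) {
        return false;
    }
    $txnId = $ipn['txn_id'] ?? '';
    if ($txnId === '') {
        return false;
    }
    // The primary key on txn_id makes a repeated or replayed notification fail
    // the insert, so one payment can never create two licences.
    try {
        $stmt = $db->prepare('INSERT INTO ipn_txn (txn_id) VALUES (?)');
        return $stmt->execute([$txnId]);
    } catch (PDOException $e) {
        return false;
    }
}

// Constructed demo: in-memory SQLite stands in for the MySQL licence database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ipn_txn (txn_id VARCHAR(32) PRIMARY KEY)');

$good = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
         'mc_gross' => '19.99', 'mc_currency' => 'USD', 'txn_id' => 'TXN-CONSTRUCTED-1'];
var_dump(ipn_should_issue_licence($good, $db)); // first delivery of a paid order
var_dump(ipn_should_issue_licence($good, $db)); // same notification replayed
$cheap = ['mc_gross' => '0.01', 'txn_id' => 'TXN-CONSTRUCTED-2'] + $good;
var_dump(ipn_should_issue_licence($cheap, $db)); // wrong amount
```

Licence creation then belongs in the IPN handler behind this check, so the success page only has to display a result and browsing to it directly creates nothing.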
Archived
This topic is now archived and is closed to further replies.