paypal question

[bm4499]

hi,

 

Does anyone know how to deal with paypal?

 

What I want:

 

Visitors of my site have paid via paypal they need to see a *.php where they can process theirs form.

 

After it has been processed and they got what they wanted, they must NOT be able to copy the URL to give it to theirs friends or use it another time...

 

HOw do I deal with this problem?

[Jnerocorp]

here is something you can do:

 

if you use paypal form on your site with a return url then you can have php generate a random number using rand()

 

then save it in a mysql database along with the users email in a row and use GET for the form so in the return url you can get the inputed random number and then after the user has gotten what they wanted it deletes the random number from the database so it cant be matched anymore on the return page sorry its a bit hard to explain.

 

-John

[Jnerocorp]

ok i have made the script its 3 pages

 

payment.php

proccess.php

 

and

 

confirm.php

 

=================

Create a table in mysql called "any tablename you want" and edit process.php and confirm.php for correct mysql info

 

can create 2 fields in the table called email & token both VARCHAR 100   

 

=========

 

this is payment.php:

<?php
$token = rand(); //This will generate a random number
?>
<form action="process.php" method="get">
<input type="text" name ="email"> <?php // users email ?>
<input type="hidden" name="token" value='<?php echo "$token"; ?>'> <?php // the randomly generated number will be here ?>
<input type="submit" name="submit" value="Process Order">
</form>

 

this is process.php:

<?php
if(isset($_GET['submit'])) {

$email = $_GET['email'];
$token = $_GET['token'];

mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

mysql_query("INSERT INTO tablename 
(email, token) VALUES('$email', '$token' ) ") 
or die(mysql_error());  
?>

<form action="https://www.paypal.com/cgi-bin/webscr" method="post"> 
<input type="hidden" name="cmd" value="_xclick"> 
<input type="hidden" name="business" value="[email protected]"> 
<input type="hidden" name="item_name" value="hat">
<input type="hidden" name="amount" value="15.00"> 
<INPUT TYPE="hidden" NAME="return" value='http://domain.com/confirm.php?email=<?php echo $email;?>&token=<?php echo $token; ?>'>
<input type="image" name="submit" border="0" src="https://www.paypal.com/en_US/i/btn/btn_buynow_LG.gif" alt="PayPal - The safer, easier way to pay online"> 
</form>

 

and this is confirm.php:

<?php
if(isset($_GET['email'])) { //checks if email is set in url

$email = $_GET['email']; //Gets email from url
$token = $_GET['token']; //Gets token from url

mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());

$result = mysql_query("SELECT token FROM tablename WHERE email='$email'") //this gets the token from the database
or die(mysql_error());  
$row = mysql_fetch_array( $result )

$realtoken = $row['token']; //This sets the variable for the token

if($realtoken == $token) { // This will check if the token and the token in the database match

//Proceed and do stuff for purchase


//Below here will delete the token from the database
mysql_query("DELETE token FROM tablename WHERE token='$token'")  
or die(mysql_error()); 

} else {
?>
<h1><font color="red">INVALID PURCHASE</font></h1>
<?php
}

} else {

?>
<h1><font color="red">INVALID PURCHASE</font></h1>

 

-John

 

[bm4499]

Thanks Jnerocorp, I'm gonna try tonight after I get home.

 

Do I have to place 'requireonce('****')'  ontop of some scripts?

[bm4499]

is it also possible to open a phppage just ONLY after paypal send feedback that payment is done for that user?