silverglade Posted December 16, 2009

Hi, I'm trying to make sure that the people who just paid for my pages at PayPal can't copy and paste the "create account" page for people to make free accounts. Here is the code I'm using, but it directs only to the main page of my site. Any help greatly appreciated. Thanks. Derek

choose1.php is the "secret" page I'm trying to protect.

```php
include("connect1.php");

// hacker prevention: stop visitors going straight to the URL without coming from PayPal
if (strstr($_SERVER['HTTP_REFERER'], "paypal.com")) {
    header("Location: http://mysite.com/choose1.php");
} else {
    header("Location: http://mysite.com");
}
```

Adam Posted December 16, 2009

Not entirely sure what you're trying to do, but relying on the HTTP_REFERER for security is never actually secure. Consider that I could easily just modify the PayPal homepage with Firebug, creating a link to that page; the condition would then return true and I'd have access.

Edit: Also remember that not everybody uses "paypal.com"...

silverglade Posted December 16, 2009

I'm just trying to make sure they came from PayPal before coming to my account creation page. Otherwise I want to redirect them to my home page. This is only a temporary fix; I plan on making a better one when I learn more. Any help on the code above I'd greatly appreciate.

Adam Posted December 16, 2009

(Note my edit - maybe why it's not working for you)

As I said though, this isn't a secure method. It also doesn't allow people to continue later if they get interrupted during registration. Perhaps you should look into generating a kind of 'register key' for each purchase? You send the user a link like register.php?key=1345234nff345r34f34f (something along those lines). During registration this key is checked to make sure it's valid, they're allowed to register, and once complete the key is removed (so they can't forward the address on to anyone else).

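Added example (not part of any post in the thread, and not PayPal's or the forum's code): one way to implement the per-purchase register key described above. The table name, function names, the 24-hour expiry and the choice to store only a hash of the key are assumptions made for this sketch; an in-memory SQLite database (requires the pdo_sqlite extension, PHP 7+) stands in for the site's real one.

```php
<?php
// Hypothetical schema and helpers for one-time registration keys.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE register_keys (
    key_hash   TEXT PRIMARY KEY,    -- only a hash is stored, never the key itself
    expires_at INTEGER NOT NULL     -- Unix time after which the key is refused
)');

// Call once per confirmed purchase; the return value goes into the emailed link.
function issueKey(PDO $db, int $ttlSeconds = 86400): string
{
    $key = bin2hex(random_bytes(32));   // 256 bits from the system CSPRNG
    $db->prepare('INSERT INTO register_keys (key_hash, expires_at) VALUES (?, ?)')
       ->execute([hash('sha256', $key), time() + $ttlSeconds]);
    return $key;
}

// Call when the registration form is completed. A single DELETE both checks
// and removes the key, so two simultaneous requests cannot both redeem it.
function redeemKey(PDO $db, string $key): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $key)) {
        return false;                   // not in the format issueKey() produces
    }
    $stmt = $db->prepare('DELETE FROM register_keys WHERE key_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $key), time()]);
    return $stmt->rowCount() === 1;
}

$key = issueKey($db);
echo "register.php?key=$key\n";
var_dump(redeemKey($db, $key));                  // first use of the link
var_dump(redeemKey($db, $key));                  // the same link forwarded and reused
var_dump(redeemKey($db, str_repeat('0', 64)));   // a key that was never issued
```

Unlike the Referer header, the key is generated and checked on the server, so the visitor cannot supply a value that passes unless they were actually sent one.
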
silverglade Posted December 16, 2009

Thank you. I'm not advanced enough to do that, but thanks for helping me. Derek

Adam Posted December 16, 2009

No problem. It may be that PayPal are using header redirects (though obviously not PHP) which is why your condition is failing -- I don't believe they populate the HTTP_REFERER. Have you tried a var_dump on $_SERVER['HTTP_REFERER']?

silverglade Posted December 16, 2009

No, but I will try that. Thank you.

mrMarcus Posted December 16, 2009

If you are worried about people redistributing your stuff, don't use the referer option.

The way to do this, IMO, is to have the "account creation" accessible to anyone (or only people who have already registered a simple account). They fill out the form and that data gets inserted into the database with a field (`status` for example) set to 0 (0 meaning that their account has not been verified). Then they are to click the PayPal button to go pay up.

And with PayPal, there is an option called IPN (Instant Payment Notification), where you can do a postback on a successful or failed transaction. On a successful transaction, you would have a script that works as the IPN that updates that field in the database, `status`, to 1.

That's it. People can freely distribute the account creation form all they want, but their content will never go live unless that `status` field in the db is set to 1, which is only done on a successful transaction. So, you should only hope they are giving away the form, since that could generate more traffic to your PayPal account.

It might sound complicated, but it's really not that bad.

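Added example (not part of any post in the thread): a sketch of the `status` gate described above, where the flag changes only in the payment-notification handler. `payment_status`, `receiver_email`, `txn_id` and `custom` are PayPal IPN variables; the tables, the function name, the merchant address and the sample message are constructed for illustration, and the validation postback to PayPal is reduced to a boolean argument so the block runs offline.

```php
<?php
const MERCHANT_EMAIL = 'seller@example.test';     // constructed value

$db = new PDO('sqlite::memory:');                 // stands in for the site's database
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, status INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE payments (txn_id TEXT PRIMARY KEY, account_id INTEGER NOT NULL)');
$db->exec('INSERT INTO accounts (id) VALUES (1)');   // form submitted, not yet paid

// $verified is the outcome of posting the notification back to PayPal for
// validation; that network step is left to the caller (assumption of this sketch).
function handleIpn(PDO $db, array $msg, bool $verified): bool
{
    $accountId = filter_var($msg['custom'] ?? '', FILTER_VALIDATE_INT);
    if (!$verified
        || ($msg['payment_status'] ?? '') !== 'Completed'
        || ($msg['receiver_email'] ?? '') !== MERCHANT_EMAIL
        || empty($msg['txn_id'])
        || $accountId === false) {
        return false;
    }
    $db->beginTransaction();
    try {
        // The PRIMARY KEY on txn_id rejects a replayed notification.
        $db->prepare('INSERT INTO payments (txn_id, account_id) VALUES (?, ?)')
           ->execute([$msg['txn_id'], $accountId]);
        $upd = $db->prepare('UPDATE accounts SET status = 1 WHERE id = ? AND status = 0');
        $upd->execute([$accountId]);
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('no pending account with that id');
        }
        $db->commit();
        return true;
    } catch (Exception $e) {
        $db->rollBack();
        return false;
    }
}

$msg = ['payment_status' => 'Completed', 'receiver_email' => MERCHANT_EMAIL,
        'txn_id' => 'TXN-CONSTRUCTED-1', 'custom' => '1'];   // constructed sample
var_dump(handleIpn($db, $msg, false));   // notification PayPal did not confirm
var_dump(handleIpn($db, $msg, true));    // confirmed notification
var_dump(handleIpn($db, $msg, true));    // the same notification replayed
echo $db->query('SELECT status FROM accounts WHERE id = 1')->fetchColumn(), "\n";
```

A production handler would also compare the paid amount and currency in the notification against the expected price before activating the account.
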