HTTP_REFER HELP PHP


desjardins

Hi, guys/gals

I have a site that offers a download/thank-you page after purchase with PayPal. I'm wanting to secure that page so that it checks to make sure the user came from PayPal prior to letting him enter the page; if not, it would go to the main page.

Is this possible?


Well, if you are using PayPal's IPN, you can use that to determine if they've come to that page from PayPal.

Otherwise, $referer = $_SERVER['HTTP_REFERER']; will get you what you need, but you'll have to echo that out on the page when it comes back from PayPal to see exactly what it says or if you'll need to do any extra data handling on it.

PayPal has a developer zone that you can use to test your code, without having to actually use the live PayPal service.


I appreciate your help on this topic. I tried to understand the whole IPN feature; however, it's above me. With the http_refer, how would this be set up?

The download.html page would have an echo script? If all is well, show the page, and if it fails, send to the main page.


Do something like this:

$referer = $_SERVER['HTTP_REFERER'] ?? ''; // The header is optional and may be absent
$domain = parse_url($referer);

if (isset($domain['host']) && $domain['host'] == 'paypal.com') {
    // Run your downloading code here normally
} else {
    // The referrer is not paypal, we redirect to your home page
    header("Location: http://yoursite.com");
    exit(); // Stop running the script
}


You cannot rely on $_SERVER['HTTP_REFERER'] for any security purpose. It is an optional header that anyone can set to make it look like they came from paypal. Soon after you start doing what you are attempting, you will find that all kinds of people and scripts will access the page on your site for free.

 

You must check and record the information that the paypal IPN sends back to you to determine if the visitor actually paid. There are countless php/ipn scripts that you can use to capture this information into a database. It would then only be necessary to put code on your protected page to check against the database information if the visitor has paid.
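
The database check described in the post above, sketched as an added example that is not part of the original thread or any poster's code. The `payments` table, the `download_token` column and both function names are hypothetical, the rows are constructed sample data standing in for what an IPN listener would have stored, and the script assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example: gate the download on a recorded payment, never on the Referer header.
// Table layout, token format and function names are assumptions for illustration.

// Constructed sample rows standing in for what an IPN listener would have stored.
function open_payments_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE payments (
        txn_id TEXT PRIMARY KEY,
        download_token TEXT UNIQUE NOT NULL,
        status TEXT NOT NULL,
        downloads_left INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO payments VALUES (?, ?, ?, ?)');
    $ins->execute(['TXN-CONSTRUCTED-1', str_repeat('a', 64), 'Completed', 2]);
    $ins->execute(['TXN-CONSTRUCTED-2', str_repeat('b', 64), 'Pending', 2]);
    return $db;
}

// True only when the token belongs to a completed payment with downloads remaining.
// Check and decrement happen in one UPDATE, so parallel requests cannot overspend.
function may_download(PDO $db, string $token): bool {
    // Tokens are assumed to be bin2hex(random_bytes(32)) issued per purchase.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    $upd = $db->prepare(
        "UPDATE payments SET downloads_left = downloads_left - 1
         WHERE download_token = ? AND status = 'Completed' AND downloads_left > 0");
    $upd->execute([$token]);
    return $upd->rowCount() === 1;
}

$db = open_payments_db();
$requests = [
    'paid, 1st'  => str_repeat('a', 64),
    'paid, 2nd'  => str_repeat('a', 64),
    'paid, 3rd'  => str_repeat('a', 64), // allowance used up
    'pending'    => str_repeat('b', 64),
    'unknown'    => str_repeat('c', 64),
    'malformed'  => 'not-a-token',
];
foreach ($requests as $label => $token) {
    // The Referer header is never consulted, so forging it gains nothing.
    $ok = may_download($db, $token);
    printf("%-10s %s\n", $label, $ok ? 'serve file' : 'redirect to main page');
}
```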


Well, granted that information, I just gave him the options he wanted.

Though definitely checking the IPN is going to be the most secure method of figuring it out...

Go to: https://developer.paypal.com/

Register for a developer account; it will have some PHP code available for you, and you can test the code to ensure its functionality.
