Can someone explain whats happening to $e in this

[Kiwiguy51]

Hi,

Can someone explain in english what this is doing to email addresses? Is it validating the users input format?

I've got 2 Buy Now buttons that take people to Paypal but then Paypal says error wrong email address.

 

Yet above this code $ppe is set as my correct paypal email address. This is from my config.php.

 

Does the 2nd to last line change $e into my $ppe paypal email?

 

if ($_SESSION['page'] !== 'index') {}
else {
$e = $_GET['e'];
if (
($e == '') ||
($e == 'paypal@email.com') ||
($e == 'paypal@emailaddress.com') ||
($e == 'PAYPAL@EMAIL.COM') ||
($e == 'PAYPAL@EMAILADDRESS.COM') ||
($e == '-8-email-8-') ||
($e == '-8-paypalemail-8-') ||
($e == '-8-EMAIL-8-') ||
($e == '-8-PAYPALEMAIL-8-') ||
($e == '[={PAYPAL}]') ||
($e == '[={PAYPALEMAIL}]') ||
($e == 'zzzezzz') ||
($e == 'zzzppezzz')
)
$e = $ppe;
$redirect = 'Location: '.$url0;

 

Thanks in advance ~Rod

PS: I don't code but I do kind of understand what it's doing.

[requinix]

Hard to say for sure without any kind of context or explanation of what this code is about...

 

If $e (from the URL) is any one of those values then substitute $e=$ppe. Perhaps those are for testing?

[Kiwiguy51]

Thanks for that.

I didn't want to paste the whole config.php it's quite long.

Basically the code above what I posted sets some variables one of which is $ppe for my paypal email

 

Then he sets some page security so you can only get to the download page after signing up on squeeze page

 

then the code I pasted

 

then sets some cookies

 

then does the one time offer and downsell stuff

 

then he has a way of sending a thankyou graphic to appear on paypals 'pay now' page with the users email loaded.

 

then he replaces symbols like @ and : with their %40 and %3a equivalents

 

then he sets the button url which may be where my problem is.

 

$button_url = 'Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business='.
$paypal2.'&item_name='.$product_name2.'&item_number='.$product_id2.'&amount='.$price2.'&no_shipping=1&return='.
$download_link2.'&cancel_return='.$cancel_link2.'&no_note=1&currency_code=USD&notify_url='.$ipn_link2.'&cpp_header_image='.$ppheader_url2;

 

That's the link to paypal so on the sales page he just writes $button_url

$paypal2 should be the users email address

$ipn_link don't know what this is (notify url) but he's turned it off (commented it out) previously

 

I don't see any reference to my paypal account could this be why paypal says error wrong email address to the buyer?

[requinix]

then he replaces symbols like @ and : with their %40 and %3a equivalents

That should be one single call to rawurlencode.

 

$button_url = 'Location: https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business='.
$paypal2.'&item_name='.$product_name2.'&item_number='.$product_id2.'&amount='.$price2.'&no_shipping=1&return='.
$download_link2.'&cancel_return='.$cancel_link2.'&no_note=1&currency_code=USD&notify_url='.$ipn_link2.'&cpp_header_image='.$ppheader_url2;

I'm not too familiar with this part of PayPal but I believe the business= is your email address, not the customer's.

 

Separately, it looks like you're putting the notify_url for IPN in the URL you're redirecting too? That should be specified in your account instead. Exposing that location to the user is a risk to your listening code, and though it should not be a problem (because it verifies the request with PayPal) there's always the chance of a malicious user discovering an exploit in the code. I don't know how it was "turned off" so this may not be a problem.

Edited February 15, 2013 by requinix

[Kiwiguy51]

Just went looking through paypal help section and yes looks like business should be my email.

I'll give that a try

 

 

And it worked

 

Thanks

Edited February 15, 2013 by Kiwiguy51