
securing info visible in 'view source'



cfructose
07-14-2007, 10:27 AM
I'm trying to prevent users accessing a subscribe form until they've completed a payment through paypal.

My paypal form includes the line:


<input type="hidden" name="return" value="http://www.mysite.com/subscribe_step_2.php?id=12345&completed=yes"/>

And subscribe_2.php says:


<?php
// $include_name and $secure_ka are set earlier by the including page / config
$payment_received = isset($_GET["completed"]) ? $_GET["completed"] : "";

if ($payment_received != "yes" && ($include_name == "subscribe_step_2.php" || $include_name == "subscribe_step_3.php")) {
    // tell them that access is denied and to return to step 1 (paypal)
}
elseif ($$secure_ka != 1) {
    // a variable variable: $secure_ka holds a variable *name* as data, and $$secure_ka
    // reads the variable of that name (already defined as either 0 or 1 in config).
    // Prevents direct access to 'members only' files via URL.
    // print article
}
else {
    // the following is printed if direct access to any 'members only' files is attempted through URL
    // advise that access is restricted, and please buy blah blah blah
}
The trouble is that clicking on 'view source' shows the "completed=yes" that's appended to the return URL upon completion of the paypal payment (and of course, it's visible in the URL, though that's not such a big deal).

How can I secure this?
Any thoughts?

Thanks a lot

bazz
07-14-2007, 10:40 AM
I think you'll be better off if you look into using 'sessions', where such data can be stored in a server cookie for the duration of, well, the session.

bazz

cfructose
07-14-2007, 11:09 AM
Thanks Bazz,

I am using sessions - I just simplified the code for the last post.

_Aerospace_Eng_
07-14-2007, 11:28 AM
I think you should use Paypal's IPN to get back the data from paypal to be sure the user has actually paid. It returns SUCCESS or FAILED. If SUCCESS then set a session and redirect the user to the form page. On the form page check for the session. If it exists display the form, if not display an error message. A good resource on the subject is here: http://www.pdncommunity.com/pdn/board/message?board.id=basicpayments&message.id=368

Unfortunately the PDT option doesn't support paypal subscriptions.
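The following is an added example, not code posted in this thread or taken from PayPal's own samples. It puts together the two suggestions above, sessions instead of a query-string flag (bazz) and IPN as the source of truth for "paid" (_Aerospace_Eng_), in PHP. The IPN validation reply from PayPal is the literal string VERIFIED or INVALID; a VERIFIED reply only proves PayPal sent the message, so the example also checks payment status, recipient, amount and transaction id before recording the invoice. Everything here is assumed rather than from the thread: the PayPal button sends an `invoice` field holding the order id that the original `?id=12345` carried, each page script `require()`s this file and calls one function, and a JSON file stands in for the database table of paid invoices.

```php
<?php
// Added example, not code from the thread: the IPN-then-session flow that
// _Aerospace_Eng_ describes. The "paid" decision comes from PayPal's
// server-to-server notification and is stored server-side, never in a URL.
// Assumptions (hypothetical): the PayPal button also sends an "invoice" field,
// each page script require()s this file, and a JSON file stands in for a DB table.

const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // PayPal IPN validation endpoint
const MY_PAYPAL_EMAIL   = 'seller@example.com';                       // constructed placeholder
const PAID_STORE        = __DIR__ . '/paid_orders.json';             // stands in for a DB table

function load_paid_orders(): array
{
    return is_file(PAID_STORE) ? (json_decode((string) file_get_contents(PAID_STORE), true) ?: []) : [];
}

function save_paid_orders(array $orders): void
{
    file_put_contents(PAID_STORE, json_encode($orders), LOCK_EX);
}

// Echo the raw POST body back to PayPal prefixed with cmd=_notify-validate;
// PayPal replies with the literal string VERIFIED or INVALID.
function ipn_is_verified(string $rawPost): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawPost,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === 'VERIFIED';
}

// VERIFIED only proves PayPal sent the message. These checks prove it is the
// payment we wanted: completed, paid to us, enough money, and not a replay.
function ipn_is_acceptable(array $ipn, array $orders, float $price, string $currency): bool
{
    $txnId = $ipn['txn_id'] ?? '';
    return $txnId !== ''
        && ($ipn['invoice'] ?? '') !== ''
        && ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', MY_PAYPAL_EMAIL) === 0
        && ($ipn['mc_currency'] ?? '') === $currency
        && (float) ($ipn['mc_gross'] ?? 0) >= $price
        && !in_array($txnId, array_column($orders, 'txn_id'), true);
}

// ipn.php:  handle_ipn(file_get_contents('php://input'), $_POST, 9.99, 'USD');
// PayPal's server calls this page; the buyer's browser never loads it.
function handle_ipn(string $rawPost, array $post, float $price, string $currency): void
{
    if ($rawPost === '' || !ipn_is_verified($rawPost)) {
        error_log('IPN rejected: not VERIFIED');   // still answer 200 so PayPal stops retrying
        return;
    }
    $orders = load_paid_orders();
    if (!ipn_is_acceptable($post, $orders, $price, $currency)) {
        error_log('IPN ignored: mismatch or replay, txn ' . ($post['txn_id'] ?? '?'));
        return;
    }
    $orders[$post['invoice']] = ['txn_id' => $post['txn_id'], 'paid_at' => time()];
    save_paid_orders($orders);
}

// subscribe_step_2.php:  if (!handle_return($_GET)) { /* show "payment pending" */ }
// The query string only names an invoice; it carries no "paid" flag. The invoice
// is assumed to have been put in $_SESSION['pending_invoice'] when it was created,
// before redirecting to PayPal, so a visitor cannot claim someone else's.
function handle_return(array $get): bool
{
    session_status() === PHP_SESSION_ACTIVE || session_start();
    $invoice = (string) ($get['id'] ?? '');
    if ($invoice === '' || ($_SESSION['pending_invoice'] ?? null) !== $invoice) {
        return false;
    }
    if (!array_key_exists($invoice, load_paid_orders())) {
        return false;                    // IPN may still be in flight; ask the user to retry shortly
    }
    session_regenerate_id(true);         // privilege changed: rotate the session id
    $_SESSION['paid_invoice'] = $invoice;
    unset($_SESSION['pending_invoice']);
    return true;
}

// subscribe_step_3.php and every other members-only page:  members_only_guard();
function members_only_guard(): void
{
    session_status() === PHP_SESSION_ACTIVE || session_start();
    if (empty($_SESSION['paid_invoice'])) {
        http_response_code(403);
        exit('Access is restricted; please complete the payment step first.');
    }
}
```

With this arrangement 'view source' on the PayPal form reveals only the invoice number and the return URL, neither of which grants access: the members-only pages look at `$_SESSION['paid_invoice']`, which is set only after the server has seen a VERIFIED, Completed notification for an invoice that this same session created. Because IPN arrives asynchronously, the return page has to tolerate the buyer landing before the notification does, which is why `handle_return()` reports "not paid yet" rather than denying access outright.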

cfructose
07-14-2007, 11:34 AM
I searched the paypal site for something like that but didn't find it.
THANK YOU SO MUCH!!


