Securing PayPal - and need some advice


Nightfire
11-02-2002, 04:46 PM
On my site I'm trying to make a paid membership side. I can get PayPal to work and stuff, but the problem is that people can also see the URL where PayPal takes you to after payment has been made. How can I make sure that the user has gone through PayPal to get to the final URL?

I thought about using a session, but that'll be executed as soon as the PayPal form is shown - meaning they can skip to the final URL, avoiding PayPal, and still be a "paid" member.

I've read that checking the referrer of the user may not work for a few people, with some browsers not holding the referrer info... so the question is, how do I secure it?

Spookster
11-02-2002, 05:27 PM
Check out the PayPal developer network. They have features for this:

http://www.paypal.com/cgi-bin/webscr?cmd=p/acc/ipn-info-outside

It sends data back to your page confirming the payment. Just check for the confirmation.

Nightfire
11-02-2002, 05:32 PM
Thanks :) I'll get reading

Nightfire
11-02-2002, 08:06 PM
:( I'm using this script off PayPal's site

<?php
include("includes/header.php");
show_header();

// Read the POST from the PayPal system and add 'cmd' so PayPal treats it as a validation request.
// $_POST is the current name for $HTTP_POST_VARS used in the original sample.
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// Post back to the PayPal system to validate.
// $header must be initialised with '=' here; the original sample appended to an undefined variable.
$header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= 'Content-Length: ' . strlen($req) . "\r\n\r\n";
$fp = fsockopen('www.paypal.com', 80, $errno, $errstr, 30);

// Assign posted variables to local variables
// note: additional IPN variables also available -- see IPN documentation
$item_name      = $_POST['item_name'];
$receiver_email = $_POST['receiver_email'];
$item_number    = $_POST['item_number'];
$invoice        = $_POST['invoice'];
$payment_status = $_POST['payment_status'];
$payment_gross  = $_POST['payment_gross'];
$txn_id         = $_POST['txn_id'];
$payer_email    = $_POST['payer_email'];

if (!$fp) {
    // ERROR: the socket to PayPal could not be opened
    echo "$errstr ($errno)";
} else {
    fputs($fp, $header . $req);
    while (!feof($fp)) {
        // fgets() keeps the trailing newline, so trim it or strcmp() never matches
        $res = trim(fgets($fp, 1024));
        if (strcmp($res, "VERIFIED") == 0) {
            // check the payment_status is Completed
            // check that txn_id has not been previously processed
            // check that receiver_email is an email address in your PayPal account
            // process payment
        } else if (strcmp($res, "INVALID") == 0) {
            // log for manual investigation
        }
    }
    fclose($fp);
}
show_footer();
?>


But it's taking ages for it to do anything. It takes so long that I get an Explorer time-out popup showing - 4 minutes? On my PC it takes no more than 3 seconds for the page to do something.

Is it coz it's opening a socket to PayPal?

Is there another way to do this? I don't think anyone is gonna hang around for that long just to see if they're a member.
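A worked version of the checks Spookster points to and the script's own "check that..." comments (postback VERIFIED, payment_status Completed, receiver_email is ours, amount matches, txn_id not replayed), written as an added Python example rather than code from this thread or from PayPal. The notification fields, e-mail addresses and the stand-in postback are constructed so it runs offline; paypal_postback is the real network call and is assumed to answer VERIFIED or INVALID as the thread describes.

```python
import urllib.parse
import urllib.request

# Constructed sample notification: the fields PayPal would POST to the IPN URL.
SAMPLE_IPN = {
    "item_name": "Membership", "item_number": "1", "invoice": "inv-1001",
    "payment_status": "Completed", "payment_gross": "1.95",
    "txn_id": "TXN-CONSTRUCTED-1", "receiver_email": "seller@example.com",
    "payer_email": "buyer@example.com",
}

def build_postback(fields):
    # PayPal wants every field echoed back unchanged, prefixed with cmd=_notify-validate.
    return "cmd=_notify-validate&" + urllib.parse.urlencode(fields)

def paypal_postback(body, url="https://www.paypal.com/cgi-bin/webscr"):
    # Real postback (not used by the offline demo): PayPal answers VERIFIED or INVALID.
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode().strip()

def fake_paypal_postback(body):
    # Stand-in for PayPal: it confirms only notifications it actually sent,
    # so a notification forged or altered on its way to us comes back INVALID.
    return "VERIFIED" if body == build_postback(SAMPLE_IPN) else "INVALID"

def process_ipn(fields, expected_receiver, expected_gross, seen_txn_ids,
                postback=fake_paypal_postback):
    """Return (granted, reason); membership is granted only if every check passes."""
    if postback(build_postback(fields)) != "VERIFIED":
        return False, "postback not VERIFIED (forged or altered notification)"
    if fields.get("payment_status") != "Completed":
        return False, "payment_status is not Completed"
    if fields.get("receiver_email", "").lower() != expected_receiver.lower():
        return False, "receiver_email is not our account"
    if fields.get("payment_gross") != expected_gross:
        return False, "amount does not match the membership price"
    txn = fields.get("txn_id")
    if not txn or txn in seen_txn_ids:
        return False, "txn_id missing or already processed (replay)"
    seen_txn_ids.add(txn)  # remember it so the same notification cannot be reused
    return True, "ok"
```

The txn_id set stands in for whatever store the membership table uses; the point is that the decision is made from PayPal's confirmation, not from the user reaching the "finish" URL.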

Nightfire
11-03-2002, 01:42 AM
Got it working :)

zoobie
11-04-2002, 08:27 AM
I went thru this 3 months ago and found PayPal's IPN email confirm with password just a tad too much to ask for a $1.95 purchase.

Actually, the user would have to be familiar with PayPal to see the shortcut to your 'finish' page... and even then, wouldn't really know it's to continue the transaction. Unfortunately, PayPal has dynamically disabled the $HTTP_REFERER so this can't be used either. Just why... nobody knows.

I'm having to wait for a remote-post-to-https script, kinda like cURL, to be written that avoids using PayPal's IPN. That way, the variables are hidden. It was in the process of being written the last time I checked.

The only thing I've found to use in the meantime would be to use a long URL with the variables, perhaps triggered by an onload event handler or PHP header. :rolleyes: