  1. #1
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts

    securing info visible in 'view source'

    I'm trying to prevent users accessing a subscribe form until they've completed a payment through paypal.

    My paypal form includes the line:

    Code:
    <input type="hidden" name="return" value="http://www.mysite.com/subscribe_step_2.php?id=12345&hash=completed=yes"/>
    And subscribe_2.php says:

    PHP Code:
    $payment_received = $_GET["completed"];

    if ($payment_received != "yes" && ($include_name == "subscribe_step_2.php" || $include_name == "subscribe_step_3.php")) {
        //tell them that access is denied and to return to step 1 (paypal)
    }
    elseif ($$secure_ka != 1) {
        // a variable variable to compare $secure_ka (the $secure variable name as data) with a variable name created from that data (which was already defined as either 0 or 1 in config). Prevents direct access to 'members only' files via URL.
        //print article
    }
    else {
        //the following is printed if direct access to any 'members only' files is attempted through URL
        //advise that access is restricted, and please buy blah blah blah
    }

    The trouble is that clicking on 'view source' shows the "completed=yes" that's appended to the return URL upon completion of the paypal payment (and of course, it's visible in the URL, though that's not such a big deal).

    How can I secure this?
    Any thoughts?

    Thanks a lot

  • #2
    Master Coder
    Join Date
    Apr 2003
    Location
    in my house
    Posts
    5,211
    Thanks
    39
    Thanked 201 Times in 197 Posts
    I think you'll be better off if you look into using 'sessions', where such data can be stored in a server cookie for the duration of, well, the session.

    bazz

  • #3
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts
    Thanx Bazz,

    I am using sessions - I just simplified the code for the last post.

  • #4
    Supreme Master coder! _Aerospace_Eng_'s Avatar
    Join Date
    Dec 2004
    Location
    In a place far, far away...
    Posts
    19,291
    Thanks
    2
    Thanked 1,043 Times in 1,019 Posts
    I think you should use Paypal's IPN to get back the data from paypal to be sure the user has actually paid. It returns SUCCESS or FAILED. If SUCCESS then set a session and redirect the user to the form page. On the form page check for the session. If it exists display the form, if not display an error message. A good resource on the subject here. http://www.pdncommunity.com/pdn/boar...message.id=368

    Unfortunately the PDT option doesn't support paypal subscriptions.
    ||||If you are getting paid to do a job, don't ask for help on it!||||
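
    The IPN flow suggested in post #4, as an added PHP example that is not code from the thread or from PayPal: because the notification arrives server-to-server, the listener records the payment against a token that the buyer's session also holds, and the form page checks that record instead of the URL. The table, constants and session key are assumptions; the endpoint and the VERIFIED/INVALID reply are PayPal's IPN postback protocol.

```php
<?php
// Added example, not code from the thread; constants, table and session key are hypothetical.
const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
const RECEIVER_EMAIL = 'seller@example.com'; // placeholder
const PRICE = '9.99';                        // placeholder
const CURRENCY = 'GBP';                      // placeholder

function db(): PDO {
    $db = new PDO('sqlite:' . __DIR__ . '/orders.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS paid (token TEXT PRIMARY KEY, txn_id TEXT UNIQUE)');
    return $db;
}
// Step 1 page (after session_start()): create an unguessable token, keep it in the
// session, and send the same value in the PayPal form's hidden "custom" field.
function new_order_token(): string {
    return $_SESSION['order_token'] = bin2hex(random_bytes(16));
}
// ipn.php calls handle_ipn(file_get_contents('php://input')). PayPal sends this
// request itself; a forged POST from a browser fails the VERIFIED check below.
function handle_ipn(string $rawBody): void {
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => 'cmd=_notify-validate&' . $rawBody, // body echoed back unchanged
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT => 30,
    ]);
    $reply = curl_exec($ch);
    parse_str($rawBody, $ipn);
    if ($reply !== 'VERIFIED'                       // PayPal answers VERIFIED or INVALID
        || ($ipn['payment_status'] ?? '') !== 'Completed'
        || strcasecmp($ipn['receiver_email'] ?? '', RECEIVER_EMAIL) !== 0
        || ($ipn['mc_gross'] ?? '') !== PRICE
        || ($ipn['mc_currency'] ?? '') !== CURRENCY
        || ($ipn['custom'] ?? '') === '') {
        return; // forged, pending, wrong recipient or wrong amount: record nothing
    }
    // UNIQUE txn_id plus OR IGNORE makes a replayed notification a no-op.
    db()->prepare('INSERT OR IGNORE INTO paid (token, txn_id) VALUES (?, ?)')
        ->execute([$ipn['custom'], $ipn['txn_id'] ?? '']);
}
// subscribe_step_2.php: the gate reads server-side state, never a URL parameter.
function payment_received(): bool {
    if (($token = $_SESSION['order_token'] ?? '') === '') { return false; }
    $stmt = db()->prepare('SELECT 1 FROM paid WHERE token = ?');
    $stmt->execute([$token]);
    return (bool) $stmt->fetchColumn();
}
```

    With this in place the return URL needs no `completed=yes` flag at all: editing the URL or reading it in 'view source' changes nothing, because the form page only trusts the row written by the verified notification.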

  • #5
    Regular Coder
    Join Date
    Feb 2007
    Location
    London
    Posts
    225
    Thanks
    16
    Thanked 2 Times in 2 Posts
    I searched the paypal site for something like that but didn't find it.
    THANK U SO MUCH!!
