开发者

PHP page protection

问答 作者:

I am selling digital products on my site, and I want to set up some kind of page protection. My customers a开发者_JAVA百科re paying through PayPal. I have a link on the "submit" page to PayPal checkout, and have set up my checkout to redirect to the "information" page. The information page is what I want to protect.

Here's the code I have so far, but for some reason it's not working, I keep getting the "else" statement...

<div id="info">
<ul>
<li>
<?php 
if ( $_SERVER['HTTP_REFERER'] == "https://www.paypal.com/" ){

echo 'information...';

}else{
echo 'You need to pay first...';
}
?>
</li>
</ul>
</div>

Anybody see what I'm doing wrong? Or have a better option?

Thanks!

$_SERVER['HTTP_REFERER'] can easily be faked by anyone. How important is your security? If it's crucial that no one accesses the page without paying then do not rely on HTTP_REFERER.

I haven't used paypal for a long time, but when I did they had a callback url that you use to verify payments. The data flow should look like this

 Your Server                                              Paypal

                                                  User submits payment form
      <-----------Paypal sends transaction information to your callback url

    You send the information back----------------------------------->

      <---------Paypal sends back confirmation that they sent you that data
                                                    (The data wasn't faked)

Now you check what the transaction information says. If the user made a payment you store that record in a database of some sort so that you can verify they paid anytime in the future.

Update

Here is a PHP code sample from Paypal to get you started: https://cms.paypal.com/cms_content/US/en_US/files/developer/IPN_PHP_41.txt

That page becomes a callback/notification page. You don't put any of that code on the page you want to protect. Instead you store information in a database when the payment is verified on that page and then you check that the payment has been verified on the page you're protecting.

Use PayPal's IPN to handle the callback. That will confirm without question that the user purchased. https://www.paypal.com/ipn

as some have commented, relying on HTTP_REFERER is far from secure

however to get what you are trying to do working i would change your code to something like this

this will detect if the referrer contains "https://www.paypal.com/" rather then == to

if (strpos($_SERVER['HTTP_REFERER'], "https://www.paypal.com/") !== FALSE)) {

When working with PayPal, there are number of ways to handle purchase of goods. I would suggest the option with callback. You specify specific url that will handle the paypal callback data. In that url, you do the data verification as described in PayPal development documentation. In that case, when customer is redirected back to your page, what you do is you lookup in db to see the status of the purchase. If callback data has not been received yet, you wait, and recheck. Once you have received callback from PayPal and you explicitly know if payment happened or no, then based on that you should either give access to your customer or no.

Using Referrer is BAD, as many customers have been seen with this thing disabled. Also, this can be easily changed and your "protected" area would be more than easy to access.

Regards, J.

<?
$ref=$_SERVER['HTTP_REFERER'];
if (strpos($ref,'https://paypal.com') !== false) {
    echo 'ok';
}else{
    echo 'error';
}
?>

继续阅读:phpprotection

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9