PHP page protection
I am selling digital products on my site, and I want to set up some kind of page protection. My customers are paying through PayPal. I have a link on the "submit" page to PayPal checkout, and have set up my checkout to redirect to the "information" page. The information page is what I want to protect.
Here's the code I have so far, but for some reason it's not working, I keep getting the "else" statement...
<div id="info">
<ul>
<li>
<?php
if ( $_SERVER['HTTP_REFERER'] == "https://www.paypal.com/" ){
echo 'information...';
}else{
echo 'You need to pay first...';
}
?>
</li>
</ul>
</div>
Anybody see what I'm doing wrong? Or have a better option?
Thanks!
$_SERVER['HTTP_REFERER'] can easily be faked by anyone. How important is your security? If it's crucial that no one accesses the page without paying then do not rely on HTTP_REFERER.
I haven't used paypal for a long time, but when I did they had a callback url that you use to verify payments. The data flow should look like this:
1. User submits the payment form to Paypal.
2. Paypal sends the transaction information to your callback url (Your Server <----- Paypal).
3. You send the information back (Your Server -----> Paypal).
4. Paypal sends back confirmation that they sent you that data, i.e. the data wasn't faked (Your Server <----- Paypal).
Now you check what the transaction information says. If the user made a payment you store that record in a database of some sort so that you can verify they paid anytime in the future.
Update
Here is a PHP code sample from Paypal to get you started: https://cms.paypal.com/cms_content/US/en_US/files/developer/IPN_PHP_41.txt
That page becomes a callback/notification page. You don't put any of that code on the page you want to protect. Instead you store information in a database when the payment is verified on that page and then you check that the payment has been verified on the page you're protecting.
Use PayPal's IPN to handle the callback. That will confirm without question that the user purchased. https://www.paypal.com/ipn
As some have commented, relying on HTTP_REFERER is far from secure.
However, to get what you are trying to do working, I would change your code to something like this.
This will detect whether the referrer contains "https://www.paypal.com/" rather than comparing with ==:
// isset() avoids an "undefined index" notice when the browser sends no referrer at all
if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], "https://www.paypal.com/") !== FALSE) {
When working with PayPal, there are a number of ways to handle the purchase of goods. I would suggest the option with a callback. You specify a specific url that will handle the PayPal callback data. In that url, you do the data verification as described in the PayPal development documentation. In that case, when the customer is redirected back to your page, what you do is look up in the db to see the status of the purchase. If the callback data has not been received yet, you wait and recheck. Once you have received the callback from PayPal and you explicitly know whether the payment happened or not, then based on that you should either give access to your customer or not.
Using Referrer is BAD, as many customers have been seen with this thing disabled. Also, this can be easily changed and your "protected" area would be more than easy to access.
Regards, J.
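The callback flow that the two answers above describe (PayPal posts the transaction to your listener, you post it straight back, PayPal answers VERIFIED or INVALID, you store the record, and the protected page consults the database instead of the referrer), written out as an added PHP example. This is not code from the thread, from the IPN_PHP_41.txt sample, or from PayPal. It assumes a SQLite file as the database, the seller e-mail, price and currency shown as constants, and that the checkout link carries a random per-order token in PayPal's "custom" pass-through field, which the information page holds in the session. The post-back endpoint is the one PayPal documents for live IPN; confirm it against current PayPal documentation before relying on it.

```php
<?php
// ipn.php: callback/notification page. Nothing here goes on the page you want to protect;
// that page only calls has_paid() below. Added example, not code from the thread or PayPal.
declare(strict_types=1);

// --- assumptions for this example ---
const RECEIVER_EMAIL    = 'seller@example.com';            // your PayPal account e-mail (assumed)
const EXPECTED_GROSS    = '9.99';                          // product price (assumed)
const EXPECTED_CURRENCY = 'USD';                           // product currency (assumed)
const DB_PATH           = __DIR__ . '/payments.sqlite';    // "a database of some sort" (assumed)
// Live post-back endpoint; PayPal documents ipnpb.sandbox.paypal.com for the sandbox.
const IPN_VERIFY_URL    = 'https://ipnpb.paypal.com/cgi-bin/webscr';

function open_db(): PDO
{
    $db = new PDO('sqlite:' . DB_PATH);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS payments (
                 txn_id      TEXT PRIMARY KEY,   -- PayPal transaction id, rejects replays
                 order_token TEXT NOT NULL,      -- value of the custom field set at checkout
                 payer_email TEXT NOT NULL,
                 paid_at     INTEGER NOT NULL)');
    return $db;
}

// Step 3 of the flow: send the untouched raw POST body back to PayPal with
// cmd=_notify-validate in front. Only PayPal's answer tells us the notification is genuine.
// Returns 'VERIFIED', 'INVALID', or null if the post-back itself failed.
function verify_ipn(string $rawBody): ?string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off: the reply is the whole proof
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['User-Agent: PHP-IPN-Verification-Script'],
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return is_string($reply) ? trim($reply) : null;
}

// VERIFIED only proves PayPal sent the message. These checks prove it is *your* sale,
// fully paid, for the right amount, and not a second delivery of an earlier notification.
function ipn_is_acceptable(array $ipn, PDO $db): bool
{
    if (($ipn['payment_status'] ?? '') !== 'Completed') return false;
    if (strcasecmp($ipn['receiver_email'] ?? '', RECEIVER_EMAIL) !== 0) return false;
    if (($ipn['mc_gross'] ?? '') !== EXPECTED_GROSS) return false;
    if (($ipn['mc_currency'] ?? '') !== EXPECTED_CURRENCY) return false;
    if (($ipn['custom'] ?? '') === '') return false;   // the checkout link always sets this
    $seen = $db->prepare('SELECT 1 FROM payments WHERE txn_id = ?');
    $seen->execute([$ipn['txn_id'] ?? '']);
    return $seen->fetchColumn() === false;             // txn_id must not have been stored before
}

function record_payment(PDO $db, array $ipn): void
{
    $ins = $db->prepare('INSERT INTO payments (txn_id, order_token, payer_email, paid_at)
                         VALUES (?, ?, ?, ?)');
    $ins->execute([$ipn['txn_id'], $ipn['custom'], $ipn['payer_email'], time()]);
}

// What information.php asks instead of looking at HTTP_REFERER: the token this browser's
// session was given at checkout must have a verified, completed payment behind it.
function has_paid(PDO $db, string $orderToken): bool
{
    $q = $db->prepare('SELECT 1 FROM payments WHERE order_token = ?');
    $q->execute([$orderToken]);
    return $q->fetchColumn() !== false;
}

// Entry point when PayPal calls this URL (step 2 of the flow).
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $raw = file_get_contents('php://input');
    $db  = open_db();
    if (verify_ipn($raw) === 'VERIFIED' && ipn_is_acceptable($_POST, $db)) {
        record_payment($db, $_POST);
    }
    http_response_code(200);   // always acknowledge, or PayPal keeps re-sending the notification
}
```

On information.php you start the session, read the token saved there when the checkout link was built, and show the content only if has_paid(open_db(), $_SESSION['order_token']) is true. PayPal can deliver the IPN a few seconds after it redirects the customer, which is why the answer above says to wait and re-check rather than deny on the first miss. None of this looks at the referrer: any client can send "Referer: https://www.paypal.com/" by hand (for instance with curl -H 'Referer: https://www.paypal.com/'), and many browsers and privacy tools send no referrer at all.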
<?php
// Same referrer test as the other answers; isset() avoids an "undefined index" notice when no referrer is sent.
// Checks for "https://www.paypal.com/" because that is the host PayPal's checkout pages actually come from.
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (strpos($ref, 'https://www.paypal.com/') !== false) {
echo 'ok';
}else{
echo 'error';
}
?>