How do I stop users circumventing payment?

Question

Hi

I have a site that uses paypal to collect payments for electronically displayed data. Variables can't be passed with the URL through paypal (or I can't get them to work) so I have used cookies to pass the item number. However, a crafty user could, after the cookie writing part, enter the paypal redirect URL directly into the address bar and get the e-data for free. Bypassing paypal. How can I get around this?

Here is some of the code. You will see I have tried to make it difficult for the user by passing straight through the cookie writing (pre_contact.php) and the paypal redirect URL (step.php).

//pre_contact.php
<?PHP
global $id;
setcookie("property", $id, time()+1800);
echo "<META HTTP-EQUIV=Refresh CONTENT=\"0; URL=contact.php\">";
?>

//contact.php - paypal pay button
echo "<form action='https://www.paypal.com/cgi-bin/webscr' method='post'>";
echo "<input type='hidden' name='cmd' value='_s-xclick'>";
echo "<input type='hidden' name='hosted_button_id' value='156320'>";
echo "<input type='image'
src='https://www.paypal.com/en_GB/i/btn/btn_paynowCC_LG.gif' border='0' name='submit' 
alt='Click to pay'>";
echo "<img alt='' border='0' src='https://www.paypal.com/en_GB/i/scr/pixel.gif'  width='1' height='1'>";
echo "</form>";

//step.php - paypal redirect on successful payment
<?PHP
require("generate_url.php");
?>

//generate_url.php - This generates a unique URL so the info can only be accessed once
<?PHP
if (eregi("generate_url.php", $_SERVER['SCRIPT_NAME'])) {
Header("Location: index.php"); die();
}
$token = md5(uniqid(rand(),1));
setcookie("token", $token, time()+4);
$cwd = substr($_SERVER['PHP_SELF'],0,strrpos($_SERVER['PHP_SELF'],"/"));
Header("Location: $cwd/get_file.php?q=$token"); die();
?>

//get_file.php - displays the file after payment
$qtoken = $_GET['q'];
if ($qtoken===$_COOKIE["token"]){
$id=$_COOKIE["property"];
DISPLAY FILE HERE!!

Thanks in advance

Answer 1

I don't think you're going to be able to do what you want in a single step with the approach you're taking because your code has no way of knowing if the transaction actually finished successfully or not.

I think the only way the above approach will work is if you don't automatically send them over to the file they paid for.

Instead, they have to wait for you to verify their transaction through Paypal and then email them a download link.

---

It could probably all be done automatically using the Paypal API. I'm not that familiar with the Paypal API but it should work something like this.

1. User decides to buy something from you
2. You start a transaction which sends the user over to Paypal and, presumably, generates some sort of transaction id.
3. The user pays (or decides to cancel and/or not pay)
4. The user comes back to your site
5. You take the transaction id and verify that the payment was successful
6. If the payment was successful, give the user the stuff they paid for.

---

Paypal API Reference

Answer 2

What your probably looking for is called Paypal IPN (Instant payment notification).. basically someone buys a product from you.. Paypal POSTS data to a script/url that you specify (only you and them know it).. Then what you do is post back data to paypal to confirm that the post they sent is real and not simulated/faked by someone.. At this point you know the transaction is valid.

Once you get notified of a valid payment, you can do something like send a download url via email, or wrap all that into a small login/password system using something simple like HTACCESS auth, and you've good to go.

Good luck.

Answer 3

DreamWerx could you please answer me.. that how should i get this paypal IPN...Sorry I'm new to payment gateways..but you logic seems to what i thot.. but i dont know to code it... Please help

Answer 4

There is plenty of information about PayPal IPN in other questions, start with http://stackoverflow.com/questions/1115822/setting-up-paypal-to-connect-to-script