views: 63, answers: 5

I tried to make use of $_SERVER, but it didn't work for me.

What I need is:

In order to access a page on my site, the user must come back from Paypal. If he isn't redirected from Paypal to my site, then don't execute the file but give the user an error instead.

How can I do this?

I tried the following:

 $url = 'paypal';
 if(strstr($_SERVER['HTTP_REFERER'], $url)) {
     // my code
 } else {
    // my error
 }

This didn't work for me. How can I make this work? An example link from PayPal is (it's pretty long):

https://www.paypal.com/us/cgi-bin/webscr?cmd=_flow&SESSION=39QzTUoR0GugSwdZjeJ5zf4EkFIa2-rlRsdrqxfx4O3ibIMuzY3Eab7y6Dq&dispatch=5885d80a13c0db1f8e263663d3faee8dc60d77e6184470d515cedf52660ea0cd

Please help, this is a security exploit for something I'm working on.

+4  A: 

You cannot reliably guarantee that. In general in these scenarios, you could do a server-side check with the payment gateway to see if the transaction id (or whatever is passed back to you) is valid, and that the amount was successfully paid.

You should consider checking out PayPal's Instant Payment Notification service and implement a listener for that. PayPal has some sample code for that in various languages. This is a brief overview of the IPN protocol:

  1. PayPal sends your IPN listener a message that notifies you of the event (a received payment, for example).

  2. Your listener sends the complete unaltered message back to PayPal; the message must contain the same fields in the same order and be encoded in the same way as the original message.

  3. PayPal sends a single word back, which is either VERIFIED if the message originated with PayPal or INVALID if there is any discrepancy with what was originally sent.

  4. Once the IPN is verified, you may then unlock the features/options that your users paid for, as @cHao suggested in the other answer.

Further reading:

Daniel Vassallo
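The four steps above, put into code as an added example; this is not code from the question or from any of the answers, and it is not PayPal's sample code. It is plain PHP (the language of the question) using curl. Assumptions, also marked in the code: the verification URL is the one given in PayPal's IPN documentation at the time of writing (use the sandbox host while testing and check the current docs); `seller@example.com`, the item catalogue and the flat-file transaction store are placeholders for your own account and data. It also folds in the checks the other answers ask for (amount, currency, receiver, replay), because a `VERIFIED` reply only proves that PayPal sent the message:

```php
<?php
// Added example, not code from the question or any of the answers above: a
// minimal PayPal IPN listener in plain PHP following the four steps described.
// Assumptions: the verification URL is the one given in PayPal's IPN
// documentation (check the current docs; use the sandbox host while testing);
// EXPECTED_RECEIVER and EXPECTED_PRICES are placeholders for your own account
// and catalogue; the processed-transaction store is a flat file.

const IPN_VERIFY_URL    = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // sandbox: ipnpb.sandbox.paypal.com
const EXPECTED_RECEIVER = 'seller@example.com';           // assumed: your PayPal account email
const EXPECTED_CURRENCY = 'USD';
const EXPECTED_PRICES   = ['item-42' => '9.99'];          // assumed catalogue: item_number => price
const PROCESSED_FILE    = __DIR__ . '/ipn-processed.txt'; // assumed store: one txn_id per line

// Step 2: post the raw body back to PayPal, unchanged, prefixed with cmd=_notify-validate.
// The raw body is used rather than $_POST so the fields keep the same order and encoding.
function verifyWithPaypal(string $rawBody): string
{
    $ch = curl_init(IPN_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep on: TLS is what proves the reply came from PayPal
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    curl_close($ch);
    return $reply === false ? '' : trim($reply); // step 3: 'VERIFIED' or 'INVALID'
}

function alreadyProcessed(string $txnId): bool
{
    if (!is_file(PROCESSED_FILE)) return false;
    return in_array($txnId, file(PROCESSED_FILE, FILE_IGNORE_NEW_LINES), true);
}

function markProcessed(string $txnId): void
{
    file_put_contents(PROCESSED_FILE, $txnId . "\n", FILE_APPEND | LOCK_EX);
}

// Step 4, with the checks the other answers call for. VERIFIED only proves that PayPal
// sent the message; it says nothing about who was paid, how much, or whether this same
// notification has been replayed. Returns null on success, otherwise the reason.
function checkPayment(array $f, string $verifyReply): ?string
{
    if ($verifyReply !== 'VERIFIED')                                    return 'not verified by PayPal';
    if (($f['payment_status'] ?? '') !== 'Completed')                    return 'payment not completed';
    if (strcasecmp($f['receiver_email'] ?? '', EXPECTED_RECEIVER) !== 0) return 'paid to a different account';
    if (($f['mc_currency'] ?? '') !== EXPECTED_CURRENCY)                 return 'wrong currency';
    $item = $f['item_number'] ?? '';
    if (!isset(EXPECTED_PRICES[$item]))                                  return 'unknown item';
    // Compare as fixed two-decimal strings so "0.01" cannot satisfy a "9.99" price.
    $paid = number_format((float) ($f['mc_gross'] ?? 0), 2, '.', '');
    if ($paid !== EXPECTED_PRICES[$item])                                return "wrong amount: $paid";
    $txn = $f['txn_id'] ?? '';
    if ($txn === '' || alreadyProcessed($txn))                           return 'missing or replayed txn_id';
    return null;
}

// Step 1: PayPal POSTs the notification to this script. Reply 200 in every case
// (PayPal retries otherwise) and never echo anything that depends on the input.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $raw = file_get_contents('php://input');
    parse_str($raw, $fields);
    $problem = checkPayment($fields, verifyWithPaypal($raw));
    if ($problem === null) {
        markProcessed($fields['txn_id']);
        // Grant access here: e.g. record $fields['custom'] (the order/user id you set on
        // the payment button) as paid, and have the protected page check that record.
    } else {
        error_log('IPN rejected (' . $problem . ') txn_id=' . ($fields['txn_id'] ?? '?'));
    }
    http_response_code(200);
}
```

For the original question this means the protected page should look up whether the order (the `custom` value set on the payment button) has been recorded as paid by this listener, not whether `HTTP_REFERER` contains "paypal": any client can send `curl --referer https://www.paypal.com/ https://example.com/paid.php` and pass the referer test without paying.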
A: 

Hi. Maybe this snippet can help you: http://www.snipplr.com/view/41575/process-paypal-response/ The request code is available at http://www.snipplr.com/view/41574/paypal-xclick-payment/

michalzuber
+1  A: 

Any method of checking what site the user came from can be fudged by the user, whether for exploit reasons (bypassing the "pay for my stuff" part) or for privacy ("It's none of your business what I was just looking at"). Don't rely on it for critical stuff.

You're better off listening for IPN posts from Paypal and using them to unlock features that people have paid for. There might be a bit of a delay, but it's generally really short. Usually by the time a user's bounced back to a "thanks for your order!" page, and clicked a link to access what they bought, the IPN has come through.

cHao
+1  A: 

Referrers are not reliable. They get blocked or replaced quite often. And the user client can replace them with whatever he wants.

You trust the client, which is wrong.

You need to get confirmation directly from paypal, or paypal needs to give the user an unforgeable token.

And you need to validate the payment amount too. Else the user can just pay 1 cent.

CodeInChaos
+1  A: 

Honestly, if you think

 $url = 'paypal';
 if(strstr($_SERVER['HTTP_REFERER'], $url)) {
   // my code
 } else {
   // my error
 }

is going to stop a security exploit, I would recommend you pay somebody more experienced to do this for you, because it is likely you also have other holes in your system. Security in payments is very important.

If you still want to do it yourself, read about PayPal IPN here.

houbysoft