
PHP page protection

I am selling digital products on my site, and I want to set up some kind of page protection. My customers are paying through PayPal. I have a link on the "submit" page to PayPal checkout, and have set up my checkout to redirect to the "information" page. The information page is what I want to protect.

Here's the code I have so far, but for some reason it's not working; I keep getting the "else" statement...

<div id="info">
<ul>
<li>
<?php 
if ( $_SERVER['HTTP_REFERER'] == "https://www.paypal.com/" ){

echo 'information...';

}else{
echo 'You need to pay first...';
}
?>
</li>
</ul>
</div>

Anybody see what I'm doing wrong? Or have a better option?

Thanks!

$_SERVER['HTTP_REFERER'] can easily be faked by anyone. How important is your security? If it's crucial that no one accesses the page without paying then do not rely on HTTP_REFERER.

I haven't used PayPal for a long time, but when I did they had a callback URL that you use to verify payments. The data flow should look like this:

  Your Server                                        PayPal
                                                     User submits payment form
  <----------- PayPal sends transaction information to your callback URL
  You send the information back ----------------------------------->
  <----------- PayPal sends back confirmation that they sent you that data (the data wasn't faked)

Now you check what the transaction information says. If the user made a payment you store that record in a database of some sort so that you can verify they paid anytime in the future.

Update

Here is a PHP code sample from PayPal to get you started: https://cms.paypal.com/cms_content/US/en_US/files/developer/IPN_PHP_41.txt

That page becomes a callback/notification page. You don't put any of that code on the page you want to protect. Instead you store information in a database when the payment is verified on that page and then you check that the payment has been verified on the page you're protecting.
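The callback flow described in this answer (notification arrives, you post it back to PayPal for confirmation, you record the verified payment, and the protected page checks the record), as an added example that is not the answer's code or PayPal's sample. It assumes PDO with SQLite, and the seller e-mail and price are placeholders.

```php
<?php
// Added example, not the answer's code or PayPal's sample: an IPN listener that records
// verified payments, plus the check the protected page runs instead of reading the Referer.
const SELLER_EMAIL = 'seller@example.com';   // placeholder for your PayPal account e-mail
const PRICE = '9.99';                        // placeholder price of the digital product
const CURRENCY = 'USD';
function open_db(string $dsn = 'sqlite::memory:'): PDO {
    $db = new PDO($dsn, null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    // txn_id is the primary key, so a replayed notification cannot be recorded twice.
    $db->exec('CREATE TABLE IF NOT EXISTS payments (txn_id TEXT PRIMARY KEY, payer_email TEXT, mc_gross TEXT)');
    return $db;
}

// Ask PayPal whether it really sent this notification: echo the raw POST body back to the
// IPN endpoint with cmd=_notify-validate prepended. PayPal answers "VERIFIED" or "INVALID".
function paypal_postback(string $rawPost): string {
    $ctx = stream_context_create(['http' => ['method' => 'POST',
        'header' => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => 'cmd=_notify-validate&' . $rawPost]]);
    return trim((string) file_get_contents('https://ipnpb.paypal.com/cgi-bin/webscr', false, $ctx));
}

// Callback-page logic. $postback is injectable so the function can be exercised offline.
function handle_ipn(PDO $db, string $rawPost, callable $postback = 'paypal_postback'): bool {
    parse_str($rawPost, $p);
    if ($postback($rawPost) !== 'VERIFIED') return false;             // not sent by PayPal
    if (($p['payment_status'] ?? '') !== 'Completed') return false;   // pending, refunded, ...
    if (($p['receiver_email'] ?? '') !== SELLER_EMAIL) return false;  // paid to another account
    if (($p['mc_gross'] ?? '') !== PRICE || ($p['mc_currency'] ?? '') !== CURRENCY) return false;
    $stmt = $db->prepare('INSERT OR IGNORE INTO payments (txn_id, payer_email, mc_gross) VALUES (?, ?, ?)');
    $stmt->execute([$p['txn_id'] ?? '', $p['payer_email'] ?? '', $p['mc_gross']]);
    return $stmt->rowCount() === 1;                                    // 0 rows: txn_id was replayed
}

// Protected-page logic: the database record is the proof of payment, not the Referer header.
function has_paid(PDO $db, string $payerEmail): bool {
    $stmt = $db->prepare('SELECT 1 FROM payments WHERE payer_email = ?');
    $stmt->execute([$payerEmail]);
    return (bool) $stmt->fetchColumn();
}

// Offline demo: a constructed notification and a stub postback that answers VERIFIED.
$db = open_db();
$ipn = http_build_query(['txn_id' => 'TX123', 'payment_status' => 'Completed',
    'receiver_email' => SELLER_EMAIL, 'payer_email' => 'buyer@example.com',
    'mc_gross' => PRICE, 'mc_currency' => CURRENCY]);
$stub = fn(string $raw): string => 'VERIFIED';
var_dump(handle_ipn($db, $ipn, $stub));          // first delivery of TX123
var_dump(handle_ipn($db, $ipn, $stub));          // same txn_id delivered again
var_dump(has_paid($db, 'buyer@example.com'));
```

In production the default `paypal_postback` is used and the listener only runs for POST requests to the URL you registered with PayPal; the protected page then identifies the logged-in buyer and calls `has_paid`.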

Use PayPal's IPN to handle the callback. That will confirm without question that the user purchased. https://www.paypal.com/ipn

<?php
// The Referer header is supplied by the client and is often absent, so default to ''.
$ref = $_SERVER['HTTP_REFERER'] ?? '';
// Substring match: a referrer of "https://www.paypal.com/..." contains this prefix.
if (strpos($ref, 'https://www.paypal.com/') !== false) {
    echo 'ok';
} else {
    echo 'error';
}
?>

As some have commented, relying on HTTP_REFERER is far from secure.

However, to get what you are trying to do working, I would change your code to something like this.

This will detect if the referrer contains "https://www.paypal.com/" rather than being == to it:

if (strpos($_SERVER['HTTP_REFERER'], "https://www.paypal.com/") !== FALSE) {

When working with PayPal, there are a number of ways to handle the purchase of goods. I would suggest the option with a callback. You specify a specific URL that will handle the PayPal callback data. In that URL, you do the data verification as described in the PayPal development documentation. In that case, when the customer is redirected back to your page, what you do is look up the status of the purchase in the db. If callback data has not been received yet, you wait and recheck. Once you have received the callback from PayPal and you explicitly know whether the payment happened or not, then based on that you should either give access to your customer or not.

Using Referrer is BAD, as many customers have been seen with this thing disabled. Also, this can be easily changed and your "protected" area would be more than easy to access.

Regards, J.
