PHP- How to make it so someone can't change parameters in url and dont run script again on refresh on a page?

Question

I have a page where any user gets directed to after a payment was made, and in that page there is PHP code to send a confirmation email and some certain other tasks. So I don't want user to be able to refresh that page so the script is run again and I also don't want them to be able to change the parameters in the url for example: www.idk.com?name=eij&age=39 I had this working before but that was when there were only 2 pages I could use

if ( !isset( $_SESSION["origURL"] ) )
$_SESSION["origURL"] = $_SERVER["HTTP_REFERER"];

And used the if user is from ... then run script and if they refreshed it wouldn't run and also couldn't change the url. the problem is that i made a 3rd page the url didn't show up anymore with this code there was nog http referer found.

I really need this to work i hope that anyone can help me

Answer 1

One way to prevent to load the same page twice after a payment is like:

• Your customer makes de payment and is redirected to your page
• At that point you should have some payment data like: payment id, order id, etc...
• Store in Data Base that payment has been paid
• If user tries to access to the same page again with the same data (after resend the POST data for instance) you have to check if that payment was processed before, if was already processed redirect him to another page

For that you need a unique identifier and validate that the payment is legit, that depends in your payment provider.

Answer 2

Sounds like a design problem.

A quick fix:

Use POST instead of GET to prevent people from changing parameters and redirect them as soon as they are done to a new page or the same with no POST parameters.

You could look into checksums so you can validate the request is coming from your site.

its as easy as

$checksum = md5(json_encode($array));

just make sure you have some secret element in the array.