use ref to allow print privileges
Posted: Wed Jul 01, 2009 12:58 am
by podarum
Ok, I needed a new topic, cause I'm hoping for a new way.. And I know there's enough experienced people out there that can help...this should be a piece of cake for them.. I'm using Sessions in php to bring over some fields from another page.. I'd like to give viewing (or print) privileges to only those that came from the PayPal site, anyone who came in through anywhere else, no privileges. Someone said something about checking the ref for 'paypal' or something like that, I can't remember... In the case below, if the link came from
http://www.paypal%, they could see the New Score2. otherwise, nothing.... thanks
Code:
<?php
session_start();
$New_Score2 = 1.22*$_SESSION['Score'];
?>
<?php
print "Your new score2 is : " . $New_Score2;
?>
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 11:44 am
by McInfo
Code:
if (1 == preg_match('#http(|s)://([a-z]+\.){0,1}paypal\.com/#', $_SERVER['HTTP_REFERER'])) {
// The request likely came from paypal.com
}
Successfully matches:
Code:
http://www.paypal.com/
http://paypal.com/index.php
https://cms.paypal.com/
Fails to match:
Code:
http://paypal.com - no trailing slash
http://paypal.com.example.com/ - not paypal.com
https://www.pay.paypal.com/ - more than one subdomain
http://www2.paypal.com/ - number in subdomain
Note: I haven't researched the reliability of $_SERVER['HTTP_REFERER']. It may be possible for the client to spoof it.
Edit: This post was recovered from search engine cache.
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 11:48 am
by BornForCode
As a general comment, do not trust the $_SERVER['HTTP_REFERER'] too much. You will not always have it.
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 2:07 pm
by podarum
Thank you McInfo.. I would just add this code into my results page...html/php, anywhere? Thanks again.
What do you mean by the client can spoof the $_Server....
Is there another way you can think, that I can achieve my goal...not using frames or iFrames.?
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 3:30 pm
by McInfo
podarum wrote: I would just add this code into my results page...html/php, anywhere?
I don't know what else might be in your results page; but, yes, probably. As BornForCode mentioned, $_SERVER['HTTP_REFERER'] might not always be available, so you might need to find some other way to confirm that the user is coming from PayPal.
podarum wrote: What do you mean by the client can spoof the $_Server....
Some of the values that populate the $_SERVER array are determined by what the browser tells the server when a request is made. It is possible for someone to make their browser lie to the server.
podarum wrote: Is there another way you can think, that I can achieve my goal...not using frames or iFrames.?
I didn't realize there were frames involved.
Edit: This post was recovered from search engine cache.
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 5:27 pm
by podarum
Do I need it in the php code?
Code:
<?php
if (1 == preg_match('#http(|s)://([a-z]+\.){0,1}paypal\.com/#', $_SERVER['HTTP_REFERER'])) {
// The request likely came from paypal.com
}
?>
Re: use ref to allow print privileges
Posted: Wed Jul 01, 2009 5:35 pm
by McInfo
You need to get comfortable with PHP before you start tinkering with systems like PayPal that deal with security and money.
To answer your question: yes, PHP code should be between PHP open and close tags.
Edit: This post was recovered from search engine cache.
Re: use ref to allow print privileges
Posted: Thu Jul 02, 2009 11:14 pm
by podarum
Hi McInfo,
How would your code change for testing PayPal's sandbox site? For example, a link coming from
http://www.sandbox.paypal.com .. thank you..
Re: use ref to allow print privileges
Posted: Thu Jul 02, 2009 11:29 pm
by McInfo
In the pattern, change the max from 1 to 2 in the min/max quantifier.
Code:
'#http(|s)://([a-z]+\.){0,2}paypal\.com/#'
Or change the min/max quantifier to a zero-or-more quantifier.
Code:
'#http(|s)://([a-z]+\.)*paypal\.com/#'
Edit: This post was recovered from search engine cache.
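An added example, not code from any poster in this thread: it runs the {0,1} pattern posted earlier beside a check on the parsed host, over the URLs listed in the thread plus the sandbox host and a request with no Referer. The function name referer_host_is_paypal and the sample values marked "constructed" are assumptions made for illustration; because the header is supplied by the client, the result is a hint and not proof of where the visitor came from.

```php
<?php
// Added example. Function name and constructed samples are illustrative only.

// Pattern as posted in the thread: it has no ^ anchor, so preg_match()
// accepts the text wherever it occurs inside the header value.
$threadPattern = '#http(|s)://([a-z]+\.){0,1}paypal\.com/#';

/**
 * True when the value is an http(s) URL whose host is paypal.com or any
 * subdomain of it. A missing or malformed header is treated as "no".
 */
function referer_host_is_paypal(?string $referer): bool
{
    if ($referer === null || $referer === '') {
        return false;                       // header absent: fail closed
    }
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // not an absolute URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    // Exact host, or a name ending in ".paypal.com" (11 characters).
    return $host === 'paypal.com' || substr($host, -11) === '.paypal.com';
}

$samples = [
    'http://www.paypal.com/',                       // listed in the thread
    'http://paypal.com',                            // no trailing slash
    'https://www.sandbox.paypal.com/',              // two subdomain labels
    'http://www2.paypal.com/',                      // digit in subdomain
    'http://paypal.com.example.com/',               // a different domain
    'http://example.com/?next=http://paypal.com/',  // constructed: URL inside query
    null,                                           // constructed: no Referer sent
];

printf("%-46s %-8s %s\n", 'Referer', 'pattern', 'host check');
foreach ($samples as $referer) {
    $byPattern = preg_match($threadPattern, (string) $referer) === 1;
    $byHost    = referer_host_is_paypal($referer);
    printf("%-46s %-8s %s\n", var_export($referer, true),
        $byPattern ? 'match' : 'no', $byHost ? 'accept' : 'reject');
}
```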
Re: use ref to allow print privileges
Posted: Thu Jul 02, 2009 11:45 pm
by podarum
Thanks a lot for the quick response..that's awesome..
You know I went live to paypal with a $0.01 payment and tried the code below: it got directed to yahoo.com in every circumstance when I was expecting my process5.php page (I also tried my full link http://www.*****.com/process5.php).. thanks
Code:
/*if (1 == preg_match('#http(|s)://([a-z]+\.){0,1} paypal\.com/#', $_SERVER['HTTP_REFERER']))
{
header ("Location: process5.php");
}
else {
header ("Location: http://yahoo.com");
}*/
Re: use ref to allow print privileges
Posted: Fri Jul 03, 2009 12:20 am
by McInfo
Confirm that your server has $_SERVER['HTTP_REFERER'] set when the script runs.
Edit: This post was recovered from search engine cache.