Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 6:55 pm
by celwell
Hi,
I have a php page that customers are taken to automatically when they cancel their payment. On the back-end, this php page automatically sends me an e-mail notifying me that a payment was cancelled. After that happens, on the front-end the user is shown a page that says some things.
My question is: When a web spider crawls to that php page will it trigger an e-mail to me (making me think, incorrectly) that someone cancelled their order?
Thanks.
Re: Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 7:58 pm
by requinix
celwell wrote: My question is: When a web spider crawls to that php page will it trigger an e-mail to me (making me think, incorrectly) that someone cancelled their order?
Not if you code it correctly.
First of all, a spider shouldn't make it there. Spiders are for content, not errors or warnings or cancellation pages.
In your position I'd code the system so that the payment information is stored in sessions and the cancellation page gets the information from there. A spider won't have any session information and so your page shouldn't do anything.
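The session-based gate requinix describes, written out as an added example (not requinix's code). It assumes a hypothetical checkout.php has already stored $_SESSION['pending_payment'] before redirecting the customer to the payment provider, and that the owner address is a placeholder; PHP 7 or later is assumed for the type declarations.

```php
<?php
// Added example: only send the cancellation notice when this browser's session
// carries a pending payment, i.e. when a real checkout was started here.
// Assumption: checkout.php did
//     $_SESSION['pending_payment'] = ['id' => '<constructed id>', 'amount' => '9.99'];
// before sending the customer to the payment provider.
session_start();

// True only when the session holds a non-empty pending payment id.
function has_pending_payment(array $session): bool
{
    return isset($session['pending_payment']['id'])
        && is_string($session['pending_payment']['id'])
        && $session['pending_payment']['id'] !== '';
}

if (has_pending_payment($_SESSION)) {
    $id = $_SESSION['pending_payment']['id'];
    // A crawler arrives with no session cookie, so it never reaches this branch;
    // it is simply shown the HTML below and no mail is sent.
    mail('owner@example.com',            // placeholder address
         'Payment cancelled',
         "Pending payment {$id} was cancelled by the customer.");
    // Clear the marker so a reload of the same URL does not send a second notice.
    unset($_SESSION['pending_payment']);
}
?>
<html>
<body>Payment Cancelled.</body>
</html>
```

The check keys on state the server itself created earlier in the flow, which is why it holds up where a Referer check does not: a request that skipped the checkout step has nothing to present.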
Re: Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 8:24 pm
by Chris Corbyn
As a rule of thumb, don't perform any major operations (e.g. sending an email, inserting a forum thread) on GET requests. Use POST requests.
This is particularly important when it comes to destructive actions such as deleting a forum post. A hyperlink can get you in muddy water since it can be spidered, but a POST request will not. I believe there are browser toolbars that may spider pages you are viewing even if your website requires login.
Re: Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 8:38 pm
by dude81
Even if you think of changing all methods from $_GET to $_POST, an alternative is to implement a captcha, just before confirmation of the process.
Re: Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 9:08 pm
by Kieran Huggins
Chris++
Spiders follow <a> hrefs (which are always requested via a GET request).
Following the REST concept, a GET request is always a non-destructive view of data. Anything that performs a create, update, or delete should be performed with either a POST, PUT or DELETE request via a form.
Read:
http://en.wikipedia.org/wiki/Representa ... e_Transfer
And:
http://en.wikipedia.org/wiki/Web_crawler
Also, to restrict certain files and/or directories from being crawled, you can use a robots.txt file. Be careful not to use <a rel="nofollow"> as a replacement, as Google does follow these links and simply excludes the contents from its index / pagerank.
Re: Will a web spider trigger my php mail() function?
Posted: Sat Dec 06, 2008 10:02 pm
by celwell
Thank you all for your replies.
However, let me further define my situation:
The user clicks on "Make Payment", which takes them to PayPal.
PayPal has an option to "Cancel this order."
I've configured my PayPal seller account to take the user to cancelledPayment.php when they click on "Cancel this order."
php pseudo-code for cancelledPayment.php:
<?php
// Notify the site owner that a payment was cancelled (the pseudo-code above, made runnable;
// the owner address is a placeholder)
mail('me@example.com', 'Payment cancelled', 'Someone has cancelled their payment');
?>
<html>
<body>Payment Cancelled.</body>
</html>
Now, I'm worried that a spider might go to cancelledPayment.php and then that would send me an email incidentally. And then my records would be thrown out of sync. Now, here's an easy fix: I check HTTP_REFERER for the PayPal domain and only send the email if true.
And that would work.
But my curiosity wants to know: if I didn't put in that conditional on the referer, would the spider cause an email to be sent to me?
Also note that there are no links pointing to this page (except the one at PayPal).
What would happen if there was a link somewhere else on my site to the page?
And, what happens given that there is no link?
Thanks!
Re: Will a web spider trigger my php mail() function?
Posted: Sun Dec 07, 2008 12:33 am
by Chris Corbyn
PayPal integration is a pet-peeve of mine since it's the only place I end up having to perform a write on a GET request.
You need some serious sanity checks in there:
1) When you send the user to PayPal make sure you specify a notify_url parameter for an IPN (a given really)
2) Make sure you register an unfulfilled transaction somewhere (DB?) with a unique ID
3) Make sure you include the ID in the cancel and return URLs for PayPal, as well as in the IPN.
4) When a user hits the cancel URL, make sure the ID matches an unfulfilled txn, and if it does, act. Otherwise take some other action.
There are various ways to define "user". If the person is not logged in you may need to use a cookie with a unique id in it.
So basically the bottom line is: check to make sure the payment that's being cancelled is actually a payment that can be cancelled before you act.

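Steps 2 to 4 of the checklist above, carried through as an added example (not Chris Corbyn's code and not PayPal's API). It assumes a SQLite file accessed through PDO as the "somewhere" for the unfulfilled transaction (any database works), a hypothetical checkout.php that calls create_pending_payment() and paypal_urls() before redirecting, a placeholder owner address, and PHP 7 or later for random_bytes() and the type declarations.

```php
<?php
// Added example: register an unfulfilled transaction under an unpredictable id,
// carry that id in the cancel/return URLs, and on the cancel hit act only when
// the id names a transaction that is still open.

function db(): PDO
{
    // Assumption: a writable SQLite file next to the script.
    $pdo = new PDO('sqlite:' . __DIR__ . '/pending_payments.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS pending_payment (
        id         TEXT PRIMARY KEY,   -- random token, also used in the PayPal URLs
        amount     TEXT NOT NULL,
        status     TEXT NOT NULL,      -- open | cancelled | completed
        created_at INTEGER NOT NULL)');
    return $pdo;
}

// Step 2: record the unfulfilled transaction. The id is 128 bits from the
// CSPRNG, so a crawler (or anyone else) cannot guess or enumerate it.
function create_pending_payment(PDO $pdo, string $amount): string
{
    $id = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare('INSERT INTO pending_payment (id, amount, status, created_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$id, $amount, 'open', time()]);
    return $id;
}

// Step 3: the id rides along in the cancel and return URLs handed to PayPal.
// (checkout.php would call this and pass the result in the payment form.)
function paypal_urls(string $baseUrl, string $id): array
{
    $q = '?txn=' . rawurlencode($id);
    return [
        'cancel_return' => $baseUrl . '/cancelledPayment.php' . $q,
        'return'        => $baseUrl . '/paymentComplete.php' . $q,
    ];
}

// Step 4: act only if the id matches an open transaction. The UPDATE is
// conditional on status = 'open', so a reload or a crawler re-fetching the
// same URL flips the row once and triggers at most one e-mail.
function cancel_pending_payment(PDO $pdo, ?string $id): bool
{
    if ($id === null || !preg_match('/^[0-9a-f]{32}$/', $id)) {
        return false;                       // missing or malformed: do nothing
    }
    $stmt = $pdo->prepare("UPDATE pending_payment SET status = 'cancelled'
                           WHERE id = ? AND status = 'open'");
    $stmt->execute([$id]);
    return $stmt->rowCount() === 1;         // true only for the first valid cancel
}

// --- cancelledPayment.php: the page PayPal sends the customer back to --------
$pdo = db();
$txn = $_GET['txn'] ?? null;
if (cancel_pending_payment($pdo, $txn)) {
    mail('owner@example.com',               // placeholder address
         'Payment cancelled',
         "Pending payment {$txn} was cancelled by the customer.");
}
// Whatever happened above, the visitor (or a spider) just sees the page.
?>
<html>
<body>Payment Cancelled.</body>
</html>
```

A spider that reaches cancelledPayment.php without a txn parameter, or with one it made up, falls into the "do nothing" path, and a genuine cancel URL stops being actionable the moment it has been used once.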
Re: Will a web spider trigger my php mail() function?
Posted: Sun Dec 07, 2008 5:46 pm
by celwell
I'm not bothering to mess with IPN for this single "Buy It Now" button transaction.
Does anyone have answers to my two questions in post #6?
Re: Will a web spider trigger my php mail() function?
Posted: Sun Dec 07, 2008 8:42 pm
by dude81
$_SERVER['HTTP_REFERER'] is generally not a trustable resource. As bots or spiders won't access the web via browsers, there is a high chance of that conditional test of HTTP_REFERER failing. You need to look for some other workaround.