I have to build a script for a project website that will accept payment using PayPal/another gateway.
Here are the steps:
1. Display form so user can enter info
2. Form data collected using POST, validated & processed
3. Form data is inserted "partly" in MySQL. What it means is I will enter user name, password and other needed info in MySQL and will have a column 'status' which will be set to "unpaid" at this time
4. User will be redirected to PayPal or another gateway site
5. Payment info entered and processed
6. User will be redirected to a script on my site
7. I will have a button to press, "confirm payment", that will send a hidden input to update the MySQL column to "paid"
Everything is working fine. But here is my question:
A hacker can follow steps 1 through 4 and skip step 5. He can learn the redirected script address and enter it into the browser and he will see the "confirm payment" button. Once he clicks that, his data will STILL get updated to "paid" status.
I am trying to use sessions to "remember" the same browser and IP and user ID, but the hacker can do it in the same browser, logged in with the same IP.
My question:
1. What do I need to do to "break" the link when somebody skips steps 5 & 6?
2. Can I do something so that "some" data needs to be processed once the user gets redirected from the gateway website that can ONLY happen when somebody actually follows steps 1 through 7?
Any help greatly appreciated.
Thanks
Posts that involve syntax type errors needing very general knowledge will typically get quicker, higher quantity responses because more of the membership can help. With a post such as this, you immediately limit yourself to responses from members who have direct experience with payment gateways, which is a much smaller subset of the membership; response will depend a whole lot more on who happens to wander by and think 'oh I know how to do that'.
If it makes you feel better, just about any time I've started a thread I get no response because what I'm doing is so bloody esoteric and downright weird that no one wants to touch it! <grin>
NameNick's [edit: and barns101's] reply is exactly on point: what you want to use is PayPal's Instant Payment Notification or Payment Data something-or-other (I can't remember what the last word is). They used to have a PDF on it, but now I think it's only in an online HTML format - log in to your developer account and go down the 'help' path. After you're familiar with it, search their developer's forum - there's a couple of good posts that clarify what the docs don't.
You also should strongly consider using encrypted buttons. That learning curve is steep but worthwhile.
The only other gateway I've used is authorize.net, which also gives you a definitive response that is virtually hacker-proof.
This is an awesome forum, you just have to have patience sometimes - there's no conspiracy to keep anyone in the dark, we love to help any time we feel that we can, but we don't post many 'hmm, I dunno', which, to me, is a plus.
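The flaw in the original flow is that the "paid" status is written in response to something the browser submits (the hidden input behind the "confirm payment" button), so anyone who reaches the return script can set it. The reply's suggestion (PayPal's IPN, or the equivalent server-to-server response from authorize.net) fixes this because the status change is triggered by a message from the gateway to the site, not by the visitor. The following Python example is added here to illustrate that structure; it is not code from the thread, from PayPal, or from any real gateway. The gateway, its shared-secret HMAC signature, the order store and all sample values are constructed stand-ins: a real gateway has its own way of proving a notification is genuine, but the shape of the check is the same.

```python
import hashlib
import hmac
import json
import secrets

# Constructed shared secret between the site and the hypothetical gateway.
# Real gateways prove authenticity their own way; the HMAC stands in for that.
GATEWAY_SHARED_SECRET = b"constructed-shared-secret-not-a-real-key"


class MerchantSite:
    """Stand-in for the poster's signup script and its MySQL 'status' column."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.orders = {}           # order_id -> {"user", "amount", "status"}
        self.seen_txn_ids = set()  # each gateway transaction may be applied once

    def create_order(self, username: str, amount_cents: int) -> str:
        """Step 3: store the signup with status 'unpaid' before redirecting."""
        order_id = secrets.token_hex(8)
        self.orders[order_id] = {"user": username, "amount": amount_cents, "status": "unpaid"}
        return order_id

    def return_page(self, order_id: str) -> str:
        """Steps 6/7: the page the browser lands on after the gateway.

        It only reads the stored status. Nothing the browser submits here
        (no hidden input, no 'confirm payment' button) can change it.
        """
        if self.orders[order_id]["status"] == "paid":
            return "Thanks, your payment was received"
        return "Payment not confirmed yet"

    def notify_endpoint(self, body: bytes, signature_hex: str) -> str:
        """Server-to-server notification from the gateway (the IPN-style step).

        Flip 'unpaid' to 'paid' only when the message is authentic, refers to
        a known order, has not been applied before, and matches the amount.
        """
        expected = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, signature_hex):
            return "rejected: bad signature"
        msg = json.loads(body)
        order = self.orders.get(msg.get("order_id"))
        if order is None:
            return "rejected: unknown order"
        if msg.get("txn_id") in self.seen_txn_ids:
            return "ignored: duplicate notification"
        if msg.get("status") != "completed" or msg.get("amount") != order["amount"]:
            return "rejected: not a completed payment for the expected amount"
        self.seen_txn_ids.add(msg["txn_id"])
        order["status"] = "paid"
        return "ok"


class FakeGateway:
    """Constructed stand-in for the payment gateway (steps 4-5)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def build_notification(self, order_id: str, amount_cents: int, status: str = "completed"):
        """Produce the signed message the gateway would send to the site's notify endpoint."""
        self.counter += 1
        body = json.dumps({"order_id": order_id, "txn_id": f"TXN{self.counter}",
                           "amount": amount_cents, "status": status}, sort_keys=True).encode()
        sig = hmac.new(self.secret, body, hashlib.sha256).hexdigest()
        return body, sig


def skip_payment_scenario() -> dict:
    """Steps 1-4, then straight to the return page, then an unsigned 'completed' message."""
    site = MerchantSite(GATEWAY_SHARED_SECRET)
    order_id = site.create_order("alice", 2500)
    page = site.return_page(order_id)          # visiting the return script changes nothing
    unsigned = json.dumps({"order_id": order_id, "txn_id": "TXN-x",
                           "amount": 2500, "status": "completed"}).encode()
    result = site.notify_endpoint(unsigned, "00" * 32)
    return {"page": page, "notify": result, "status": site.orders[order_id]["status"]}


def real_payment_scenario() -> dict:
    """Full flow: the gateway notifies the site, the same notification is delivered twice."""
    site = MerchantSite(GATEWAY_SHARED_SECRET)
    gateway = FakeGateway(GATEWAY_SHARED_SECRET)
    order_id = site.create_order("bob", 2500)
    body, sig = gateway.build_notification(order_id, 2500)
    first = site.notify_endpoint(body, sig)
    replay = site.notify_endpoint(body, sig)   # gateways can redeliver; it must be harmless
    return {"first": first, "replay": replay, "page": site.return_page(order_id),
            "status": site.orders[order_id]["status"]}


def underpaid_scenario() -> str:
    """A genuine but wrong-amount notification must not mark the order paid."""
    site = MerchantSite(GATEWAY_SHARED_SECRET)
    gateway = FakeGateway(GATEWAY_SHARED_SECRET)
    order_id = site.create_order("carol", 2500)
    body, sig = gateway.build_notification(order_id, 100)
    site.notify_endpoint(body, sig)
    return site.orders[order_id]["status"]


if __name__ == "__main__":
    print(skip_payment_scenario())
    print(real_payment_scenario())
    print(underpaid_scenario())
```

The point the scenarios make is that the browser's return page is purely informational: the only code path that writes "paid" is the notify endpoint, and it checks authenticity, order identity, amount and duplicate delivery before doing so. With a real gateway, replace the HMAC check with the gateway's documented verification step and keep the rest of the checks as they are.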