[RESOLVED] URL Verification - I'm well stuck

Chunky

It's been a few years since I briefly dabbled in PHP and now I find myself needing to dip in again.

I have a Thank You page that is called once a customer pays on an order form. I need to read in a code from the URL, verify it and then decided if it's a valid order or if someone has just called the Thank You page in the hope of landing some software.

Here's the script the transaction company provide:

function cbValid()
{ $key='ABCDE';
$rcpt=$REQUEST['cbreceipt'];
$time=$REQUEST['time'];
$item=$REQUEST['item'];
$cbpop=$REQUEST['cbpop'];

$xxpop=sha1("$key|$rcpt|$time|$item");
$xxpop=strtoupper(substr($xxpop,0,8));

if ($cbpop==$xxpop) return 1;
else return 0;
}

OK. That's the fuction I have to work with. The Key is what I give them and when the transaction is processed it uses the date and time and my Key to encrypt the proof of purchase, cbpop.

All that is fine, but it's how I incorporate this into my web page.

If I call the function this is what I need to happen:

if (cbValid())

 A valid transaction so keep this page up

else

Dodgy transaction, redirect to another URL

All this I'm assuming happens in the <Head> section.

I'm sure this is very straightforward but my rather clumsy attempts to redirect have all ended in failure.

Many thanks

Roger_Ramjet

Well you can redirect or just print a message and exit the script. Either way you have it happen in the page script BEFORE any html or headers.

<?php // thankyou.php

function cbValid()
{ $key='ABCDE';
$rcpt=$_REQUEST['cbreceipt'];
$time=$_REQUEST['time'];
$item=$_REQUEST['item'];
$cbpop=$_REQUEST['cbpop'];

$xxpop=sha1("$key|$rcpt|$time|$item");
$xxpop=strtoupper(substr($xxpop,0,8));

if ($cbpop==$xxpop) return 1;
else return 0;
}

// deal with the invalid case first
if (!cbValid) {
   // redirect
   header ("Location: http://www.yourdomain.com/get_lost_cheeky.html");
   exit;
}

// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed

// now have the thank you page html
?>
<html>
<head>
... etc

Chunky

I knew I should have kept up my PHP. Sadly I lapsed and wandered more into ASP/VB Script but I'll stay with this forum because I'm looking at incorporating a MySQL database into my web site and I have a feeling I'll be back.

Roger Ramjet, I thank you.

bradgrafelman

Don't forget to mark this thread resolved (if it is).

Chunky

I'm just waiting for an email from my service provider.

The script isn't working at the moment in that good and bad cbpop strings are being accepted. Now I'm sure the script is OK so the problem must lie with mine host. According to my settings, PHP is enabled so my .php Thank You page should be doing its stuff. At the moment it isn't so as soon as that is resolved I can confirm all is well on the script front.

Chunky

Wow! This turned out to be a tad more complicated than I first thought.
However, my web host customer service are brilliant and the script is now working well.

This part of their initial reply explains the problem

register_globals is not enabled, as it shouldn't be, so this won't work. You should always code for this being disabled; as of PHP5 the default state of register_globals is off.

So with a bit of testing and tweaking this is the revised script that did the trick:

<?php // thankyou.php

function cbValid($rcpt, $time, $item, $cbpop){
$key='ABCDE';
$xxpop=sha1("$key|$rcpt|$time|$item");
$xxpop=strtoupper(substr($xxpop,0,8));

    if ($cbpop==$xxpop){
    return 1;
} else {
    return 0;
}

}

// ===== Sanitise the input (only allow GET for security) =====
$rcpt = trim(addslashes($GET['cbreceipt']));
$time = trim(addslashes($GET['time']));
$item = trim(addslashes($GET['item']));
$cbpop = trim(addslashes($GET['cbpop']));

// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
// redirect
header ("Location: http://thejester.biz/");
exit;
}

// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed

// now have the thank you page html
?>

Anyway, thanks for pointing me in the right direction.

Roger_Ramjet

I'd ask some seriouse questions of the payment provider if I were you - providing a script that requires register globals ??? Must be crazy, or more likely lazy and have not maintained the script since it was written for php 3. About as secure as Paris Hilton's knickers.

Personal;ly, I never read it, just assumed it worked. Glad to hear you've got it working. But I do suggest you now spend a lot of time trying to hack your own site before someone else does, cos that provider is not gonna wear the loss - you are.

Chunky

I think Clickbank just offer the script as a gesture and nothing more. I'll endevour to highlight your warning on various marketing forum I post to.

Thanks