How to make a PHP protected page ?

chrisj

I'm using a PHP script and am adding a Paypal link, so when the user/purchaser returns to the PHP script he is routed to a protected page that only users who have made the payment can access.

Can someone help me with the protected page part?
Some clues, any help would be appreciated.

etully

You should be using the PayPal system called IPN. Instant Payment Notification.

When you build the form pointing to PayPal, there are two fields that you can use for your own purposes. (That is, what you put in those fields will have no effect on the PayPal payment process). The fields are "invoice" and "custom". When the payment is accepted at PayPal, they will hit a callback URL on your site and pass you a message that says the payment was accepted and they will also pass back whatever you sent them for "invoice" and "custom".

When you display the form, embed a unique and unguessable secret in the invoice or custom field in the form. Also write that same code to a database with a flag saying "UNPAID".

When PayPal hits your callback URL telling you that the payment was accepted, take the secret code in the invoice or custom field and update flag in the database for that code to "PAID".

So I do something like this:

<?php
//  replace "gibberish" with 10-20 random characters  (like ASDasd123!@#)
$secret = "GIBBERISH" . $userid . time() . $invoice_id ;

$query = "insert into payments (code,flag) values ('$secret','UNPAID')";
$result = mysql_query($query);
?>
<input type="hidden" name="invoice" value="<?php echo md5($secret); ?>">

Now, all you have to do is modify your protected page to check the database to see if that flag is marked "PAID". If not, then display a message like, "Go away deadbeat".

If you want to grant access for a certain time period, change your callback URL page so that when it updates the flag to "PAID", it also writes the current time. Then in your protected page, you can see when the payment was made and whether or not that falls in or outside the allowed time frame.

chrisj

Thank you for your informative reply. That sounds pretty good.

When you say "take the secret code in the invoice or custom field and update flag in the database for that code to "PAID" that's sounds like it has to be done manually. Is it done automatically?

Also, how does someone create a page in php that is protected from other's accessing it?

Thanks again.

etully

There is going to be a secret page that only you and PayPal know about. Name it something silly like: ipn_333_reSPONses.php

Something nobody is going to accidentally find.

When a user leaves your site to go to PayPal, they pay over on that other web site. When the payment is complete, PayPal has to have some way of INSTANTLY NOTIFYING you of the PAYMENT. That's why they call it IPN - Instant Payment Notification. The way they notify you is that they hit your secret php script (with the silly name from above). They will pass you about 20 variables just like it was a form on your web site. When you look at those variables, you will be able to know which user made a payment, $$ amount, success/failed, and other stuff like dates and such. And of course, one of the variables is going to be the custom field that you passed them. They are simply passing it back to you so that you can know which user gets permission to see the protected page.

So now you know that user 123 actually paid for invoice #1000 and their secret code was GT45sd#$ef#$fdweAS23wfrg5@#fed67.

Now remember, BEFORE you sent them to PayPal, you wrote that secret code to your database... but at that time, they hadn't been to PayPal yet so you flagged the code as unpaid. Now you are getting a callback from PayPal telling you that the payment for GT45sd#$ef#$fdweAS23wfrg5@#fed67 was successful.

You make your PHP callback script alter the flag in the database for that code.

Then you have your protected page (or pages) check the database to see if that code is marked paid. If yes, show them the page. If no, tell them to go away.

etully

You can either cookie the code or embed it in a URL (or both) so that the protected page knows which user is trying to access the page.

http://foo.bar.com/protected_page.php?code=GT45sd#$ef#$fdweAS23wfrg5@#fed67