View Full Version : My Security Hole

zoobie
August 7th, 2002, 21:54
I'm selling graphix over the web via Paypal credit-card processing.

One thing I've noticed is when it comes time to pay, the php page with sessions has the Paypal button with hidden fields on it. The problem is, anyone could just look at the source code, copy and paste the "thank you" address into the browser, and by-pass the credit-card processing altogether.

I know about includes...but so would they.

What do you suggest?

Thanks ogre2

biggulp
August 8th, 2002, 00:22
set the hidden field variables to session vars

zoobie
August 8th, 2002, 19:18
How about an example? :classic2:

biggulp
August 8th, 2002, 19:53
I do not know what your page looks like, but if your buying script is so insecure I seriously think you should rewrite it.

zoobie
August 9th, 2002, 01:15
Well, after the form selections, it gets posted to this, my verify page which registers the session and has the Paypal button and code on it. I don't want to use Paypal's IPN (Instant Payment Notification) because it has just too many forms for a $5 purchase. As you can see, the highlighted code is all they have to copy/paste into their browser address which goes to my purchased page and they by-pass Paypal altogether.

<?php

session_start();

// Read the three values posted from the selection form (keys must be quoted strings).
$receiver = $_POST['receiver'];
$pic = $_POST['pic'];
$comments = $_POST['comments'];

// Register them in the session so the purchase page can read them back later.
// (session_register() has been removed from PHP; writing to $_SESSION does the same job.)
$_SESSION['receiver'] = $receiver;
$_SESSION['pic'] = $pic;
$_SESSION['comments'] = $comments;

?>

<html><head><title>Verify</title></head>
<body>
<br><br><br><br><br><br><br>
<center>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="me@softhome.net">
<input type="hidden" name="item_name" value="Graphix">
<input type="hidden" name="amount" value="4.95">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="success" value="http://myhost.us/zoobie/purchase.php">
<input type="hidden" name="no_note" value="1">
<input type="image" src="https://www.paypal.com/images/x-click-butcc.gif" border="0" name="submit" alt="Z Graphix">
</form></center></body></html>

How would I do what you initially recommended?

Thanks

Daniel
August 9th, 2002, 01:17
How about you wait until you actually receive the bloody payment and then show your customers what you're selling.

JdS
August 9th, 2002, 13:43
in your purchase.php, you could validate a few basic things first before you show anything:

1. that it has a referring page.
2. that the referring page is from Paypal.
3. that the session variables are registered.

otherwise send them home...

agiantdwarf
August 9th, 2002, 21:35
Originally posted by Daniel
How about you wait until you actually receive the bloody payment and then show your customers what you're selling.
Or use Paypal's IPN methods. http://paypal.com/ipn

zoobie
August 10th, 2002, 04:42
Originally posted by JdS
in your purchase.php, you could validate a few basic things first before you show anything:

1. that it has a referring page.
2. that the referring page is from Paypal.
3. that the session variables are registered.

otherwise send them home...

Hmm...That's the first interesting thing I've heard. Now, how would I validate that they just came from Paypal and if not...send them home?

Thanks ogre2
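The three checks JdS lists, written out as a purchase.php, as an added example that is not code from anyone in this thread. It assumes the verify page stored receiver, pic and comments in the session, that the paid files live in a hypothetical /var/www/private/ directory outside the web root, and PHP 8 (for str_ends_with).

```php
<?php
// Added example (not from the thread): purchase.php that applies JdS's
// three checks before sending anything. Paths and file names are
// hypothetical / constructed for illustration.

session_start();

function send_home(): void
{
    // Redirect and stop, so nothing below is ever sent.
    header('Location: /index.php', true, 303);
    exit;
}

// 1. A referring page must be present at all.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer === '') {
    send_home();
}

// 2. The referring page must be on paypal.com (bare host or a subdomain).
$host = strtolower((string) parse_url($referer, PHP_URL_HOST));
if ($host !== 'paypal.com' && !str_ends_with($host, '.paypal.com')) {
    send_home();
}

// 3. The session variables written by the verify page must exist and be non-empty.
foreach (['receiver', 'pic', 'comments'] as $key) {
    if (!isset($_SESSION[$key]) || $_SESSION[$key] === '') {
        send_home();
    }
}

// Serve only a file named in a fixed allow-list, never a caller-supplied path.
$allowed = ['logo' => 'logo.zip', 'banner' => 'banner.zip']; // constructed list
$pic = $_SESSION['pic'];
if (!isset($allowed[$pic])) {
    send_home();
}

// One download per session: clear the variables so the same URL cannot be replayed.
unset($_SESSION['receiver'], $_SESSION['pic'], $_SESSION['comments']);

header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="' . $allowed[$pic] . '"');
readfile('/var/www/private/' . $allowed[$pic]); // hypothetical directory outside the web root
```

Checks 1 and 2 only stop the copy-and-paste case, because the Referer header is supplied by the browser and is not something the server can trust; check 3 stops anyone who never went through the verify page. Only confirming the payment itself, as Daniel and agiantdwarf describe (waiting for the money or using Paypal's IPN), proves that the customer actually paid.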