I've a security problem..
I've a paypal script that is in a page which get some php variables, those variables are the price of every product and the total of a cart. I have to be sure that the payment is complete but:
when the payment is authorized call a page via ajax that store the order in the database, the fact is that if someone call this page via link..the payment will result complete.
I hope that I've explained good..
If users login is needed to access the site, ultimately the page cannot be called by URL. Even if so, it would throw the error that the USER privilege is not accessed. This would solve one problem but the corner case where the logged user tries to access the file then it gives privileges and the same problem might raise.
Have you set the window object to be on-click. So that the ajax is triggered when the on-click event occurs.
Moreover, the code is needed to help you further with the issues.
Related
I'm struggling to complete a Amazon Pay transaction in PHP.
First of all I followed this guide https://developer.amazon.com/de/docs/amazon-pay-checkout/get-set-up-for-integration.html and implemented version 2 of Amazon Pay. For implementation I used the following PHP Amazon Pay SDK: https://github.com/amzn/amazon-pay-api-sdk-php
Up to point 4 (Set payment info) I got everything working. But here I am stuck. 4.2 says that the response contains an amazonPayRedirectUrl to which the user has to be redirected.
My problem is the following:
I am working with a kind of legacy software where there are a lot of forms in an online shop. When these forms are submitted they are always posting to the same url and depending on the payload data different views are loaded to proceed in the checkout process. When I am now redirecting the user via the generated amazonPayRedirectUrl (using header function of PHP) the user is redirected to the shops landing page (due to htaccess config) instead of the page/view which should logically follow in the checkout process because the redirect does not include the payload data of the submit form.
I already tried to save the needed checkout session id (which is appened as a query parameter to the amazonPayRedirectUrl) into the session to complete the transaction without redirecting the user but this does not work. When calling $client->completeCheckoutSession I get an error message in the response: InvalidCheckoutSessionStatus You tried to call an operation on a Checkout Session that is in a state where that operation is not allowed. The status of the checkout session in the response is "open" instead of "completed". I assume this error occurs because I did not redirect the user (not sure though).
What would be the best way to redirect the user to the correct logically following view/page in the checkout process? Do I somehow have to gather the submit data and do an ajax call including this payload data while calling the amazonPayRedirectUrl or how do I prevent being redirected to the shops landing page respectivly load the correct following view/form?
Thanks in advance!
I have a wordpress store with woocommerce which has paypal payments enabled.
I'm developing a plugin that collects some data from the client on the cart page, stores that data in woocommerce session. Then client goes to paypal to pay, then after a successful payment gets redirected back to the site to the order confirmation page where my plugin is supposed to perform additional tasks.
This works well on my test site when I access it from my computer. It does not however work for me when I try it from my android phone.
The session "seems" to be lost when I come back from Paypal and none of the data is accessible through Woocommerce's WC()->session->get
Interestingly, the data is still there in the sessions table in the database, it just doesn't get loaded when I get redirected from Paypal.
In order to try to debug this, I wrote 2 lines of code in index.php where I'm writing to log the Cookie header every time the site is loaded. I can see the cookie data being logged when I navigate around the site.
However when the navigation back from paypal happens, the Cookie header is empty, so no wonder the session doesn't get loaded.
My question is, what can I do about it so that I can access the data after I get redirected back to the site.
PS - the trickiest part is that the issue is intermittent. I managed to find a laptop with a browser which behaved exactly as my android phone so I could inspect the issue easier, but after doing a couple of tests, it started being able to access the session data when navigating back from paypal to the site. So basically now "it's working" and I can't reproduce the issue again even after clearing all site data from the browser. But I know the issue still occurs for some people, outside my office.
I won't pretend to be an expert on third party cookie session preservation, but the bottom line is browsers are being more and more aggressive about dropping cookies when navigating away and back to a site, and so you shouldn't rely on this type of session preservation if the data you are saving is important.
The newest WooCommerce PayPal module uses the Express Checkout API, which generates an EC-################# before redirecting the user away, and you'll have this in the URL when they return from PayPal. So you can use this to keep track of the same user returning. But it also has support for Smart Payment Buttons so your site stays loaded in the background, which is a better experience anyway.
I have a webpage on my website at www.example.com/complete.html
As it is right now, anyone can access this page by visiting the website through the URL.
When I set up my paypal payment buttons on my website, after the payment is successful, the user is redirected to www.example.com/complete.html
I don't want anyone to be able to access this page unless they are sent their by the paypal system. How can I do this?
See:
Auto Return and note the option to override with parameters you can use to check or verify upon return to your site.
Payment Data Transfer - which similarly allows you to check or verify upon return to your site/returnUrl
There are other ways depending on how you implement Paypal, but the idea is similar - you will need to check or verify data, either from Paypal, or something you expect back (as described in the Auto Return custom variable - e.g. Session ID that you check/compare when user comes back) before displaying some page on your site.
Hth..
We have a donation button on our web site that goes to PayPal. The donation gets processed, the user clicks a button on the PayPal success page and is then redirected back to a PHP page with a list of maps to download. I want to limit who can access this page to users coming from PayPal or users coming from our site. I have tried various .htaccess rules and they don't seem to work with users coming from PayPal http_referrer wise. And the referring IP always ends up being my IP address at home. I also tried coding the PHP redirect target form such that it with only renders the page if they are coming from paypal.com or from our site. Otherwise, they get an error page. So can anyone please suggest a better way to restrict access to the redirect page after the PayPal success page? Thanks.
There are many ways to go about it. This is something I have used in the past.
Firstly, you want to give access to users who have made a payment (or donated). Depending on whether you want to give users (who have paid) a one time access or allow multiple visits even after they log out, you can check whether this user, in this session, made a payment or not.
Here's one way to achieve it:
// PAYMENT CONFIRMATION
$payment_success="FALSE"; // DEFAULT to payment failed
$payment=mysql_real_escape_string($_GET['payment']);
$ab=$_REQUEST['ab'];
$tx=$_REQUEST['tx'];
$st=$_REQUEST['st'];
$amt=$_REQUEST['amt'];
if(($tx!="") AND ($st=="Completed") AND ($amt!="")){
$payment_success="TRUE";
}else{
header("location: index.php"); // or wherever you want to send users who haven't paid.
}
If you want to give access to users who have paid even after they have logged out, then you need to either set a cookie on their browser using setcookie(); or track their IP [$_SERVER\['REMOTE_ADDR'\]][2]and add to your DB so every time a user comes to your page, you can run a check to see if they are in your safe list or not.
Good luck
I ended up just adding a static token to the end of the PayPal redirect URL back to my site. I test the token within the target PHP page and let them access the target maps page if the token is correct. And I give them an error screen if it is not. This is a short term fix as I will have to manually change the token every now and then to keep people from bookmarking the page and downloading our maps more than once.
I'm going to experiment with either generating random buttons with different tokens or seeing if PayPal has something that they can send from their end that I can verify.
Thanks for the reply.
I have written a PHP code. When a user submits the form, it saves all information in session and redirect user to PayPal Payment page. When user successfully makes Payment, Paypal sends user to Return path. The return path page gets values from session and enter user in database. But, after submitting the form if user manually visit Return path URL, it will save information in database without getting payment. Any solution for this?
Without sharing your code, it's difficult to give an accurate answer, but based upon what you've provided...
Paypal allows you to provide 2 URLs to it's submission, a return_url and a notify_url.
With the return_url, it should be for display only (e.g. www.website.com/order_complete/), and should NEVER have any functionality behind it, such as updating an order status for the exact reason you've asked the question. Therefore, when you query the order in the DB, it would still be marked as unpaid, and then you can put in the appropriate response.
Validating the order is what the notify_url is for (see https://developer.paypal.com/docs/classic/products/instant-payment-notification/ for more information). Basically, this does a checkback to paypal to confirm that the order you have attempted to make has actually gone through successfully, and then you do your DB updates (setting the order to complete).
The solution for you would be to remove the 'order updating' functionality from the return_url, and implement the IPN.