Hiding download url


This topic is locked
22 replies to this topic

#1 zoobie (New Member, 65 posts)

Posted 20 January 2003 - 02:50 AM

What's to keep us from simply using the $HTTP_REFERER to see if the user just came from Paypal and not just having typed in the 'return' url visible in Paypal's single-item purchase button?

Thanks

#2 EliteWeaver (Junior Member, 239 posts)

Posted 20 January 2003 - 04:54 AM

Most firewalls, if set too high, block the "HTTP_REFERER"; so do a lot of proxy servers, and newer versions of Netscape even have an option to switch it off. The "HTTP_REFERER" can therefore not be relied upon and, as it is passed to you and dictated by the client (web browser), it is far too easy to spoof. I would say that those determined to view a page protected in this manner will be able to do so, and most of the people who will not be able to view it will unfortunately be your genuine paying customers.

You should protect your return page with IPN instead!


Hope this helped?

Marcus Cicero
EliteWeaver UK


#3 zoobie (New Member, 65 posts)

Posted 20 January 2003 - 12:16 PM

Hmm...I've heard nightmare stories about PP's IPN taking anywhere from a few seconds to 30 minutes which is totally unacceptable. New 3rd party services are popping up using the $HTTP_REFERER and charging $30 setup and $7 a month.

Nobody's been able to show me how to write the PHP code for PP and no working examples are available in any language. Below is all PP offers. How would this be modified to, upon payment, show the download page without sending an email and, upon invalid, show them the door? Thanks

<?php
// The part the post left out: PayPal's standard post-back prelude.
// Read the POST from PayPal and prepend 'cmd' for the validation request
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// Post the notification back to PayPal to validate it
$header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen('www.paypal.com', 80, $errno, $errstr, 30);

if (!$fp) {
    // ERROR: could not reach PayPal
    echo "$errstr ($errno)";
} else {
    fputs($fp, $header . $req);
    while (!feof($fp)) {
        $res = fgets($fp, 1024);
        if (strcmp($res, "VERIFIED") == 0) {
            // check the payment_status is Completed
            // check that txn_id has not been previously processed
            // check that receiver_email is an email address in your PayPal account
            // process payment
        } else if (strcmp($res, "INVALID") == 0) {
            // log for manual investigation
        }
    }
    fclose($fp);
}
?>

#4 EliteWeaver (Junior Member, 239 posts)

Posted 20 January 2003 - 01:57 PM

My experience with IPN is that it is 99.9% reliable and I have suffered far more aggravation with other payment processors. All the code on the PayPal website works, but they are only examples of how to validate IPN. If you want to expand the code to protect your return page then it is doable. I offer a free IPN handler in both PHP and ASP that may be of more use to you, and I also allow access to our simulated IPN script testing environment to help aid in your development.

URL: http://www.eliteweav...ing/ipntest.php

$30 setup and $7 a month just to protect a page using the HTTP_REFERER is to me both unacceptable and unreliable!

You should either work at perfecting your own code or consider a 3rd party solution. I offer a copyrighted IPN based return page protection script in PHP and ASP for $9.95, so for obvious reasons I'm unable to divulge my source code as it's a commercial product.


Keep at it and best of luck!

#5 zoobie (New Member, 65 posts)

Posted 20 January 2003 - 03:03 PM

Thanks for responding...What I'm confused about are the 3-4 things PP wants/needs us to do before processing. What I'm looking for is total automatic processing. If I have to do anything manually, I'm out.

I just can't stick a header("URL=download_page.php") in there somewhere?

Thanks again

#6 EliteWeaver (Junior Member, 239 posts)

Posted 20 January 2003 - 03:46 PM

Well after receipt of a valid IPN you could just have your script:

header("Location:http://www.yourdomain.com/thanks.html");

But what's to stop this:

1.) The customer sending the redirected url location to friends?
2.) The customer modifying your web accept code and paying $0.01?
3.) The customer modifying your web accept code to pay another PayPal account?

The likelihood of these events happening is slim but nevertheless a possibility, so if you want 100% protection you should do checks on the paid amount and paid account, and have your return page HTML embedded amongst your PHP code or dynamically displayed from a template file.

Your idea is 70% secure but it all depends on how much you value the security for the product/service you are selling?

Note: Some types of products are magnets for people trying to obtain freebies, especially membership access and digital goods!


#7 zoobie (New Member, 65 posts)

Posted 20 January 2003 - 06:50 PM

This all sounds pretty crummy for the most popular credit-card accepter. First, PP makes the info easily viewable when they could have just as easily have the seller make the page on their server. Secondly, PP actually endorses those phoney javascript-encrypt 3rd party solutions for hiding download pages with a kick-back no doubt. Thirdly, spending anything over a few minutes probably discourages 95% of members trying to secure the faulty setup encouraging other credit-card accepters. Lucky for PP, not many free ones exist. As you can see, I'm not too thrilled with this whole thing.

Seeing as this is the only help on the web and I appreciate your help, I'll continue:

What happens if I include in the button info an animated "Processing..." return url while it's waiting for a verified payment? Will it then go to the IPN's header("Location:download.php") from the "Processing..." page?

I see a flash button that uses a text file for holding the button info...Is this secure?

This whole thing is totally ridiculous...but I guess you get what you pay for...which, in this case, is nothing.

Thanks

#8 EliteWeaver (Junior Member, 239 posts)

Posted 20 January 2003 - 09:36 PM

It's actually quite clever because it allows merchants far more flexibility over their third-party back end and allows us more seamless integration. Even if PayPal could store your return pages on their end, that's a lot of work every time you want to set up a product, especially if you have 1000s of them. Also, once they have redirected your first customer then that person could tell everyone the URL unless they developed a secret word system similar to ClickBank with an encrypted seed. Incidentally, that's just as much work as IPN, and I'm able to reverse engineer ClickBank's system once I have obtained the first seed via a sale, using their own code to generate new compatible seeds, so as you can see that method wouldn't be 100% secure either!

There is no need to have an animated "Processing" button on your return page because a copy of the IPN is sent direct to your return page via a form post when the customer clicks "Continue" after a sale, so it will arrive when they do ;-)

For your information flash buttons can be reverse engineered with a swf decompiler and you can forget javascript based html encryption too because most second grade students could un-encrypt the source!

Trust me, IPN is the only 100% way of protecting a return page. . .

Quote:

"Thirdly, spending anything over a few minutes probably discourages 95% of members trying to secure the faulty setup encouraging other credit-card accepters."

This is not a faulty setup. When you pay for something in a store the shop assistant will confirm you have paid the correct price before allowing you to leave with your purchase. IPN enables you to do exactly that, so I fail to see where the fault is!

BTW: Have you considered trying to modify my free "bare bones" ipn handler as the source code contains plenty of tips ;-)

URL: http://www.eliteweav...ing/ipntest.php

Also, have you considered using PayLoadz for digital delivery of goods though I don't know what you are selling so this advice may not apply?

If you are selling digital "downloadable" goods then you should also protect any download links you will display on your protected page because it's no good protecting a page if your first customer is going to post your direct file links on the nearest warez board!


Hope this helped?

Marcus
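One way to do what the last paragraph asks for (protect the download links themselves, not just the return page) is to serve the file through a script and hand the customer a short-lived link bound to their transaction. This is an added PHP example, not code from the thread or from EliteWeaver's products. It assumes PHP 7.1 or later (hash_hmac, hash_equals), files stored outside the web root in $fileDir, a long random server-side $secret, and a download.php front controller that calls serve_download(); the file name, txn_id and timestamps in the self-test are constructed values.

```php
<?php
// Added example (not from the thread): per-transaction download links that
// expire, so a paying customer cannot usefully paste the file URL elsewhere.
// $secret, $fileDir and download.php are assumptions for illustration.

const LINK_TTL = 3600; // seconds a link stays valid

// The signature covers the file name, the PayPal txn_id and the expiry,
// so changing any one of them invalidates the token.
function sign_link(string $file, string $txnId, int $expires, string $secret): string
{
    return hash_hmac('sha256', "$file|$txnId|$expires", $secret);
}

function make_download_url(string $base, string $file, string $txnId, string $secret, int $now): string
{
    $expires = $now + LINK_TTL;
    return $base . '?' . http_build_query([
        'f'   => $file,
        'txn' => $txnId,
        'exp' => $expires,
        'sig' => sign_link($file, $txnId, $expires, $secret),
    ]);
}

// Returns the file name to serve, or null if the request must be refused.
function verify_download_request(array $q, string $secret, int $now): ?string
{
    foreach (['f', 'txn', 'exp', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;
        }
    }
    if ($q['f'] !== basename($q['f'])) {
        return null; // refuse path traversal: only a bare file name is acceptable
    }
    if (!ctype_digit($q['exp']) || (int) $q['exp'] < $now) {
        return null; // malformed or expired
    }
    $expected = sign_link($q['f'], $q['txn'], (int) $q['exp'], $secret);
    if (!hash_equals($expected, $q['sig'])) {
        return null; // constant-time compare, so timing does not leak the MAC
    }
    return $q['f'];
}

function serve_download(array $q, string $fileDir, string $secret): void
{
    $file = verify_download_request($q, $secret, time());
    $path = $file === null ? null : $fileDir . '/' . $file;
    if ($path === null || !is_file($path)) {
        header('HTTP/1.1 403 Forbidden');
        echo 'Access denied';
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Self-check with constructed values (run: php download_link.php)
function self_test(): bool
{
    $secret = 'replace-with-a-long-random-server-secret';
    $now    = 1700000000;
    $url = make_download_url('https://www.yourdomain.com/download.php', 'myfile.zip', '3AB12345CD678901E', $secret, $now);
    parse_str(parse_url($url, PHP_URL_QUERY), $q);
    $fresh = verify_download_request($q, $secret, $now) === 'myfile.zip';
    $late  = verify_download_request($q, $secret, $now + LINK_TTL + 1) === null; // expired
    $q['f'] = 'other.zip';                                                        // tampered
    $forged = verify_download_request($q, $secret, $now) === null;
    return $fresh && $late && $forged;
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "ok\n" : "FAIL\n";
}
```

The return page calls make_download_url() only after the IPN checks have passed and prints the result instead of a direct file path; a link that turns up on a warez board an hour later is already dead, and one whose file name or txn_id has been edited fails the HMAC check.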


#9 zoobie (New Member, 65 posts)

Posted 20 January 2003 - 11:24 PM

I've been reading your links...Is that anti-fraud shield a password-protected script that emails them the password? In my case, that won't work. Any clues on how to hide the pricing? The 'return' page sounds like a dynamic link is created with a time-out somewhere preventing others from using the link.

I've received an offer to beta test that site I mentioned which, I believe, uses the http_referer system...although I could be wrong.

I'm weighing my options.

Thanks for any help. }:^)

#10 EliteWeaver (Junior Member, 239 posts)

Posted 20 January 2003 - 11:47 PM

Anti-Fraud Shield protects your return page so it cannot be viewed unless your customer has:

1.) Paid your PayPal account.
2.) Paid the asking price.
3.) The sale is completed.
4.) The IPN is VERIFIED.

It will also optionally send a digital file attachment, send a thank you email, update a .htpasswd file and allow a pending echeck.

These features are optional though and do not have to be used ;-)

Your "real" thank you page is dynamically displayed by the script so it can only ever be accessed by a genuine sale so the url cannot be shared!

See: http://www.eliteweav...ield/thanks.php

This is the return page in my PayPal code and is the same URL that a customer would be redirected to, except they will see a completely different page providing their payment was sent to my PayPal account and the amount is at least the price I have set, which is $1.00. Once set up, all you need to do is design your success and denial pages for the script to output. Also, if you put <-first_name-> <-last_name-> in your HTML code this script will display the customer's name for a more personal feel. There is a similar tag for every IPN variable!

Best regards,
Marcus


#11 paypal_pb (Advanced Member, 2,960 posts)

Posted 21 January 2003 - 01:12 AM

If you have any specific questions we are happy to help. The PayPal interface is quite easy to set up.

Patrick Breitenbach
PayPal, Inc.
Dev Net: https://www.paypal.com/pdn

#12 zoobie (New Member, 65 posts)

Posted 21 January 2003 - 03:34 AM

ACCESS DENIED!

The thanks.php is a script that's failed because nothing's been posted to it, right? At least the transaction wasn't completed or verified so it failed and echoed "Access Denied". This is what everyone is missing...the script of if/else statements, which is why nobody uses IPN. So the amount and return page URL in the buy button probably aren't hidden at all.

Getting there...heh heh...but it'd be pretty difficult for me to write the script without knowing more info.

Btw...I just read a 2001 article mentioning shannon and eliteweaver...and another on 100,000 unanswered complaints about PayPal....skeery stuff when both the seller and buyer have no rights. :(


#13 zoobie (New Member, 65 posts)

Posted 21 January 2003 - 01:25 PM

So, let me get this straight...I turn on the IPN in my account pointing to a PHP script. PP posts to this script and info goes back and forth until it's verified. Then, after finishing this procedure, a final post of variables is posted to my thankyou.php, which is actually another script that runs separately and checks if the customer paid a certain amount, if verified, paid to the right account, and completed. It then creates the page dynamically according to the final processed data (access denied or download page).

Is that right?

Now, where's the help in writing the script? It says this is the Paypal developer support forum...or would this cut into sales? ;^)

#14 EliteWeaver (Junior Member, 239 posts)

Posted 21 January 2003 - 02:57 PM

Yes that's the basics, but that is how my script works (one of them anyway), but it is up to you to code yours how you want it to operate.

Remember:

If you set your IPN up at PayPal to point to a URL then an IPN will be posted to that location. If the purchase is a single item or cart sale then a "duplicate" is posted to the return page, which is how my shield script is able to operate. Also, if you specify a "notify_url" variable in your PayPal form code an IPN will be sent there too, though if you do that it will override the one in your PayPal profile (if you have one set); it's good if you have several IPN enabled sites and want the silent posting to go to different locations from the one PayPal account. Yes, there is no reason to hide the "return" variable if your return page is protected by an IPN script ;-)

Yes, I would do myself out of business if I posted the source to my shield script but if you visit http://www.php.net and download my freebie "bare bones" handler and work from that there is no reason why you can't do this yourself with a little effort!

It's a shame you are not selling .htpasswd based membership subscriptions as I do offer a free script for that situation.

Pass Pal: http://www.eliteweaver.co.uk/passpal/


Good luck!

Marcus Cicero
EliteWeaver UK


#15 zoobie (New Member, 65 posts)

Posted 21 January 2003 - 06:54 PM

Sorry, no documents matched your search for "paypal" at php.net. :^)

I'd buy your script...but seeing as it has a lot of stuff I'm not using and maybe a few lines of code I actually need and unless it had extraordinary documentation, I'd probably be sitting here anyway wondering what to do with it. Heh heh

Plain shame... }:^)

#16 EliteWeaver (Junior Member, 239 posts)

Posted 21 January 2003 - 10:10 PM

It's really easy to install, as all you need to do is set a few variables at the top of the script, and it does come with comprehensive documentation; as stated earlier the advanced features are optional. I do free installations if a customer is having trouble but I'm sure you would find it easy.

This is the top of the script:

//* Please Set the following Variables:

$paypal_email = "sales@yourdomain.com"; // Your PayPal E-Mail (must be primary)
$american_usd = "9.95"; // The Price of Your product in USD $ for this Return page
$sterling_gbp = "6.49"; // The Price of Your product in GBP £ for this Return page
$european_eur = "9.99"; // The Price of Your product in EUR € for this Return page
$canadian_cad = "8.95"; // The Price of Your product in CAD $ for this Return page
$japanese_jpy = "5,000"; // The Price of Your product in JPY ¥ for this Return page

//* Leave a currency blank if not being used!


$buffer_limit = "0.00"; // Allow under-payments not Exceeding this Amount
$allow_echeck = "yes"; // If Set to yes a pending echeck will Allow page Viewing
$accept_wpage = "/home/site/xcvbnca.html"; // Absolute path to Your Thank You Web page
$denial_wpage = "/home/site/wyuskqb.html"; // Absolute path to Your Denial Web page

$issue_thanks = "off"; // If Set to on Your customer Will receive a Thanks email
$subject_line = "Thank you for your purchase!"; // Thanks email Subject line
$thanks_email = "/home/site/zbqjwflp.txt"; // Absolute path to Your Thanks email Template
$email_format = "Content-Type: text/plain; charset=iso-8859-1"; // See below

// Content-Type: text/plain; charset=iso-8859-1 = Plain Text
// Content-Type: text/html; charset=iso-8859-1 = Text & HTML

$send_digital = "off"; // If Set to on Your customer Will also Receive a File
$digital_item = "/home/myfile.zip"; // Absolute path to Your digital File

$update_realm = "no"; // If set to "yes" the pass file below will update
$members_file = "/home/site/public_html/members/.htpasswd"; // See below

// Absolute path to Your UNIX password File


//* Switch the Testing Mode to either on or off:

$testmode = "off"; // off = Live Via PayPal Network
// on = Test Via EliteWeaver UK
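The checks this thread keeps coming back to (a VERIFIED post-back, receiver_email equal to your own account, payment_status Completed or an allowed pending echeck, at least the price for the paid currency minus an under-payment buffer, a txn_id that has not been used before, and a thank-you page rendered server-side with <-variable-> tags) fit together in one return-page guard, shown here as an added PHP example. It is not EliteWeaver's shield script or PayPal's sample. It assumes PHP 7.1 or later with the cURL extension for the live transport, that the IPN variables arrive in $_POST on the return page as described in #8 and #14, the post-back endpoint used by the sample in #3, and the setting names from the block above; the IPN values in self_test() and the injected $transport callable are constructed for the example.

```php
<?php
// Added example: IPN-based return-page guard (not the thread's own code).
// Setting names mirror the block above; values are illustrative.
$config = [
    'paypal_email' => 'sales@yourdomain.com',
    'prices'       => ['USD' => '9.95', 'GBP' => '6.49', 'EUR' => '9.99'],
    'buffer_limit' => '0.00',   // tolerated under-payment
    'allow_echeck' => true,     // a Pending echeck may view the page
];

// Compare money as integer minor units so "9.95" and "9.9500" match exactly.
function to_cents(string $amount): int
{
    return (int) round(((float) str_replace(',', '', $amount)) * 100);
}

// Post the notification back with cmd=_notify-validate prepended.
// $transport(string $body): string is injected so the self-test runs offline.
function verify_ipn(array $post, callable $transport): bool
{
    $body = http_build_query(['cmd' => '_notify-validate'] + $post);
    return trim($transport($body)) === 'VERIFIED';
}

// Live transport (assumes cURL and the endpoint from the sample in #3).
function paypal_transport(string $body): string
{
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? '' : $res;
}

// null when the sale passes every check, otherwise the reason to deny.
function deny_reason(array $ipn, array $config, array &$seenTxns, callable $transport): ?string
{
    if (!verify_ipn($ipn, $transport)) {
        return 'INVALID: PayPal did not verify this notification';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $config['paypal_email']) !== 0) {
        return 'wrong receiver_email: payment went to another account';
    }
    $status = $ipn['payment_status'] ?? '';
    $echeck = $status === 'Pending' && ($ipn['pending_reason'] ?? '') === 'echeck';
    if ($status !== 'Completed' && !($echeck && $config['allow_echeck'])) {
        return "payment_status is $status";
    }
    $currency = $ipn['mc_currency'] ?? '';
    if (!isset($config['prices'][$currency])) {
        return "currency $currency not accepted";
    }
    $gross = $ipn['mc_gross'] ?? '0';
    $due   = to_cents($config['prices'][$currency]) - to_cents($config['buffer_limit']);
    if (to_cents($gross) < $due) {
        return "under-payment: $gross $currency";
    }
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxns[$txn])) {
        return 'txn_id missing or already used';
    }
    $seenTxns[$txn] = true;   // persist in a database in production
    return null;
}

// Fill <-variable-> tags from the IPN, HTML-escaped; the real thank-you
// page is only ever rendered server-side, so sharing its URL gains nothing.
function render_page(string $template, array $ipn): string
{
    return preg_replace_callback('/<-([a-z_]+)->/', function ($m) use ($ipn) {
        return htmlspecialchars($ipn[$m[1]] ?? '', ENT_QUOTES, 'UTF-8');
    }, $template);
}

function self_test(array $config): bool
{
    $verified = function (string $body) { return 'VERIFIED'; };   // stub transport
    $seen = [];
    $ipn = [   // constructed IPN values, not a real PayPal notification
        'receiver_email' => 'sales@yourdomain.com', 'payment_status' => 'Completed',
        'mc_currency' => 'USD', 'mc_gross' => '9.95', 'txn_id' => '3AB12345CD678901E',
        'first_name' => 'A<b>', 'last_name' => 'Customer',
    ];
    $pass   = deny_reason($ipn, $config, $seen, $verified) === null;
    $replay = deny_reason($ipn, $config, $seen, $verified) !== null;   // same txn_id twice
    $short  = deny_reason(['mc_gross' => '0.01'] + $ipn, $config, $seen, $verified) !== null;
    $other  = deny_reason(['receiver_email' => 'x@example.net'] + $ipn, $config, $seen, $verified) !== null;
    $html   = render_page('Thanks <-first_name-> <-last_name->', $ipn);
    return $pass && $replay && $short && $other && $html === 'Thanks A&lt;b&gt; Customer';
}

if (PHP_SAPI === 'cli') {
    echo self_test($config) ? "ok\n" : "FAIL\n";
}
```

On the live return page, pass $_POST as $ipn and 'paypal_transport' as the transport, then echo render_page() over the accept template when deny_reason() returns null and over the denial template otherwise. The three cases listed in #6 (a shared URL, a $0.01 payment, a payment to someone else's account) each fail a different check, and the self-test exercises them with the stub transport.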

#17 zoobie (New Member, 65 posts)

Posted 22 January 2003 - 05:14 AM

Guess what? That new start-up company using a script like yours just added me as a beta tester. I guess they don't use the http_referer after all. Competition!

Almost 100 people have viewed this thread...Doesn't that count for something with your increased sales?

What to do...what to do... ;^)

#18 EliteWeaver (Junior Member, 239 posts)

Posted 22 January 2003 - 07:25 AM

I'm a developer and competition is what keeps us developing ;-)

Besides 33 other vendors own re-sale rights for my shield script so competition regarding that product is not an issue for me. It's EW Business Portal that is my main project and no competition exists as of yet because of its complexities and advanced feature list.

Let us know how the beta testing of that new site goes and I'm glad to hear they do not use HTTP_REFERER after all.

Best regards,

- Marcus


#19 zoobie (New Member, 65 posts)

Posted 25 January 2003 - 12:35 AM

Guess who's back? Heh heh...The company that gave me a beta account is really having trubbles (sentrypal.com). It's been 3 days and they're still really messed up...

Anyway, I think I'm going to just buy your script after all and if the site's successful, add a regular credit-card processor. It will save me a big headache. I hope you're going to help me install and customize it to my liking. If Paypal changes their script since they've just been bought by eBay, will you update it?

Thanks

Zoob

#20 zoobie (New Member, 65 posts)

Posted 27 January 2003 - 01:08 AM

Still there?
