
My Security Hole

zoobie

I'm selling graphix over the web via Paypal credit-card processing.

One thing I've noticed is when it comes time to pay, the PHP page with sessions has the Paypal button with hidden fields on it. The problem is, anyone could just look at the source code, copy and paste the "thank you" address into the browser, and bypass the credit-card processing altogether.

I know about includes...but so would they.

What do you suggest?

Thanks ogre2
 
I do not know what your page looks like, but if your buying script is so insecure, I seriously think you should rewrite it.
 
Well, after the form selections, it gets posted to this, my verify page, which registers the session and has the Paypal button and code on it. I don't want to use Paypal's IPN (Instant Payment Notification) because it has just too many forms for a $5 purchase. As you can see, the highlighted code is all they have to copy/paste into their browser address bar; it goes to my purchased page and they bypass Paypal altogether.

<?php

session_start();
// Take the buyer's choices from the posted form and keep them in the session
// for purchase.php. Array keys are quoted strings; the bare-word form in the
// original only worked with a notice.
$receiver = $_POST['receiver'] ?? '';
$pic = $_POST['pic'] ?? '';
$comments = $_POST['comments'] ?? '';
// session_register() was removed in PHP 5.4; write to $_SESSION directly.
$_SESSION['receiver'] = $receiver;
$_SESSION['pic'] = $pic;
$_SESSION['comments'] = $comments;

?>

<html><head><title>Verify</title></head>
<body>
<br><br><br><br><br><br><br>
<center>
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="me@softhome.net">
<input type="hidden" name="item_name" value="Graphix">
<input type="hidden" name="amount" value="4.95">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="success" value="http://myhost.us/zoobie/purchase.php">
<input type="hidden" name="no_note" value="1">
<input type="image" src="https://www.paypal.com/images/x-click-butcc.gif" border="0" name="submit" alt="Z Graphix">
</form></center></body></html>

How would I do what you initially recommended?

Thanks
 
How about you wait until you actually receive the bloody payment and then show your customers what you're selling.
 
In your purchase.php, you could validate a few basic things first before you show anything:

1. that it has a referring page.
2. that the referring page is on Paypal.
3. that the session variables are registered.

otherwise send them home...
 
Originally posted by JdS
In your purchase.php, you could validate a few basic things first before you show anything:

1. that it has a referring page.
2. that the referring page is on Paypal.
3. that the session variables are registered.

otherwise send them home...

Hmm...That's the first interesting thing I've heard. Now, how would I validate that they just came from Paypal and if not...send them home?

Thanks ogre2
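The three checks JdS lists, written out as a gate at the top of purchase.php (an added example, not zoobie's or JdS's code; it assumes the session keys from the verify page above and an index.php as the "home" page). Note that the Referer header is sent by the browser and can be left out or altered, so this only stops the copy-the-URL shortcut; confirming the payment server-side, for example with the IPN the thread mentions, is what actually ties access to a completed payment.

```php
<?php
// Gate for purchase.php: referer present, referer on paypal.com, session complete.
// Assumptions: session keys match verify.php; /zoobie/index.php is the home page.
session_start();

function referer_is_paypal(?string $referer): bool {
    if ($referer === null || $referer === '') {
        return false;                       // check 1: a referring page must exist
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if ($host === null || $host === false) {
        return false;                       // unparseable or host-less value
    }
    $host = strtolower($host);
    // check 2: host must be paypal.com itself or a subdomain of it;
    // a plain substring match would accept e.g. paypal.com.example.net
    return $host === 'paypal.com' || substr($host, -11) === '.paypal.com';
}

function session_is_complete(array $session): bool {
    // check 3: every variable verify.php stores must be registered
    foreach (['receiver', 'pic', 'comments'] as $key) {
        if (!array_key_exists($key, $session)) {
            return false;
        }
    }
    return true;
}

function send_home(): void {
    header('Location: /zoobie/index.php');   // assumed home page
    exit;
}

if (!referer_is_paypal($_SERVER['HTTP_REFERER'] ?? null)
    || !session_is_complete($_SESSION)) {
    send_home();                            // "otherwise send them home"
}

// Consume the session so reloading this page does not hand out the item again.
$pic = $_SESSION['pic'];
$_SESSION = [];
session_destroy();

// ... serve the purchased graphic ($pic) here ...
?>
```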
 