On 11-07-03 04:17 PM, Kirk Bailey wrote:
> ok, here's the deal; we sent someone to the paypal site for their purchase; the site will use the paypal shopping cart. When they come back, there needs to be a way to identify the product and the transaction so they can get the product ONCE. Now for a single purchase, we can just send them to (productname)thankyou.php and attach a magic cookie to the url as a query string. this magic cookie can only be used once. THIS WILL NOT WORK IF WE USE THE FULL SHOPPING CART AND THERE IS MORE THAN ONE PRODUCT TO DOWNLOAD, it only works with a buynow button for one only product. This kind of functionality, if worked out in detail, will lend itself to being adapted to MANY sorts of Eproducts, so I think there's an argument to be made that this is of benefit to a significant segment of the php community. Well, at least them of us who like to get paid reliably, and not get ripped off.
Isn't this broken from the get-go? You don't know for certain that they made the purchase until you get the IPN and verify the IPN. This is why many sites send a URL once the transaction clears.
> A ROUGH STAB AT HOW TO DO IT FOR SINGLE ITEMS
> As for one time only with buynow buttons: Send the customer to paypal with a cookie from the top of a list. When they come back, read the list's first entry. If it's there, make the download link available. the download is in a secured directory, a la Apache's directory securing methods. GIVE THEM THE PASSWORD. The user name is the magic cookie; tell them this. When they go to that page, apache demands the user name and password, which they give, and the page then (thanks to the query string having the item name) makes a download link available. This page also deletes that magic cookie from the list of them, so it can never be used again.
This is also broken... once logged in I can change the name of the item to download. At the very least add a salted MD5 or SHA1 verification to the URL.
Cheers,
Rob.
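Added example, not part of the original thread: one way to implement the two points raised in the reply, issuing a one-time token only after the IPN for the sale has been verified and binding the item name into the URL with a keyed hash. It uses HMAC-SHA256 in place of the salted MD5/SHA1 mentioned above; the secret, function names, URL and the in-memory token store (a database table in practice) are assumptions for illustration.

```php
<?php
// Hypothetical server-side secret (constructed placeholder); never sent to the client.
const DOWNLOAD_SECRET = 'replace-with-a-long-random-server-side-secret';

// Build a download link in which item and token are bound together by an HMAC,
// so changing either one in the query string invalidates the signature.
function make_download_url(string $base, string $item, string $token): string
{
    $sig = hash_hmac('sha256', $item . "\n" . $token, DOWNLOAD_SECRET);
    return $base . '?' . http_build_query(
        ['item' => $item, 'token' => $token, 'sig' => $sig]
    );
}

// Check the signature, then consume the token exactly once.
// $issued maps token => item and is filled only after the IPN was verified.
function redeem(array $query, array &$issued): ?string
{
    $item  = $query['item']  ?? '';
    $token = $query['token'] ?? '';
    $sig   = $query['sig']   ?? '';
    if (!is_string($item) || !is_string($token) || !is_string($sig)) {
        return null;                      // array-valued parameters are refused
    }
    $expected = hash_hmac('sha256', $item . "\n" . $token, DOWNLOAD_SECRET);
    if (!hash_equals($expected, $sig)) {
        return null;                      // item or token was altered in the URL
    }
    if (!isset($issued[$token]) || $issued[$token] !== $item) {
        return null;                      // unknown token, already used, or other product
    }
    unset($issued[$token]);               // one-time: delete before serving the file
    return $item;
}

// Demo with constructed values.
$issued = [];
$token  = bin2hex(random_bytes(16));      // unguessable, unlike an entry taken from a list
$issued[$token] = 'ebook-one';            // recorded once the IPN for this sale is verified
$url = make_download_url('https://shop.example/download.php', 'ebook-one', $token);
parse_str(parse_url($url, PHP_URL_QUERY), $q);

var_dump(redeem(['item' => 'ebook-two'] + $q, $issued)); // case 1: item name changed
var_dump(redeem($q, $issued));                           // case 2: untouched link, first use
var_dump(redeem($q, $issued));                           // case 3: same link used again
```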