Using PayPal with password-protected page

I’m trying to make a password-protected page for my client’s website, which exists to showcase her artwork and allow people to buy any of it using PayPal. The protected page will serve to feature some of her work that most people may find offensive, and she only wants it to be viewed by people she gives the password to. Of course it would be easier to just not link to the page from the website and give people the direct URL instead, but I guess that wouldn’t be as fancy.

Obviously I used a basic IF statement to check if the password is correct, but the problem is with PayPal. When I click the “Add to cart” button below any of the items and I’m brought to the shopping cart on PayPal, then click the button that says “Continue shopping”, it brings me back to the page and I have to enter the password all over again.

Here’s what I’ve come up with, to no avail:

[php]
if ($_POST['password'] == "blahblahblah" || strpos($_SERVER['HTTP_REFERER'], "https://www.paypal.com/") !== FALSE) {
    // Display content.
} else {
    // Display error message.
}
[/php]

Any ideas?

Your problem is that paypal is redirecting you back to the posted page? So it would require you to re-post the form after paypal redirects?

Exactly.

So instead of using $_POST why not just use $_GET? Would paypal redirect back including the query string? e.g. http://www.domain.com/secret.php?password=X

You mean put the password in the URL? Would that be the most secure option?

I don’t know how secure you really need it, but you could even encode the password in the URL. If you set up your form to use “GET” instead of “POST” and it works with paypal I can show you how to secure the password in the URL.

Would you mind providing an example of the code for that solution? I’m not sure that I completely understand.

I thought of using a session instead, but that didn’t work out either. Unless I did it wrong.

Here is an example of what I mean. I included an md5 encoding of the password (there are many other options available). What happens is you POST the form, it encodes the password field, and redirects changing to a GET variable. From there you authenticate the GET variable.

If paypal redirects to ?password=HASH you should have a working script

[php]
<?php
$password   = 'blahblahblah';              // this is the required password
$token      = 'YEja37guzeBARex6';          // this is a random token, it can be anything
$valid_hash = md5($token . $password);     // this is the md5 hash that must match

// the password was hashed and passed in the url, let's verify that it matches $valid_hash
if (isset($_GET['password'])) {
    // constant-time comparison instead of ==, which in PHP is a loose comparison
    if (hash_equals($valid_hash, (string) $_GET['password'])) {
        echo "The password is valid.";
    } else {
        exit("Incorrect Password.");
    }
}
// the form was submitted, let's hash the password for $_GET
else if (isset($_POST['password'])) {
    $password = md5($token . $_POST['password']);   // hash the password
    // use a header redirect to change $_POST to $_GET
    header('Location: ' . $_SERVER['PHP_SELF'] . '?password=' . $password);
    exit;   // nothing below should run once the redirect has been sent
}
?>
Password:
<form method="post">
    <input type="password" name="password">
    <input type="submit" value="Login">
</form>
[/php]

That looks good, but… is there a simpler solution?

FYI - The page that asks for the password is an HTML document, then the form submits the info to a PHP document that verifies the password and displays the content (or not).

You might be able to use sessions but I’m not familiar with paypal. If you post the code you used with sessions there could be something wrong.

Here’s what I tried. Didn’t work. Then again I’m not really experienced with Sessions… or PHP for that matter.

[php]
if ($_POST['password'] == "blahblahblah") {
    session_start();
    $_SESSION['verified'] = 1;
}

if ($_SESSION['verified'] == 1) {
    // Display content.
} else {
    // Display error message.
}
[/php]

That’s about all there is to it. A much simpler method would be to have an html page that you don’t directly link to. For example

[php]
if (isset($_POST['password']) && $_POST['password'] == 'blahblahblah') {
    // password is valid, redirect to secret html
    header('Location: secret_page.html');
    exit;
}
else {
    // redirect back to login
    header('Location: login.html');
    exit;
}
[/php]

This should give paypal an HTTP_REFERER of the secret_page.html instead of the login.html

It is not as secure because secret_page.html could be accessed directly, but without actually linking to it no one would know the name of your html page. It could be “17e19c0f5b613c4d8e33a003c07b418f.html” for example.

Or maybe include a separate PHP file, and put the form on the PHP page instead of a separate HTML document?

[php]
if ($_POST['password'] == "blahblahblah") {
    include "protected_page.php";
} else {
    include "denied_message.php";
}
[/php]

But I don’t know if that would solve the issue with PayPal.

Actually, there is a problem with your session code. session_start() needs to be above the if statement (it should always be the first line of your PHP file)

Because when paypal redirects back, the $_POST variable will not exist. So $_SESSION[‘verified’] will not exist since you only call session_start() on $_POST

The include would not work because you are still relying on a $_POST variable to be present. Paypal isn’t sending a POST
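The session-based version these replies describe, written out as an added example rather than code from anyone in this thread: session_start() runs before any check, the content is gated on $_SESSION instead of $_POST (so the plain GET that PayPal's "Continue shopping" sends still passes), the password is compared with password_verify() against a stored hash, and the protected markup is assumed to live in ../private/protected_page.php outside the web root so it cannot be fetched directly the way an unlinked .html file could. The file name gallery.php, that path, and the hash placeholder are assumptions.

```php
<?php
// Added example (not from the thread). Assumed file name: gallery.php
// Assumed layout: the protected markup is in ../private/protected_page.php,
// outside the document root, so only this script can serve it.

session_start();                       // first thing, on every request

// Generate the hash once, offline:
//   php -r 'echo password_hash("blahblahblah", PASSWORD_DEFAULT);'
// The value below is a placeholder; paste your own output here.
const PASSWORD_HASH   = '$2y$10$REPLACE_WITH_OUTPUT_OF_password_hash';
const PROTECTED_FILE  = __DIR__ . '/../private/protected_page.php';
const SELF            = 'gallery.php';   // assumed; where redirects land

// 1. Form submitted: verify, then redirect so a refresh does not re-post.
if (isset($_POST['password']) && is_string($_POST['password'])) {
    if (password_verify($_POST['password'], PASSWORD_HASH)) {
        session_regenerate_id(true);   // fresh session id after login
        $_SESSION['verified'] = true;
    } else {
        $_SESSION['error'] = 'Incorrect password.';
    }
    header('Location: ' . SELF);
    exit;                              // never fall through after a redirect
}

// 2. Optional logout link: gallery.php?logout=1
if (isset($_GET['logout'])) {
    $_SESSION = [];
    session_destroy();
    header('Location: ' . SELF);
    exit;
}

// 3. Any other request, including the return from PayPal, is a plain GET
//    with no form data: trust only the session cookie.
if (!empty($_SESSION['verified'])) {
    header('X-Robots-Tag: noindex');   // ask crawlers not to index the gated page
    include PROTECTED_FILE;            // the "Add to cart" buttons live in here
    exit;
}

// 4. Not verified: show the login form (and any error left by step 1).
$error = $_SESSION['error'] ?? '';
unset($_SESSION['error']);
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error !== ''): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="">
    <label>Password: <input type="password" name="password"></label>
    <input type="submit" value="Enter">
</form>
</body>
</html>
```

Because the check in step 3 reads only $_SESSION, it does not matter whether the visitor arrives by submitting the form, by following a bookmark, or by coming back from PayPal; the login form only appears when the session cookie is missing or the visitor logged out. Keeping the real content in PROTECTED_FILE outside the web root is what makes this stricter than the unlinked .html approach, where the file name is the only secret.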

Doing that ruined the password verification.

With your HTML suggestion, would Google be able to index the secret page?

Doing what? Moving session_start() ??

Google bots can only follow links. So long as you never link to secret_page.html it will not be indexed.

Yes, that ruined the password verification.

I think I’ll go with your suggestion of re-directing to an HTML page(s). If the secret page has a static URL and one of the privileged few sees it, they can just bookmark it and view it again in the future, without having to log in repeatedly; and sharing the URL would be no different than sharing the password, anyway.

…unless anyone else has a better solution?

Wait a minute: I have one page on my own website that isn’t linked from anywhere, but when I google my name and the name of the document, it shows up in the results. If I were to search for the name of the site and the exact title of the document, wouldn’t it show up in the results, in the same way?
