Masking Or Redirecting Url In .htaccess

[podarum]

Hi, I'm in dire need for help.I'm trying to direct users if they came from paypal.com to one of my sites and if they did not come from paypal.com to another site.. I tried the $_SERVER and for some weird reason that didn't work, all my users were going to the not paypal.com site, even if they did come from there.. I'm hoping someone knows any other way or how this can be done in .htaccess..This is the code I used for $_SERVER :

<?phpif (1==(preg_match('#http(|s)://([a-z]+\.)*paypal\.com/#', $_SERVER['HTTP_REFERER'])){header ("Location: http://www.aaaa.ca/process5.php");}else {header ("Location: http://www.aaaa.ca/Disagree.html");}?>

Or even

<?phpif (1 == preg_match('#http(|s)://([a-z]+\.)*paypal\.com/#', $_SERVER['HTTP_REFERER'])){echo "<body onload=\"document.location.href='http://www.aaaa.ca/process5.php'\">";}else {echo "<body onload=\"document.location.href='http://yahoo.com'\">";}?>

[justsomeguy]

Print out the referer header to see what it actually is. The referer header is the only way to find out where they came from, but not all browsers may send it, some security software removes it, and it never gets sent when you go from HTTPS to HTTP.

[podarum]

how would I go about getting the referer header ? Do you know how I can achieve this in .htaccess ?

[justsomeguy]

htaccess isn't going to do anything that you can't do in PHP. The referer header is $_SERVER['HTTP_REFERER'], print that out to see what it actually is when you come from PayPal.

[podarum]

Ok...So I just insert this code (below) to my output page from paypal ?

<?phpprint  $_SERVER['HTTP_REFERER']?>

The other thing is, that I've heard that using $_SERVER['HTTP_REFERER'] is not so reliable as is .htaccess..could that be a reason for chosing one over the other?

[justsomeguy]

Both PHP and Apache have access to the same referer header, you aren't going to get different values in PHP vs. htaccess. htaccess is more useful than PHP for other things, but you're just dealing with a request header here, which is going to have the same value no matter where you access it.

[podarum]

I got you. See I did not know that.. ThanksAs for my other question is doing the print $_SERVER[HTTP_REFFERER] part what I should do and then post what I get back ? Like what should I be looking for... I don;t have access to my web host at this moment, I woun't be able to do it until later tonight.

[justsomeguy]

Yeah, create a page that just prints the referer like that. Since the code you posted is checking the referer to decide where to redirect, verify that the referer is non-empty and contains "paypal.com".

[podarum]

OK I'm back... I put up the page linked from PayPal with just simply <? print php $_SERVER['HTTP_REFERER'] ?> and I got a blank page back ... unless I have to look somewhere else...

[justsomeguy]

I'm not sure if that was a typo, but the code should be this:<?php print $_SERVER['HTTP_REFERER']; ?>You can also do this:<?php var_dump($_SERVER['HTTP_REFERER']); ?>or, to see the entire $_SERVER array:

<pre><?php var_dump($_SERVER); ?></pre>

[podarum]

OK,doing <?php print $_SERVER['HTTP_REFERER']; ?> I got a blank page.doing <?php var_dump($_SERVER['HTTP_REFERER']); ?> I got the word "NULL"and for :

<pre><?php var_dump($_SERVER); ?></pre>

I got the whole dump, what should I be looking for?

[justsomeguy]

If it's null then it's simply undefined, that means the browser didn't even send a referer header. You can look through the rest of the $_SERVER array to see if you can find something identifying that they came from PayPal, but I don't think there's going to be anything there. You might want to have PayPal link to a HTTPS URL on your site instead of HTTP, and see if the referer gets sent that way. Like I said, the referer never gets sent if you go from HTTPS to HTTP. I assume the PayPal page is going through HTTPS.

[podarum]

Ahhh, very good my friend I think we're on to something here... I beleive PayPal is running wiht Https, now my questions are:1) How can I change a page from http to https on my site. and.2) I need to get back to a process page that is http (I suppose I can make it https)3) I'm basically trying to make Process Page avaialble to only those that confirmed a successfull payment through PayPal, and I don't want them to be able to view that page if they come from anywhere else including typing in the [url="http://www....."]http://www.....[/url]. what will be available is a page that is full of information with SESSIONS from the Form that the user started off along other things.. So like the USer types in Age=68, then go to PayPal and through a series of Fails/Successful payment, then the user would see a process page Age=68, is Hgh Risk or something like that.

[justsomeguy]

Just try to access the page via https, if it shows up then it's working. If not, you may need to install an SSL certificate or enable security for the file or directory. Your host should be able to help with that.

I need to get back to a process page that is http (I suppose I can make it https)

You don't need http for anything, it's the same as https except the communication is sent in plain text instead of encrypted.

[podarum]

I don't know now... I'm also looking at using iFrames in my process page, this way I'll let PayPal direct the success/fail page to it and the user can't see the URL (preventing him from typing it in without paying). The only thing he'll see is the frame URL.. I don't even know if that'll work with SESSIONS and php...

[justsomeguy]

That's not going to work, you can't load a page into a frame on an external page that isn't open yet. You can't send a request to open one page that contains a frameset, and then another request to load another page inside one of the frames on that page. PayPal would need custom coding just to work with your specific setup.You can always just set a session value when you redirect the user to PayPal, and check for the session value on your processing page. If it's not there, then they didn't go through your process.

[podarum]

I know I've thought of that, but maybe I looked at it the wrong way. The session value would be set on user's form before they hit Paypal and now he has it, so once he checks the URL to the process page, that page would recognize it and open..being able to bypass the PayPal process... maybe I'm not seeing something here, but how can I intergrate this into PayPal? so the user has this session value only if it came form paypal?

[justsomeguy]

PayPal will send data to the processing page. If they get to the processing page and have the session value but there is no data from PayPal, then they didn't come from PayPal.

[podarum]

You're talking about using IPN with PayPal? right now I'm using Auto Return

[justsomeguy]

Does PayPal not send anything? If you use var_dump with $_POST is there nothing there?

[podarum]

Good question... I'll try it and see...let you know once I get it. I can always use PayPal's IP address, the only problem is it has more than one, and they change often.

[podarum]

Ok, I came up with an idea.... Once the customer pays, he has to press the 'Return to Merchant' button (or something like 'Return to Company ABC').. all this shows up in the return URL something like this..... How can I put in a code that says if the the URL has the 'merchant_return_link=Return+to+CompanyABC, then allow user to see process5.php if not Dismiss.php .... I'm thinking the only way to validate if the customer came from that 'paid' page, because it's really the last page of te PayPal process, technically the customer finalized his pay..Thanks

[justsomeguy]

That's just another URL check, if you want to do that you can find that data in $_GET. But someone can just type that also, or copy and paste the link and give it to someone else. The best way to validate is to get PayPal to send data back to your site other than in the query string. Check the PayPal documentation and see if there's a process that does that.