making sure user gets the same values when they refresh - PHP Development

  1. #1

    making sure user gets the same values when they refresh

    hi group!

    I am new to PHP and so far managed to find my answers by searching
    this group instead of posting repeating questions, but I don't know
    what to search for to get answer to this question:

    I want to sell pin numbers.
    I have a script called display.php that gets a pin number from MySQL
    database table, displays it in the browser and deletes the row it got
    that pin from in the database table.
    To get to that, the user has to go through a credit card verification
    script getpaid.php, which contacts the bank and confirms that the card
    has available funds and then runs my display.php and tells it via POST
    that it is ok to display the pin number. If the script is run directly
    by typing its address in the browser, it will redirect the user to
    getpaid.php because it won't have the required POST data passed to it.

    The problem is that after the user gets the pin from display.php and
    refreshes the page, the script will run again and as the value that has
    been sold first time has already been deleted, it will take the next
    pin number in the database and display it to the user again. That is
    something I don't want to happen. I want the user to get the same pin
    number that it got the first time every time they refresh the page.

    The only solution I can come up with is to generate a randomly named
    html document with the pin number, something like
    ipwhf2ji3op5wlsj7vxz.htm and relocate the user's browser to that
    document. Can anyone advise me of a better solution?
    droog Guest

  2. #2

    Re: making sure user gets the same values when they refresh



    > I am new to PHP
    >
    > To get to that, the user has to go through a credit card verification
    > script getpaid.php, which contacts the bank and confirms that the card
    > has available funds
    I hope you are not too new to PHP that you are fully aware of the security
    implications of your work with this sort of application. I'm not trying to
    be patronising, just pointing out that application security generally
    requires experience, because you should be aware of all the things that
    can go wrong or ways in which data can be faked. I hope that's not an
    unfair comment.

    > The problem is that after the user gets the pin from display.php and
    > refresh the page, the script will run again and as the value that has
    > been sold first time has already been deleted, it will take the next pin
    > number in the database and display it to the user again. That is
    > something I don't want to happen. I want the user to get the same pin
    > number that it got the first time every time they refresh the page.
    The usual solution is to issue a header containing a 301 redirect to a new
    page immediately the post transaction has been verified and completed. The
    user won't even know that they're being redirected, but it guarantees that
    pressing refresh won't repeat the transaction.

    I don't have a working example to hand, but I hope this gives you enough
    to go on.


    Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
    www.lucas-smith.co.uk

    Senior Computing Technician (Web Technician)
    Department of Geography, University of Cambridge (01223 3)33390

    & Webmaster, SPRI
    Scott Polar Research Institute, University of Cambridge


    Martin Lucas-Smith Guest

  3. #3

    Re: making sure user gets the same values when they refresh

    Martin Lucas-Smith <mvl22cam.ac.uk> wrote in message news:<Pine.SOL.4.44.0308271530590.13210-100000orange.csi.cam.ac.uk>...
    > > I am new to PHP
    > >
    > > To get to that, the user has to go through a credit card verification
    > > script getpaid.php, which contacts the bank and confirms that the card
    > > has available funds
    >
    > I hope you are not too new to PHP that you are fully aware of the security
    > implications of your work with this sort of application. I'm not trying to
    > be patronising, just pointing out that application security generally
    > requires experience, because you should be aware of all the things that
    > can go wrong or ways in which data can be faked. I hope that's not an
    > unfair comment.
    Oh, yeah, I won't be dealing with the security stuff myself, I know
    I'm not ready for it. I'll have the user redirected to my bank's
    website and it will then process their credit card details and return
    either yes or no to my script, which is rather ugly as my website and
    bank's website will have different designs, but I need real-time funds
    deduction and I don't know if it's even possible without involving the
    bank, and I better go the safer way, as I only touched PHP two weeks
    ago for the first time.
    > > The problem is that after the user gets the pin from display.php and
    > > refresh the page, the script will run again and as the value that has
    > > been sold first time has already been deleted, it will take the next pin
    > > number in the database and display it to the user again. That is
    > > something I don't want to happen. I want the user to get the same pin
    > > number that it got the first time every time they refresh the page.
    >
    > The usual solution is to issue a header containing a 301 redirect to a new
    > page immediately the post transaction has been verified and completed. The
    > user won't even know that they're being redirected, but it guarantees that
    > pressing refresh won't repeat the transaction.
    Thanks, Martin, I'll work in this direction then.
    > I don't have a working example to hand, but I hope this gives you enough
    > to go on.
    >
    >
    > Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
    > www.lucas-smith.co.uk
    >
    > Senior Computing Technician (Web Technician)
    > Department of Geography, University of Cambridge (01223 3)33390
    >
    > & Webmaster, SPRI
    > Scott Polar Research Institute, University of Cambridge
    droog Guest

  4. #4

    Re: making sure user gets the same values when they refresh



    "droog" <pelmeshkinhotmail.com> wrote in message
    news:bc4396a3.0308271623.2aacfd37posting.google.com...
    > Martin Lucas-Smith <mvl22cam.ac.uk> wrote in message
    > news:<Pine.SOL.4.44.0308271530590.13210-100000orange.csi.cam.ac.uk>...

    [snip]
    > > I hope you are not too new to PHP that you are fully aware of the security
    > > implications of your work with this sort of application. I'm not trying to

    [snip]
    > Oh, yeah, I won't be dealing with the security stuff myself, I know
    > I'm not ready for it. I'll have the user redirected to my bank's
    I think by security here Martin was also referring to the security of your
    application as a whole.
    Your business is selling these "pins", so this data must be protected, your
    challenge is to ensure your script is secure in that it does not contain code
    that would allow an attacker to compromise your pin database or worse.

    > website and it will then process their credit card details and return
    > either yes or no to my script, which is rather ugly as my website and
    > banks website will have different designs, but I need real-time funds
    > deduction and i don't know if its even possible without involving the
    There is nothing wrong with this. I know some people comment that the change
    in layouts scares customers, well, I don't know, I haven't found this. But
    pushing the cc processing onto a third-party means the burden of protecting
    card numbers is not wholly on your shoulders, it also means you may not need
    an SSL on your site.

    [snip]

    Thanks,
    Mark
    ---------------------------------------------------------------------------
    Windows, Linux and Internet Development Consultant
    Email: corporatescriptsmiths.com
    Web: http://www.scriptsmiths.com
    ---------------------------------------------------------------------------
    > >
    > >
    > > Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
    > > www.lucas-smith.co.uk
    > >
    > > Senior Computing Technician (Web Technician)
    > > Department of Geography, University of Cambridge (01223 3)33390
    > >
    > > & Webmaster, SPRI
    > > Scott Polar Research Institute, University of Cambridge

    Mark Hewitt Guest

  5. #5

    Re: making sure user gets the same values when they refresh


    "droog" <pelmeshkinhotmail.com> wrote in message
    news:bc4396a3.0308270122.21de9e8aposting.google.com...
    > hi group!
    [snip]
    > The problem is that after the user gets the pin from display.php and
    > refresh the page, the script will run again and as the value that has
    > been sold first time has already been deleted, it will take the next
    > pin number in the database and display it to the user again. That is
    > something I don't want to happen. I want the user to get the same pin
    > number that it got the first time every time they refresh the page.
    >
    I might try something like this, if I understand correctly what you are
    trying:

    1. display.php
    Purpose: select a PIN for user to purchase

    Here you want to reserve one for the user, and maybe display it to him, but
    if the pin is a number, and this number is what you are selling, like the PIN
    number of mobile phone pre-paid vouchers here in South Africa, then you can't
    display it until he's paid!!
    But you must reserve one.... so...

    a) Generate a unique tag, *don't* rely on time(), remember two people could
       make the purchase at the same time, the server executing the code in the
       same second.
    b) Write this unique tag to the record of the PIN that is free
    c) Use this as the transaction reference for your post to payment gateway
    d) Use cURL or something similar to initiate the POST to the bank's payment
       page, this ensures you do not expose the transaction id (tag).

    2. <bank step>

    3. bank_callback.php
    Purpose: Script the bank executes after success/failure of cc transaction

    Here you check the bank's response code, if it is failure, display "sorry,
    you lose" page!
    If it's success:

    a) make sure bank's transaction reference exists in your pin database
    b) if it does:
       i) remove the pin record
       ii) display the pin to the user
    c) else, if not:
       i) display an error of an invalid transaction, don't print transaction
          id, etc, keep these things secret.
       ii) write this to a log file _outside_ your document root, include the
           transaction id and other information so you can follow up on it
           later, it could be a valid problem for a valid customer, or an
           attempt to "hack" your site.


    That's the general idea, of course the actual implementations, etc depend on
    the exact nature of your product, which banking gateway you use, etc etc etc
    ad nauseam.

    Thanks
    Mark
    ---------------------------------------------------------------------------
    Windows, Linux and Internet Development Consultant
    Email: corporatescriptsmiths.com
    Web: http://www.scriptsmiths.com
    ---------------------------------------------------------------------------

    [snip]




    Mark Hewitt Guest
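
The flow suggested in replies #2 and #5 (reserve a PIN under a unique tag, confirm it on the bank callback, then redirect so a refresh cannot repeat the transaction), as an added example that is not code from any poster in the thread. The `pins` table layout, the function names and `receipt.php` are assumptions; it uses in-memory SQLite so it runs stand-alone, marks the PIN as paid instead of deleting it so a refresh can show the same value, and redirects with 303 See Other.

```php
<?php
// Added example. Table layout, function names and receipt.php are assumptions.

// display.php step: attach an unguessable tag to one free PIN.
function reserve_pin(PDO $db): ?string {
    $tag = bin2hex(random_bytes(16));   // not time(): unique and unguessable
    // SQLite form; MySQL would use UPDATE ... WHERE tag IS NULL LIMIT 1.
    $st = $db->prepare('UPDATE pins SET tag = :tag WHERE tag IS NULL AND id =
        (SELECT id FROM pins WHERE tag IS NULL ORDER BY id LIMIT 1)');
    $st->execute([':tag' => $tag]);
    return $st->rowCount() === 1 ? $tag : null;   // null means sold out
}

// bank_callback.php step: repeating it for the same tag changes nothing.
function confirm_payment(PDO $db, string $tag): bool {
    $st = $db->prepare('SELECT id FROM pins WHERE tag = :tag');
    $st->execute([':tag' => $tag]);
    $id = $st->fetchColumn();
    if ($id === false) {
        // Unknown reference: record it in the server log, tell the user nothing.
        error_log('unknown transaction reference: ' . $tag);
        return false;
    }
    $db->prepare('UPDATE pins SET paid = 1 WHERE id = :id')->execute([':id' => $id]);
    return true;
}

// receipt.php step: read-only, so every refresh returns the same PIN.
function pin_for_tag(PDO $db, string $tag): ?string {
    $st = $db->prepare('SELECT pin FROM pins WHERE tag = :tag AND paid = 1');
    $st->execute([':tag' => $tag]);
    $pin = $st->fetchColumn();
    return $pin === false ? null : (string) $pin;
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pins (id INTEGER PRIMARY KEY, pin TEXT, tag TEXT UNIQUE, paid INTEGER DEFAULT 0)');
$db->exec("INSERT INTO pins (pin) VALUES ('1111-2222'), ('3333-4444')");

$tag = reserve_pin($db);
var_dump(pin_for_tag($db, $tag));          // reserved but unpaid: not released
confirm_payment($db, $tag);
// In bank_callback.php: $_SESSION['tag'] = $tag;
//                       header('Location: receipt.php', true, 303); exit;
$first = pin_for_tag($db, $tag);
confirm_payment($db, $tag);                // duplicate callback or resubmitted POST
var_dump($first === pin_for_tag($db, $tag));
var_dump(confirm_payment($db, 'bogus'));   // unknown reference is rejected and logged
```

Keeping the tag in the server-side session rather than in the redirect URL follows the point in reply #5 about not exposing the transaction id.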
