PayPal Purchase Validation
When a purchase is made via PayPal, the buyer is generally returned to a download or other purchase confirmation page. Should the URL of that page be obtained by the unscrupulous, product may be lost to theft.
PayPal provides several purchase validation methods that require some programming expertise to set up.
If you have insufficient programming experience and prefer not to hire someone right now to do it for you, there is another way: validation with a cookie.
It's not as secure as what PayPal provides. Get better validation when you have the time and funds to do so. Still, the cookie method is better than no validation at all, which is why I'm going to show you how to do it.
I made implementation as easy as I possibly could.
When the buyer clicks the Buy Now button, a cookie is set in the browser before it goes to PayPal. When the browser returns from PayPal and lands on the after-purchase thank-you page, the presence of the cookie validates the purchase. The cookie's absence blocks delivery of the product.
The system can be bypassed by clicking the Buy Now button and then, without actually paying for the product, just going to the download page. Yet, it is better than letting non-buyers go straight to the download page with no purchase validation at all.
The cookie method is intended to thwart casual thieves, not the persistent, skilled, or professional. This same method may be applied to purchases made via other payment gateways.
Implementing Cookie Purchase Validation
Part I - Setting the cookie (before PayPal)
Step 1.
Somewhere in the source code of the web page containing the PayPal Buy Now button, insert the JavaScript in the box below. It can be in the HEAD area or in the BODY area. It may also be imported into the web page from an external file.
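<script type="text/javascript">
function SetPayPalPurchaseCookie() {
   var CookieName = "PayPalPurchase"; // Cookie's name
   // Session cookie (no expiry) holding the URL of this page.
   // encodeURIComponent replaces the deprecated escape().
   document.cookie = CookieName + "=" + encodeURIComponent(document.URL) + "; path=/";
   return true; // Let the form submission continue to PayPal
}
</script>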
Note: If you change the cookie's name in the JavaScript, a corresponding change needs to be made as noted in Part II of Implementing Cookie Purchase Validation.
Step 2.
A bit of code needs to be inserted into the Buy Now button form's action tag.
Here is the code of an example Buy Now form.
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="85NQZ5T78S7EG">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
The Buy Now button form's action tag is the first line of the above code. You'll be inserting something between the word "form" and the word "action".
This is what to insert:
onsubmit="return SetPayPalPurchaseCookie()"
When the above code is inserted into the Buy Now button form's action tag, the code of the Buy Now form will look like this (using the previous example).
<form onsubmit="return SetPayPalPurchaseCookie()" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="85NQZ5T78S7EG">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
Part I is now complete.
Part II - Reading the cookie (after PayPal)
The after-purchase thank-you page needs to be a PHP web page. The cookie read can be done with JavaScript instead of PHP. But with JavaScript it could be obvious to anyone looking at the web page source code that a cookie is required to get the product.
Therefore, let's make the after-purchase thank-you page a PHP web page.
Three code snippets need to be inserted into the page.
Snippet 1.
The PHP code in the box below needs to be inserted somewhere toward the top of the source code of the after-purchase thank-you page, perhaps in the head area or above the <html> tag.
<?php
$CookieName = "PayPalPurchase"; // Cookie's name
// True when the cookie exists and its value (a URL) begins with "http"
$Authenticated = (isset($_COOKIE[$CookieName]) and strpos($_COOKIE[$CookieName],'http')===0) ? true : false;
?>
Note: If you change the cookie's name in the above PHP code, a corresponding change needs to be made to the cookie name in the JavaScript as noted in Part I of Implementing Cookie Purchase Validation.
Snippet 2.
The PHP code in the box below needs to be inserted at the location in the after-purchase thank-you page where the after-purchase content is to be published (needs to be somewhere below where snippet 1 was inserted).
<?php if( $Authenticated ): ?>
The content to publish if the browser has the cookie.
<?php endif; ?>
Replace "The content to publish if the browser has the cookie." with whatever content you want to publish for those who have completed the purchase.
Snippet 3.
The PHP code in the box below needs to be inserted at the location in the after-purchase thank-you page where the after-purchase content is to be published, anywhere above or below snippet 2 (needs to be somewhere below where snippet 1 was inserted).
<?php if( ! $Authenticated ): ?>
The content to publish if the browser does NOT have the cookie.
<?php endif; ?>
Replace "The content to publish if the browser does NOT have the cookie." with whatever content you want to publish for those with browsers that do not have the purchase cookie.
Part II is now complete.
The PayPal purchase validation with a cookie is implemented.
Use
When the Buy Now button is clicked to pay at PayPal, a cookie is set. (The cookie automatically deletes when the browser is closed.)
The download/confirmation page checks to see if the cookie is available. If yes, it provides relevant after-purchase content. If no, it provides other content.
The system has the fault that a cracker may determine that a cookie is used for validation. The system is not intended to stop the persistent, skilled, or professional.
If no validation is currently done, the cookie validation is an improvement. Don't let them grab your product unless the browser has the purchase cookie.
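A tighter variant of the same cookie idea, added here as an example and not part of the original article: the server issues a signed, time-limited value, so a cookie typed in by hand fails the check. It assumes the Buy Now page is also a PHP page; the function names, the secret and the one-hour lifetime are hypothetical choices. Like the article's version, it still does not confirm that payment was made.

```php
<?php
// Added example, not the article's code. Assumes the Buy Now page is PHP,
// so the server (not JavaScript) sets the cookie.
const PURCHASE_COOKIE = 'PayPalPurchase'; // same cookie name the article uses
const TOKEN_MAX_AGE   = 3600;             // assumed lifetime: one hour

// Build "timestamp.nonce.signature"; only the holder of $secret can produce it.
function issue_purchase_token(string $secret, int $now): string
{
    $payload = $now . '.' . bin2hex(random_bytes(16));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// True only for an unexpired token whose signature matches.
function verify_purchase_token(string $token, string $secret, int $now): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return false; // wrong shape, e.g. a plain URL
    }
    [$issued, $nonce, $sig] = $parts;
    $expected = hash_hmac('sha256', $issued . '.' . $nonce, $secret);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return false;
    }
    $age = $now - (int) $issued;
    return $age >= 0 && $age <= TOKEN_MAX_AGE;
}

// Constructed demo values; in real use load the secret from server configuration.
$secret = 'constructed-demo-secret-change-me';
$now    = time();
$token  = issue_purchase_token($secret, $now);

// On the Buy Now page, before any output is sent:
//   setcookie(PURCHASE_COOKIE, $token,
//             ['path' => '/', 'secure' => true, 'httponly' => true]);
// On the thank-you page, in place of the article's snippet 1:
//   $Authenticated = verify_purchase_token(
//       $_COOKIE[PURCHASE_COOKIE] ?? '', $secret, time());

var_dump(verify_purchase_token($token, $secret, $now));                     // freshly issued token
var_dump(verify_purchase_token('https://example.com/buy', $secret, $now));  // hand-made cookie value
var_dump(verify_purchase_token($token, $secret, $now + TOKEN_MAX_AGE + 1)); // token past its lifetime
```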
Will Bontrager