passback from 2CO .. how to know?
salehwar 07-11-2004, 04:38 PM Hi,
Please, I want PHP code that can be used to verify that the passback to my site was initiated by 2Checkout.
There is one in 2CO, but it's in Perl. I want it in PHP, please.
Thank you
Sharif 07-11-2004, 10:53 PM I don't know it myself but PHP code for it exists! Try contacting 2CO for it.
Burhan 07-12-2004, 02:45 AM // Hosts the passback is expected to come from
$valid_domains = array("www.2checkout.com", "2checkout.com", "www2.2checkout.com");
$invalid = false;
if ($_SERVER['HTTP_REFERER'] != "")
{
// Compare only the host part of the Referer URL against the list
$bits = parse_url($_SERVER['HTTP_REFERER']);
if (!in_array($bits['host'],$valid_domains)) { $invalid = true; }
}
$invalid = true;
if ($invalid) { echo "Referer doesn't match"; }
salehwar 07-12-2004, 03:28 AM Thank you a lot
salehwar 07-12-2004, 06:19 AM I tried your code, but it always executes the command echo "Referer doesn't match";
I don't know why?!
armadillo 07-12-2004, 06:24 AM Does the domain that is being passed back from (the 2 checkout domain) match the ones that are listed in the first array of the code?
salehwar 07-12-2004, 06:28 AM It is:
https://www.2checkout.com/cgi-bin/crbuyers/recpurchase1.2c
Burhan 07-12-2004, 06:30 AM Take out the $invalid = true; line before the if() condition.
xelav 07-12-2004, 07:03 AM IMO there is no sense in checking HTTP_REFERER, because this environment variable is generated by the browser, and a "hacker" can change it as he wants.
barrywien 07-12-2004, 07:14 AM It's a superglobal, so it can't be hacked.
$_SERVER['HTTP_REFERER']
http://www.php.net/manual/en/reserved.variables.php
salehwar 07-12-2004, 07:58 AM What is the best way?
barrywien 07-12-2004, 08:00 AM Use the code fyrestrtr has mentioned; it will work. Getting into passback is not a simple task; it requires a lot of time and effort to get it working the way you require, but once it works, it works well!
Burhan 07-12-2004, 08:22 AM Originally posted by barrywien
It's a superglobal, so it can't be hacked.
$_SERVER['HTTP_REFERER']
http://www.php.net/manual/en/reserved.variables.php
This is a very wrong way of thinking. Just because a variable is a super-global doesn't mean that it can't be compromised.
HTTP_REFERER is set by the browser. Some browsers allow you to change/customize this setting. Any competent programmer can send you a fake HTTP_REFERER header by simply opening a socket to your server.
salehwar 07-12-2004, 11:53 AM I took out $invalid = true;
and then it works. But I tried using my browser with FILENAME.php?credit_card_processed=Y
and "Referer doesn't match" doesn't appear; it continues as if the browser came from the 2checkout site.
So there is something wrong in the code.
Burhan 07-12-2004, 12:32 PM I don't think you understand how referer works.
Replace all the code with echo "<pre>"; print_r($_SERVER['HTTP_REFERER']); echo "</pre>"; to find out what actually is in the array.
lwknet 07-13-2004, 03:40 PM I've never seen anyone checking HTTP_REFERER for serious stuff...
I do not use 2CO myself, but I do believe in the POST there will be some params you can specify on the 2CO website to validate that it comes from 2CO and not others. Validating using IPs is also nonsense, since IPs can be spoofed just like HTTP_REFERER.
PayPal does this in a more robust way: you receive the notification from PayPal, POST it back to PayPal, and PayPal will send you a status code like OK/FAILED.
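The postback-to-provider pattern lwknet describes, written out as an added PHP example that is not from this thread and not 2CO's or PayPal's own code. It replaces the Referer check from earlier in the thread, which a client can set to anything, with a question only the provider can answer. The verification URL, the extra `cmd` field, the `VERIFIED` reply string and the `order_id`/`total` field names are all assumptions standing in for whatever your provider documents.

```php
<?php
// Added example: confirm a payment notification by posting the received fields
// back to the provider and trusting only the provider's own answer.
// Assumed for illustration: the verify URL, the 'cmd' => '_notify-validate'
// flag, the 'VERIFIED' reply and the 'order_id' / 'total' field names.

function verify_notification_by_postback(array $posted, string $verify_url): bool
{
    // Send back exactly the fields we received, plus the flag the provider
    // expects on a verification request (name and value assumed here).
    $body = http_build_query(array_merge($posted, ['cmd' => '_notify-validate']));

    $ch = curl_init($verify_url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the reply is the proof, so keep TLS checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
    ]);
    $reply  = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    // Transport failure, timeout or a non-200 status all count as "not verified".
    if ($reply === false || $status !== 200) {
        return false;
    }
    return trim($reply) === 'VERIFIED';
}

// A verified notification only proves the provider sent it. The application
// must still check that it describes the order and amount it is waiting for,
// otherwise a genuine notification for a cheaper order could be replayed.
function notification_matches_order(array $posted, string $expected_order_id, string $expected_total): bool
{
    return isset($posted['order_id'], $posted['total'])
        && hash_equals($expected_order_id, (string) $posted['order_id'])
        && (string) $posted['total'] === $expected_total;
}

// Usage inside the passback script. The expected values come from your own
// order store; the literals below are constructed placeholders.
function handle_passback(array $posted, string $verify_url): bool
{
    $expected_order_id = 'ORDER-12345'; // placeholder: look up from your database
    $expected_total    = '19.99';       // placeholder: the amount you recorded at checkout

    return verify_notification_by_postback($posted, $verify_url)
        && notification_matches_order($posted, $expected_order_id, $expected_total);
}

if (PHP_SAPI !== 'cli' && $_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!handle_passback($_POST, 'https://provider.example/verify')) { // assumed URL
        http_response_code(400);
        exit('Notification not verified');
    }
    // Only now mark the order as paid.
}
```

Two design points worth keeping when adapting this: the postback goes to a URL you hard-code from the provider's documentation, never to anything taken from the incoming request, and the amount is compared as the exact string you stored at checkout rather than as a float, so a notification for the wrong amount cannot slip through rounding.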