making sure user gets the same values when they refresh

hi group!

I am new to PHP and so far managed to find my answers by searching
this group instead of posting repeating questions, but I don't know
what to search for to get answer to this question:

I want to sell pin numbers.
I have a script called display.php that gets a pin number from MySQL
database table, displays it in the browser and deletes the row it got
that pin from in the database table.
To get to that, the user has to go through a credit card verification
script getpaid.php, which contacts the bank and confirms that the card
has available funds and then runs my display.php and tells it via POST
that it is ok to display the pin number. If the script is run directly
by typing its address in the browser, it will redirect the user to
getpaid.php because it won't have the required POST data passed to it.

The problem is that after the user gets the pin from display.php and
refreshes the page, the script will run again and as the value that has
been sold first time has already been deleted, it will take the next
pin number in the database and display it to the user again. That is
something I don't want to happen. I want the user to get the same pin
number that it got the first time every time they refresh the page.

The only solution I can come up with is to generate randomly named
html document with the pin number, something like
ipwhf2ji3op5wlsj7vxz.htm and relocate the user's browser to that
document. Can anyone advise me of a better solution?
Jul 16 '05 #1
4 Replies


> I am new to PHP
>
> To get to that, the user has to go through a credit card verification
> script getpaid.php, which contacts the bank and confirms that the card
> has available funds

I hope you are not too new to PHP that you are fully aware of the security
implications of your work with this sort of application. I'm not trying to
be patronising, just pointing out that application security generally
requires experience, because you should be aware of all the things that
can go wrong or ways in which data can be faked. I hope that's not an
unfair comment.

> The problem is that after the user gets the pin from display.php and
> refreshes the page, the script will run again and as the value that has
> been sold first time has already been deleted, it will take the next pin
> number in the database and display it to the user again. That is
> something I don't want to happen. I want the user to get the same pin
> number that it got the first time every time they refresh the page.


The usual solution is to issue a header containing a 301 redirect to a new
page immediately the post transaction has been verified and completed. The
user won't even know that they're being redirected, but it guarantees that
pressing refresh won't repeat the transaction.

I don't have a working example to hand, but I hope this gives you enough
to go on.
Martin Lucas-Smith www.geog.cam.ac.uk/~mvl22
www.lucas-smith.co.uk

Senior Computing Technician (Web Technician)
Department of Geography, University of Cambridge (01223 3)33390

& Webmaster, SPRI
Scott Polar Research Institute, University of Cambridge
Jul 16 '05 #2

Martin Lucas-Smith <mv***@cam.ac.uk> wrote in message news:<Pi**************************************@orange.csi.cam.ac.uk>...
>> I am new to PHP
>>
>> To get to that, the user has to go through a credit card verification
>> script getpaid.php, which contacts the bank and confirms that the card
>> has available funds
>
> I hope you are not too new to PHP that you are fully aware of the security
> implications of your work with this sort of application. I'm not trying to
> be patronising, just pointing out that application security generally
> requires experience, because you should be aware of all the things that
> can go wrong or ways in which data can be faked. I hope that's not an
> unfair comment.


Oh, yeah, I won't be dealing with the security stuff myself, I know
I'm not ready for it. I'll have the user redirected to my bank's
website and it will then process their credit card details and return
either yes or no to my script, which is rather ugly as my website and
bank's website will have different designs, but I need real-time funds
deduction and I don't know if it's even possible without involving the
bank, and I better go the safer way, as I only touched PHP two weeks
ago for the first time.

>> The problem is that after the user gets the pin from display.php and
>> refreshes the page, the script will run again and as the value that has
>> been sold first time has already been deleted, it will take the next pin
>> number in the database and display it to the user again. That is
>> something I don't want to happen. I want the user to get the same pin
>> number that it got the first time every time they refresh the page.
>
> The usual solution is to issue a header containing a 301 redirect to a new
> page immediately the post transaction has been verified and completed. The
> user won't even know that they're being redirected, but it guarantees that
> pressing refresh won't repeat the transaction.


Thanks, Martin, I'll work in this direction then.

> I don't have a working example to hand, but I hope this gives you enough
> to go on.

Jul 16 '05 #3

"droog" <pe********@hotmail.com> wrote in message
news:bc**************************@posting.google.com...
> Martin Lucas-Smith <mv***@cam.ac.uk> wrote in message news:<Pi**************************************@orange.csi.cam.ac.uk>...

[snip]
>> I hope you are not too new to PHP that you are fully aware of the security implications of your work with this sort of application. I'm not trying to

[snip]
> Oh, yeah, I won't be dealing with the security stuff myself, I know
> I'm not ready for it. I'll have the user redirected to my bank's

I think by security here Martin was also referring to the security of your
application as a whole.
Your business is selling these "pins", so this data must be protected, your
challenge is to ensure your script is secure in that it does not contain
code that would allow an attacker to compromise your pin database or worse.

> website and it will then process their credit card details and return
> either yes or no to my script, which is rather ugly as my website and
> bank's website will have different designs, but I need real-time funds
> deduction and I don't know if it's even possible without involving the


There is nothing wrong with this. I know some people comment that the change
in layouts scares customers, well, I don't know, I haven't found this. But
pushing the cc processing onto a third-party means the burden of protecting
card numbers is not wholly on your shoulders, it also means you may not need
an SSL on your site.

[snip]

Thanks,
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Email: co*******@scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------



Jul 16 '05 #4

"droog" <pe********@hotmail.com> wrote in message
news:bc**************************@posting.google.com...
> hi group!

[snip]
> The problem is that after the user gets the pin from display.php and
> refreshes the page, the script will run again and as the value that has
> been sold first time has already been deleted, it will take the next
> pin number in the database and display it to the user again. That is
> something I don't want to happen. I want the user to get the same pin
> number that it got the first time every time they refresh the page.


I might try something like this, if I understand correctly what you are
trying:

1. display.php
Purpose: select a PIN for user to purchase

Here you want to reserve one for the user, and maybe display it to him, but
if the pin is a number, and this number is what you are selling, like the
PIN number of mobile phone pre-paid vouchers here in South Africa, then you
can't display it until he's paid!!
But you must reserve one.... so...

a) Generate a unique tag, *don't* rely on time(), remember two people could
   make the purchase at the same time, the server executing the code in the
   same second.
b) Write this unique tag to the record of the PIN that is free
c) use this as the transaction reference for your post to payment gateway
d) use cURL or something similar to initiate the POST to the bank's payment
   page, this ensures you do not expose the transaction id (tag).

2. <bank step>

3. bank_callback.php
Purpose: Script the bank executes after success/failure of cc transaction

Here you check the bank's response code, if it is failure, display "sorry,
you lose" page!
If it's success:

a) make sure bank's transaction reference exists in your pin database
b) if it does:
   i) remove the pin record
   ii) display the pin to the user
c) else, if not:
   i) display an error of an invalid transaction, don't print transaction
      id, etc, keep these things secret.
   ii) write this to a log file _outside_ your document root, include the
       transaction id and other information so you can follow up on it
       later, it could be a valid problem for a valid customer, or an
       attempt to "hack" your site.

That's the general idea, of course the actual implementations, etc depend on
the exact nature of your product, which banking gateway you use, etc etc etc
ad nauseam.

Thanks
Mark
---------------------------------------------------------------------------
Windows, Linux and Internet Development Consultant
Email: co*******@scriptsmiths.com
Web: http://www.scriptsmiths.com
---------------------------------------------------------------------------

[snip]


Jul 16 '05 #5
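
The reserve-and-confirm flow outlined in the last reply, which also covers the refresh problem from the original question, as an added example that is not part of any post in this thread. It runs against an in-memory SQLite table so it is self-contained; the table layout, the function names reservePin and redeemPin, and the `sold` flag (used here in place of deleting the row, so a repeated callback returns the same PIN) are assumptions, and the cURL POST to the bank is left out.

```php
<?php
// Added example: table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pins (id INTEGER PRIMARY KEY, pin TEXT,
                              tag TEXT UNIQUE, sold INTEGER DEFAULT 0)');
// Constructed sample stock.
$db->exec("INSERT INTO pins (pin) VALUES ('1111-CONSTRUCTED'), ('2222-CONSTRUCTED')");

// Step 1: reserve a free PIN under an unguessable tag (not time()).
function reservePin(PDO $db): ?string {
    $tag = bin2hex(random_bytes(16));
    // One UPDATE statement: two simultaneous buyers cannot claim the same row.
    $stmt = $db->prepare('UPDATE pins SET tag = :tag WHERE id =
        (SELECT id FROM pins WHERE tag IS NULL ORDER BY id LIMIT 1)');
    $stmt->execute([':tag' => $tag]);
    return $stmt->rowCount() === 1 ? $tag : null;   // null means sold out
}

// Step 3: the bank's callback carries the tag back as its reference.
function redeemPin(PDO $db, string $tag, bool $bankSaysPaid): ?string {
    if (!$bankSaysPaid) {
        return null;                                // payment declined
    }
    $stmt = $db->prepare('SELECT id, pin FROM pins WHERE tag = :tag');
    $stmt->execute([':tag' => $tag]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Log for follow-up; json_encode keeps control characters out of the log.
        error_log('unknown transaction reference: ' . json_encode($tag));
        return null;                // caller shows a generic error page only
    }
    // Mark as sold instead of deleting, so a refresh finds the same row again.
    $db->prepare('UPDATE pins SET sold = 1 WHERE id = :id')
       ->execute([':id' => $row['id']]);
    return $row['pin'];
}

$tag   = reservePin($db);
$first = redeemPin($db, $tag, true);
$again = redeemPin($db, $tag, true);                // user pressed refresh
var_dump($first === $again);                        // compare the two views
var_dump(redeemPin($db, bin2hex(random_bytes(16)), true));  // unknown reference
var_dump(redeemPin($db, (string) reservePin($db), false));  // bank declined
```

A reservation whose payment never completes stays tagged, so a deployment built on this also needs a way to release stale tags.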
