Doing something like this is really foolish. (sorry I don't mean to offend but Paypal is really insecure. You can post what ever values you want to the site then continue... They can take the form that you use to sends info to paypal, change the cost value and submit that, and the system would not know the difference. There are better options out there offered by banks that are more secure. I know that you will be able to find out who they are when they goto the conference but it is a headache you might want to avoid. If you do want to use Paypal or any of the 50 + processors with 30 + drivers, the company I work for has a fantastic product. OPayC. http://www.opayc.com/ You drop in the code to connect to a driver, if you want a different driver you drop in a different file that we provide. and bam ... new your new credit card processor is up and running. Also if you want advice as to which processors are secure we can help you with that too. Rick At 03:05 AM 6/17/01, you wrote:
--On 06/15/01 16:18:14 -0500 Anthony Monta chiseled:
Hi. I'm trying to set up a website that registers people for a conference. I'd like to restrict access to the conference registry form to people who have already paid to a PayPal account (i.e., registered). What's the most effective way to do this?
The solution I've come up with so far (I'm not a programmer by profession) is to have PayPal send customers who have paid to a dtml script that sets a cookie value and then redirects the customer to a form viewable only if the cookie has the correct value.
You can also get http_referrer which will either be paypal or the last page.
What I do is set the cookie *before* i send them to paypal, then I update an object in the ZODB when they come back from paypal (checking the HTTP_REFERRER). From then on I check the object in the ZODB to see if they've paid, usually keyed on AUTHENTICATED_USER.
This still allows someone to construct the right HTTP POST and make it look as if they paid paypal.
If you really need to prevent that, you should probably use a session (from Core Session Tracking) that starts right before they get to paypal and expires right after they get back. Stuff all the information into the session tracking object, that way you know they're not making it up- the information was never on their end.
This way, the cookie that stores the session id will be unique to that session, and no amount of premeditation will allow them to generate a false page.
Hope that helps, -- emf "something witty" mindlace@imeme.net
_______________________________________________ Zope maillist - Zope@zope.org http://lists.zope.org/mailman/listinfo/zope ** No cross posts or HTML encoding! ** (Related lists - http://lists.zope.org/mailman/listinfo/zope-announce http://lists.zope.org/mailman/listinfo/zope-dev )
########################################################## # Rick St Jean, # rstjean@internet.look.ca # President of Design Shark, # http://www.designshark.com/, http://www.phpmailer.com/ # Quick Contact: http://www.designshark.com/messaging.ihtml # Tel: 905-684-2952 ##########################################################