Sunday, 21 October 2012

wladca's PayGol script

Wladca posted a script on Otland.net that lets people pay for premium points with PayGol services. The script is reproduced below exactly as it was posted; both issues discussed afterwards are in it.

Code:
<?php
/*


Note:Before starting you have to create an account at http://www.paygol.com/register?affiliatecode=T8Y7-LK0M-NY0R-Y6O3


*/


// check that the request comes from PayGol server (this is the ONLY check the script performs)
if(!in_array($_SERVER['REMOTE_ADDR'],
  array('109.70.3.48', '109.70.3.146', '109.70.3.58'))) {
  header("HTTP/1.0 403 Forbidden");
  die("Error: Unknown IP");
}
  

// get the variables from PayGol system
$message_id = $_GET['message_id'];
$service_id = $_GET['service_id'];
$shortcode = $_GET['shortcode'];
$keyword = $_GET['keyword'];
$message = $_GET['message'];
$sender = $_GET['sender'];
$operator = $_GET['operator'];
$country = $_GET['country'];
$custom = $_GET['custom'];
$points = $_GET['points'];
$price = $_GET['price'];
$currency = $_GET['currency'];

//Replace these parameters by your database details
$dbhost     = "localhost"; //Your database domain
$dbuser     = "root"; //Database username
$dbpassword = "dbpass"; //Database password
$db         = "dbname"; //Database name

//Connect to Database
$conn = mysql_connect($dbhost, $dbuser, $dbpassword);
mysql_select_db($db);

// 'custom' is the account name the BUYER typed in; it is interpolated into SQL unescaped (SQL injection).
// service_id, price and points are never compared against this merchant's own PayGol service.
$sql = "UPDATE accounts SET premium_points = premium_points+$points WHERE name = '$custom'";
mysql_query($sql);

mysql_close($conn);

?>
He was sure the script was secure because it only accepts connections from PayGol's IP addresses.
I explained to him that the 'custom' GET parameter is supplied by the user: it is the "account name" the buyer enters when starting the payment, and it goes straight into the WHERE clause, so the buyer can put anything there, including something like x' OR '1'='1 that adds the points to every account. I fixed that for him, but today I came up with another idea.

I created a PayGol account, set up my own multiprice service with a price of 1 euro and 9000000 points for it, and an IPN URL pointing to... wladca's website.
Then I turned on testing mode, made the purchase in testing mode, and on wladca's server I had 9000000 points :)


So what is the solution for this problem?
The IP check only proves that the request came from PayGol; it says nothing about whose service the payment was made against. Check that the parameters passed to your IPN script match the values you configured in PayGol (especially service_id, price and points), and never credit the amount of points the request carries, only the amount you configured for that price.
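Below is an added example of how such an IPN handler can be hardened. It is my own code, not wladca's script and not anything from PayGol; it keeps the IPN parameters from the original script and assumes a table accounts(name, premium_points) and the IP list from the post. The service id and the price tiers are hypothetical numbers standing in for whatever you configured in your own PayGol account. It addresses both issues from the post: the SQL injection through 'custom' (prepared statement plus a whitelist on the account name) and the forged purchase against a foreign service (service_id, price, currency and points are compared with the merchant's own configuration).

```php
<?php
// Added example (not wladca's code, not PayGol's): hardened PayGol IPN handler.

// Values copied from YOUR PayGol service configuration (hypothetical numbers here).
const MY_SERVICE_ID = 12345;
// PayGol server addresses as listed in the original script.
const PAYGOL_IPS = ['109.70.3.48', '109.70.3.146', '109.70.3.58'];
// Price tiers of the multiprice service as configured at PayGol: price => currency/points (hypothetical).
const PRICE_TABLE = [
    '1.00' => ['currency' => 'EUR', 'points' => 10],
    '5.00' => ['currency' => 'EUR', 'points' => 60],
];

/**
 * Validate an IPN request against the merchant's own configuration.
 * Returns null when the request is acceptable, otherwise a short reason.
 */
function validate_ipn(array $p, string $remoteAddr): ?string
{
    // Still useful, but on its own it only proves the request came from PayGol.
    if (!in_array($remoteAddr, PAYGOL_IPS, true)) {
        return 'unknown IP';
    }
    foreach (['message_id', 'service_id', 'custom', 'points', 'price', 'currency'] as $k) {
        if (!isset($p[$k]) || $p[$k] === '') {
            return "missing $k";
        }
    }
    // The attack in the post used the attacker's OWN service; this check alone blocks it.
    if (!preg_match('/^\d+$/', (string)$p['service_id']) || (int)$p['service_id'] !== MY_SERVICE_ID) {
        return 'service_id does not match our service';
    }
    // price, currency and points must match a tier WE configured; none of them is trusted from the request.
    if (!is_numeric($p['price'])) {
        return 'invalid price';
    }
    $price = number_format((float)$p['price'], 2, '.', '');
    if (!isset(PRICE_TABLE[$price])) {
        return 'unknown price';
    }
    $tier = PRICE_TABLE[$price];
    if ($p['currency'] !== $tier['currency'] || (string)$tier['points'] !== (string)$p['points']) {
        return 'points/currency do not match the configured tier';
    }
    // 'custom' is the account name the buyer typed: restrict it to the charset account names actually use
    // (assumed alphanumerics and spaces here; adapt to your server's naming rules).
    if (!preg_match('/^[A-Za-z0-9 ]{1,32}$/', $p['custom'])) {
        return 'invalid account name';
    }
    return null;
}

/** Returns the points to credit for a validated request: the configured amount, never $_GET['points']. */
function points_for_price(string $price): int
{
    return PRICE_TABLE[number_format((float)$price, 2, '.', '')]['points'];
}

/** Credit points with a prepared statement so 'custom' can no longer change the WHERE clause. */
function credit_points(PDO $db, string $name, int $points): int
{
    $stmt = $db->prepare('UPDATE accounts SET premium_points = premium_points + :points WHERE name = :name');
    $stmt->execute([':points' => $points, ':name' => $name]);
    return $stmt->rowCount();
}

if (PHP_SAPI === 'cli') {
    // Constructed requests for a local dry run (no database needed).
    // 1) The forged purchase from the post: attacker's own service, 9000000 points for 1 EUR.
    $forged = ['message_id' => '1', 'service_id' => '99999', 'custom' => 'victim',
               'points' => '9000000', 'price' => '1.00', 'currency' => 'EUR'];
    echo 'forged service: ', validate_ipn($forged, '109.70.3.48') ?? 'accepted', PHP_EOL;
    // 2) The SQL injection from the first issue.
    $inj = ['message_id' => '2', 'service_id' => '12345', 'custom' => "x' OR '1'='1",
            'points' => '10', 'price' => '1.00', 'currency' => 'EUR'];
    echo 'injection: ', validate_ipn($inj, '109.70.3.48') ?? 'accepted', PHP_EOL;
    // 3) A legitimate request for a configured tier.
    $ok = ['message_id' => '3', 'service_id' => '12345', 'custom' => 'wladca',
           'points' => '10', 'price' => '1.00', 'currency' => 'EUR'];
    echo 'legitimate: ', validate_ipn($ok, '109.70.3.48') ?? 'accepted', PHP_EOL;
} else {
    // Entry point when called as the IPN URL.
    $err = validate_ipn($_GET, $_SERVER['REMOTE_ADDR'] ?? '');
    if ($err !== null) {
        header('HTTP/1.0 403 Forbidden');
        die("Error: $err");
    }
    $db = new PDO('mysql:host=localhost;dbname=dbname', 'root', 'dbpass',
                  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    credit_points($db, $_GET['custom'], points_for_price($_GET['price']));
    echo 'OK';
}
```

Run it from the command line to see the three constructed requests classified without touching a database; as the IPN URL it credits only the points configured for the received price. One more check worth adding, beyond what the post lists: record each message_id you have already processed and refuse to credit the same one twice, so a replayed notification cannot be used to collect the points again.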
