
PHP PAYPAL SECURITY ISSUE!


napap


Hi, I am running an online ecommerce store where I let people list and sell their items.

However, the security is too weak. When people click the buy button on a product they are taken to process.php where a session is set to true, and then they are redirected to PayPal to complete their orders. After their payment is completed they are redirected to success.php where they collect their download from a link to the download URL posted by the user who listed the product.

Now the problem is that all that is required to get access to the file download is for the session to be "true". This means that someone could just navigate to process.php and then skip PayPal and navigate directly to success.php.

Here is what I want to do: instead of the link being displayed in the success.php file, I want PayPal to navigate directly to the file download instead...

Here are my PHP files: http://www.mediafire.com/?383u89twj197bjg

Thank you all for helping me... I would be forever happy if any of you could have a look at the script and correct it as mentioned above, and please send the files back to: vallandepost@gmail.com ... thank you very much!


Just because PayPal redirects the visitor back to your site (or the visitor directly browses to pages on your site), does not mean that the payment was successful and completed. You should read the PayPal documentation for Payment Data Transfer (PDT) and Instant Payment Notification (IPN). You would only consider items as being purchased if the transaction is successful.

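What the reply above recommends, sketched as an added example (not part of the original thread and not the poster's files): an IPN listener that treats an order as paid only after PayPal confirms the message and its fields match the order. The order array shape, the seller address and the `handle_ipn` helper are assumptions made for illustration.

```php
<?php
// Added example. Assumed for illustration: the $order row shape and handle_ipn().
const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';

// Post the raw IPN body back to PayPal; only the literal reply "VERIFIED" is trusted.
function paypal_confirms(string $rawBody): bool
{
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    return curl_exec($ch) === 'VERIFIED';
}

// Content checks: a genuine IPN can still be for another seller, amount or order.
function ipn_pays_for_order(array $ipn, array $order, array $seenTxnIds): bool
{
    $gross = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && strcasecmp($ipn['receiver_email'] ?? '', $order['seller_email']) === 0
        && ($ipn['mc_currency'] ?? '') === $order['currency']
        && $gross === $order['amount']
        && ($ipn['custom'] ?? '') === (string)$order['id']   // order id sent at checkout
        && !in_array($ipn['txn_id'] ?? '', $seenTxnIds, true); // reject replays
}

// $confirm is injected so the network postback can be stubbed when testing.
function handle_ipn(string $rawBody, callable $confirm, array $order, array $seen): bool
{
    parse_str($rawBody, $ipn);
    return $confirm($rawBody) && ipn_pays_for_order($ipn, $order, $seen);
}

// Constructed sample data; the stub stands in for paypal_confirms() so this runs offline.
$order = ['id' => 42, 'seller_email' => 'seller@example.com',
          'currency' => 'USD', 'amount' => '9.99'];
$body  = 'payment_status=Completed&receiver_email=seller%40example.com'
       . '&mc_currency=USD&mc_gross=9.99&txn_id=TX1&custom=42';
var_dump(handle_ipn($body, fn() => true, $order, []));       // first delivery of TX1
var_dump(handle_ipn($body, fn() => true, $order, ['TX1']));  // TX1 already recorded
var_dump(handle_ipn($body, fn() => false, $order, []));      // PayPal did not confirm
```

With a listener like this, success.php would release the download only when the store's own records show the order as paid, rather than when a session flag is set.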
