Confirm Page - Security?
The confirmation page is acting rather strangely, and I cannot trace the problem.
Here is my scenerio.
1: My confirm page simply drops the data in a database, no payment gateway at this time.
2: By the time I reach my confirm page, I have a couple of GET Variables in the URL.
3: Confirm submits to "PHP Self" which strips the GET Variables - I still need those :)
4: I replace the "PHP Self" with the appropriate "REQUEST_URI" which now retains all the GET variables. It submits to itself, but with the GET variables in tact.
HOWEVER - now the page will just land back on "confirm.php?blah=blah" but won't process the database insert(s) and won't redirect when done (likely because it doesn't finish successfully).
After looking at the code, I cannot figure out what is stopping it from processing. Is there some security added to this page, like checking for the PHP Self or something? I'm at a loss and any help would be appreciated.
EDIT 1/2 hour later - I believe the problem is in this line:
if (($_SERVER["REQUEST_METHOD"] == "POST") && (isset($_SERVER["HTTP_REFERER"]) && strpos(urldecode($_SERVER["HTTP_REFERER"]), urldecode($_SERVER["SERVER_NAME"].$_SERVER["PHP_SELF"])) > 0) && isset($_POST)) // Trigger
Since I am posting to "REQUEST URI" rather than "SELF" I have even tried to change that line to:
if (($_SERVER["REQUEST_METHOD"] == "POST") && (isset($_SERVER["HTTP_REFERER"]) && strpos(urldecode($_SERVER["HTTP_REFERER"]), urldecode($_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"])) > 0) && isset($_POST)) // Trigger
But I still cannot get it to process!
