Php script paypal-related flaw

On a web site I’m using, the php credit script succeeds when, upon a return from paypal, purchased credits are added to the users account. However, the return location is a success page that has a “click here to return to the home page” link. If a user stays on that success page and refreshes the page, the amount of credits purchased keeps adding that amount to the users account, upon every refresh (without paying for those extras credits).

Rather than find someone to modify the script, I thought one solution might be to add something so that the page never appears and somehow the “click here to return to the home page” link automatically re-directs the successful purchaser to the home page, so he doesn’t have the chance to refresh the success page. Is this a sound solution? Can you suggest what might be nedded to accomplish this? Or suggest a better solution?

That is an error in the logic that needs to corrected. What should happen is the payment should be submitted again but fail since its already been completed. So the return page should be checking whether the response from DoExpressCheckoutPayment has succeeded and is complete. It shouldn’t just assume that hitting that page means the payment went through. That is vastly flawed and a huge security gap. You can than redirect to as SgtLegend suggested when the response from PayPal tells you the payment has already been made and payment again fails.


Use the PayPal IPN system and verify against you saved data.
The return page shouldn’t be used to do things like adding credits to an account.

If you really don’t want to use the IPN, which I still suggest, you could let PayPal pass a unique ID to the return page.
Check that ID against your database, add the credits, remove the ID.
Any refresh would then try to match against an non-existant ID and thus you don’t add credits.
But that’s still an ugly solution…

You could simply use a header redirect

header('Location: index.php');