protect opencart payment callback function from direct access
i have coded a extension for a Frazy IPG (this ia local payment gateway, not famous at all). In their payment gateway we need to pass the values to their server and they encrypt it and send it to MIGS and when the transaction is success or failed it returns to the my site with the status.
the status values are added to the url when its redirected to my site
these are the only values returned after the payment. so i capture the status and the message from the url and update the database accordingly.
the problem im having is when a person adds a product and directly pastes the success url
it updates as the payment has been made. so i tried capturing the order_id and checking its not empty and update accordingly. The problem was when a person selects to pay at the IPG and cancelled it returns to my page saying the payment is cancelled. and then if someone pastes the success url it updates as the user has paid because the order id has been generated.
is there a way to protect the callback function and make sure the users are redirected from the IPG to my site to update the order and not just typed the url in the address bar?
I do not really understand you, this is the third question you make for a payment module you are developing and thus far i have tried to assist you in each of them, but till now i am not even aware if i helped you, although i see you continue further ahead in the development, some feedback would be greatly appreciated...
And for your current question there is a way, you need to check the headers with php variables $_SERVER['HTTP_REFERER'] or some other $_SERVER[''] variable should give the necessary information so you can specify that only data that come from IPG are the ones you will accept.