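#!/usr/bin/perl
# record_order.pl version 1.0 21/12/2000
# Copyright 2000 DirectOne E-Commerce Systems Pty Ltd.
# All rights reserved.
#
# This script is called from the reply_link_url.
#
# Workaround for IE 5+ problems with the HTTP_REFERER variable, i.e. the fact
# that it isn't set when coming from a secure site to a non-secure one.
# The workaround utilises the reply_link_url and return_link_url in
# conjunction. This method, although more complex than a simple referrer
# check, is more secure. That is not to say it is impossible to defeat,
# but it is certainly harder.
#
# We use the reply_link_url to write an entry to a file on the server's
# disk (this will only work if you are allowed to do this); the
# return_link_url then accesses a page that is protected using the same file.
#
# Your reply_link_url should be set thus:
#   <URL of this script on your server -- example not present in this copy>
#
# Security notes:
#   * The only authentication of a notification is its source IP address.
#     REMOTE_ADDR is the peer address seen by the web server, so behind a
#     reverse proxy or load balancer it is the proxy's address and this check
#     no longer identifies the gateway. Do not substitute a client-supplied
#     forwarding header for it.
#   * Every field is request data. Control characters and the ':' delimiter
#     are neutralised before writing so one request cannot forge or split a
#     record that the protected return page later trusts.

use strict;
use warnings;

# load the required modules
use CGI;
use Fcntl qw(:flock);

# IP address of the DirectOne secure server; only it may record payments.
my $gateway_ip = '203.36.199.101';

# This file needs to be in a directory writeable by the webserver,
# preferably OUTSIDE the document root. A relative name is resolved against
# the CGI's working directory, which is commonly inside the document root;
# NOTE(review): set an absolute path outside it so the log cannot be fetched
# over HTTP.
my $payments_log = 'directone_payments.txt';

# Return a CGI field as a single log-safe token: undef becomes '', control
# characters (including CR/LF) are dropped and ':' is replaced by '_'.
sub _clean_field {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\x00-\x1f\x7f]//g;
    $value =~ tr/:/_/;
    return $value;
}

my $query = CGI->new;

# determine IP address of caller, it must be the IP
# address of the DirectOne secure server.
my $remote_ip = $ENV{'REMOTE_ADDR'};

# print standard output headers
print "Content-type: text/plain\n\n";

if (defined $remote_ip && $remote_ip eq $gateway_ip) {
    # read in the cgi fields; scalar() takes the first value only, so a
    # repeated parameter cannot inject extra list elements.
    my @fields = map { _clean_field(scalar $query->param($_)) }
        qw(vendor_name bank_reference payment_number payment_amount);

    my $timestamp = time;

    # Three-argument open with a lexical handle: the mode can never be
    # taken from the file name.
    open(my $log_fh, '>>', $payments_log)
        or die "Unable to write to $payments_log: $!\n";

    # Serialise concurrent notifications so records are never interleaved.
    flock($log_fh, LOCK_EX)
        or die "Unable to lock $payments_log: $!\n";

    print {$log_fh} join(':', $timestamp, @fields), "\n"
        or die "Unable to write to $payments_log: $!\n";

    # Buffered write errors surface at close; report success only once the
    # record is known to have been written.
    close($log_fh)
        or die "Unable to write to $payments_log: $!\n";

    print "Success\n";
}
else {
    print "Unauthorised\n";
}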