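#!/usr/bin/perl
# verify_order.pl version 1.0 21/12/2000 (part 2 of 2)
# Copyright 2000 DirectOne E-Commerce Systems Pty Ltd.
# All rights reserved.
#
# This script is called by the return_link_url.
#
# Workaround for IE 5+ problems with the HTTP_REFERER variable, i.e. the
# fact that it isn't set when coming from a secure site to a non-secure
# one. The workaround uses the reply_link_url and return_link_url in
# conjunction: the reply_link_url (part 1 of 2) writes an entry to a file
# on this server's disk (this only works if you are allowed to do that),
# and this script, reached via the return_link_url, only lets the visitor
# through if the fields they present match an entry in that file.
#
# Although more complex than a simple referrer check this is harder to
# defeat: the Referer header is entirely under the client's control,
# whereas here the client must know the payment number and bank
# reference that the gateway itself reported. That is not to say it is
# impossible to defeat. Treat those two values as bearer secrets -- anyone
# who learns them (a shared link, browser history, a proxy log) can
# replay this request for as long as the entry stays in the file.
#
# Your return_link_url should point at this script. (The example URL
# from the original distribution did not survive in this copy.)
#
#### NOTES ####
# Depending on what your particular needs are, this may not be the best
# way to do it. If, for example, you wish to give continuing access to
# your customers, you may be better off using record_order to create an
# .htaccess-style password file, then present the user with a written
# record of username and password (which can be the payment number and
# bank reference if need be) and direct them to a download page that is
# protected by a normal .htaccess file.
#
# Once "do whatever they just paid for" below is filled in, consider
# running this script under taint mode (-T) so that the request fields
# cannot reach a filename or shell command unchecked.

use strict;
use warnings;

# load the required module
use CGI;

my $query = CGI->new;

# Read in the CGI fields. A missing parameter becomes an empty string
# rather than undef: "undef eq ''" is true in Perl, so an undefined input
# would otherwise match a log line whose corresponding field is blank.
my $input_vendor_name    = $query->param('vendor_name');
my $input_bank_reference = $query->param('bank_reference');
my $input_payment_number = $query->param('payment_number');
my $input_payment_amount = $query->param('payment_amount');
for my $field ($input_vendor_name, $input_bank_reference,
               $input_payment_number, $input_payment_amount) {
    $field = '' unless defined $field;
}

# This file needs to be in a directory readable by the webserver,
# preferably OUTSIDE the document root. Note that a relative path like
# this one is resolved against whatever working directory the webserver
# starts CGI scripts in; an absolute path is less surprising.
# Each line is one record written by part 1 of 2, colon separated:
#   timestamp:vendor_name:bank_reference:payment_number:payment_amount
my $payments_log = 'directone_payments.txt';

# After a successful match these hold the LOGGED record (not the
# request's copy of it); that is what the paid-for action should trust.
my ($timestamp, $vendor_name, $bank_reference, $payment_number, $payment_amount);
my $authorised = 0;

# All three matched fields must be non-empty. The match is only worth
# anything if the client has to know the secrets; an empty "secret" would
# match a record (or a blank line) with an empty field.
if (    $input_vendor_name    ne ''
    and $input_bank_reference ne ''
    and $input_payment_number ne '') {

    open my $log_fh, '<', $payments_log
        or die "Unable to read from $payments_log\n";

    while (my $next_entry = <$log_fh>) {
        chomp $next_entry;
        ($timestamp, $vendor_name, $bank_reference, $payment_number, $payment_amount)
            = split /:/, $next_entry;

        # Blank or truncated line: nothing to compare against.
        next unless defined $vendor_name
                and defined $bank_reference
                and defined $payment_number;

        if (    $payment_number eq $input_payment_number
            and $bank_reference eq $input_bank_reference
            and $vendor_name    eq $input_vendor_name) {
            $authorised = 1;
            last;
        }
    }
    close $log_fh;
}

# NOTE: payment_amount is read from the request but deliberately NOT
# compared, as in the original. If what follows depends on how much was
# paid, use $payment_amount (the logged value), never
# $input_payment_amount.
if ($authorised) {
    # do whatever they just paid for.
}
else {
    print "Content-type: text/plain\n\n";
    print "Unauthorised\n";
    # alternatively, you can redirect them to an error page thus:
    # print "Location: http://yourserver.com.au/path_to_error.html\n\n";
}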