Shopping cart help.

[begamer26]

For selling a game: I am using PayPal shopping cart buttons, and am redirecting (On success) to a page which will ask them for their e-mail to send them a random code which will be added to a MySQL database, once the person opens the game (no help needed) it will go to the MySQL database and check if the users mac-address is in there, if not it will ask for the code they received in the e-mail, it will then check if it is in the MySQL database and then add the persons mac-address to it. THEN it will check if the mac-adress is in the database, if it is, it will let them to proceed to play the game. if not it will automaticaly close.

*Deep breath* What I need help with is to somehow protect the page that they get redirected to, so they can only give the e-mail if they were 're-directed' by PayPal. (Not if the previous page they were on was PayPal.)

Any help?

[Anna]

I have no idea on the coding part, but there's potentially another problem with that scenario, if they are to open the game on their own computer, they will not be able to connect to the database if it is on one of our free accounts for verification. Access is restricted to content on our servers only. I notice you don't have a hosting account at this time, but wanted to point that out.

I guess there'd be a way to check for http referrer, and set a "if not from paypal clause" that gives them information on how to buy the game? I'm sure someone more experienced in coding can suggest something better, and possibly also bash that idea for being insecure

[callumacrae]

Re the first part, that sounds kinda tricky. I think I understood it, anyway You can't connect to MySQL remotely, and even if you could that would be a security flaw, as someone could reverse engineer your code, get the login info, and modify the database. It would be better to build something where you query the website, then it returns true or false, eg the game could query example.com/verify.php?cine7d84joj367dubv=vhhd6865ycgbb864 would return either true or false.

You don't want to host that on free hosting, as you need a very fast server to do that. You would probably want VPS.

Anyway, why not use the conventional enter code, play game?

~Callum

[begamer26]

@Anna I plan to get my site paid hosting and on a different website. : P

@Callum You can connect to a MySQL through a game, It basically sends information to a php code which does the query. : P I'm not sure how someone could reverse engineer a .exe though. If there is a way, is there any way I could secure it?

If they enter the code, play game. ANYONE could play the game for free. :/ Thats what I want to prevent. :C

[callumacrae]

They don't even have to reverse engineer the game, they can just sandbox it and see what it connects to. It really isn't a good idea.

Have a database of lots of random codes. Each code can be used three times, after that it becomes deactivated and the user has to ask you to reactivate it. Distribute one code with each copy of the game, and tell them that if they install it more than three times they will need to contact you. I'm not sure exactly how it should validate the code, but I'm thinking validate.php?code=longcomplexcodehere, which will then return true or false. In order to prevent hackers from brute forcing the code, you should restrict them to 3 attempts every 5 minutes, and then they have to contact you to get their IP unblacklisted.

I think all that would work

~Callum

[begamer26]

They don't even have to reverse engineer the game, they can just sandbox it and see what it connects to. It really isn't a good idea.

Have a database of lots of random codes. Each code can be used three times, after that it becomes deactivated and the user has to ask you to reactivate it. Distribute one code with each copy of the game, and tell them that if they install it more than three times they will need to contact you. I'm not sure exactly how it should validate the code, but I'm thinking validate.php?code=longcomplexcodehere, which will then return true or false. In order to prevent hackers from brute forcing the code, you should restrict them to 3 attempts every 5 minutes, and then they have to contact you to get their IP unblacklisted.

I think all that would work :)

~Callum

C: Good idea! But I think something else than their IP should be blacklisted as people can spoof them quite easily. Overall Great idea! :D

[callumacrae]

They can spoof anything if they want to, just use their IP

~Callum

[begamer26]

They can spoof anything if they want to, just use their IP

~Callum

Yeah, but the IP changes all the time with a few ISP's. They would be able to play the game for a day, turn off their router, turn it back on, they'de get ripped off. :C The mac-address always stays the same though. C:

Anyway, how would I make sure that the person got redirected from PayPal on the page where it askes them for their e-mail address? I want to make sure that you can only get the code if you payed for it. :B

[callumacrae]

Nonono I meant that during installation they would have to enter the code, their copy isn't validated when the game is opened. If the server went down they wouldn't be able to play

It's as easy to change or forge your mac address as it is to change your IP if you know how.

I dont know about the paypal bit, sorry

~Callum

[begamer26]

Nonono I meant that during installation they would have to enter the code, their copy isn't validated when the game is opened. If the server went down they wouldn't be able to play

It's as easy to change or forge your mac address as it is to change your IP if you know how.

I dont know about the paypal bit, sorry

~Callum

I'm not sure how I would do that though?