Posted by PeacePipe on 10/28/06 08:46
In article <ehu1g8$1t0q$1@ns.felk.cvut.cz>, Petr Vileta
<stoupa@practisoft.cz> wrote:
> "PeacePipe" <peacepipe@last.cum> wrote in discussion post
> news:271020062125161865%peacepipe@last.cum...
> > Oops < must change nick. I see there is another "Happy" already in here.
> >
> > Hello folks. My colleague and I are unable to figure out what is wrong
> > with some code. We can't make it do what we want. Perhaps some kind
> > person can help please.
> >
> > I run a particular pay-to-view web site. For credit card processing, we
> > signed on with PayPal.
> >
> > The process is generally working ok. An interested person clicks the
> > "join" button on the site and is transported to PayPal where he enters
> > his card data and so on.
> >
> > PayPal generates access codes for the new member and emails them to
> > him. PayPal also sends us an email announcing a new join.
> >
> > The problem is that, so far, I must update the .htpasswd file manually
> > to liven up access to the member area.
> >
> > My colleague has good PHP skills and has written code to try to enable
> > PayPal to update the file automatically but all attempts fail so far.
> > The relevant section of the code is reproduced below. (This is not the
> > entire file, only the relevant lines.)
> >
> > We have proper permissions to write to the .htaccess file (777)
> >
> Hmm, permissions are 777 ... you are running on Linux. You must use the htpasswd
> Linux command instead of writing directly to the file because passwords in
> .htpasswd file are crypted. Run it as shell_exec() in your PHP code. For
> more info use "man htpasswd".
Peter, you and Geoffrey are very kind to reply.

My colleague and I are in Germany, same time-zone as you. I promised
Geoffrey a more-detailed post when my colleague returns, which should
be tonight.

The reason I don't post is because I'm a PHP moron. I know nothing
about it. My friend is not an expert but he's very good. English is not
his native language though, so I'm the one doing the typing. (Also,
he's a usenet newbie and I'm not.)

His brother _is_ a PHP expert and the two of them will have a
conversation later today.

Meanwhile, perhaps I can contribute some non-technical detail.

I run a pay-to-view web site. It's been live for over ten years. When I
started, I had no difficulty getting a merchant account with my bank
and a contract with a payment gateway so I could process credit card
transactions online, automatically.

Time passes. Other, less-reputable webmasters start to rort the system.
(An Australian invented word similar to "rip off") This spoils things
for the good guys. The card companies introduce new protocols for
card-not-present transactions. Many pay-to-view webmasters cannot
comply.

We were caught up in the general confusion. We lost our processing
facilities and set about structuring alternative solutions.

PayPal is such a solution so we started with them. An intending member
finds himself first on our "join" page where he reads the terms. Then
he clicks ahead and is moved to the PayPal site.

There, he enters card details and other obvious information. PayPal
then charges his card. If that works ok they send him an email
containing username and password that PayPal's server generates. Copy
to us so we know we have a new member.

At that point we must manually add the pair of access codes to the
.htpasswd file that is in the member area on the web site. We think it
should be easy to have PayPal's server do that automatically.

Apparently, it _is_ possible to do but my colleague sees some security
weaknesses. He wants to make it harder or impossible for a hacker to
break in. To do that, he must ignore how PayPal would normally do it.
We don't want PayPal to write direct to the .htpasswd file.

He knows how he wants to do it. I believe it involves getting PayPal's
server to access, not the .htpasswd file direct but, instead, another
file that we will place on our web site, elsewhere than directly in the
member folder, where the .htaccess and .htpasswd files reside.

I think the problem code is meant to be on that other file. He wants
PayPal to write to a special file then have that special file make the
necessary update to the .htpasswd file.

I hope that is helpful background. As soon as my guy returns, he can
dictate more info.
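
An added example, not code from this thread or from PayPal: one way the intermediary script described above could update .htpasswd from PHP itself, as an alternative to the shell_exec() call to htpasswd suggested in the quoted reply. The function name add_htpasswd_user() and the demo path are hypothetical, and it assumes Apache 2.4 or later, which accepts bcrypt ($2y$) hashes.

```php
<?php
declare(strict_types=1);

// Added example: append one user to an Apache .htpasswd file without a shell.
// Assumption: Apache 2.4+ (bcrypt support). Returns false if the user exists.
function add_htpasswd_user(string $file, string $user, string $password): bool
{
    // A ':' or line break in the name would let one request forge extra entries.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $user)) {
        throw new InvalidArgumentException('invalid username');
    }
    if ($password === '' || strlen($password) > 72) {   // bcrypt reads at most 72 bytes
        throw new InvalidArgumentException('invalid password length');
    }
    // 'c+' opens for read/write and creates the file, but never truncates it.
    $fh = fopen($file, 'c+');
    if ($fh === false) {
        throw new RuntimeException('cannot open password file');
    }
    try {
        // Exclusive lock: two simultaneous sign-ups must not interleave writes.
        if (!flock($fh, LOCK_EX)) {
            throw new RuntimeException('cannot lock password file');
        }
        $endsWithNewline = true;
        while (($line = fgets($fh)) !== false) {
            if (strncmp($line, $user . ':', strlen($user) + 1) === 0) {
                return false;                            // entry already present
            }
            $endsWithNewline = substr($line, -1) === "\n";
        }
        fseek($fh, 0, SEEK_END);
        // The file stores a hash, never the plain password.
        $entry = $user . ':' . password_hash($password, PASSWORD_BCRYPT) . "\n";
        if (fwrite($fh, ($endsWithNewline ? '' : "\n") . $entry) === false) {
            throw new RuntimeException('write failed');
        }
        fflush($fh);
        return true;
    } finally {
        flock($fh, LOCK_UN);
        fclose($fh);
    }
}

// Constructed demo values; the path and credentials are placeholders.
$demo = sys_get_temp_dir() . '/demo.htpasswd';
var_dump(add_htpasswd_user($demo, 'newmember', 'S3cret-example'));
```

With this approach the password file only needs to be writable by the account the script runs as and readable by the web server, so mode 777 is not required.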