Using a Return URL Securely

Question

Hopefully this question isn't too naive...

I'm attempting to implement The Giving Lab API in order to allow users of my site to donate to charity.

Using a URL such a this:

https://www.thegivinglab.org/api/donation/start?donationtype=0&amount=10&charityid=84ed3c54-6d8c-41c5-8090-f8ec800f45a7&returnurl=mywebsite.com/

the user is directed to the donation page and then returned to the returnURL after the donation has been made.

I want to be able to add how much the user donated to my databases if they successfully complete a payment. Would it be possible to use the returnURL to do this? Ie could I use a returnURL in the form of mywebsite.com?q="amount_donated" and then use this to update my databases?

I can see that this would allow someone to update my databases by just entering the returnURL into their browser.

Is there a generally better method, that removes this problem?

Many thanks.

Answer 1

Dutch banks use a thing called a sha-sign (and they're probally not the first)

All you have to do is add a key which only you can know:

function makeSecureCode($var1, $var2){
    $secretCode = 'example';
    $secretKey = '';
    $secretKey.= $var1 .  $secretCode;
    $secretKey.= $var2 .  $secretCode;

    return sha1($secretKey);
}

Then make the url like this: ?var1=foo&var2=bar&key=5e8b73da0b20481c1b4a285fb756958e4faa7ff1

And when you process the code after payment, makeSecureCode( $_GET['var1'], $_GET['var2']) should be equal to $_GET['key']. If not, someone changed it.

This is a simplefied version with only two vars. You can make it have more input arguments, or an array, whichever you prefer.