douniao8687 2014-03-12 13:40

Protecting an OpenCart payment callback function from direct access

I have coded an extension for a Frazy IPG (this is a local payment gateway, not famous at all). In their payment gateway we need to pass the values to their server and they encrypt it and send it to MIGS, and when the transaction is a success or has failed it returns to my site with the status.

The status values are added to the URL when it's redirected to my site.

If success:

index.php?route=payment/frazyiph/callback/&?status=success&message=transaction_success

If failed:

index.php?route=payment/frazyiph/callback/&?status=failed&message=invalid_card

These are the only values returned after the payment, so I capture the status and the message from the URL and update the database accordingly.

The problem I'm having is when a person adds a product and directly pastes the success URL

index.php?route=payment/frazyiph/callback/&?status=success&message=transaction_success 

it updates as if the payment has been made. So I tried capturing the order_id, checking it's not empty and updating accordingly. The problem was that when a person selects to pay at the IPG and cancels, it returns to my page saying the payment is cancelled, and then if someone pastes the success URL it updates as if the user has paid, because the order ID has been generated.

Is there a way to protect the callback function and make sure the users are redirected from the IPG to my site to update the order and have not just typed the URL in the address bar?

1 answer

  • douhao2026 2014-03-12 14:29

    I do not really understand you. This is the third question you have asked about a payment module you are developing, and thus far I have tried to assist you in each of them, but until now I am not even aware whether I helped you, although I see you continue further ahead in the development. Some feedback would be greatly appreciated...

    And for your current question, there is a way: you need to check the headers with the PHP variable $_SERVER['HTTP_REFERER'], or some other $_SERVER[''] variable should give the necessary information, so you can specify that only data that comes from the IPG is what you will accept.

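The Referer check from the answer, combined with a one-shot pending-order marker that covers the "cancel, then paste the success URL" case from the question. This is an added example, not code from the thread or from OpenCart; the host `ipg.example.test`, the function names and the `ipg_pending_order` session key are hypothetical. The Referer header is supplied by the client, so these checks stop pasted URLs but not a crafted request; that needs a gateway-signed response or a server-side status lookup, and the thread does not say whether this gateway offers either.

```php
<?php
// Added example: every name below is hypothetical, not an OpenCart or gateway API.
const IPG_HOST = 'ipg.example.test';           // placeholder for the gateway's host name
const ALLOWED_STATUS = ['success', 'failed'];  // the two status values shown in the question

// Exact scheme + host comparison on the Referer. A substring match would also
// accept look-alike hosts such as "ipg.example.test.other.example".
function referer_is_gateway(array $server): bool
{
    $parts = parse_url($server['HTTP_REFERER'] ?? '');
    if (!is_array($parts) || !isset($parts['scheme'], $parts['host'])) {
        return false;  // header missing (URL typed or pasted) or unparsable
    }
    return strtolower($parts['scheme']) === 'https'
        && strtolower($parts['host']) === IPG_HOST;
}

// Call just before redirecting the customer to the gateway.
// In OpenCart, $session would be $this->session->data.
function begin_payment(array &$session, int $orderId): void
{
    $session['ipg_pending_order'] = $orderId;
}

// Returns [order_id, status] when the callback may update the order, else null.
function accept_callback(array $server, array $get, array &$session): ?array
{
    $orderId = $session['ipg_pending_order'] ?? null;
    unset($session['ipg_pending_order']);  // one-shot: the first return consumes it
    $status = $get['status'] ?? '';
    if ($orderId === null || !in_array($status, ALLOWED_STATUS, true)) {
        return null;
    }
    return referer_is_gateway($server) ? [$orderId, $status] : null;
}

// Constructed walk-through of the scenario in the question.
$session = [];
begin_payment($session, 1001);
$fromIpg = ['HTTP_REFERER' => 'https://ipg.example.test/pay/return'];
// Customer cancels at the gateway and is redirected back: accepted once.
var_dump(accept_callback($fromIpg, ['status' => 'failed'], $session));
// Success URL pasted afterwards: no pending order and no Referer, so rejected.
var_dump(accept_callback([], ['status' => 'success'], $session));
```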
