I have a security problem. I have a PayPal script in a page which gets some PHP variables; those variables are the price of every product and the total of a cart. I have to be sure that the payment is complete, but:
when the payment is authorized, a page is called via AJAX that stores the order in the database. The fact is that if someone calls this page via a link, the payment will appear as complete. I hope that I've explained it well.
If user login is needed to access the site, ultimately the page cannot be called by URL. Even if so, it would throw the error that the USER privilege is not accessed. This would solve one problem, but in the corner case where the logged-in user tries to access the file, it gives privileges and the same problem might arise.
Have you set the window object to be on-click, so that the AJAX is triggered when the on-click event occurs?
Moreover, the code is needed to help you further with the issues.
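Added example, not part of the original question or answer: one way to keep the order-storing page from trusting the browser is to have it check the payment itself before writing to the database. The function name `verifyPayment`, the price list, and the sample data are hypothetical, and the order array assumes the shape of a PayPal Orders v2 response (`status`, `purchase_units[0].amount`) that the server fetched from PayPal for the order ID the browser sent.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether an order may be stored. $paypalOrder is the decoded order the
 * SERVER fetched from PayPal (assumed Orders v2 shape), never data posted by
 * the browser. $cart comes from the session; $prices is the server-side price
 * list in cents; $usedOrderIds are PayPal order ids already stored.
 */
function verifyPayment(array $paypalOrder, array $cart, array $prices,
                       string $currency, array $usedOrderIds): array
{
    $id = $paypalOrder['id'] ?? '';
    if ($id === '' || in_array($id, $usedOrderIds, true)) {
        return [false, 'missing or already used PayPal order id'];
    }
    if (($paypalOrder['status'] ?? '') !== 'COMPLETED') {
        return [false, 'payment not completed'];
    }
    // Recompute the total from server-side prices; never take it from the request.
    $expected = 0;
    foreach ($cart as $sku => $qty) {
        if (!isset($prices[$sku]) || !is_int($qty) || $qty < 1) {
            return [false, "invalid cart line: $sku"];
        }
        $expected += $prices[$sku] * $qty;
    }
    $amount = $paypalOrder['purchase_units'][0]['amount'] ?? [];
    $paid = (int) round(((float) ($amount['value'] ?? 0)) * 100);
    if (($amount['currency_code'] ?? '') !== $currency || $paid !== $expected) {
        return [false, 'amount or currency mismatch'];
    }
    return [true, 'ok'];
}

// Constructed sample data, not real PayPal output.
$prices = ['sku-1' => 1999, 'sku-2' => 500];
$cart   = ['sku-1' => 1, 'sku-2' => 2];
$paid   = ['id' => 'SAMPLE-ORDER-1', 'status' => 'COMPLETED',
           'purchase_units' => [['amount' => ['currency_code' => 'EUR', 'value' => '29.99']]]];
$cheap  = $paid;
$cheap['purchase_units'][0]['amount']['value'] = '0.01';

var_dump(verifyPayment($paid,  $cart, $prices, 'EUR', []));                 // genuine payment
var_dump(verifyPayment($cheap, $cart, $prices, 'EUR', []));                 // underpaid order
var_dump(verifyPayment($paid,  $cart, $prices, 'EUR', ['SAMPLE-ORDER-1'])); // replayed order id
var_dump(verifyPayment([],     $cart, $prices, 'EUR', []));                 // page opened by link, no payment
```

Recording the PayPal order ID in the same database transaction that stores the order keeps the replay check reliable under concurrent requests.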