<?phprequire_once('inc/config.inc.php'); // just a bunch of define() statements$pageID = 'download';session_start();session_destroy();print_r($_POST); // prints empty Array ()print_r($_GET); // dittoprint_r($_REQUEST); // as a last resort, I tried $_REQUEST, which I don't like // for security reasons -- still no dice/* Right now I'm using this stopgap measure: I add my 'custom' value on as a querystring component in the return URL; e.g., return=http://okanaganhistory.com/store/download.php?custom=xxxxx Fortunately, PayPal does not mess with the querystring, so I get my secret key in the end. But I'd like to use PayPal's built-in feature for that. I know that passing a nonce as a secret key doesn't stop a motivated thief from accessing the paid content at the return URL, but I feel like referring to someone's order with a querystring makes it even easier to do so. Note: in this case, print_r($_GET); now does display something, but only because I actually formed it into the return URL.*/if (isset($_REQUEST['custom'])) { $nonce = $_REQUEST['custom']; $noncesH = fopen(NONCE_PATH, 'r+'); $nonces = fread($noncesH, filesize(NONCE_PATH)); $nonces = explode("\n",$nonces); $noncesNew = array (); $match = false; foreach ($nonces as $v) { $vbits = explode('#.#.#', $v); if (count($vbits) == 3) { if ($vbits[0] == $nonce) { $match = true; $order = unserialize($vbits[2]); } if ((int) $vbits[1] > time() - 60*60) { $noncesNew[] = $v; } } } rewind($noncesH); ftruncate($noncesH, 0); fwrite($noncesH, implode("\n", $noncesNew)); fwrite($noncesH, "\n"); fclose($noncesH); if ($match) { $downloads = array (); $ships = array (); foreach ($order as $itemID => $options) { foreach ($options as $optionID => $qty) if (isset($items[$itemID]) && isset($items[$itemID]['options'][$optionID]) && isset($items[$itemID]['options'][$optionID]['file'])) { array_push($downloads, $items[$itemID]); } else { array_push($ships, $items[$itemID]); } } require_once(TPL_PATH.'/thankyou.tpl.php'); die(); }}require_once(TPL_PATH.'/error.tpl.php');?>