When you use the default option to provide a “success” URL to your products or upsells, or the “custom” option if you have an upsell flow, we pass along information about the order via the query string. This can optionally be used to customise the page for your customers.
This information includes the customer’s name, email address, contact and address details, as well as the order info which explains which products were purchased.
We also provide an ‘order ID’, which can be used to uniquely verify each order. You could, for instance, prevent multiple signup’s to your website for a single distinct order ID (though, bear in mind that a customer could press the ‘back’ button to return to ThriveCart’s success page, and then click the link again. We advise that you use some business logic to handle duplicate clicks like this, perhaps by only locking down the URL after their account has been successfully made).
Lastly, we pass along a hash of the information. This hash can be used to verify that the order details have not been tampered with or modified so that you know you are always dealing with a valid order that came from ThriveCart.
Verifying the hash
To verify the hash, you’ll need to collect the data included in the ‘thrivecart’ query string variable, order it while maintaining index association, and then create an MD5 hash of your secret word, followed by ‘__’, followed by an upper-case JSON-encoded version of the array from the query string.
If the hash that you generate matches the one provided by ThriveCart, you can be assured that it has come from us and that the order details have not been modified in transit. Without checking this, someone could add an additional product ID into the array that they did not purchase!
Important: Your secret word can be found by going to the Settings page, then choosing the API section. You can also generate a new secret word from this page at any time, but if you do, you will need to update it in your custom code!
Here is some example code demonstrating how the process works:
[php]
<?php
$my_thrivecart_secret = 'VPHTQE3TU8Q0'; // @todo Change this value to your ThriveCart secret word
$hash = trim($_GET['thrivecart_hash']); // This is the hash as provided by ThriveCart
// Check if the hash exists, and is 32 characters long
if(empty($hash) || strlen($hash) !== 32) {
die('You cannot access this page without a valid order hash.');
}
// Check that some order data has been passed along too
if(empty($_GET['thrivecart']) || !is_array($_GET['thrivecart'])) {
die('You cannot access this page without valid order info from ThriveCart.');
}
// Verify the hash matches the data provided
$thrivecart = $_GET['thrivecart'];
ksort($thrivecart);
array_walk_recursive($thrivecart, function(&$i) { $i =
rawurlencode($i); });
$local_hash = md5(implode('__', array($my_thrivecart_secret, strtoupper(json_encode($thrivecart)))));
if($hash !== $local_hash) {
die('Your hash does not match up; it looks like your order details are invalid.');
}
// If they get this far, the hash is valid and you can provide the products to the customer or run any additional logic that you need to
echo 'Excellent, your hash matches and you are entitled to your products.';
?>
[/php]
Potential query-string parameters
You will receive two query string variables called thrivecart, and thrivecart_hash. Inside the thrivecart array will be the following keys:
- account_id
- account_name
- order_id
- order_total
- product_id (the product ID the order relates to; this does not mean that the product was purchased)
payment_processor - purchases (an array of the product ID, and the string ‘bump’ if the bump offer on that product was purchased)
- customer (an array containing the customer’s email, firstname, lastname, contactno params if they were provided)