diff --git a/htdocs/public/paypal/newpayment.php b/htdocs/public/paypal/newpayment.php
index c540cdd3030..065de28665d 100755
--- a/htdocs/public/paypal/newpayment.php
+++ b/htdocs/public/paypal/newpayment.php
@@ -87,7 +87,7 @@ $SOURCE=GETPOST("source",'alpha');
 $ref=$REF=GETPOST('ref','alpha');
 $TAG=GETPOST("tag",'alpha');
 $FULLTAG=GETPOST("fulltag",'alpha'); // fulltag is tag with more informations
-$SECUREKEY=GETPOST("securekey",'alpha'); // Secure key
+$SECUREKEY=GETPOST("securekey"); // Secure key
 
 if (! empty($SOURCE))
 {
@@ -138,10 +138,35 @@ if (empty($PAYPAL_API_SIGNATURE))
 	return -1;
 }
+// Check security token
+$valid=true;
+if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))
+{
+	if (! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE))
+	{
+		if ($REF) $token = dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . $REF); // REF always defined if SOURCE is defined
+		else $token = dol_hash($conf->global->PAYPAL_SECURITY_TOKEN);
+	}
+	else
+	{
+		$token = $conf->global->PAYPAL_SECURITY_TOKEN;
+	}
+	if ($SECUREKEY != $token) $valid=false;
+	if (! $valid)
+	{
+		print '
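Review bot: Dropping the `'alpha'` check on the `$SECUREKEY=GETPOST("securekey")` line means the raw request value now reaches the token comparison added in the second hunk, and that comparison is a loose `$SECUREKEY != $token`, so PHP compares numeric-looking strings numerically instead of byte for byte against the `dol_hash()` result. Where the token is checked, prefer a type-strict, constant-time comparison such as `if (! hash_equals((string) $token, (string) $SECUREKEY)) $valid=false;` (or at minimum `!==` with both sides cast to string if the project still supports PHP versions before hash_equals). The reason for removing the filter is not visible in this hunk; a short comment on the new line, e.g. `// no 'alpha' filter: the token may contain non-alphanumeric characters`, would record it for the next reader.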