diff --git a/htdocs/public/paypal/newpayment.php b/htdocs/public/paypal/newpayment.php
index 065de28665d..c540cdd3030 100755
--- a/htdocs/public/paypal/newpayment.php
+++ b/htdocs/public/paypal/newpayment.php
@@ -87,7 +87,7 @@ $SOURCE=GETPOST("source",'alpha');
$ref=$REF=GETPOST('ref','alpha');
$TAG=GETPOST("tag",'alpha');
$FULLTAG=GETPOST("fulltag",'alpha'); // fulltag is tag with more informations
-$SECUREKEY=GETPOST("securekey"); // Secure key
+$SECUREKEY=GETPOST("securekey",'alpha'); // Secure key
if (! empty($SOURCE))
{
@@ -138,35 +138,10 @@ if (empty($PAYPAL_API_SIGNATURE))
return -1;
}
-// Check security token
-$valid=true;
-if (! empty($conf->global->PAYPAL_SECURITY_TOKEN))
-{
- if (! empty($conf->global->PAYPAL_SECURITY_TOKEN_UNIQUE))
- {
- if ($REF) $token = dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . $REF); // REF always defined if SOURCE is defined
- else $token = dol_hash($conf->global->PAYPAL_SECURITY_TOKEN);
- }
- else
- {
- $token = $conf->global->PAYPAL_SECURITY_TOKEN;
- }
- if ($SECUREKEY != $token) $valid=false;
-
- if (! $valid)
- {
- print 'Bad value for key.
';
- //print 'SECUREKEY='.$SECUREKEY.' token='.$token.' valid='.$valid;
- exit;
- }
-}
-
-
/*
* Actions
*/
-
if (GETPOST("action") == 'dopayment')
{
$PAYPAL_API_PRICE=price2num(GETPOST("newamount"),'MT');
@@ -262,7 +237,6 @@ print ''."\n";
print ''."\n";
print ''."\n";
print ''."\n";
-print ''."\n";
print "\n";
print ''."\n";
print ''."\n";
@@ -329,8 +303,16 @@ $found=false;
$error=0;
$var=false;
+// Check security token
+$valid=true;
+if (! empty($conf->global->PAYPAL_SECURITY_TOKEN) )
+{
+ $token = dol_hash($conf->global->PAYPAL_SECURITY_TOKEN . $SOURCE . $ref, 2);
+ if ($SECUREKEY != $token) $valid=false;
+}
+
// Free payment
-if (! GETPOST("source") && $valid)
+if (! GETPOST("source"))
{
$found=true;
$tag=GETPOST("tag");