|
PHP - Php Paypal Security Issue!
Hi, i am running an online ecommerce store where i let people list and sell their items.
Howerver the security is to weak. when people click the buy button on a product they are taken to process.php where a session is set to true, and then they are redirected to paypal to complete tehir orders. after their payment is completed they are redirected to success.php where they collect their download from a link to the download url posted by the user who listed the product. now the problem is that all that is required to get access to file download is for the session to be "true", this means that someone could just navigate to process.php and then skip paypal and navigate directly to success.php. Here is what i want to do: instead of the link beeing displayed in the success.php file, i want paypal to navigate directly to the file download instead... Here is my php files: http://www.mediafire.com/?383u89twj197bjg Thank you all for helping me... i would be forever happy if any of you could have a look at the script and correct it as mentioned above, and please send the files back to : vallandepost@gmail.com ... thank you very much! Similar Tutorialstriple posted for some reason. i just discovered a hole in my scripts relating to access . 1. have a simple login form 2. based on the type of user , he is directed to a page for his options . 3. I now realise that altho each page therefter checks for sessions of the user , he can easily change the url to that of another user and there is no way to prevent it. 4. How can i make sure that each time a page is accessed it is only by the user whom it is meant for. Relevant code snippets below . Thanks ! Swati login.php --------- <?php //error_reporting(E_ERROR | E_PARSE | E_CORE_ERROR); //Process this if statement only if form was submitted if($_POST['submit']){ session_start(); $username=$_POST['username']; $password=$_POST['password']; include ("link.php"); // contains db info //Test for login success $sql = "SELECT * FROM Users WHERE Username='$username' AND Password = '$password'"; $result = mysql_query($sql); if ($myrow = mysql_fetch_assoc($result)){ // echo $sql; $login_success = 'Yes'; $userid = $myrow["Userid"]; $usertype = $myrow["UTID"]; $status = "On"; $url = $PHP_SELF."?".$_SERVER['QUERY_STRING'];; $logout = 'logout.php'; $_SESSION['id']=session_id(); $_SESSION['userid']=$userid; $_SESSION['usertype']=$usertype; $sql2= "insert into Log (Sessionid,Userid,IP,Date,File, Status) values('$_SESSION[id]','$userid','$ip','$tm', '$url', '$status')"; $result2 = mysql_query($sql2) or die ('no access to database: ' . mysql_error()); // echo mysql_error(); } } } ?> Each subsequent page has this header ============================== <? header("Cache-Control: public"); include ("log.php"); //db info for DB along with session start if(!isset($_SESSION['userid'])){ echo "<center><font face='Calibri' size='2' color=red>Sorry, Please login and use this page </font></center>"; exit;} ?> The url of each page : Code: [Select] www.abc.com/example/type1.php?Userid=USER1ID and such a user can easily change the url to Code: [Select] www.abc.com/example/type2.php?Userid=USER1ID and access all the options of type2.php Hi I run versions of sites on a local server. For these the path to a mysql connection script is pretty simple: mysql_connec.php On my live server, I put things out of the public directory - so this time the path is ../mysql_connect.php I therefore have to have sections like this in my files = and whilst not complex, its a pain having to uncomment/comment lines depending on which server I am working because I keep forgetting! Code: [Select] // require_once('../../workRecord/mysql_connect.php'); //online require_once('mysql_connect.php'); //local Is there some way I can identify which server I am on so I don't keep having to do this. I was thinking of using something like this: Code: [Select] if ($_SERVER['DOCUMENT_ROOT']=="c:/web_root/blah/blah"){ require_once('mysql_connect.php'); }else{ require_once('../../workRecord/mysql_connect.php'); } I am pretty sure this would work, but does this method present any security issues??? Hi folks, a few days back, we enabled SSL on our office server and the intranet migrated to https. Everything is ok on the intranet. On the public internet, we noticed today that the page on our website, which connects to our office server to fetch and display data was throwing an error, which I presumed was a Security Certificate issue... An area that's like the Dark Side of the Moon for me.. the webpage - https://liveconnections.in/hotjobs.php This is the error from the logs PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed PHP Warning: file_get_contents(): Failed to enable crypto PHP Warning: file_get_contents(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Anycase, the internet was willing to help and so I updated the code to a curl function. The Data is not displaying still... Here's the code... where am i going wrong ?
<?php
//error_reporting(E_ERROR | E_PARSE | E_ALL);
$page="jobs-listing";
?>
<header class="section background-livec text-center">
<h3 class="text-white margin-bottom-0 text-size-40 text-thin text-line-height-1">Current & Hot Jobs</h3>
</header>
<?php
$industry = $_GET['industry'];
$location = $_GET['location'];
$expMin = $_GET['expMin'];
$expMax = $_GET['expMax'];
$sortBy = $_GET['sortBy'];
$cpg = $_GET['page'];
if(empty($cpg) || $cpg==1)
$npl = 1;
else {
//$npl = (($cpg+1)*10) - 9;
$npl = $_GET['startingRowNo'];
}
$industry = str_replace(' ', '%20', $industry);
$location = str_replace(' ', '%20', $location);
$url = "https://xx.xxx.xxx.xxx/WebService/rest/";
function file_get_contents_curl($url) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); //Set curl to return the data instead of printing it to the browser.
curl_setopt($ch, CURLOPT_URL, $url);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
if(!empty($sortBy)) {
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy='.$sortBy.'&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
} else if(!empty($industry) || !empty($location) || !empty($expMin) || !empty($expMax)) {
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy=&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
} else {
//$json = file_get_contents_curl($url.'getOnlineWebPosting');
$json = file_get_contents_curl($url.'getHeadersBySearch?industry='.$industry.'&location='.$location.'&expMin='.$expMin.'&expMax='.$expMax.'&sortBy=&startingRowNo='.$npl.'&noOfRows=1000000');
$data = json_decode($json);
//if (!$data) echo "Data Not Found" ;
}
if($sortBy=='DESC' || $sortBy=='') {
$aclass = 'down_arrow';
} else {
$aclass = 'up_arrow';
}
$json2 = file_get_contents_curl($url.'getSearchData');
$data2 = json_decode($json2);
$industry = str_replace('%20', ' ', $industry);
$location = str_replace('%20', ' ', $location);
if($industry=='F amp A - BPO') {
$industry = 'F & A - BPO';
}
if($industry=='OIL amp GAS') {
$industry = 'OIL & GAS';
}
?>
<div class="section background-white">
<div class="background-white">
<p class="text-padding-bot text-letter-spacing1">A cross-section of Jobs currently available. We recommend you to contact our Executives for further info. <br />
More details available when the Job is '<strong>View'</strong>ed. </p>
</div>
<?php
//$data='';
//if($data!=''){ ?>
<?php //if ($checkyear>2017) { ?>
<div class="subJobs">
<ul>
<li> Industry <br />
<select name="industry" id="industry" class="sel">
<option value="">Select Industry Name</option>
<?php for($i=0; $i<count($data2[0]); $i++) { ?>
<?php if(isset($industry) && $industry==$data2[0][$i]) { ?>
<option selected value="<?php echo $data2[0][$i];?>"><?php echo $data2[0][$i];?></option>
<?php } else { ?>
<option value="<?php echo $data2[0][$i];?>"><?php echo $data2[0][$i];?></option>
<?php }
} ?>
</select>
</li>
<li>Location<br />
<select name="city" id="city" class="sel">
<option value="">Select City Name</option
><?php $m=0; for($j=0; $j<count($data2[1]); $j++) { ?>
<?php $locat = explode(",",$location); ?>
<?php if($locat[$m]!="" && $locat[$m]==$data2[1][$j]) { ?>
<option selected value="<?php echo $data2[1][$j];?>"><?php echo $data2[1][$j];?></option>
<?php ++$m; } else { ?>
<option value="<?php echo $data2[1][$j];?>"><?php echo $data2[1][$j];?></option>
<?php }
} ?>
</select>
</li>
<li>Experience <br />
<select name="minyear" class="sel2" id="minyear">
<option value="">Min</option>
<?php for($ii=0; $ii<46; $ii++) { ?>
<?php if($expMin!="" && $expMin==$ii) { ?>
<option selected value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php } else { ?>
<option value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php }
} ?>
</select>
<select name="maxyear" class="sel2" id="maxyear" onchange="return select_max();">
<option value="">Max</option>
<?php for($ii=0; $ii<51; $ii++) { ?>
<?php if($expMax!="" && $expMax==$ii) { ?>
<option selected value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php } else { ?>
<option value="<?php echo $ii; ?>"><?php echo $ii; ?></option>
<?php }
} ?>
</select>
<!-- select name="" class="sel2" id="sort">
<option value="">Select</option>
<option value="ASC">ASC</option>
<option value="DESC">DESC</option>
</select -->
</li>
<li class="ser"><button type="button" onclick="search_by_category()" class="btn btn-default" style="margin-top:25px;"><i class="fa fa-search"></i> Search</button></li>
</ul>
</div>
<!-- Selected Jobs Headline Info -->
<div class="line">
<p class="text-dark text-center text-size-16">
<?php if($industry) echo 'Showing ' . '<b>' . $industry .'</b>' . ' Jobs' ; ?>
<?php if($location) echo ' at ' . '<b>' . $location .'</b>' ; ?>
<?php if($expMin) echo ' with Min ' . '<b>' . $expMin .'</b>' ; ?>
<?php if($expMax) echo ' to Max '. '<b>' . $expMax.'</b>' ; ?>
<?php if($expMin | $expMax) echo ' Years Experience' ;?>
</p>
</div>
<!-- Jobs Table -->
<table id="example" class="display" cellspacing="0" width="100%">
<thead>
<tr>
<th class="jobs_noshow text-center" width="5%">S.No</th>
<th class="text-center" width="15%">Posted On</th>
<th class="text-center" width="30%">Job Title</th>
<th class="jobs_noshow text-center" width="15%">Level</th>
<th class="jobs_noshow text-center" width="15%">Location</th>
<th class="jobs_noshow text-center" width="15%">Job Code</th>
<th class="text-center" width="5%">Action</th>
</tr>
</thead>
<tbody>
<?php $ri=1; foreach($data as $kk=>$d) { ?>
<?php
$date_posted = $d->postedDate; // get the Posted Date
$date_posted_year=date("Y",strtotime($date_posted)); // Get the Year from the date and store in a variable
if ($date_posted_year>$jobs_restrict_year) { // Show only Jobs posted after this year ?>
<tr>
<td class="jobs_noshow text-center"><?php echo $ri; ?></td>
<td class="text-center"><?php echo $d->postedDate; ?></td>
<td><?php echo $d->title; ?></td>
<td class="jobs_noshow ctext notreq"><?php echo $d->level; ?></td>
<td class="jobs_noshow text-center notreq"><?php echo $d->location; ?></td>
<td class="jobs_noshow text-center"><?php echo $d->requirementID; ?></td>
<td class="text-center"><a class="button background-livec border-radius text-white" style="color:white" data-fancybox="ajax" href="?contentid=jobs-detail&requirementID=<?php echo $d->requirementID; ?>&requirementSeqNo=<?php echo $d->requirementSeqNo; ?>" data-type="ajax">View</a></td>
</tr>
<?php } ?>
<?php $ri=$ri+1; } ?>
</tbody>
</table>
<script type="text/javascript">
$(document).ready(function () {
var table = $('#example').DataTable( {
"pageLength": 25,
"sPaginationType":"full_numbers",
"oLanguage": {
"sInfo": 'Showing _START_ to _END_ of _TOTAL_ Jobs.',
"sInfoEmpty": '',
"sEmptyTable": "No Jobs found currently",
}
});
$('#example').removeClass( 'display' ).addClass('table table-striped table-bordered');
});
</script>
<style> .dataTables_filter { display: none; } </style>
<!-- End of Table -->
</div>
<?php // } else { ?>
<div style="margin: 20px 0 40px 0px;height:200px;text-align:center;">
<h1 style="font-size:16px;">Server is unavailable at the moment. Please try after some time.</h1>
</div>
<?php //}?>
</div>
<!--jobs end-->
<script type="text/javascript">
function search_by_category() {
industry = $('#industry option:selected').val();
//city1 = $('#city option:selected').val();
minyear = $('#minyear option:selected').val();
maxyear = $('#maxyear option:selected').val();
//sortBy = $('#sort option:selected').val();
var city = $('select#city').val();
var cur_pg = "<?php echo $cpg; ?>";
var tot = "<?php echo $total; ?>";
var tot_pgs = Math.ceil(tot/25);
//if(cur_pg=="")
cur_pg = 1;
var last_pg = tot_pgs - cur_pg;
if(last_pg==0)
records = tot - ((tot_pgs -1) * 25);
else
records = 25;
var strt_val = ((cur_pg-1) * 25) + 1;
if(industry=='F & A - BPO')
industry ='F amp A - BPO';
if(industry=='OIL & GAS')
industry ='OIL amp GAS';
city1 = document.getElementById("city").value;
if(city1=="" || city1=="null") {
city="";
}
if(industry!="" || city!="" || minyear!="" || maxyear!="") {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=&startingRowNo=1"+"&noOfRows="+records+"&page="+cur_pg;
} else {
//alert("Please select any one of the fields");
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=&startingRowNo=1"+"&noOfRows="+records+"&page="+cur_pg;
}
}
function sort_by_location() {
var order = '<?php echo $sortBy; ?>';
industry = $('#industry option:selected').val();
city = $('#city option:selected').val();
minyear = $('#minyear option:selected').val();
maxyear = $('#maxyear option:selected').val();
city1 = document.getElementById("city").value;
if(industry=='F & A - BPO')
industry ='F amp A - BPO';
if(industry=='OIL & GAS')
industry ='OIL amp GAS';
if(city1=="") {
city="";
} else {
city = $('select#city').val();
}
if(order=="" || order=="DESC") {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=ASC"+"&startingRowNo=1&noOfRows=10";
} else {
location.href="hotjobs.php?contentid=hotjobs&industry="+industry+"&location="+city+"&expMin="+minyear+"&expMax="+maxyear+"&sortBy=DESC"+"&startingRowNo=1&noOfRows=10";
}
}
function select_max() {
minyear = document.getElementById("minyear").value;
maxyear = document.getElementById("maxyear").value;
if(parseInt(maxyear)>=parseInt(minyear)) {
return true;
} else {
if(maxyear!="") {
alert("Maximum year must be equal or greater than minimum year");
$('#maxyear').val("");
return false;
}
}
}
</script>
Also, if i change the $url in my code to https:// , no data is displayed... I raised a Support request to the Hosting provider, but they seem to have vanished into the ozone.... Any help would be highly appreciated. Cheers - Murali
Hey guys i have created a paypal IPN script and it takes various info from users via paypal. Anyways i store their info into a database along with their email however i dont want them to be able to purchase again with the same email (long story) anways by the time i receive the info from paypal the payments already gone through so its too late for me to do the checking against the database. Is there anyway i can auto refund the payment do paypal allow this? Hope someone can help. Thanks! I just did the ipn page to store paypal transactions into my database but it doesnt seem to be working. Is there anything else that i need to do other than creating the ipn page? <?php mysql_connect("localhost", "root", "") or die(mysql_error()); mysql_select_db("pbstore") or die(mysql_error()); // read the post from PayPal system and add 'cmd' $req = 'cmd=_notify-validate'; foreach ($_POST as $key => $value) { $value = urlencode(stripslashes($value)); $req .= "&$key=$value"; } // post back to PayPal system to validate $header = "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30); if (!$fp) { // HTTP ERROR } else { fputs ($fp, $header . $req); while (!feof($fp)) { $res = fgets ($fp, 1024); if (strcmp ($res, "VERIFIED") == 0) { // PAYMENT VALIDATED & VERIFIED! $email = $_POST['payer_email']; $name = $_POST['item_name']; mysql_query("INSERT into sales (name, email) VALUES('".$name."', '".$email."')")or die(mysql_error()); mysql_query("INSERT INTO users (email, password) VALUES('". mysql_escape_string($email) ."', '".md5($password)."' ) ") or die(mysql_error()); } else if (strcmp ($res, "INVALID") == 0) { // PAYMENT INVALID & INVESTIGATE MANUALY! } } fclose ($fp); } ?> I am trying to get a Paypal IPN working using PHP. I have attached the code I have written that is not working. I have no real way to test it other than nothing is being posted to the databases. The transactions seem to complete with paypal, but I get no information and no emails are generated. Any help would be much appreciated. Hi guys, my code below works with sanbox for paypal IPN but since it has gone live it doesnt do anything, so i made emails to send me where the issue is and it keep sending me $req = 'cmd=_notify-validate'; could you please tell me what im doing wrong here? my db connection should be fine as it does update the users on sanbox. the account im paying with in paypal keep saying payment status unclaimed. it means the reciever has not recieved the money. I checked the paypal account where i recieve the moeny and looked into my ipn history, nothing there. the same ipn address is used for my account when i tested it on sanbox, thanks <?php $email="princeofpersia@hotmail.co.uk"; include 'global.php'; // read the post from PayPal system and add 'cmd' $req = 'cmd=_notify-validate'; foreach ($_POST as $key => $value) { $value = urlencode(stripslashes($value)); $req .= "&$key=$value"; } // post back to PayPal system to validate $header .= "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30); //$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);//Live // assign posted variables to local variables if (!$fp)// failed to connect to url { //write to file $fh = fopen("logipn.txt", 'a');//open file and create if does not exist fwrite($fh, "\r\n/////////////////////////////////////////\r\n HTTP ERROR \r\n");//Just for spacing in log file fwrite($fh, $errstr);//write data fclose($fh);//close file $mail_From = "From: IPN@tester.com"; $mail_To = $email; $mail_Subject = "HTTP ERROR"; $mail_Body = $errstr;//error string from fsockopen mail($mail_To, $mail_Subject, $mail_Body, $mail_From); } else//successful connect to url { fputs ($fp, $header . $req);//send request while (!feof($fp)) //while not end of file { $res = fgets ($fp, 1024);//get response if (strcmp ($res, "VERIFIED") == 0) { //write to file $fh = fopen("logipn.txt", 'a');//open file and create if does not exist fwrite($fh, "\r\n/////////////////////////////////////////\r\n Verified \r\n");//Just for spacing in log file fwrite($fh, $req);//write data fclose($fh);//close file $mail_From = "From: IPN@tester.com"; $mail_To = $email; $mail_Subject = "VERIFIED IPN"; $mail_Body = $req; mail($mail_To, $mail_Subject, $mail_Body, $mail_From); } else if (strcmp ($res, "INVALID") == 0) { //write to file $fh = fopen("logipn.txt", 'a');//open file and create if does not exist fwrite($fh, "\r\n/////////////////////////////////////////\r\n Invalid \r\n");//Just for spacing in log file fwrite($fh, $req);//write data fclose($fh);//close file $mail_From = "From: IPN@tester.com"; $mail_To = $email; $mail_Subject = "INVALID IPN"; $mail_Body = $req; mail($mail_To, $mail_Subject, $mail_Body, $mail_From); } } fclose ($fp);//close file pointer } $item_name = $_POST['item_name']; $item_number = $_POST['item_number']; $payment_status = $_POST['payment_status']; $payment_amount = $_POST['mc_gross']; $payment_currency = $_POST['mc_currency']; $txn_id = $_POST['txn_id']; $receiver_email = $_POST['receiver_email']; $payer_email = $_POST['payer_email']; //$username=$_POST['username']; if (!$fp) { // HTTP ERROR } else { fputs ($fp, $header . $req); while (!feof($fp)) { $res = fgets ($fp, 1024); if (strcmp ($res, "VERIFIED") == 0) { if (strtolower($payment_status)=="completed") { if ($payment_amount==0.01&&$payment_currency=="GBP") { $update = mysql_query("UPDATE users SET credit= credit+5 WHERE email='$payer_email'"); } } // check the payment_status is Completed // check that txn_id has not been previously processed // check that receiver_email is your Primary PayPal email // check that payment_amount/payment_currency are correct // process payment } else if (strcmp ($res, "INVALID") == 0) { // log for manual investigation } } fclose ($fp); } ?> Hey All, I have setup a Paypal API to handle the recurring payments on my website, once the payment is completed I get a token id and ba_token id return. I am storing this in a database, but wondered how people link this with a user table? I could use a cookie to store the user's id before payment and then get it once the payment is complete, but this would not work with the subsequent recurring payments. How do you go about sending the user id when a recurring payment happens? Any advise would be appreciated. Edd Hi, I am new here, so hello everyone. I really need some help with getting Paypal IPN working correctly. This is what I am trying to do. I have a user database, when the user logs in, they have the option to upgrade/subscribe to our website. So when they subscribe and payment is validated, I want a specific field in a specific table updated based on the user's unique ID, not based on [payer_email], so how do I pass on that parameter using IPN? right now I added the "userId" to a hidden field in the Paypal subscription form named "on1".... I hope this isn't confusing - would really appreciate your help - I added code below. Code: [Select] <?php DB info -- // read the post from PayPal system and add 'cmd' $req = 'cmd=_notify-validate'; foreach ($_POST as $key => $value) { $value = urlencode(stripslashes($value)); $req .= "&$key=$value"; } // post back to PayPal system to validate $header = "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30); if (!$fp) { // HTTP ERROR } else { fputs ($fp, $header . $req); while (!feof($fp)) { $res = fgets ($fp, 1024); if (strcmp ($res, "VERIFIED") == 0) { // PAYMENT VALIDATED & VERIFIED! $email = $_POST['payer_email']; $userId=$_POST['on1']; $membership = '2'; mysql_query("UPDATE users SET membership=".$membership." WHERE userId=".$userId) or die(mysql_error()); $to = $email; $subject = 'subject line'; $message = ' message here '; mail($to, $subject, $message, $headers); } else if (strcmp ($res, "INVALID") == 0) { // PAYMENT INVALID & INVESTIGATE MANUALY! $to = 'my_email'; $subject = 'subject lin'; $message = ' Dear Administrator, A payment has been made but is flagged as INVALID. Please verify the payment manualy and contact the buyer. Buyer Email: '.$email.' '; $headers = 'From:my_email' . "\r\n"; mail($to, $subject, $message, $headers); } } fclose ($fp); } ?> Hi Does any one know of any good tutorials for paypal web payments pro, or recommend books Thanks in advance Hi all I have a quick PayPal IPN question, is this the right group to post the message and does anyone know much about the PayPal IPN? Thanks Hey Guys, i have another problem, i am using paypal IPN, and i want the details of the order to be stored in my orders table of the databse as well as sending me an email. Im pretty sure the code is ok, but it is not working. Can some one please take a look? <?php include('db_fns.php'); // change these to your paypal settings $paypal_email = "benmunns@gmail.com"; $paypal_currency = 'USD'; $shipping = 10.00; /** * checks if paypal trans id is already in database * @param int $trans_id * @return bool */ function no_paypal_trans_id($trans_id) { $connection = db_connect(); $query = sprintf("SELECT id from orders WHERE paypal_trans_id = '%s'", mysql_real_escape_string($trans_id)); $result = mysql_query($query); $num_results = mysql_num_rows($result); if($num_results == 0) { return true; } return false; } /** * checks to make sure that paypal payment amount is correct * @param int $shipping * @param array $params * @return bool */ function payment_amount_correct($shipping, $params) { $amount = 0.00; for ($i=1; $i <= $params['num_cart_items']; $i++) { $query = sprintf("SELECT price from products where id='%s'", mysql_real_escape_string($params["item_number{$i}"])); $result = mysql_query($query); if($result) { $item_price = mysql_result($result, 0, 'price'); $amount += $item_price * $params["quantity{$i}"]; } } if(($amount+$shipping) == $params['mc_gross']) { return true; } else { return false; } } /** * creates order and adds items * @param array $params * @return bool */ function create_order($params) { db_connect(); $query = sprintf("INSERT INTO orders set orders.firstname = '%s', orders.lastname = '%s', orders.email = '%s', orders.country = '%s', orders.address = '%s', orders.city = '%s', orders.zip_code = '%s', orders.state = '%s', orders.status = '%s', orders.amount = '%s', orders.paypal_trans_id = '%s', created_at = NOW() ", mysql_real_escape_string($params['first_name']), mysql_real_escape_string($params['last_name']), mysql_real_escape_string($params['payer_email']), mysql_real_escape_string($params['address_country']), mysql_real_escape_string($params['address_street']), mysql_real_escape_string($params['address_city']), mysql_real_escape_string($params['address_zip']), mysql_real_escape_string($params['address_state']), mysql_real_escape_string($params['payment_status']), mysql_real_escape_string($params['mc_gross']), mysql_real_escape_string($params['txn_id']) ); $result = mysql_query($query); if(!$result) { return false; } $order_id = mysql_insert_id(); for ($i=1; $i <= $params['num_cart_items'] ; $i++) { $product = find_product($params["item_number{$i}"]); $query = sprintf("INSERT INTO items set order_id = '%s', product_id = '%s', title = '%s', price = '%s', qty = '%s' ", mysql_real_escape_string($order_id), mysql_real_escape_string($product['id']), mysql_real_escape_string($product['title']), mysql_real_escape_string($product['price']), mysql_real_escape_string($params["quantity{$i}"]) ); $result = mysql_query($query); if(!$result) { return false; } } return true; } // read the post from PayPal system and add 'cmd' $req = 'cmd=_notify-validate'; foreach ($_POST as $key => $value) { $value = urlencode(stripslashes($value)); $req .= "&$key=$value"; } // post back to PayPal system to validate $header .= "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30); // assign posted variables to local variables $item_name = $_POST['item_name']; $item_number = $_POST['item_number']; $payment_status = $_POST['payment_status']; $payment_amount = $_POST['mc_gross']; $payment_currency = $_POST['mc_currency']; $txn_id = $_POST['txn_id']; $receiver_email = $_POST['receiver_email']; $payer_email = $_POST['payer_email']; if (!$fp) { // HTTP ERROR } else { fputs ($fp, $header . $req); while (!feof($fp)) { $res = fgets ($fp, 1024); if (strcmp ($res, "VERIFIED") == 0) { if ($_POST['payment_status'] == 'Completed' && no_paypal_trans_id($_POST['txn_id']) && $paypal_email == $_POST['receiver_email'] && $paypal_currency == $_POST['mc_currency'] && payment_amount_correct($shipping, $_POST) ) { // process payment create_order($_POST); } } else if (strcmp ($res, "INVALID") == 0) { // log for manual investigation } } fclose ($fp); } ?> Hi, I have setup my paypal payment method for a shopping cart on my site, all is well but in order for my server to flag an invoice as paid, the user must return to my website after paying and the query string in the url give the script the go ahead to mark it as paid which in turn alerts the appropriate department that its ok to source the order. ~The problem is, if the user for whatever reason skip the redirect back to my site, the invoice is remain 'unpaid' and has to be changed manually when the payment has been checked in the account. As you might imagine this is a bit of a problem because not only can it cause quite a delay, it also requires manually changing values which can lead to other problems. So if there is a better way i would appreciate the info, thanks a lot. Hi, How to get paypal transection id on return after someone pay if i've paypal payment form as following Code: [Select] <form action="https://www.paypal.com/cgi-bin/webscr" method="post"> <input type="hidden" name="cmd" value="_xclick"> <input type="hidden" name="business" value="<?=$line[paypalid]?>"> <input type="hidden" name="item_name" value="Payment Your Hits"> <input type="hidden" name="item_number" value="1"> <input type="hidden" name="amount" value="<?=$usd?>"> <input type="hidden" name="no_shipping" value="0"> <input type="hidden" name="no_note" value="payment from website submittion"> <input type="hidden" name="currency_code" value="USD"> <input type="hidden" name="lc" value="AU"> <input type="hidden" name="bn" value="PP-BuyNowBF"> <input type="hidden" name="return" value="<?=$site_root?>/return.php?id=<?=$line[id]?>"> <button type="submit" class="clean-green">Pay Now</button> </form> on return i will get it by id which is <?$line[id]?> but i want to get the transection id of payment too how it comes ? hi, I'm trying to integrate paypal integration. it is integrated successfully and I've checked on my test account too. i want that as user purchase package he should able to download the file. to do that i want to set return variable. as user complete the payment process on paypal , it should auto come back to my website. as he'll be back I'll set his flag to paid and allow him to download file. the problem I'm facing is on my test account. when i paid money. i didn't return to my website. so i don't know to set his flag to true. any one know its best solution??? i want immediate response to client to pay online. Please advise... Thanks Hi me need to implement echeck system in my site with paypal using php script with ipn can any one help me out regarding code for paypal echeck payment system. Thanks Hi, I've integrated paypal payment pro over my website. I don't know how can i test it. can any one help me out? my site address is : http://pacific-labs.com/paymybill.php Please help I am writing a listener to handle IPN notifications from paypal, and one thing I cant seemt o find anywhere - How does IPN handle pending payments, that are then completed/denied? For example, if paypal invokes my IPN once the payment is made, but pending, with a particular transaction ID, when the payment completes, does it then invoke my IPN again, with the payment status as 'completed'? If so, will this second IPN have the same transaction ID? It would seem logical that the same transaction ID is sent again, as it is actually the same customer transaction, however reading this on thepaypal website suggests otherwise: "Avoid duplicate IPN messages. Check that you have not already processed the transaction identified by the transaction ID returned in the IPN message. You may need to store transaction IDs returned by IPN messages in a file or database so that you can check for duplicates. If the transaction ID sent by PayPal is a duplicate, you should not process it again. " Help would be appreciated!! Hi Everybody I am doing online education portal. Teachers and students will be registered on this site. Student will search teachers and create schedule to learn subjects. For that student can pay to the teacher some amount. So that student can increase his/her balance. That means he can transfer some money to website company account through credit card or paypal or google checkout. I did credit card part. But i am not getting any idea to do in paypal. That means student can enter amount and click paypal button, it should show paypal page. So that he can login into his paypal account and pay that amount. After pay that amount we can get IPN (Instant Payment Notification). So that we can store that amount into my database under that student ID. Please tell me how can i do this? |
|||||||