PHP Paypal IPN


dezkit

I have these two codes:

 

index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>PIN shop</title>
<link rel="stylesheet" type="text/css" media="All" href="css/style.css" />
</head>
<body>

<div id="wrap">
	<h3>Purchase PINs</h3>
	<p>Please click the button below to receive login details for the download area. <br />
	   Already have an account? <a href="login.php">Login</a> here.</p>
	  	<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
		<input type="hidden" name="cmd" value="_xclick">
		<input type="hidden" name="business" value="dezkit@yahoo.com">
		<input type="hidden" name="lc" value="US">
		<input type="hidden" name="item_name" value="PIN Number">
		<input type="hidden" name="amount" value="0.01">
		<input type="hidden" name="currency_code" value="USD">
		<input type="hidden" name="button_subtype" value="services">
		<input type="hidden" name="notify_url" value="http://newzonemedia.com/henry/ipn.php" />
		<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHosted">
		<table>
		<tr><td><input type="hidden" name="on0" value="Sythe Username">Sythe Username</td></tr><tr><td><input type="text" name="os0" maxlength="60"></td></tr>
		<tr><td><input type="hidden" name="on1" value="Email Address">Email Address</td></tr><tr><td><input type="text" name="os1" maxlength="60"></td></tr>
		</table>
		<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
		<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
		</form>

</div>

</body>
</html>

 

ipn.php

<?php

mysql_connect("localhost", "dima1989_max", "xxxxx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!

$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());

}

else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

echo "The payment is invalid.";

}
}
fclose ($fp);
}
?>

 

No matter what I do, the debug (Insert 1 into database) never does it, and I never get returned to the main page ipn.php. Help? Thanks

Link to comment
Share on other sites

You probably want the fsockopen in the ipn.php page to point to www.sandbox.paypal.com as well.

He's right. URLs must match.

 

and you see this:

 

if (!$fp) {
// HTTP ERROR
}

 

instead of //HTTP ERROR, perhaps you should actually log this so you know if the fsockopen() function is failing or not.  Either log to file or have an email sent to you with error.

Link to comment
Share on other sites

Hey, thanks for the replies,

 

I just changed both of them to have the sandbox URL, but I still won't get an updated database. Can somebody please look into this code?

 

index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>PIN shop</title>
<link rel="stylesheet" type="text/css" media="All" href="css/style.css" />
</head>
<body>

<div id="wrap">
	<h3>Purchase PINs</h3>
	<p>Please click the button below to receive login details for the download area. <br />
	   Already have an account? <a href="login.php">Login</a> here.</p>
	  	<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
		<input type="hidden" name="cmd" value="_xclick">
		<input type="hidden" name="business" value="dezkit@yahoo.com">
		<input type="hidden" name="lc" value="US">
		<input type="hidden" name="item_name" value="PIN Number">
		<input type="hidden" name="amount" value="0.01">
		<input type="hidden" name="currency_code" value="USD">
		<input type="hidden" name="button_subtype" value="services">
		<input type="hidden" name="notify_url" value="http://xxx.com/henry/ipn.php" />
		<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHosted">
		<table>
		<tr><td><input type="hidden" name="on0" value="Sythe Username">Sythe Username</td></tr><tr><td><input type="text" name="os0" maxlength="60"></td></tr>
		<tr><td><input type="hidden" name="on1" value="Email Address">Email Address</td></tr><tr><td><input type="text" name="os1" maxlength="60"></td></tr>
		</table>
		<input type="image" src="https://www.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
		<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
		</form>

</div>

</body>
</html>

 

ipn.php

<?php

mysql_connect("localhost", "dima1989_max", "xx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('https://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!

$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());

}

else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

echo "The payment is invalid.";

}
}
fclose ($fp);
}
?>

Link to comment
Share on other sites

Your script could be failing anywhere.  Since this is being executed "behind the scenes", echo's will not help you whatsoever.

 

As I stated earlier, you need to implement error logging so you know where your script is failing.

 

For example, or die(mysql_error()); will never display.  You need to do this:

 

if (!@mysql_query("INSERT INTO tes (test) VALUES('1') "))
{
@mail('your-email@email.com', 'Error at line# (enter line number of script here)', mysql_error());
}

 

And so on for each if/else so you can determine where the script is failing.  You could be missing a field in the db for all anybody knows, and we could all just waste our time while that was the problem all the while.  Handle your errors, then we'll talk.

Link to comment
Share on other sites

Thanks for the post,

I have implemented your idea into debugging it

<?php

mysql_connect("localhost", "dima1989_max", "xxx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('https://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!
/*
$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());
*/

if (!@mysql_query("INSERT INTO tes (test) VALUES('1') "))
{
	@mail('dezkit@yahoo.com', 'Error at 47', mysql_error());
} else {
	@mail('dezkit@yahoo.com', 'Success at 49', mysql_error());
}

else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

	@mail('dezkit@yahoo.com', 'Success at 56', mysql_error());


}
}
fclose ($fp);
}
?>

I had received NO email. What can be the problem here?

 

Link to comment
Share on other sites

change out existing to:

 

if (!$fp)
{
// $errno and $errstr are the variables filled in by fsockopen()
$mail = mail('dezkit@yahoo.com', 'Error', "{$errno}: {$errstr}");
}

 

and change out:

 

$fp = fsockopen ('https://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

 

to:

 

$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

 

*note the https:// change to ssl://

Link to comment
Share on other sites

<?php

mysql_connect("localhost", "dima1989_max", "xxx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30)

if (!$fp) {

$mail = mail('dezkit@yahoo.com', 'Error at 21', "{$errnum}: {$errstr}");


} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!
/*
$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());
*/

if (!@mysql_query("INSERT INTO tes (test) VALUES('1') "))
{
	@mail('dezkit@yahoo.com', 'Error at 47', mysql_error());
} else {
	@mail('dezkit@yahoo.com', 'Success at 49', mysql_error());
}

else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

	@mail('dezkit@yahoo.com', 'Success at 56', mysql_error());


}
}
fclose ($fp);
}
?>

 

No emails at all. Emails work on my server; I used a test PHP file and it works.

Does PayPal not read the file at all? Is it because I have to turn on the IPN settings in the sandbox seller account? Oh, and are the hidden inputs in the form correct? I don't think they are correct. Please help me, thanks :)

Link to comment
Share on other sites

BTW:

I receive two errors upon entering the ipn.php manually

I also turned on the IPN in sandbox seller account.

Warning: fsockopen() [function.fsockopen]: php_network_getaddresses: getaddrinfo failed: Name or service not known in /home/dima1989/public_html/henry/ipn.php on line 17

Warning: fsockopen() [function.fsockopen]: unable to connect to ssl://www.sandbox.paypal.com/:443 (php_network_getaddresses: getaddrinfo failed: Name or service not known) in /home/dima1989/public_html/henry/ipn.php on line 17

 

Current code:

<?php

mysql_connect("localhost", "dima1989_max", "xxx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

if (!$fp) {

$mail = mail('dezkit@yahoo.com', 'Error at 21', "{$errnum}: {$errstr}");


} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!
/*
$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());
*/

if (!@mysql_query("INSERT INTO tes (test) VALUES('1') "))
{
	@mail('dezkit@yahoo.com', 'Error at 47', mysql_error());
} else {
	@mail('dezkit@yahoo.com', 'Success at 49', mysql_error());
}

}else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

	@mail('dezkit@yahoo.com', 'Success at 56', mysql_error());


}
}
fclose ($fp);
}
?>

 

Link to comment
Share on other sites

After googling for a fix, I had seen that changing the $fp would do the fix

<?php

mysql_connect("localhost", "dima1989_max", "xxx") or die(mysql_error());
mysql_select_db("dima1989_henry") or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

//$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);
$fp = fsockopen ('www.sandbox.paypal.com', 80, $errno, $errstr, 30);
if (!$fp) {

$mail = mail('dezkit@yahoo.com', 'Error at 21', "{$errnum}: {$errstr}");


} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {

// PAYMENT VALIDATED & VERIFIED!
/*
$sythename = $_POST['os0'];
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];
$get1pin = mysql_query("SELECT pins FROM pin ORDER BY RAND() LIMIT 1") or die(mysql_error());

$get1pin = mysql_escape_string($get1pin);
$payer_email = mysql_escape_string($payer_email);
$txn_id = mysql_escape_string($txn_id);
$sythename = mysql_escape_string($sythename);

mysql_query("INSERT INTO users (pin, paypal, transaction, name) VALUES('".$get1pin."', '".$txn_id."', '".$txn_id."','".$sythename."' ) ") or die(mysql_error());
echo "Your PIN number is ".$get1pin.". Keep it in a safe place.";

mysql_query("INSERT INTO tes (test) VALUES('1') ") or die(mysql_error());
*/

if (!@mysql_query("INSERT INTO tes (test) VALUES('1') "))
{
	@mail('dezkit@yahoo.com', 'Error at 47', mysql_error());
} else {
	@mail('dezkit@yahoo.com', 'Success at 49', mysql_error());
}

}else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

	@mail('dezkit@yahoo.com', 'Success at 56', mysql_error());


}
}
fclose ($fp);
}
?>

However after debugging, I had been emailed the error that says Success at 49, meaning that the process was verified and the database had been updated.

 

Thanks everybody for your help. Does anybody know how I make it so that only PayPal can view ipn.php? Whenever I view it I get an email, which is terrible debugging. Thank you.

Also can anybody give me more information on how to improve this code, security measures, etc? Thanks again guys

Link to comment
Share on other sites

Also can anybody give me more information on how to improve this code, security measures, etc?

 

yes, don't do that.  I'm very surprised Paypal allows the transfer of user credentials over an unsecure socket/port such as 80.  You have eliminated the ssl (Secure Socket Layer) and replaced with a regular http protocol, and have also switched out a secure port 443 for an unsecure, easily scraped port 80.

 

While it may work for you, I highly discourage this.

 

this line:

 

$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

 

works perfectly fine.  There must be a configuration issue on your server.  Make sure you have OpenSSL installed/enabled on your server.

Link to comment
Share on other sites
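
For the "security measures" question above, a sketch of a hardened listener, added here as an example and not code from any poster in the thread: it posts the raw body back over verified TLS, logs failures to a file instead of echoing, and checks status, receiver, currency, amount and a unique txn_id before writing with a prepared statement. It assumes the curl and PDO MySQL extensions; the seller address, DSN, credentials, log path and `payments` table are placeholders.

```php
<?php
// Added example. Placeholders (assumptions): seller address, DSN/credentials,
// log path, and a `payments` table with a UNIQUE index on txn_id.
const IPN_ENDPOINT  = 'https://www.sandbox.paypal.com/cgi-bin/webscr'; // sandbox host from the thread
const EXPECT_EMAIL  = 'seller@example.com';
const EXPECT_AMOUNT = '0.01';   // amount and currency from the thread's form
const EXPECT_CCY    = 'USD';

function ipn_log(string $msg): void {
    // echo is invisible in a server-to-server call, so write to a file.
    error_log(date('c') . " ipn: $msg\n", 3, '/var/log/ipn.log');
}

// Post the exact bytes back and ask PayPal whether it sent them.
function ipn_verify(string $rawBody): bool {
    $ch = curl_init(IPN_ENDPOINT);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // TLS with certificate checks, never port 80
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $res = curl_exec($ch);
    if ($res === false) ipn_log('postback failed: ' . curl_error($ch));
    return is_string($res) && trim($res) === 'VERIFIED';
}

// VERIFIED only proves origin; the contents still need checking.
function ipn_reject_reason(array $p): ?string {
    if (($p['payment_status'] ?? '') !== 'Completed') return 'status is not Completed';
    if (strcasecmp($p['receiver_email'] ?? '', EXPECT_EMAIL) !== 0) return 'wrong receiver';
    if (($p['mc_currency'] ?? '') !== EXPECT_CCY) return 'wrong currency';
    if (number_format((float)($p['mc_gross'] ?? 0), 2, '.', '') !== EXPECT_AMOUNT) return 'wrong amount';
    if (($p['txn_id'] ?? '') === '') return 'missing txn_id';
    return null;
}

$raw = (string) file_get_contents('php://input');
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || $raw === '') {
    http_response_code(405);   // direct browser visits end here
    exit;
}
parse_str($raw, $p);
if (!ipn_verify($raw)) {
    ipn_log('message not VERIFIED');
    http_response_code(400);
    exit;
}
if (($why = ipn_reject_reason($p)) !== null) {
    ipn_log("rejected: $why");
    exit;                      // 200: nothing to retry
}
try {
    $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'change-me', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->prepare('INSERT INTO payments (txn_id, payer_email) VALUES (?, ?)')
       ->execute([$p['txn_id'], $p['payer_email'] ?? '']);
} catch (PDOException $e) {
    $dup = ($e->errorInfo[1] ?? 0) === 1062;   // MySQL duplicate key: replayed txn_id
    ipn_log(($dup ? 'duplicate txn_id: ' : 'db error: ') . $e->getMessage());
    if (!$dup) http_response_code(500);        // non-200 so the notification is retried
}
```

A browser visit to ipn.php carries no POST body, so it stops at the first check and triggers no mail or insert. The endpoint host is written without a trailing slash; the warning quoted earlier in the thread shows the connection being attempted to `www.sandbox.paypal.com/:443`.
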

Also can anybody give me more information on how to improve this code, security measures, etc?

 

yes, don't do that.  I'm very surprised Paypal allows the transfer of user credentials over an unsecure socket/port such as 80.  You have eliminated the ssl (Secure Socket Layer) and replaced with a regular http protocol, and have also switched out a secure port 443 for an unsecure, easily scraped port 80.

 

While it may work for you, I highly discourage this.

 

this line:

 

$fp = fsockopen ('ssl://www.sandbox.paypal.com/', 443, $errno, $errstr, 30);

 

works perfectly fine.  There must be a configuration issue on your server.  Make sure you have OpenSSL installed/enabled on your server.

I don't think the sandbox has a ssl connection thing, I tried doing it to the regular domain and it worked... Anyways, does anybody know how I do so that when they actually PAY they get back to the website where they can see the random sql row?
Link to comment
Share on other sites

OK So about echo'ing the PIN Number in a returning page after a person had made a payment, should I make a session that equals to the id in the database, then check if the session exists and get the id from the database and echo all the information?

 

Also: why doesn't os0 and os1 get posted back into my site.... everything works fine

	$os0 = $_POST['os0'];
$os1 = $_POST['os1'];
$first_name = ucwords(strtolower($_POST["first_name"]));
$last_name = ucwords(strtolower($_POST["last_name"]));
$payer_email = $_POST['payer_email'];
$txn_id = $_POST['txn_id'];

 

Everything gets saved into the database except os0 and os1, they always end up being blank, even when being echo'ed.

Link to comment
Share on other sites
