
post variables and include file


lukep11a


Hi, I wonder if somebody can help me. I have a form where each user can select their account type, either free or premium. When the form is submitted it validates all the fields and inserts the data into a table; then, if the user selected a premium account, they are redirected to PayPal to make a £2 payment, and if not they are simply shown a thank you message.

 

I have a payments.php file which, when actioned directly from the registration form, works fine at redirecting to PayPal, but when I use $_SERVER['PHP_SELF'] as the form action and use an if statement to determine when payments.php is included on the registration page, it doesn't work.

 

There is quite a lot of code that goes with this, so I will just try to pick out the 'important bits' from the 3 files.

 

user.functions.php

 

function show_team_selections(){

    echo '<form name="form1" action="'. $_SERVER['PHP_SELF']. " method="post" id="paypal_form" target="_blank">
            <input type="hidden" name="cmd" value="_xclick" /> 
            <input type="hidden" name="no_note" value="1" />
            <input type="hidden" name="lc" value="UK" />
            <input type="hidden" name="currency_code" value="GBP" />
            <input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
            <input type="hidden" name="first_name" value="Customers First Name"  />
            <input type="hidden" name="last_name" value="Customers Last Name"  />
            <input type="hidden" name="payer_email" value="customer@example.com"  />
            <input type="hidden" name="item_number" value="123456" />

 

registration.php

 

if (isset($_POST['submit_team'])) {

    if (submitNewTeam($_POST['user_id'], $_POST['user_team_name'], $_POST['team_id'])) {

        if ($_POST['account'] == 1) {
            /* Premium account: payments.php builds the PayPal URL and redirects there */
            include("payments.php");
        }
        elseif ($_POST['account'] == 2) {
            echo "<p class='normal'>Thank you for submitting a new team.</p>";
        }
    } else {
        echo "<p class='fail'>Team registration failed! Please try again.</p>";
        show_team_selections();
    }

} else {
    // has not pressed the submit button
    show_team_selections();
}

 

payments.php

 

// PayPal settings
$paypal_email = 'test_1337893520_biz@mysite.co.uk';
$return_url = 'http://www.mysite.co.uk/new/myteams/thanks.htm';
$cancel_url = 'http://www.mysite.co.uk/new/myteams/payment-cancelled.htm';
$notify_url = 'http://www.mysite.co.uk/new/myteams/payments.php';

$item_name = 'Registration';
$item_amount = 2.00;

// Include Functions
include("functions.php");

//Database Connection
$link = mysql_connect($host, $user, $pass);
mysql_select_db($db_name);

// Check if paypal request or response
if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){

    // Firstly Append paypal account to querystring
    $querystring .= "?business=".urlencode($paypal_email)."&";    
    
    // Append amount& currency (?) to quersytring so it cannot be edited in html
    
    //The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
    $querystring .= "item_name=".urlencode($item_name)."&";
    $querystring .= "amount=".urlencode($item_amount)."&";
    
    //loop for posted values and append to querystring
    foreach($_POST as $key => $value){
        $value = urlencode(stripslashes($value));
        $querystring .= "$key=$value&";
    }  


Try using an absolute path instead of a relative one. Also, I changed == to === 8)

 

 

<?php
$root = realpath($_SERVER["DOCUMENT_ROOT"]);
if (isset($_POST['submit_team'])) {

    if (submitNewTeam($_POST['user_id'], $_POST['user_team_name'], $_POST['team_id'])) {

        // $_POST values are always strings, so a strict comparison has to be against '1', not the integer 1
        if ($_POST['account'] === '1') {
            /* Premium account: payments.php builds the PayPal URL and redirects there */
            include("$root/payments.php");
        }
        elseif ($_POST['account'] === '2') {
            echo "<p class='normal'>Thank you for submitting a new team.</p>";
        }
    } else {
        echo "<p class='fail'>Team registration failed! Please try again.</p>";
        show_team_selections();
    }

} else {
    // has not pressed the submit button
    show_team_selections();
}

?>

 

 


You can remove the absolute path (change it back). Also, you can use heredoc syntax to fix your quote issue.


$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); // PHP_SELF includes any path info the client appended to the URL, so escape it before it goes into the action attribute (reflected XSS)
echo <<<EOT
<form name="form1" action="$self" method="post" id="paypal_form" target="_blank">
            <input type="hidden" name="cmd" value="_xclick" /> 
            <input type="hidden" name="no_note" value="1" />
            <input type="hidden" name="lc" value="UK" />
            <input type="hidden" name="currency_code" value="GBP" />
            <input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
            <input type="hidden" name="first_name" value="Customers First Name"  />
            <input type="hidden" name="last_name" value="Customers Last Name"  />
            <input type="hidden" name="payer_email" value="customer@example.com"  />
            <input type="hidden" name="item_number" value="123456" />

EOT;


The include file now seems to be loading but I am getting these errors if it helps in any way

 

Notice: Undefined variable: querystring in /home/vouche7/public_html2/new/myteams/payments.php on line 31

 

Warning: stripslashes() expects parameter 1 to be string, array given in /home/vouche7/public_html2/new/myteams/payments.php on line 41

 

Warning: Cannot modify header information - headers already sent by (output started at /home/vouche7/public_html2/new/myteams/team-selections-test.php:141) in /home/vouche7/public_html2/new/myteams/payments.php on line 54


This is the full code to payments.php

 

<?php
ini_set('display_errors',1);
error_reporting(-1);
// Database variables
$host = "localhost"; //database location
$user = "username"; //database username
$pass = "password"; //database password
$db_name = "dbname"; //database name

// PayPal settings
$paypal_email = 'test_1337893520_biz@mysite.co.uk';
$return_url = 'http://www.mysite.co.uk/new/myteams/thanks.htm';
$cancel_url = 'http://www.mysite.co.uk/new/myteams/payment-cancelled.htm';
$notify_url = 'http://www.mysite.co.uk/new/myteams/payments.php';

$item_name = 'Registration';
$item_amount = 2.00;

// Include Functions
include("functions.php");

//Database Connection
$link = mysql_connect($host, $user, $pass);
mysql_select_db($db_name);

// Check if paypal request or response
if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){

    // Firstly Append paypal account to querystring
    $querystring .= "?business=".urlencode($paypal_email)."&";    
    
    // Append amount& currency (?) to quersytring so it cannot be edited in html
    
    //The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
    $querystring .= "item_name=".urlencode($item_name)."&";
    $querystring .= "amount=".urlencode($item_amount)."&";
    
    //loop for posted values and append to querystring
    foreach($_POST as $key => $value){
        $value = urlencode(stripslashes($value));
        $querystring .= "$key=$value&";
    }
    
    // Append paypal return addresses
    $querystring .= "return=".urlencode(stripslashes($return_url))."&";
    $querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&";
    $querystring .= "notify_url=".urlencode($notify_url);
    
    // Append querystring with custom field
    //$querystring .= "&custom=".USERID;
    
    // Redirect to paypal IPN
    header('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);
    exit();

}else{
    
    // Response from Paypal

    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
        $req .= "&$key=$value";
    }
    
    // assign posted variables to local variables
    $data['item_name']            = $_POST['item_name'];
    $data['item_number']         = $_POST['item_number'];
    $data['payment_status']     = $_POST['payment_status'];
    $data['payment_amount']     = $_POST['mc_gross'];
    $data['payment_currency']    = $_POST['mc_currency'];
    $data['txn_id']                = $_POST['txn_id'];
    $data['receiver_email']     = $_POST['receiver_email'];
    $data['payer_email']         = $_POST['payer_email'];
    $data['custom']             = $_POST['custom'];
        
    // post back to PayPal system to validate
    $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    
    $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);    
    
    if (!$fp) {
        // HTTP ERROR
    } else {    

        fputs ($fp, $header . $req);
        while (!feof($fp)) {
            $res = fgets ($fp, 1024);
            if (strcmp($res, "VERIFIED") == 0) {
            
                // Used for debugging
                //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Verified Response<br />data = <pre>".print_r($post, true)."</pre>");
                        
                // Validate payment (Check unique txnid & correct price)
                $valid_txnid = check_txnid($data['txn_id']);
                $valid_price = check_price($data['payment_amount'], $data['item_number']);
                // PAYMENT VALIDATED & VERIFIED!
                if($valid_txnid && $valid_price){                
                    $orderid = updatePayments($data);        
                    if($orderid){                    
                        // Payment has been made & successfully inserted into the Database                                
                    }else{                                
                        // Error inserting into DB
                        // E-mail admin or alert user
                    }
                }else{                    
                    // Payment made but data has been changed
                    // E-mail admin or alert user
                }                        
            
            }else if (strcmp ($res, "INVALID") == 0) {
            
                // PAYMENT INVALID & INVESTIGATE MANUALY! 
                // E-mail admin or alert user
                
                // Used for debugging
                //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Invalid Response<br />data = <pre>".print_r($post, true)."</pre>");
            }        
        }        
    fclose ($fp);
    }    
}
?> 
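The handler above treats a VERIFIED postback as proof that the payment is good and leaves the price check to check_price(), keyed by item_number, a value that came from a hidden form field the payer controls. PayPal's IPN guidance adds checks this handler does not show: payment_status must be Completed, receiver_email (or business) must be your own account, mc_gross and mc_currency must match what you expected, and txn_id must not have been processed before, so a replayed or edited notification cannot unlock a premium account. The following is an added example, not code from the thread: it assumes the registration step stored an order row and passed its id to PayPal in the custom field (the thread has that line commented out), and find_order() and txn_seen() stand in for your own database lookups.

```php
<?php
// Added example (not the thread's code): IPN verification with the business
// checks that a VERIFIED postback alone does not give you. Assumes the order
// id was sent to PayPal in "custom"; the lookups passed in as callables are
// hypothetical and would be backed by your own tables.

declare(strict_types=1);

const PAYPAL_ACCOUNT = 'test_1337893520_biz@mysite.co.uk';       // from the thread
const IPN_ENDPOINT   = 'https://www.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Echo the notification back to PayPal with cmd=_notify-validate prepended.
 * $raw must be the unmodified request body (php://input): re-encoding $_POST
 * can change the bytes PayPal compares against. Returns "VERIFIED",
 * "INVALID", or "" on a transport failure.
 */
function ipn_postback(string $raw, string $endpoint = IPN_ENDPOINT): string
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never switch this off for a payment callback
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return is_string($res) ? trim($res) : '';
}

/**
 * Business checks on an already VERIFIED notification. Returns the list of
 * reasons the payment must not be credited; an empty list means it is good.
 * $order is our own stored record, e.g. ['id' => '42', 'amount' => '2.00', 'currency' => 'GBP'].
 */
function ipn_checks(array $post, array $order, callable $txnSeen, string $account = PAYPAL_ACCOUNT): array
{
    $fail = [];
    if (($post['payment_status'] ?? '') !== 'Completed') {
        $fail[] = 'status is not Completed';            // Pending, Refunded, Reversed must not unlock anything
    }
    if (strcasecmp($post['receiver_email'] ?? '', $account) !== 0
        && strcasecmp($post['business'] ?? '', $account) !== 0) {
        $fail[] = 'receiver is not our account';        // a genuine, VERIFIED payment made to someone else
    }
    if (($post['mc_currency'] ?? '') !== $order['currency']) {
        $fail[] = 'currency mismatch';
    }
    // Normalise both amounts to two decimals and compare as strings, so
    // "2", "2.0" and "2.00" all agree and no float equality is involved.
    $paid     = number_format((float)($post['mc_gross'] ?? 0), 2, '.', '');
    $expected = number_format((float)$order['amount'], 2, '.', '');
    if ($paid !== $expected) {
        $fail[] = 'amount mismatch';                    // price edited in the hidden form field
    }
    if ((string)($post['custom'] ?? '') !== (string)$order['id']) {
        $fail[] = 'custom does not match the order';
    }
    $txn = (string)($post['txn_id'] ?? '');
    if ($txn === '' || $txnSeen($txn)) {
        $fail[] = 'txn_id missing or already processed'; // replayed notification
    }
    return $fail;
}

/**
 * Full flow for a request to notify_url. $findOrder(string $id): ?array and
 * $txnSeen(string $txn): bool are the hypothetical database lookups.
 */
function handle_ipn(string $raw, array $post, callable $findOrder, callable $txnSeen): bool
{
    if (ipn_postback($raw) !== 'VERIFIED') {
        return false;                                   // INVALID or unreachable: log it and stop
    }
    $order = $findOrder((string)($post['custom'] ?? ''));
    if ($order === null) {
        return false;                                   // no such order on our side
    }
    return ipn_checks($post, $order, $txnSeen) === [];  // only then mark the order paid
}

// Entry point when PayPal calls notify_url:
// $ok = handle_ipn(file_get_contents('php://input'), $_POST, 'find_order', 'txn_seen');
```

Keeping ipn_checks() free of I/O means it can be unit-tested with a constructed $post array for each failure case (wrong receiver, Pending status, a replayed txn_id) without talking to PayPal; only ipn_postback() needs the network.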


try this....

 

 

<?php
ini_set('display_errors',1);
error_reporting(-1);
// Database variables
$host = "localhost"; //database location
$user = "username"; //database username
$pass = "password"; //database password
$db_name = "dbname"; //database name

// PayPal settings
$paypal_email = 'test_1337893520_biz@mysite.co.uk';
$return_url = 'http://www.mysite.co.uk/new/myteams/thanks.htm';
$cancel_url = 'http://www.mysite.co.uk/new/myteams/payment-cancelled.htm';
$notify_url = 'http://www.mysite.co.uk/new/myteams/payments.php';

$item_name = 'Registration';
$item_amount = 2.00;

// Include Functions

//Database Connection
$link = mysql_connect($host, $user, $pass);
mysql_select_db($db_name);
include("functions.php");

function redirect($url){
    if (!headers_sent()){    // If headers have not been sent yet, do a PHP redirect
        header('Location: '.$url); exit;
    }else{                   // If headers are sent, do a JavaScript redirect; if JavaScript is disabled, fall back to an HTML meta refresh
        // The URL carries request data, so it is escaped for each context it is written into
        echo '<script type="text/javascript">';
        echo 'window.location.href='.json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT).';';
        echo '</script>';
        echo '<noscript>';
        echo '<meta http-equiv="refresh" content="0;url='.htmlspecialchars($url, ENT_QUOTES).'" />';
        echo '</noscript>'; exit;
    }
}


// Recursive stripslashes() for nested arrays (plain stripslashes() only takes a string)
function unstrip_array($array){
    foreach($array as &$val){
        if(is_array($val)){
            $val = unstrip_array($val);
        }else{
            $val = stripslashes($val);
        }
    }
    return $array;
}

// Check if paypal request or response
if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){

    // Firstly Append paypal account to querystring
    $querystring .= "?business=".urlencode($paypal_email)."&";    
    
    // Append amount& currency (?) to quersytring so it cannot be edited in html
    
    //The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
    $querystring .= "item_name=".urlencode($item_name)."&";
    $querystring .= "amount=".urlencode($item_amount)."&";
    
    //loop for posted values and append to querystring
    foreach($_POST as $key => $value){
        $value = urlencode(unstrip_array($value));
        $querystring .= "$key=$value&";
    }
    
    // Append paypal return addresses
    $querystring .= "return=".urlencode(unstrip_array($return_url))."&";
    $querystring .= "cancel_return=".urlencode(unstrip_array($cancel_url))."&";
    $querystring .= "notify_url=".urlencode($notify_url);
    
    // Append querystring with custom field
    //$querystring .= "&custom=".USERID;
    
    // Redirect to paypal IPN
    redirect('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);
    exit();

}else{
    
    // Response from Paypal

    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';
    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
        $req .= "&$key=$value";
    }
    
    // assign posted variables to local variables
    $data['item_name']            = $_POST['item_name'];
    $data['item_number']         = $_POST['item_number'];
    $data['payment_status']     = $_POST['payment_status'];
    $data['payment_amount']     = $_POST['mc_gross'];
    $data['payment_currency']    = $_POST['mc_currency'];
    $data['txn_id']                = $_POST['txn_id'];
    $data['receiver_email']     = $_POST['receiver_email'];
    $data['payer_email']         = $_POST['payer_email'];
    $data['custom']             = $_POST['custom'];
        
    // post back to PayPal system to validate
    $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    
    $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);    
    
    if (!$fp) {
        // HTTP ERROR
    } else {    

        fputs ($fp, $header . $req);
        while (!feof($fp)) {
            $res = fgets ($fp, 1024);
            if (strcmp($res, "VERIFIED") == 0) {
            
                // Used for debugging
                //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Verified Response<br />data = <pre>".print_r($post, true)."</pre>");
                        
                // Validate payment (Check unique txnid & correct price)
                $valid_txnid = check_txnid($data['txn_id']);
                $valid_price = check_price($data['payment_amount'], $data['item_number']);
                // PAYMENT VALIDATED & VERIFIED!
                if($valid_txnid && $valid_price){                
                    $orderid = updatePayments($data);        
                    if($orderid){                    
                        // Payment has been made & successfully inserted into the Database                                
                    }else{                                
                        // Error inserting into DB
                        // E-mail admin or alert user
                    }
                }else{                    
                    // Payment made but data has been changed
                    // E-mail admin or alert user
                }                        
            
            }else if (strcmp ($res, "INVALID") == 0) {
            
                // PAYMENT INVALID & INVESTIGATE MANUALY! 
                // E-mail admin or alert user
                
                // Used for debugging
                //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Invalid Response<br />data = <pre>".print_r($post, true)."</pre>");
            }        
        }        
    fclose ($fp);
    }    
}

?> 

 

 

Used a JavaScript redirect function instead of header().

 

Used an array function to strip slashes instead of stripslashes(), which is just for strings.


Hi, thanks for that, just had to change this bit:

 

redirect('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);

 

to:

 

redirect('https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);

 

and it redirects correctly; would that be right? Also, it seems to display a short list of errors on the page with a 1 second delay before redirecting. It all seems to be working as it should, though, so I'm not sure what the errors are about.


Just quickly managed to copy some of the error that is displayed before it redirects

 

 

Warning: Invalid argument supplied for foreach() in /home/vouche7/public_html2/new/myteams/payments.php on line 42

 

 

It is just repeated about 10 times

 

 


OK, thanks. I am now just getting two errors. I don't know why this is, though, because it is still redirecting as it should:

 

 

Notice: Undefined variable: querystring in /home/vouche7/public_html2/new/myteams/payments.php on line 31

 

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /home/vouche7/public_html2/new/myteams/payments.php on line 41
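Both errors in the post above come from the loop that copies every $_POST field into the PayPal query string: $querystring is appended to before it has been assigned, and a multi-valued form input arrives as an array that stripslashes() or mysql_real_escape_string() cannot take. The same loop is the security problem in payments.php: because it forwards whatever the browser sent, a client that adds its own amount or business field gets that forwarded after the fixed ones, and which copy PayPal honours is not something to rely on. The following is an added example, not the thread's code: it builds the redirect from server-side settings plus an allowlist of form fields, using http_build_query() so keys as well as values are encoded, and it is meant to be called before registration.php prints anything, which is what the earlier "headers already sent" warning was about. The order id passed in custom is an assumption, as is the return value of submitNewTeam() in the usage note.

```php
<?php
// Added example (not the thread's code): build the PayPal Standard redirect
// from server-side configuration plus an allowlist of form fields, instead of
// forwarding everything in $_POST. Settings mirror the thread's payments.php;
// passing an order id in "custom" is an assumption (the thread has it commented out).

declare(strict_types=1);

const PAYPAL_CFG = [
    'business'      => 'test_1337893520_biz@mysite.co.uk',
    'item_name'     => 'Registration',
    'amount'        => '2.00',          // keep money as a string, never a float
    'currency_code' => 'GBP',
    'return'        => 'http://www.mysite.co.uk/new/myteams/thanks.htm',
    'cancel_return' => 'http://www.mysite.co.uk/new/myteams/payment-cancelled.htm',
    'notify_url'    => 'http://www.mysite.co.uk/new/myteams/payments.php',
    'endpoint'      => 'https://www.sandbox.paypal.com/cgi-bin/webscr',
];

// The only browser-supplied fields that are forwarded, and only as scalars.
// "amount", "business", "return" and "notify_url" are deliberately absent.
const FORWARDED_FIELDS = ['first_name', 'last_name', 'payer_email', 'item_number'];

/**
 * Assemble the parameter set for the redirect. Everything that decides what
 * is paid, and to whom, comes from $cfg; the form contributes only cosmetic
 * fields from the allowlist.
 */
function paypal_params(array $form, string $orderId, array $cfg = PAYPAL_CFG): array
{
    $params = [
        'cmd'           => '_xclick',
        'no_note'       => '1',
        'lc'            => 'UK',
        'business'      => $cfg['business'],
        'item_name'     => $cfg['item_name'],
        'amount'        => $cfg['amount'],
        'currency_code' => $cfg['currency_code'],
        'return'        => $cfg['return'],
        'cancel_return' => $cfg['cancel_return'],
        'notify_url'    => $cfg['notify_url'],
        'custom'        => $orderId,    // lets the IPN handler look up what was ordered
    ];
    foreach (FORWARDED_FIELDS as $name) {
        // Array inputs (team_id[] style fields) are dropped instead of being
        // handed to string functions; that is what the stripslashes() and
        // mysql_real_escape_string() warnings were about.
        if (isset($form[$name]) && is_scalar($form[$name])) {
            $params[$name] = (string) $form[$name];
        }
    }
    return $params;
}

/**
 * Final redirect URL. http_build_query() percent-encodes keys as well as
 * values (the thread's loop encoded values only), so a hostile field name
 * cannot break the URL or smuggle in an extra parameter.
 */
function paypal_redirect_url(array $form, string $orderId, array $cfg = PAYPAL_CFG): string
{
    $query = http_build_query(paypal_params($form, $orderId, $cfg), '', '&', PHP_QUERY_RFC3986);
    return $cfg['endpoint'] . '?' . $query;
}

// Usage in registration.php: decide and redirect BEFORE any HTML is echoed,
// so header() still works and no JavaScript fallback is needed.
//
//   if (isset($_POST['submit_team']) && ($_POST['account'] ?? '') === '1') {
//       $orderId = submitNewTeam($_POST['user_id'], $_POST['user_team_name'], $_POST['team_id']);
//       // assumption: submitNewTeam() returns the new row id rather than true
//       header('Location: ' . paypal_redirect_url($_POST, (string) $orderId));
//       exit;
//   }
```

A quick check that the allowlist does what it claims: call paypal_params(['amount' => '0.01', 'business' => 'attacker@example.com', 'first_name' => 'Ann'], '42') and confirm the result still carries amount 2.00 and the configured business address, with only first_name taken from the form.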

