another paypal ipn db issue

[ianhaney]

Hi

 

Sorry I am having another issue with the paypal ipn script now, for some reason it has stopped adding the data to the paypal db table, it was all working before and now just stopped working

 

I am not getting any errors or nothing, below is the script I have

<?php

ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);

session_start();
include_once("paypal-config.php");
include_once("paypal.class.php");

$title = "Payment Success - Pay As You Go - Security Site";

$pgDesc="";

$pgKeywords="";

include ( 'includes/header.php' );

$paypalmode = ($PayPalMode=='sandbox') ? '.sandbox' : '';

if($_POST) //Post Data received from product list page.
{
    //Mainly we need 4 variables from product page Item Name, Item Price, Item Number and Item Quantity.
    
    //Please Note : People can manipulate hidden field amounts in form,
    //In practical world you must fetch actual price from database using item id. Eg: 
    //$ItemPrice = $mysqli->query("SELECT item_price FROM products WHERE id = Product_Number");

    $ItemName       = $_POST["ItemName"]; //Item Name
    $ItemPrice      = $_POST["ItemPrice"]; //Item Price
    $ItemNumber     = $_POST["ItemNumber"]; //Item Number
    $ItemDesc       = $_POST["ItemDesc"]; //Item description
    $ItemTotalPrice = ($ItemPrice); //(Item Price x Quantity = Total) Get total amount of product; 
    
    //Grand total including all tax, insurance, shipping cost and discount
    $GrandTotal = ($ItemTotalPrice);
    
    //Parameters for SetExpressCheckout, which will be sent to PayPal
    $padata =   '&METHOD=SetExpressCheckout'.
                '&RETURNURL='.urlencode($PayPalReturnURL ).
                '&CANCELURL='.urlencode($PayPalCancelURL).
                '&PAYMENTREQUEST_0_PAYMENTACTION='.urlencode("SALE").
                
                '&L_PAYMENTREQUEST_0_NAME0='.urlencode($ItemName).
                '&L_PAYMENTREQUEST_0_NUMBER0='.urlencode($ItemNumber).
                '&L_PAYMENTREQUEST_0_DESC0='.urlencode($ItemDesc).
                '&L_PAYMENTREQUEST_0_AMT0='.urlencode($ItemPrice).
                
                /* 
                //Additional products (L_PAYMENTREQUEST_0_NAME0 becomes L_PAYMENTREQUEST_0_NAME1 and so on)
                '&L_PAYMENTREQUEST_0_NAME1='.urlencode($ItemName2).
                '&L_PAYMENTREQUEST_0_NUMBER1='.urlencode($ItemNumber2).
                '&L_PAYMENTREQUEST_0_DESC1='.urlencode($ItemDesc2).
                '&L_PAYMENTREQUEST_0_AMT1='.urlencode($ItemPrice2).
                '&L_PAYMENTREQUEST_0_QTY1='. urlencode($ItemQty2).
                */
                
                /* 
                //Override the buyer's shipping address stored on PayPal, The buyer cannot edit the overridden address.
                '&ADDROVERRIDE=1'.
                '&PAYMENTREQUEST_0_SHIPTONAME=J Smith'.
                '&PAYMENTREQUEST_0_SHIPTOSTREET=1 Main St'.
                '&PAYMENTREQUEST_0_SHIPTOCITY=San Jose'.
                '&PAYMENTREQUEST_0_SHIPTOSTATE=CA'.
                '&PAYMENTREQUEST_0_SHIPTOCOUNTRYCODE=US'.
                '&PAYMENTREQUEST_0_SHIPTOZIP=95131'.
                '&PAYMENTREQUEST_0_SHIPTOPHONENUM=408-967-4444'.
                */
                
                '&NOSHIPPING=1'. //set 1 to hide buyer's shipping address, in-case products that do not require shipping
                
                '&PAYMENTREQUEST_0_ITEMAMT='.urlencode($ItemTotalPrice).
                '&PAYMENTREQUEST_0_AMT='.urlencode($GrandTotal).
                '&PAYMENTREQUEST_0_CURRENCYCODE='.urlencode($PayPalCurrencyCode).
                '&LOCALECODE=GB'. //PayPal pages to match the language on your website.
                '&LOGOIMG=http://www.broadwaymediadesigns.co.uk/sites/security-site/images/logo/logo.jpg'. //site logo
                '&CARTBORDERCOLOR=FFFFFF'. //border color of cart
                '&ALLOWNOTE=0';
                
                ############# set session variable we need later for "DoExpressCheckoutPayment" #######
                $_SESSION['ItemName']           =  $ItemName; //Item Name
                $_SESSION['ItemPrice']          =  $ItemPrice; //Item Price
                $_SESSION['ItemNumber']         =  $ItemNumber; //Item Number
                $_SESSION['ItemDesc']           =  $ItemDesc; //Item description
                $_SESSION['ItemTotalPrice']     =  $ItemTotalPrice; //total amount of product; 
                $_SESSION['GrandTotal']         =  $GrandTotal;


        //We need to execute the "SetExpressCheckOut" method to obtain paypal token
        $paypal= new MyPayPal();
        $httpParsedResponseAr = $paypal->PPHttpPost('SetExpressCheckout', $padata, $PayPalApiUsername, $PayPalApiPassword, $PayPalApiSignature, $PayPalMode);
        
        //Respond according to message we receive from Paypal
        if("SUCCESS" == strtoupper($httpParsedResponseAr["ACK"]) || "SUCCESSWITHWARNING" == strtoupper($httpParsedResponseAr["ACK"]))
        {

                //Redirect user to PayPal store with Token received.
                $paypalurl ='https://www'.$paypalmode.'.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token='.$httpParsedResponseAr["TOKEN"].'';
                header('Location: '.$paypalurl);
             
        }else{
            //Show error message
            echo '<div style="color:red"><b>Error : </b>'.urldecode($httpParsedResponseAr["L_LONGMESSAGE0"]).'</div>';
            echo '<pre>';
            print_r($httpParsedResponseAr);
            echo '</pre>';
        }

}

//Paypal redirects back to this page using ReturnURL, We should receive TOKEN and Payer ID
if(isset($_GET["token"]) && isset($_GET["PayerID"]))
{
    //we will be using these two variables to execute the "DoExpressCheckoutPayment"
    //Note: we haven't received any payment yet.
    
    $token = $_GET["token"];
    $payer_id = $_GET["PayerID"];
    
    //get session variables
    $ItemName           = $_SESSION['ItemName']; //Item Name
    $ItemPrice          = $_SESSION['ItemPrice'] ; //Item Price
    $ItemNumber         = $_SESSION['ItemNumber']; //Item Number
    $ItemDesc           = $_SESSION['ItemDesc']; //Item Number
    $ItemTotalPrice     = $_SESSION['ItemTotalPrice']; //total amount of product; 
    $GrandTotal         = $_SESSION['GrandTotal'];

    $padata =   '&TOKEN='.urlencode($token).
                '&PAYERID='.urlencode($payer_id).
                '&PAYMENTREQUEST_0_PAYMENTACTION='.urlencode("SALE").
                
                //set item info here, otherwise we won't see product details later  
                '&L_PAYMENTREQUEST_0_NAME0='.urlencode($ItemName).
                '&L_PAYMENTREQUEST_0_NUMBER0='.urlencode($ItemNumber).
                '&L_PAYMENTREQUEST_0_DESC0='.urlencode($ItemDesc).
                '&L_PAYMENTREQUEST_0_AMT0='.urlencode($ItemPrice).

                /* 
                //Additional products (L_PAYMENTREQUEST_0_NAME0 becomes L_PAYMENTREQUEST_0_NAME1 and so on)
                '&L_PAYMENTREQUEST_0_NAME1='.urlencode($ItemName2).
                '&L_PAYMENTREQUEST_0_NUMBER1='.urlencode($ItemNumber2).
                '&L_PAYMENTREQUEST_0_DESC1=Description text'.
                '&L_PAYMENTREQUEST_0_AMT1='.urlencode($ItemPrice2).
                '&L_PAYMENTREQUEST_0_QTY1='. urlencode($ItemQty2).
                */

                '&PAYMENTREQUEST_0_ITEMAMT='.urlencode($ItemTotalPrice).
                '&PAYMENTREQUEST_0_AMT='.urlencode($GrandTotal).
                '&PAYMENTREQUEST_0_CURRENCYCODE='.urlencode($PayPalCurrencyCode);
    
    //We need to execute the "DoExpressCheckoutPayment" at this point to Receive payment from user.
    $paypal= new MyPayPal();
    $httpParsedResponseAr = $paypal->PPHttpPost('DoExpressCheckoutPayment', $padata, $PayPalApiUsername, $PayPalApiPassword, $PayPalApiSignature, $PayPalMode);
    
    //Check if everything went ok..
    if("SUCCESS" == strtoupper($httpParsedResponseAr["ACK"]) || "SUCCESSWITHWARNING" == strtoupper($httpParsedResponseAr["ACK"])) 
    {
			echo '<div id="column-whole">';

            echo '<h2>Success</h2>';
			echo '<br>';
            echo '<p class="success-text">Your Transaction ID : '.urldecode($httpParsedResponseAr["PAYMENTINFO_0_TRANSACTIONID"]). '</p>';
            
                /*
                //Sometimes Payment are kept pending even when transaction is complete. 
                //hence we need to notify user about it and ask him manually approve the transiction
                */
                
                if('Completed' == $httpParsedResponseAr["PAYMENTINFO_0_PAYMENTSTATUS"])
                {
					echo '<br>';	
                    echo '<div style="color:white">Payment Received! Your can now enter your information on the link below<br><br><a href="register">Register</a></div>';
                }
                elseif('Pending' == $httpParsedResponseAr["PAYMENTINFO_0_PAYMENTSTATUS"])
                {
                    echo '<div style="color:white">Transaction Complete, but payment is still pending! '.
                    'You need to manually authorize this payment in your <a target="_new" href="http://www.paypal.com">Paypal Account</a></div>';
                }
				
				echo '</div>';

                // we can retrive transection details using either GetTransactionDetails or GetExpressCheckoutDetails
                // GetTransactionDetails requires a Transaction ID, and GetExpressCheckoutDetails requires Token returned by SetExpressCheckOut
                $padata =   '&TOKEN='.urlencode($token);
                $paypal= new MyPayPal();
                $httpParsedResponseAr = $paypal->PPHttpPost('GetExpressCheckoutDetails', $padata, $PayPalApiUsername, $PayPalApiPassword, $PayPalApiSignature, $PayPalMode);

                if("SUCCESS" == strtoupper($httpParsedResponseAr["ACK"]) || "SUCCESSWITHWARNING" == strtoupper($httpParsedResponseAr["ACK"])) 
                {
                    
                    /*echo '<br /><b>Stuff to store in database :</b><br /><pre>';*/
                    
                    #### SAVE BUYER INFORMATION IN DATABASE ###
                    //see (http://www.sanwebe.com/2013/03/basic-php-mysqli-usage) for mysqli usage
                    
                    $buyerName = $httpParsedResponseAr["FIRSTNAME"].' '.$httpParsedResponseAr["LASTNAME"];
                    $buyerEmail = $httpParsedResponseAr["EMAIL"];
                    
                    //Open a new connection to the MySQL server
                    $mysqli = new mysqli('','','','');
                    
                    //Output any connection error
                    if ($mysqli->connect_error) {
                        die('Error : ('. $mysqli->connect_errno .') '. $mysqli->connect_error);
                    }       
                    
                    $insert_row = $mysqli->query("INSERT INTO BuyerTable 
                    (BuyerName,BuyerEmail,TransactionID,ItemName,ItemNumber,ItemAmount)
                    VALUES ('$buyerName','$buyerEmail','$TransactionID','$ItemName','$ItemNumber', '$ItemTotalPrice')");
					
					$update_row = $mysqli->query("UPDATE BuyerTable SET paid = 1 WHERE buyerEmail = '$buyerEmail'");
                    
   if($insert_row){
   //if($update_row){
   
   /*$to = $_POST['BuyerEmail'];
   $subject = "Payment Confirmation";
   $message = "Thank you for your payment to Security Site, please visit <a href='http://www.broadwaymediadesigns.co.uk/payg-job-advert.php'>Add Job Listing</a>";
   $header = "From:noreply@broadwaymediadesigns.co.uk \r\n";
   $retval = mail ($to,$subject,$message,$header);
   if( $retval == true )  
   {
      echo "Message sent successfully...";
   }
   else
   {
      echo "Message could not be sent...";
   }*/
   
   header('Location: http://www.broadwaymediadesigns.co.uk/sites/security-site/payg-job-advert.php');
   }
   //}
					
                    /*if($insert_row){
                        print 'Success! ID of last inserted record is : ' .$mysqli->insert_id .'<br />'; 
                    }else{
                        die('Error : ('. $mysqli->errno .') '. $mysqli->error);
                    }*/
                    
                    /*echo '<pre>';
                    print_r($httpParsedResponseAr);
                    echo '</pre>';
                } else  {
                    echo '<div style="color:red"><b>GetTransactionDetails failed:</b>'.urldecode($httpParsedResponseAr["L_LONGMESSAGE0"]).'</div>';
                    echo '<pre>';
                    print_r($httpParsedResponseAr);
                    echo '</pre>';*/

                }
    
    }else{
            echo '<div style="color:red"><b>Error : </b>'.urldecode($httpParsedResponseAr["L_LONGMESSAGE0"]).'</div>';
            echo '<pre>';
            print_r($httpParsedResponseAr);
            echo '</pre>';
    }
}

include( 'includes/footer.php' );

?>

All I can think is that it is not connecting to the db

[requinix]

That's not IPN.

 

If

$insert_row = $mysqli->query("INSERT INTO BuyerTable 
(BuyerName,BuyerEmail,TransactionID,ItemName,ItemNumber,ItemAmount)
VALUES ('$buyerName','$buyerEmail','$TransactionID','$ItemName','$ItemNumber', '$ItemTotalPrice')");

is not executing properly then it means (a) code never reached that statement to begin with or (b) the query failed.

 

You don't really do any logging in there. Add some: log when certain lines are reached, log assorted interesting values, log error messages from MySQL if they come up, log stuff. And test until you figure out precisely what went wrong.

 

Couple obvious things to check out first:

1. Can't connect to the database - probably because you're using default values for the host and username/password.

2. One or more of the values you're trying to insert contain apostrophes which is why your code is vulnerable to SQL injection. Use prepared statements instead of putting values directly in queries like you're doing now.

[ianhaney]

Sorry, got it working now by using a script from the following link

 

http://www.codexworld.com/paypal-standard-payment-gateway-integration-php/

 

it works with using PayPal PDT

 

I just need to make the php page only accessible after payment has been received and if not been received to redirect to another page, within the db table is a column called payment_status and has a value of Completed once payment has been successful

 

The issue I got is I can access the php page without paying but need to stop that

 

Below is the script I have so far on success.php

<?php

ini_set('display_startup_errors',1);
ini_set('display_errors',1);
error_reporting(-1);

$title = "PayPal Success - Security Site";

include ( 'includes/header.php' );

?>

<?php

include 'db-connect.php';

//Store transaction information from PayPal
$item_number = $_GET['item_number'];
$txn_id = $_GET['tx'];
$payment_gross = $_GET['amt'];
$currency_code = $_GET['cc'];
$payment_status = $_GET['st'];

//Get product price
$productResult = $db->query("SELECT price FROM products WHERE id = ".$item_number);

$productRow = $productResult->fetch_assoc();
$productPrice = $productRow['price'];

if(!empty($txn_id) && $payment_gross == $productPrice){
    //Insert tansaction data into the database
    $insert = $db->query("INSERT INTO payments(item_number,txn_id,payment_gross,currency_code,payment_status) VALUES('".$item_number."','".$txn_id."','".$payment_gross."','".$currency_code."','".$payment_status."')");
    $last_insert_id = $db->insert_id;


echo "<h1>Your payment has been successful.</h1>";
echo "<h1>Your Payment ID - <?php echo $last_insert_id; ?>.</h1>";

if ($payment_status == Completed) {
header("Location: http://www.broadwaymediadesigns.co.uk/sites/security-site/payg-job-advert.php");
}else{
header("Location: http://www.broadwaymediadesigns.co.uk/sites/security-site/employer-profile.php");
}
}
?>

<?php include( 'includes/footer.php' ); ?>

[mac_gyver]

The issue I got is I can access the php page without paying but need to stop that

 

 

any page must have code to enforce who may access it.

 

the payment status data in a database table would need to be tied to the user who made the purchase through a user id. is your current code and query doing that?

 

if your protected page requires a logged in user, who has purchased an item allowing access to that page, and the payment status for that user and item is 'Completed', your user access code on that page must test for all of these conditions.

[ianhaney]

Ahh ok, my current code is not doing that

 

So taking a guess I would need to join the employee table that has the memberID, that is done by sessions when in the employer-profile.php page so would need to do a join in the sql query and get the memberID in the session when it comes to accessing the page and matching it with the payment that they just made, is that right or am I miles off

[ianhaney]

I got the memberID now stored in the payments table so ties up with the memberID of the user who is logged in

 

think I got it, I tried directly accessing the page that I don't want users to access directly unless a payment has been made and it has redirected me to the login page to login or create a account so think I have sussed it