Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- <?php
- //connect to the database
- include_once ('includes/connect_to_mysql.php');
- // Check to see there are posted variables coming into the script
- if ($_SERVER['REQUEST_METHOD'] != "POST") die ("No Post Variables");
- // Initialize the $req variable and add CMD key value pair
- $req = 'cmd=_notify-validate';
- // Read the post from PayPal
- foreach ($_POST as $key => $value) {
- $value = urlencode(stripslashes($value));
- $req .= "&$key=$value";
- }
- // Now Post all of that back to PayPal's server using curl, and validate everything with PayPal
- // We will use CURL instead of PHP for this for a more universally operable script (fsockopen has issues on some environments)
- $url = "https://www.sandbox.paypal.com/cgi-bin/webscr"; //USE SANDBOX ACCOUNT TO TEST WITH
- //$url = "https://www.paypal.com/cgi-bin/webscr"; //LIVE ACCOUNT
- $curl_result=$curl_err='';
- $ch = curl_init();
- curl_setopt($ch, CURLOPT_URL,$url);
- curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
- curl_setopt($ch, CURLOPT_POST, 1);
- curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
- curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Content-Length: " . strlen($req)));
- curl_setopt($ch, CURLOPT_HEADER , 0);
- curl_setopt($ch, CURLOPT_VERBOSE, 1);
- curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
- curl_setopt($ch, CURLOPT_TIMEOUT, 30);
- $curl_result = @curl_exec($ch);
- $curl_err = curl_error($ch);
- curl_close($ch);
- $req = str_replace("&", "n", $req); // Make it a nice list in case we want to email it to ourselves for reporting
- // Check that the result verifies with PayPal
- if (strpos($curl_result, "VERIFIED") !== false) {
- $req .= "nnPaypal Verified OK";
- mail("email@gmail.com", "Verified OK", "$req", "From: email@gmail.com" );
- } else {
- $req .= "nnData NOT verified from Paypal!";
- mail("email@gmail.com", "IPN interaction not verified", "$req", "From: email@gmail.com" );
- exit();
- }
- /* CHECK THESE 4 THINGS BEFORE PROCESSING THE TRANSACTION, HANDLE THEM AS YOU WISH
- 1. Make sure that business email returned is your business email
- 2. Make sure that the transaction’s payment status is “completed”
- 3. Make sure there are no duplicate txn_id
- 4. Make sure the payment amount matches what you charge for items. (Defeat Price-Jacking) */
- // Check Number 1 ------------------------------------------------------------------------------------------------------------
- $receiver_email = $_POST['receiver_email'];
- if ($receiver_email != "email-facilitator@hotmail.com") {
- $message = "Investigate why and how receiver_email variable sent back by PayPal does not match the buisness email set in cart.php. Email = " . $_POST['receiver_email'] . "nnn$req";
- mail("email@gmail.com", "Receiver Email is incorrect", $message, "From: email@gmail.com" );
- exit(); // exit script
- }
- // Check number 2 ------------------------------------------------------------------------------------------------------------
- if ($_POST['payment_status'] != "Completed") {
- // Handle how you think you should if a payment is not complete yet, a few scenarios can cause a transaction to be incomplete
- $message = "Investigate why payment was not completed. Email = " . $_POST['receiver_email'] . "nnn$req";
- mail("email@gmail.com", "Payment not complete", $message, "From: email@gmail.com" );
- exit(); // exit script
- }
- // Check number 3 ------------------------------------------------------------------------------------------------------------
- $this_txn = $_POST['txn_id'];
- $sql = mysql_query("SELECT id FROM transactions WHERE txn_id='$this_txn' LIMIT 1"); //check to see transaction id exists in the DB
- $numRows = mysql_num_rows($sql);
- if ($numRows == 0) {
- $message = "Duplicate transaction ID occured so we killed the IPN script. nnn$req";
- mail("email@gmail.com", "Duplicate transaction ID(txn_id) in the IPN system", $message, "From: email@gmail.com" );
- exit(); // exit script
- }
- // Check number 4 ------------------------------------------------------------------------------------------------------------
- $product_id_string = $_POST['custom'];
- $product_id_string = rtrim($product_id_string, ","); // remove last comma
- // Explode the string, make it an array, then query all the prices out, add them up, and make sure they match the payment_gross amount
- $id_str_array = explode(",", $product_id_string); // Uses Comma(,) as delimiter(break point)
- $fullAmount = 0;
- foreach ($id_str_array as $key => $value) {
- $id_quantity_pair = explode("-", $value); // Uses Hyphen(-) as delimiter to separate product ID from its quantity
- $product_id = $id_quantity_pair[0]; // Get the product ID
- $product_quantity = $id_quantity_pair[1]; // Get the quantity
- $sql = mysql_query("SELECT price FROM products WHERE id='$product_id' LIMIT 1");
- while($row = mysql_fetch_array($sql)){
- $product_price = $row["price"];
- }
- $product_price = $product_price * $product_quantity;
- $fullAmount = $fullAmount + $product_price;
- }
- $fullAmount = number_format($fullAmount, 2);
- $grossAmount = $_POST['mc_gross'];
- if ($fullAmount != $grossAmount) {
- $message = "Possible Price Jack: " . $_POST['mc_gross'] . " != $fullAmount nnn$req";
- mail("email@gmail.com", "Price Jack or Bad Programming", $message, "From: email@gmail.com" );
- exit(); // exit script
- }
- // END ALL SECURITY CHECKS NOW IN THE DATABASE IT GOES ------------------------------------
- ////////////////////////////////////////////////////
- // Assign local variables from the POST PayPal variables
- $custom = $_POST['custom'];
- $payer_email = $_POST['payer_email'];
- $first_name = $_POST['first_name'];
- $last_name = $_POST['last_name'];
- $payment_date = $_POST['payment_date'];
- $mc_gross = $_POST['mc_gross'];
- $payment_currency = $_POST['payment_currency'];
- $txn_id = $_POST['txn_id'];
- $receiver_email = $_POST['receiver_email'];
- $payment_type = $_POST['payment_type'];
- $payment_status = $_POST['payment_status'];
- $txn_type = $_POST['txn_type'];
- $payer_status = $_POST['payer_status'];
- $address_street = $_POST['address_street'];
- $address_city = $_POST['address_city'];
- $address_state = $_POST['address_state'];
- $address_zip = $_POST['address_zip'];
- $address_country = $_POST['address_country'];
- $address_status = $_POST['address_status'];
- $notify_version = $_POST['notify_version'];
- $verify_sign = $_POST['verify_sign'];
- $payer_id = $_POST['payer_id'];
- $mc_currency = $_POST['mc_currency'];
- $mc_fee = $_POST['mc_fee'];
- // Place the transaction into the database
- $sql = mysql_query("INSERT INTO transactions (product_id_array, payer_email, first_name, last_name, payment_date, mc_gross, payment_currency, txn_id, receiver_email, payment_type, payment_status, txn_type, payer_status, address_street, address_city, address_state, address_zip, address_country, address_status, notify_version, verify_sign, payer_id, mc_currency, mc_fee)
- VALUES('$custom','$payer_email','$first_name','$last_name','$payment_date','$mc_gross','$payment_currency','$txn_id','$receiver_email','$payment_type','$payment_status','$txn_type','$payer_status','$address_street','$address_city','$address_state','$address_zip','$address_country','$address_status','$notify_version','$verify_sign','$payer_id','$mc_currency','$mc_fee')") or die ("unable to execute the query");
- mysql_close();
- // Mail yourself the details
- mail("email@gmail.com", "NORMAL IPN RESULT - Transaction Entered", $req, "From: email@gmail.com");
- ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement