  1. <?php
  2. //connect to the database
  3. include_once ('includes/connect_to_mysql.php');
  4. // Check to see there are posted variables coming into the script
  5. if ($_SERVER['REQUEST_METHOD'] != "POST") die ("No Post Variables");
  6. // Initialize the $req variable and add CMD key value pair
  7. $req = 'cmd=_notify-validate';
  8. // Read the post from PayPal
  9. foreach ($_POST as $key => $value) {
  10. $value = urlencode(stripslashes($value));
  11. $req .= "&$key=$value";
  12. }
  13. // Now Post all of that back to PayPal's server using curl, and validate everything with PayPal
  14. // We will use CURL instead of PHP for this for a more universally operable script (fsockopen has issues on some environments)
  15. $url = "https://www.sandbox.paypal.com/cgi-bin/webscr"; //USE SANDBOX ACCOUNT TO TEST WITH
  16. //$url = "https://www.paypal.com/cgi-bin/webscr"; //LIVE ACCOUNT
  17. $curl_result=$curl_err='';
  18. $ch = curl_init();
  19. curl_setopt($ch, CURLOPT_URL,$url);
  20. curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
  21. curl_setopt($ch, CURLOPT_POST, 1);
  22. curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
  23. curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Content-Length: " . strlen($req)));
  24. curl_setopt($ch, CURLOPT_HEADER , 0);
  25. curl_setopt($ch, CURLOPT_VERBOSE, 1);
  26. curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
  27. curl_setopt($ch, CURLOPT_TIMEOUT, 30);
  28. $curl_result = @curl_exec($ch);
  29. $curl_err = curl_error($ch);
  30. curl_close($ch);
  31.  
  32. $req = str_replace("&", "n", $req); // Make it a nice list in case we want to email it to ourselves for reporting
  33.  
  34. // Check that the result verifies with PayPal
  35. if (strpos($curl_result, "VERIFIED") !== false) {
  36. $req .= "nnPaypal Verified OK";
  37. mail("email@gmail.com", "Verified OK", "$req", "From: email@gmail.com" );
  38. } else {
  39. $req .= "nnData NOT verified from Paypal!";
  40. mail("email@gmail.com", "IPN interaction not verified", "$req", "From: email@gmail.com" );
  41. exit();
  42. }
  43.  
  44. /* CHECK THESE 4 THINGS BEFORE PROCESSING THE TRANSACTION, HANDLE THEM AS YOU WISH
  45. 1. Make sure that business email returned is your business email
  46. 2. Make sure that the transaction’s payment status is “completed”
  47. 3. Make sure there are no duplicate txn_id
  48. 4. Make sure the payment amount matches what you charge for items. (Defeat Price-Jacking) */
  49.  
  50. // Check Number 1 ------------------------------------------------------------------------------------------------------------
  51. $receiver_email = $_POST['receiver_email'];
  52. if ($receiver_email != "email-facilitator@hotmail.com") {
  53. $message = "Investigate why and how receiver_email variable sent back by PayPal does not match the buisness email set in cart.php. Email = " . $_POST['receiver_email'] . "nnn$req";
  54. mail("email@gmail.com", "Receiver Email is incorrect", $message, "From: email@gmail.com" );
  55. exit(); // exit script
  56. }
  57. // Check number 2 ------------------------------------------------------------------------------------------------------------
  58. if ($_POST['payment_status'] != "Completed") {
  59. // Handle how you think you should if a payment is not complete yet, a few scenarios can cause a transaction to be incomplete
  60. $message = "Investigate why payment was not completed. Email = " . $_POST['receiver_email'] . "nnn$req";
  61. mail("email@gmail.com", "Payment not complete", $message, "From: email@gmail.com" );
  62. exit(); // exit script
  63. }
  64. // Check number 3 ------------------------------------------------------------------------------------------------------------
  65. $this_txn = $_POST['txn_id'];
  66. $sql = mysql_query("SELECT id FROM transactions WHERE txn_id='$this_txn' LIMIT 1"); //check to see transaction id exists in the DB
  67. $numRows = mysql_num_rows($sql);
  68. if ($numRows == 0) {
  69. $message = "Duplicate transaction ID occured so we killed the IPN script. nnn$req";
  70. mail("email@gmail.com", "Duplicate transaction ID(txn_id) in the IPN system", $message, "From: email@gmail.com" );
  71. exit(); // exit script
  72. }
  73. // Check number 4 ------------------------------------------------------------------------------------------------------------
  74. $product_id_string = $_POST['custom'];
  75. $product_id_string = rtrim($product_id_string, ","); // remove last comma
  76. // Explode the string, make it an array, then query all the prices out, add them up, and make sure they match the payment_gross amount
  77. $id_str_array = explode(",", $product_id_string); // Uses Comma(,) as delimiter(break point)
  78. $fullAmount = 0;
  79. foreach ($id_str_array as $key => $value) {
  80.  
  81. $id_quantity_pair = explode("-", $value); // Uses Hyphen(-) as delimiter to separate product ID from its quantity
  82. $product_id = $id_quantity_pair[0]; // Get the product ID
  83. $product_quantity = $id_quantity_pair[1]; // Get the quantity
  84. $sql = mysql_query("SELECT price FROM products WHERE id='$product_id' LIMIT 1");
  85. while($row = mysql_fetch_array($sql)){
  86. $product_price = $row["price"];
  87. }
  88. $product_price = $product_price * $product_quantity;
  89. $fullAmount = $fullAmount + $product_price;
  90. }
  91. $fullAmount = number_format($fullAmount, 2);
  92. $grossAmount = $_POST['mc_gross'];
  93. if ($fullAmount != $grossAmount) {
  94. $message = "Possible Price Jack: " . $_POST['mc_gross'] . " != $fullAmount nnn$req";
  95. mail("email@gmail.com", "Price Jack or Bad Programming", $message, "From: email@gmail.com" );
  96. exit(); // exit script
  97. }
  98. // END ALL SECURITY CHECKS NOW IN THE DATABASE IT GOES ------------------------------------
  99. ////////////////////////////////////////////////////
  100. // Assign local variables from the POST PayPal variables
  101. $custom = $_POST['custom'];
  102. $payer_email = $_POST['payer_email'];
  103. $first_name = $_POST['first_name'];
  104. $last_name = $_POST['last_name'];
  105. $payment_date = $_POST['payment_date'];
  106. $mc_gross = $_POST['mc_gross'];
  107. $payment_currency = $_POST['payment_currency'];
  108. $txn_id = $_POST['txn_id'];
  109. $receiver_email = $_POST['receiver_email'];
  110. $payment_type = $_POST['payment_type'];
  111. $payment_status = $_POST['payment_status'];
  112. $txn_type = $_POST['txn_type'];
  113. $payer_status = $_POST['payer_status'];
  114. $address_street = $_POST['address_street'];
  115. $address_city = $_POST['address_city'];
  116. $address_state = $_POST['address_state'];
  117. $address_zip = $_POST['address_zip'];
  118. $address_country = $_POST['address_country'];
  119. $address_status = $_POST['address_status'];
  120. $notify_version = $_POST['notify_version'];
  121. $verify_sign = $_POST['verify_sign'];
  122. $payer_id = $_POST['payer_id'];
  123. $mc_currency = $_POST['mc_currency'];
  124. $mc_fee = $_POST['mc_fee'];
  125.  
  126. // Place the transaction into the database
  127. $sql = mysql_query("INSERT INTO transactions (product_id_array, payer_email, first_name, last_name, payment_date, mc_gross, payment_currency, txn_id, receiver_email, payment_type, payment_status, txn_type, payer_status, address_street, address_city, address_state, address_zip, address_country, address_status, notify_version, verify_sign, payer_id, mc_currency, mc_fee)
  128. VALUES('$custom','$payer_email','$first_name','$last_name','$payment_date','$mc_gross','$payment_currency','$txn_id','$receiver_email','$payment_type','$payment_status','$txn_type','$payer_status','$address_street','$address_city','$address_state','$address_zip','$address_country','$address_status','$notify_version','$verify_sign','$payer_id','$mc_currency','$mc_fee')") or die ("unable to execute the query");
  129.  
  130. mysql_close();
  131. // Mail yourself the details
  132. mail("email@gmail.com", "NORMAL IPN RESULT - Transaction Entered", $req, "From: email@gmail.com");
  133. ?>