
notify_url.php

<?php
include('connection.php');
$sql = "UPDATE tablename 
        SET credit = credit + {$_POST['amount']} 
        WHERE username = '123456789'";
mysqli_query($con, $sql);
?>

form html

<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
          <input type="hidden" name="cmd" value="_s-xclick">
          <input type="hidden" name="hosted_button_id" value="6RNT8A4HBBJRE">
          <input type="image" 
            src="https://www.sandbox.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif" 
            border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
          <img alt="" border="0" src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif" 
            width="1" height="1">
            <input name="amount" value=10.95 type="hidden"> <<< not sure if this line should be here
            <input name="notify_url" value="notify_url.php" type="hidden">
    </form>

The above code is what I have in my notify_url.php file. My database is not being updated :(. My connection file is ok. And when I put a number instead of the POST variable it works fine. Which only means that my POST variable could be wrong or the script is not being called at all!

Edit: The second code is the form that was generated from PayPal website (the Buy button).

MiniGunnR

2 Answers


Edit:

You have value=10.95, wrap that in quotes value="10.95" - It's not a big deal, but good practice.

also if(isset($_POST['amount'])){...} or if(!empty($_POST['amount'])){...}

while making sure your column is DECIMAL with length/values like 10,2 for example, in order to be able to accept decimals such as 10.95

Consult:

The way I tested this was using:

$amount = $_POST['amount'];

$sql = "UPDATE tablename 
        SET credit = credit + $amount 
        WHERE username = '123456789'";

Or you can try using concatenates:

SET credit = credit + '".$amount."' 

Also, your post action should be action="notify_url.php" rather than what you're using now.


Original answer before you posted your HTML form:

I have a suspicion that either your form element doesn't have a name attribute and/or a value, as well as not using a POST method.

If your form does not have a defined method being POST since you are using $_POST['amount'], it will default to a GET method, in turn failing silently.

Since you haven't posted your HTML form, you can base yourself on any of the following:

If using a hidden type with a preset value: (in this case, I used 1000).

<form method="post" action="your_handler.php">

<input type="hidden" name="amount" value="1000">
<input type="submit" name="submit">

</form>

If from user input:

<form method="post" action="your_handler.php">

<input type="text" name="amount">
<input type="submit" name="submit">

</form>

You can also check if the form's element is set/empty by using:

if(isset($_POST['amount'])){...} or if(!empty($_POST['amount'])){...}

  • Also make sure your column is an int rather than varchar, which can also be one of the reasons why your code may be failing.

I need to note that your present code is open to SQL injection. Use prepared statements, or PDO with prepared statements, they're much safer.


Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// rest of your code

as well as adding or die(mysqli_error($con)) to mysqli_query().

Sidenote: Error reporting should only be done in staging, and never production.


  • If that still doesn't work, post your HTML form and DB schema in order to be absolutely certain.
Funk Forty Niner
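As an added example (not code from the question or from either answer), here is notify_url.php rebuilt along the lines the first answer suggests: the amount is checked with isset() and a decimal pattern, then bound through a mysqli prepared statement instead of being interpolated into the SQL string. It assumes connection.php defines $con as in the question and that the credit column is DECIMAL(10,2).

```php
<?php
// Added example: the question's notify_url.php handler rewritten with a
// mysqli prepared statement. Assumes connection.php provides $con (as in
// the question) and that `credit` is DECIMAL(10,2) as the first answer
// recommends. Note: an IPN listener should also confirm the message with
// PayPal before trusting its fields; that step is outside this example.
include('connection.php');

// Reject the request unless 'amount' is present and is a positive decimal
// with at most two fractional digits (e.g. "10.95").
if (!isset($_POST['amount'])
    || !preg_match('/^\d{1,8}(\.\d{1,2})?$/', $_POST['amount'])) {
    http_response_code(400);
    exit('invalid amount');
}
$amount   = $_POST['amount'];
$username = '123456789';

// Placeholders (?) replace the string interpolation of the original query;
// the values are sent separately from the SQL text and cannot alter it.
$stmt = mysqli_prepare(
    $con,
    'UPDATE tablename SET credit = credit + ? WHERE username = ?'
);
if ($stmt === false) {
    // Log server-side rather than echoing mysqli_error() to the caller.
    error_log('prepare failed: ' . mysqli_error($con));
    http_response_code(500);
    exit;
}

// Both values are bound as strings ('ss'): MySQL converts "10.95" to the
// DECIMAL column exactly, with no float rounding on the way.
mysqli_stmt_bind_param($stmt, 'ss', $amount, $username);

if (!mysqli_stmt_execute($stmt)) {
    error_log('execute failed: ' . mysqli_stmt_error($stmt));
    http_response_code(500);
    exit;
}

// affected_rows shows whether the WHERE clause matched any row at all,
// which separates "wrong username" from "script never called".
$updated = mysqli_stmt_affected_rows($stmt);
mysqli_stmt_close($stmt);
echo $updated . " row(s) updated";
?>
```

Hit the script directly with a test POST (the first answer's plain form with a hidden amount field works for this) before pointing PayPal's notify_url at it, so that a database problem and a "never called" problem are diagnosed separately.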

Could you try to rewrite the code as follows:

$sql = "UPDATE tablename SET credit = credit + ". $_POST['amount'] ." WHERE username = '123456789'";

Anyway, I discourage that approach (passing the POST straight into the query) because it is vulnerable to MySQL injection.

And try to change

    <input name="notify_url" value="notify_url.php" type="hidden">

in

    <input name="notify_url" value="http://www.domain.com/notify_url.php" type="hidden">
nik.longstone
  • The direct query is just for testing phase. I'm so frustrated that it doesn't work! BTW, that change in syntax doesn't work. – MiniGunnR Mar 15 '15 at 11:07
  • did you receive from the POST the correct value? what you get from var_dump($_POST['amount']) – nik.longstone Mar 15 '15 at 11:09
  • I don't know what I receive. Apparently the notify_url.php file is never loaded. It just gets the post variables. Otherwise I would have print_r($_POST) to see the variables. – MiniGunnR Mar 15 '15 at 14:01
  • Sorry nik. Still no luck. I am trying to get someone to pay for airtime. https://devtools-paypal.com/guide/digitalgoods_ec/php?interactive=ON&env=sandbox <-- Is this link a good way to do it? Although a lot of it are not clear to me yet, I can surely try. – MiniGunnR Mar 15 '15 at 14:28