
I'm wanting to insert into a database some data which is sent from PayPal to my IPN. At the moment I'm just testing, so I want to add a couple of snippets of data into my payment table.

```php
if (strcmp($res, "VERIFIED") == 0) {
    // check whether the payment_status is Completed
    // check that txn_id has not been previously processed
    // check that receiver_email is your PayPal email
    // check that payment_amount/payment_currency are correct
    // process payment and mark item as paid.

    // assign posted variables to local variables
    $item_name        = $_POST['item_name'];
    $item_number      = $_POST['item_number'];
    $payment_status   = $_POST['payment_status'];
    $payment_amount   = $_POST['mc_gross'];
    $payment_currency = $_POST['mc_currency'];
    $txn_id           = $_POST['txn_id'];
    $receiver_email   = $_POST['receiver_email'];
    $payer_email      = $_POST['payer_email'];
    $custom           = $_POST['custom'];

    try {
        $sql = "INSERT INTO payment(transaction_id,payment_status)
                VALUES('$txn_id','$payment_status')";
        // mysql_query() returns false on failure and never throws,
        // so the catch block below is never reached on a DB error.
        mysql_query($sql);
    } catch (Exception $e) {
        echo "Caught Exception: " . $e->getMessage();
    }

    /*if($payment_status == "completed")
    {
        mysql_query('UPDATE `users` SET `is_member`= 1 WHERE `username` == $username')
    }
    else
    {
        mysql_query('UPDATE `users` SET `is_member`= 0 WHERE `username` == $username')
    }*/

    if (DEBUG == true) {
        error_log(date('[Y-m-d H:i e] ') . "Verified IPN: $req " . PHP_EOL, 3, LOG_FILE);
    }
} else if (strcmp($res, "INVALID") == 0) {
    // log for manual investigation
    // Add business logic here which deals with invalid IPN messages
    if (DEBUG == true) {
        error_log(date('[Y-m-d H:i e] ') . "Invalid IPN: $req" . PHP_EOL, 3, LOG_FILE);
    }
}
```

Another question: is this the way I should be storing data as is, when it's sent to the IPN receiver? I'm currently sending dummy IPN messages to the page to test it. It's saying the message has been received, but there is no evidence in the database.

    You shouldn't use `mysql_*`. Take a look at [`mysqli`](http://php.net/manual/en/mysqli.quickstart.php) or [`pdo`](http://php.net/manual/en/intro.pdo.php). On that note, you should be using prepared statements. – noahnu Sep 18 '15 at 14:14
  • So using mysql_ is completely invalid? – Small Legend Sep 18 '15 at 14:15
  • 1
    Not invalid. It works (for the moment; it's deprecated and outdated). You are not validating the Paypal POST data. You are vulnerable to SQL injection. **Edit:** what are the values of txn_id and payment_status? do a var_dump – noahnu Sep 18 '15 at 14:20
  • but mysqli validates the paypal POST data? – Small Legend Sep 18 '15 at 14:21
  • With [prepared](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) statements. – noahnu Sep 18 '15 at 14:22
  • Also, you're missing a semicolon after your last POST assignment. – noahnu Sep 18 '15 at 14:24
  • if `$custom = $_POST['custom']` does indeed have the semi-colon and is a typo, you should edit your question to include it. People will think it's the main problem here. If it is part of your actual code, then your question is off-topic based on a syntax error, which Stack deems as just that; a syntax off-topic issue. Error reporting would have said that. http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Sep 18 '15 at 14:28
  • also do `mysql_query($sql) or die(mysql_error());` if it's a db error while making sure you've successfully connected to db using the same MySQL API. – Funk Forty Niner Sep 18 '15 at 14:30
  • what are you saying? even with the semi-colon it doesn't work. – Small Legend Sep 18 '15 at 14:33
  • well then, your code failed and you need to find out why that is. You're not checking for errors which is obvious here. *"it doesn't work"* isn't much to go on really. – Funk Forty Niner Sep 18 '15 at 14:37
  • So how am I not looking for errors? What am I doing posting on Stack Overflow, when it's quite clear I'm unsure of my problem. – Small Legend Sep 18 '15 at 14:38
  • 1
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 18 '15 at 14:43
  • 1
    [The `mysql_*` extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 18 '15 at 14:44
