-1

<?php
if ( isset($_POST['btnSubmit']) ) {

    // gather card info
    $transaction->amount = '9.99';
    $transaction->card_num = $_POST['card_num'];
    $transaction->exp_date = $_POST['exp_date'];

    // capture info
    $response = $transaction->authorizeAndCapture();

    // check if approved
    if ($response->approved) {
        echo "<h1>Success! The test credit card has been charged!</h1>";
        echo "Transaction ID: " . $response->transaction_id;

        // if approved insert into sql data base
        $query = "INSERT INTO payments (card_num,exp_date) VALUES ('$card_num','$exp_dat')";
        $result = mysql_query($query);

    } else {
        echo $response->error_message;
    }
}
?>

I am trying to run a payment integration code, and when the payment is approved, I can't insert the payment details into MySQL table. It says:

"Undefined variable: exp_dat" "Undefined variable: card_num".

I am not sure how to define it because I can't put $ before card_num in the $transaction->card_num =$_POST['card_num'];.

I also can't insert the transaction id in there.

Thanks

A_Sk
jake
  • Are you seriously putting credit card numbers in a database? **NO**. Just stop right there. This is completely reckless. Please, **please**, use a processor like Stripe or PayPal or **anything** other than this. This short example of code is riddled with severe [SQL injection bugs](http://bobby-tables.com/) which means getting this data out is easy, you have zero security. This would fail PCI certification so hard. – tadman Sep 23 '15 at 16:13
  • This code is how lives are ruined – John Conde Sep 23 '15 at 18:59
  • Thanks tadman. I am using authorize.net as my payment gateway and I am using their SDK. I will not be inserting the credit card info in the database. I will only be inserting the transaction ID and the name of the customer into the SQL database. Furthermore, regarding security, do you think it is okay to have the credit card number `$transaction->card_num =$_POST['card_num'];` but not inserting it in the database? Or is that just as easy to obtain as a hacker? – jake Sep 24 '15 at 04:33

2 Answers

1

You have no variable `$exp_dat`, just as the error says; your variable is either `$transaction->exp_date` or `$_POST['exp_date']`.

That being said, please read this link, "How can I prevent SQL injection in PHP?", and convert this to a mysqli_ query while binding your variables, or use PDO.

Community
dstudeba
  • I am aware how to insert into SQL and define variables, e.g., `$numbers = $_POST['numbers']; $names = $_POST['names']; $query = "INSERT INTO tester (numbers,names) VALUES ('$numbers','$names')"; $result = mysql_query($query);` – jake Sep 23 '15 at 15:56
  • I don't know, however, how to define it here – jake Sep 23 '15 at 15:56
  • because there is `$transaction->card_num` before the card_num. Does that mean I insert the value as `$transaction->card_num`?? – jake Sep 23 '15 at 15:57
  • Your syntax is incorrect. `$query = "INSERT INTO payments (card_num,exp_date) VALUES ('$card_num','$exp_dat')";` should be `$query = "INSERT INTO payments (card_num,exp_date) VALUES ('$transaction->card_num','$transaction->exp_date')";` – dstudeba Sep 23 '15 at 15:58
  • Yes, you cannot just use `$card_num` or `card_num` for `$transaction->card_num` – dstudeba Sep 23 '15 at 16:00
  • Thank you so much guys for the help. Thanks dstudeba. You guys are quick as lightning :) – jake Sep 23 '15 at 16:03
  • :S I just tested it, `Undefined property: AuthorizeNetAIM::$card_num` is what I'm getting :S – jake Sep 23 '15 at 16:08
  • That is a different issue which will require debugging on your part probably by using hard coded variables to start. Also please read tadman's comment above, he brings up a very good point. – dstudeba Sep 23 '15 at 16:24
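
The prepared-statement approach recommended in the answer above, as an added example that is not code from the original thread: it records only the transaction ID and a customer name, as the asker says he intends, and never the card number. The `transaction_id` and `customer_name` columns, the `recordPayment()` helper and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example: record an approved payment with a PDO prepared statement.
// Assumptions (not from the original post): the columns transaction_id and
// customer_name, the recordPayment() helper, and an in-memory SQLite database
// standing in for MySQL so the script runs offline.

function recordPayment(PDO $db, object $response, string $customerName): bool
{
    // Persist approved transactions only, and never the card number or expiry.
    if (empty($response->approved)) {
        return false;
    }
    // Placeholders keep user-supplied values out of the SQL text entirely.
    $stmt = $db->prepare(
        'INSERT INTO payments (transaction_id, customer_name) VALUES (:tid, :name)'
    );
    return $stmt->execute([
        ':tid'  => (string) $response->transaction_id,
        ':name' => $customerName,
    ]);
}

// For MySQL the DSN would be of the form 'mysql:host=...;dbname=...;charset=utf8mb4'.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (transaction_id TEXT PRIMARY KEY, customer_name TEXT NOT NULL)');

// Constructed stand-in for the gateway response object used in the question.
$approved = new stdClass();
$approved->approved = true;
$approved->transaction_id = '2240000001'; // constructed sample value

// Constructed input containing quotes and SQL syntax: it is bound as data.
$name = "Robert'); DROP TABLE payments;--";
recordPayment($db, $approved, $name);

// A declined response is rejected before any SQL runs.
$declined = new stdClass();
$declined->approved = false;
recordPayment($db, $declined, 'Nobody');

// The table still exists and holds exactly the one approved row.
foreach ($db->query('SELECT transaction_id, customer_name FROM payments') as $row) {
    echo $row['transaction_id'], ' | ', $row['customer_name'], PHP_EOL;
}
```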
0

The error message is perfectly clear.

$exp_dat does not exist (but $transaction->exp_date does)

$card_num does not exist (but $transaction->card_num does)

Use these variables in your query:

$query = "INSERT INTO payments (card_num,exp_date) 
          VALUES ('$transaction->card_num','$transaction->exp_date')";
MaggsWeb
  • Ohhhh, that makes a lot more sense!! Does that mean I have to change the names of the values in the MySQL table to `$transaction->card_num`?? – jake Sep 23 '15 at 16:00
  • Nope. The 'column name' and variable do NOT need to match. – MaggsWeb Sep 23 '15 at 16:00
  • Alright, thank you so much!! And sorry for the noob question. It was just a bit different – jake Sep 23 '15 at 16:02
  • :S I just tested it, `Undefined property: AuthorizeNetAIM::$card_num` is what I'm getting :S – jake Sep 23 '15 at 16:08