
I'm testing a success page that loads after a transaction with PayPal (IPN) has successfully been completed. All data is successfully saved to a database at the IPN stage, but for some reason the success page I'm using does not load any variables I have fetched, in this case $last_insert_id.

The only thing that is echoed is the word success, BUT when I hit reload the variable appears. Can someone explain what I have gotten wrong? Thanks.

Success.php

<?php
include 'dbconnection.php';

//Get payment information from PayPal
$item_number = $_GET['item_number']; 
$txn_id = $_GET['tx'];
$payment_gross = $_GET['amt'];
$currency_code = $_GET['cc'];
$payment_status = $_GET['st'];
$item_name = $_GET['item_name'];

//Get product price from database
$productResult = $db->query("SELECT price FROM products WHERE id = '".$item_number."'");
$productRow = $productResult->fetch_assoc();
$productPrice = $productRow['price'];

if(!empty($txn_id) && $payment_gross == $productPrice){
    //Check if payment data exists with the same TXN ID.
    $prevPaymentResult = $db->query("SELECT payment_id FROM payments WHERE txn_id = '".$txn_id."'");

    if($prevPaymentResult->num_rows > 0){
        $paymentRow = $prevPaymentResult->fetch_assoc();
        $last_insert_id = $paymentRow['payment_id'];
    }

    echo "success";
    echo $last_insert_id;
} else{
    echo "error";    
}
?>
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 02 '17 at 16:26
  • Maybe the second `SELECT` query `SELECT payment_id FROM ...` is not getting executed the first time, or maybe it's returning an empty result set. Check whether you have this `$txn_id` data available to you in the first place. Also, do `var_dump($last_insert_id);` to debug this issue further. – Rajdeep Paul Jul 02 '17 at 16:39
  • var_dump($last_insert_id); gives me NULL. If I hit it again the variable gets echoed but is still NULL. I can't figure it out. – JulianJ Jul 02 '17 at 17:15
  • `$prevPaymentResult->num_rows` are you sure this row exists in the database? if you `var_dump` the query and run it in your database client, does it have any results? – Richie Hughes Jul 02 '17 at 17:22
  • var_dump($prevPaymentResult); outputs object(mysqli_result)#4 (5) { ["current_field"]=> int(0) ["field_count"]=> int(1) ["lengths"]=> NULL ["num_rows"]=> int(0) ["type"]=> int(0) } – JulianJ Jul 02 '17 at 18:56
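
The two lookups from Success.php rewritten with mysqli prepared statements, as RiggsFolly's comment recommends, and with the empty-result case handled so that `$last_insert_id` is never left undefined. This is an added example, not the asker's code; it assumes `$db` is a mysqli connection from dbconnection.php (built with mysqlnd, which `get_result()` needs) and the `products(id, price)` and `payments(payment_id, txn_id)` tables implied by the post.

```php
<?php
// Added example, not the asker's code: the two lookups from Success.php
// rewritten with mysqli prepared statements, as RiggsFolly's comment
// recommends, with the no-row case handled explicitly. Assumes $db is a
// mysqli connection from dbconnection.php (mysqlnd, for get_result()) and
// the tables products(id, price) and payments(payment_id, txn_id).
include 'dbconnection.php';
// Missing keys become null instead of raising an undefined-index notice.
$item_number   = $_GET['item_number'] ?? null;
$txn_id        = $_GET['tx'] ?? null;
$payment_gross = $_GET['amt'] ?? null;

// Vulnerable form from the post, for comparison:
//   $db->query("SELECT price FROM products WHERE id = '".$item_number."'");
// Hardened form: the value is bound as a parameter, never concatenated.
function fetchProductPrice(mysqli $db, ?string $itemNumber): ?string
{
    $stmt = $db->prepare('SELECT price FROM products WHERE id = ?');
    $stmt->bind_param('s', $itemNumber);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['price'] ?? null;
}

function fetchPaymentId(mysqli $db, ?string $txnId): ?int
{
    $stmt = $db->prepare('SELECT payment_id FROM payments WHERE txn_id = ?');
    $stmt->bind_param('s', $txnId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // fetch_assoc() gives null when nothing matched, so the caller sees
    // null rather than an undefined $last_insert_id.
    return isset($row['payment_id']) ? (int) $row['payment_id'] : null;
}
$productPrice = fetchProductPrice($db, $item_number);
// PayPal sends the amount as a string such as "10.00"; compare as numbers.
if ($txn_id === null || $productPrice === null
    || abs((float) $payment_gross - (float) $productPrice) > 0.005) {
    echo 'error';
    exit;
}

$last_insert_id = fetchPaymentId($db, $txn_id);
if ($last_insert_id === null) {
    echo 'pending'; // no payments row for this txn_id yet
    exit;
}
echo 'success ', htmlspecialchars((string) $last_insert_id, ENT_QUOTES, 'UTF-8');
```

The `pending` branch makes the "no matching row" outcome visible on the page instead of silently echoing an empty value, which is the state the `num_rows => int(0)` dump in the comments shows.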
