
I am using a payment gateway for online transactions. I submit the form through this script, where I calculate the order charges and submit the form to the payment gateway URL:

    <?php

    session_start();
    header("Pragma: no-cache");
    header("Cache-Control: no-cache");
    header("Expires: 0");

    require_once("./lib/config_paytm.php");
    require_once("./lib/encdec_paytm.php");

    if(!isset($_SESSION['groupid']) || !isset($_SESSION['userid'])){
        header('Location: cart.php');
        exit();
    }

    $db = mysqli_connect('localhost','root','','project');

    $groupid = $_SESSION['groupid'];
    $userid = $_SESSION['userid'];
    $charges = 0;
    $disc = 0;
    $taxes = 0;
    $delfee = 0;

    $query_9 = "SELECT content,delievery_charges,taxes FROM orders WHERE userid='$userid' and groupid='$groupid' ";

    $result_9 = mysqli_query($db,$query_9);

    if(mysqli_num_rows($result_9)==0){
        // No order rows for this user/group: back to the cart, and stop here
        header('Location: cart.php');
        exit();
    }

    while($row=mysqli_fetch_assoc($result_9)){

        if(!empty($row["delievery_charges"])){
            $charges = $charges + $row["delievery_charges"];
        }
        if(!empty($row["taxes"])){
            $taxes = $taxes + $row["taxes"];
        }

        // I calculate charges,discount here

    }

    $net = round($charges - $disc + $taxes + $delfee);
    $paytmcharge = $net + (0.0099 * $net);

    $checkSum = "";
    $paramList = array();

    $ORDER_ID = "ORDS" . rand(10000,99999999).$_SESSION['userid'];
    $CUST_ID = $_SESSION["userid"];
    $INDUSTRY_TYPE_ID = "Retail";
    $CHANNEL_ID = "WEB";

    $TXN_AMOUNT = round($paytmcharge);

    // Create an array having all required parameters for creating checksum.
    $paramList["MID"] = PAYTM_MERCHANT_MID;
    $paramList["ORDER_ID"] = $ORDER_ID;
    $paramList["CUST_ID"] = $CUST_ID;
    $paramList["INDUSTRY_TYPE_ID"] = $INDUSTRY_TYPE_ID;
    $paramList["CHANNEL_ID"] = $CHANNEL_ID;
    $paramList["TXN_AMOUNT"] = $TXN_AMOUNT;
    $paramList["WEBSITE"] = PAYTM_MERCHANT_WEBSITE;

    $paramList["CALLBACK_URL"] = "https://www.mydomain.in/pgResponse.php";

    // Here the checksum string is returned by the getChecksumFromArray() function.
    $checkSum = getChecksumFromArray($paramList,PAYTM_MERCHANT_KEY);

    ?>
    <html>
    <head>
    <title>Merchant Check Out Page</title>
    </head>
    <body>
        <center><h1>Please do not refresh this page...</h1></center>
            <form method="post" action="<?php echo PAYTM_TXN_URL ?>" name="f1">
            <table border="1">
                <tbody>
                <?php
                foreach($paramList as $name => $value) {
                    echo '<input type="hidden" name="' . $name .'" value="' . $value . '">';
                }
                ?>
                <input type="hidden" name="CHECKSUMHASH" value="<?php echo $checkSum ?>">
                </tbody>
            </table>
            <script type="text/javascript">
                document.f1.submit();
            </script>
        </form>
    </body>
    </html>

In my response script, which receives the response from the payment gateway (shown below), I am redirected to cart.php, probably because my `$_SESSION['groupid']` and `$_SESSION['userid']` are not set:

    <?php
    session_start();
    header("Pragma: no-cache");
    header("Cache-Control: no-cache");
    header("Expires: 0");

    if(!isset($_SESSION['userid']) || !isset($_SESSION['groupid'])){
        header('Location: cart.php'); // I am always getting redirected here
        exit();
    }

    // check if transaction is successful or not
    ?>
    <html>
    <head>
    <title>Merchant Check Out Page</title>
    </head>
    <body>
    <!-- show if transaction was successful or not -->
    </body>
    </html>

I have tried `session_cache_limiter('private'); session_cache_expire(0);` but it is still not working and all my session variables are lost. How can I use nocache without losing the session variables?

aryanknp
  • Not the issue but you are generating invalid HTML. The `table` cannot contain only `input` elements with no `tr` and `td` elements – Professor Abronsius Aug 04 '20 at 06:46
  • OK sir, will correct it – aryanknp Aug 04 '20 at 06:49
  • have you tried setting the form `target` attribute? ie: `target='_blank'`? – Professor Abronsius Aug 04 '20 at 06:53
  • Just did so, and now the page is showing that a pop-up was blocked – aryanknp Aug 04 '20 at 06:59
  • ok - it was just a mad thought. – Professor Abronsius Aug 04 '20 at 07:00
  • What makes you think this was a _caching_ issue in the first place? This sounds like you lost your session id somehow. – CBroe Aug 04 '20 at 07:02
  • Sir, what should I do? I am not able to understand – aryanknp Aug 04 '20 at 07:03
  • It's hard to figure what is going wrong when one is unable to test this but one idea is when you set the callback url ( `$paramList["CALLBACK_URL"] = "https://www.mydomain.in/pgResponse.php";` ) you could assign a unique token to that as querystring parameter ( ie: `...pgResponse.php?token=d1421938155a03a0311` ) ~ when the user is redirected by the payment gateway you can verify that the token is valid and then show whatever you need? – Professor Abronsius Aug 04 '20 at 07:19
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Aug 04 '20 at 13:19
  • I was using data not provided by the user, that's why I didn't use a prepared statement here. Is this still subject to SQL injection? – aryanknp Aug 04 '20 at 13:36

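As an added example (not code from the question or from Paytm's kit), here is one way to implement the per-order token in the callback URL suggested in the comments, so that `pgResponse.php` can identify the order without depending on the session cookie (which a browser may not send on a cross-site POST back from the gateway), while using prepared statements as the SQL injection comment recommends. It assumes a `payment_tokens` table as described in the code comment, that `lib/encdec_paytm.php` defines a `verifychecksum_e()` function, and that the gateway posts back `ORDERID` and `CHECKSUMHASH` fields; all three are assumptions.

```php
<?php
// Added example, not code from the question or from Paytm's kit.
// Assumed table:  CREATE TABLE payment_tokens (token CHAR(64) PRIMARY KEY,
//   order_id VARCHAR(64), userid INT, groupid INT, used TINYINT DEFAULT 0);
// Assumed: lib/encdec_paytm.php defines verifychecksum_e($params, $key, $hash).

// Checkout side: call this before building $paramList, then append the token
// to the callback, e.g. ".../pgResponse.php?token=" . $token
function createCallbackToken(mysqli $db, string $orderId, int $userid, int $groupid): string
{
    $token = bin2hex(random_bytes(32));   // 256-bit CSPRNG value, unguessable
    $stmt = $db->prepare(
        "INSERT INTO payment_tokens (token, order_id, userid, groupid) VALUES (?, ?, ?, ?)"
    );
    $stmt->bind_param("ssii", $token, $orderId, $userid, $groupid);
    $stmt->execute();
    return $token;
}

// Callback side: identify the order from the token, not from the session cookie,
// which the browser may not send on a cross-site POST back from the gateway.
function resolveCallbackToken(mysqli $db, string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // reject anything not shaped like our token
        return null;
    }
    $stmt = $db->prepare(
        "SELECT order_id, userid, groupid FROM payment_tokens WHERE token = ? AND used = 0"
    );
    $stmt->bind_param("s", $token);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null) {
        return null;
    }
    $upd = $db->prepare("UPDATE payment_tokens SET used = 1 WHERE token = ?");  // single use
    $upd->bind_param("s", $token);
    $upd->execute();
    return $row;
}

// pgResponse.php, after session_start():
// $ctx = resolveCallbackToken($db, $_GET['token'] ?? '');
// $post = $_POST; $hash = $post['CHECKSUMHASH'] ?? ''; unset($post['CHECKSUMHASH']);
// if ($ctx === null || ($post['ORDERID'] ?? '') !== $ctx['order_id']
//     || !verifychecksum_e($post, PAYTM_MERCHANT_KEY, $hash)) {
//     http_response_code(400); exit();      // token, order id and gateway signature must all match
// }
// $_SESSION['userid'] = $ctx['userid']; $_SESSION['groupid'] = $ctx['groupid'];
```

The token identifies the order, but only the gateway's checksum proves the payment result is genuine, so the handler must refuse to show a success page when either check fails.
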
0 Answers