I'm going to be implementing some code on a website to help automate a subscription service. For this, I'll be using PayPal's IPN.
I have the following code to check all parameters, and I just want to make sure that, above all, the code is reasonable secure. For example, I'm not sure if it is wise to put the database credentials in this file, or somewhere else, and what should be done to properly secure this file from prying eyes if it is ok to leave the DB credentials in it.
Keep in mind I'm not a developer, so I realize that there are probably better ways to run some of this script, but this is what I've hacked together.
I appreciate all feedback, though my primary concern is security.
Thanks!
AT
Code: Select all
<?php
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
if (!$fp) { //http error
$message = "Error processing order for $payer_email";
mail('my@Email.com', 'ERROR! PayPal IPN', $message);
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
$mysql = mysql_connect("databaseHost", "user", "password");
if (mysql_error()){
mail('my@Email.com', 'ERROR! PayPal IPN', 'Error connecting to MYSQL thus, '.$message);
}
mysql_select_db("database");
if (mysql_error()){
mail('my@Email.com', 'ERROR! PayPal IPN', 'Error selecting DB thus, '.$message);
}
$sql = "SELECT txnid FROM subscribers WHERE txnid = $txn_id";
$res = mysql_query($sql);
if (mysql_error()){
mail('my@Email.com', 'ERROR! PayPal IPN', 'Error querying DB thus, '.$message);
}
$txnArray = mysql_fetch_array($res);
$txnOnFile = $txnArray[0];
$timestamp = date("F j, Y, g:i a");
if (strcmp ($res, "VERIFIED") == 0) {
if ($payment_status == "Completed"){
$statusCheck = 1;
} else {
$statusCheck = 0;
}
if ($txnOnFile == ""){
$txnCheck = 1;
} else {
$txnCheck = 0;
}
if ($receiver_email == "myPaypalAccount@Email.com"){
$emailCheck = 1;
} else {
$emailCheck = 0;
}
if ($payment_amount == 49){
$paymentCheck = 1;
} else {
$paymentCheck = 0;
}
if ($statusCheck == 1 && $txnCheck == 1 && $emailCheck == 1 && $paymentCheck == 1){
$sql = "INSERT INTO subscribers VALUES ('', '$timestamp', '$txn_id', '$payer_email', '$payment_status', '$payment_amount')";
$res = mysql_query($sql);
if (mysql_error()){
$message2 = "Error writing to subscribers table with:\nTime $timestamp\nTxnID $txn_id\nSubscriber $payer_email\nPayment Status $payment_status\n Amount $payment_amount";
mail('my@Email.com', 'ERROR! PayPal IPN', $message2);
}
$message3 = "Time $timestamp\nTxnID $txn_id\nSubscriber $payer_email\nPayment Status $payment_status\n Amount $payment_amount";
// fire off welcome email
mail('my@Email.com', 'Successful Payment Confirmation', $message3);
} else {
$sql = "INSERT INTO fraud VALUES ('', '$timestamp', '$txn_id', '$payer_email', '$payment_status', '$payment_amount')";
$res = mysql_query($sql);
if (mysql_error()){
$message4 = "Error writing to fraud table with:\nTime $timestamp\nTxnID $txn_id\nSubscriber $payer_email\nPayment Status $payment_status\n Amount $payment_amount";
mail('my@Email.com', 'ERROR! PayPal IPN', $message4);
}
$message5 = "Time $timestamp\nTxnID $txn_id\nSubscriber $payer_email\nPayment Status $payment_status\n Amount $payment_amount\n\nStatus Check $statusCheck\nTxnCheck $txnCheck\nEmail Check $emailCheck\nPayment Check $paymentCheck";
mail('my@Email.com', 'Fraud Attempt Recorded!', $message5);
}
}
else if (strcmp ($res, "INVALID") == 0) {
$sql = "INSERT INTO spoofed VALUES ('', '$timestamp', '$txn_id', '$payer_email', '$payment_status', '$payment_amount')";
$res = mysql_query($sql);
if (mysql_error()){
$message6 = "Error writing to spoofed table with:\nTime $timestamp\nTxnID $txn_id\nSubscriber $payer_email\nPayment Status $payment_status\n Amount $payment_amount";
mail('my@Email.com', 'ERROR! PayPal IPN', $message6);
}
}
mysql_close($mysql);
}
fclose ($fp);
}
?>