付款成功后保存到数据库(PayPal) [英] Saving to database on payment successful (paypal)
本文介绍了付款成功后保存到数据库(PayPal)的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我正在尝试找出在客户使用Paypal付款后将数据(以前以表格形式提交)保存到数据库中的最佳方法.与此过程类似的事情:
1)在实际网站上填写表格-> 2)登录Paypal-> 3)立即付款(PayPal)-> 4)数据已插入数据库中-> 5)返回起点?
我已经找到了执行步骤1至3和5的方法,但是在执行步骤4时需要一些帮助.据我所知,我需要以某种方式存储数据,然后保存或丢弃已存储的数据按要求.最好的方法是什么?
表格
<form action="" method="post" target="" id="bookstay">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="unitprice" value="40" />
<input type="hidden" name="apt_name" value="Apartment1" />
<input type="hidden" name="no_note" value=""/>
<input type="hidden" name="lc" value="MT" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="apartment" value="1"/>
<input name='first_name' class="short-input" id='name' type="text" value="Name" onFocus="this.value = ''" />
<input name= 'last_name' class="short-input" id='name' type="text" value="surname" onFocus="this.value = ''" />
<input name='payer_email' class="long-input" type="text" value="Email" onFocus="this.value = ''" />
<input name='address' class="long-input" type="text" value="Address" onFocus="this.value = ''" />
<input name='mobile' class="short-input" type="text" value="mobile" onFocus="this.value = ''" />
<div class='select' id='peopletostay'>
<select name='pax' class='short-input'>
<option value='0'>people to stay</option>
<option value='1'>1</option>
<option value='2'>2</option>
<option value='3'>3</option>
<option value='4'>4</option>
</select>
</div>
<div id="dateofarrival">
date of arrival<br>
<div class='select' id='date'>
<select class="short-input day-from" name="day_from">
<option value= "01" >01</option>
...
<option value= "31" >31</option>
</select>
</div>
<div class='select' id='month'>
<select class="short-input month-from" name="month_from" size="1">
<option value="01" >January</option>
....
<option value="12" >December</option>
</select>
</div>
<div class='select' id='year'>
<select class="short-input year-from" name='year_from'>
<option value= 2015 > 2015</option>
....
<option value= 2025 > 2025</option>
</select>
</div>
</div>
<div id="dateodeparture">
date of arrival<br>
<div class='select' id='date'>
<select class="short-input day-from" name="day_to">
<option value= "01" >01</option>
...
<option value= "31" >31</option>
</select>
</div>
<div class='select' id='month'>
<select class="short-input month-from" name="month_to" size="1">
<option value="01" >January</option>
....
<option value="12" >December</option>
</select>
</div>
<div class='select' id='year'>
<select class="short-input year-from" name='year_to'>
<option value= 2015 > 2015</option>
....
<option value= 2025 > 2025</option>
</select>
</div>
</div>
<textarea name='remarks'>Extra Remarks</textarea>
<button type="submit" name="proceedtopaypal" id="proceedtopaypal">make booking (proceed to paypal)</button>
</form>
付款代码
<?php
if ($_POST) {
if (isset($_POST['proceedtopaypal'])){
include 'connect.php';
$apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
$unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
$first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
$last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
$payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
$address = mysqli_real_escape_string($conn, $_POST['address']);
$apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
$mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
$pax = mysqli_real_escape_string($conn, $_POST['pax']);
$remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
$day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
$month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
$year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
$booking_from = $year_from."-".$month_from."-".$day_from;
$day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
$month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
$year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
$booking_to = $year_to."-".$month_to."-".$day_to;
$no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from));
$quantity = floor($no_of_nights / (60*60*24));
// paypal settings
$paypal_email = 'christabelbusuttil@gmail.com';
$return_url = 'http://localhost/Webdevelopment/V18/apartments.php';
$cancel_url = 'http://localhost/Webdevelopment/V18/apartments.php';
$notify_url = 'http://localhost/Webdevelopment/V18/paypal/payments.php';
$item_amount = $unitprice * $quantity;
$item_name = "Booking at ".$apt_name." from " .$booking_from ." to " .$booking_to;
$validdate = false;
$buttonpressed = false;
$checkin='<p>Check in date is invalid.</p>';
$checkout='<p>Check out date is invalid</p>';
$larger = '<p>Check in date is after check out date</p>';
$noinfo='<p>please fill in the missing information.</p>';
$booked='<p>The dates selected are already booked for this apartment</p>';
$equal = '<p>You need to spend a minimum of 1 night in these apartment</p>';
$thankyou = '<h5>Thank you</h5><p>thank you for booking an apartment with V18-apartments.</p>';
$window = '';
function IsInjected($str) {
$injections = array('(\n+)',
'(\r+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str))
{
return true;
}
else
{
return false;
}
}
if (!checkdate($month_from, $day_from, $year_from)) {
$window = $checkin;
echo $window;
$validate = true;
}
else if (!checkdate($month_to, $day_to, $year_to)) {
$window = $checkout;
$validate = true;
echo $window;
//echo "Check out date is invalid";
}
else if ($booking_from > $booking_to) {
$window = $larger;
$validate = true;
echo $window;
// echo "Check in date is after check out date";
}
else if ($booking_from == $booking_to) {
$window = $equal;
$validate = true;
echo $window;
}
// check if all info is filled in
else if (($first_name == "Name") || ($last_name == "surname") || ($payer_email == "Email") || ($mobile == "mobile") || ($address == "Address")) {
$window = $noinfo;
echo $window;
$validate = true;
// echo "Please fill in the missing information";
}
else if (IsInjected($payer_email)) {
echo "Not an email";
}
else if ($validdate == false) {
$final = true;
$sql = "SELECT COUNT(*) FROM room_nights WHERE apartmentID= '$apartment' AND dates >= '$booking_from' AND dates <= '$booking_to'";
$result = mysqli_query($conn, $sql);
$result = mysqli_query($conn, $sql);
$row=mysqli_fetch_row($result);
if ($row[0] > 0) {
$window = $booked;
echo $window;
}
else if ($final == true) {
// save to database
include 'insertdata.php'; // code below
echo $item_name;
// include functions
include ("pay_functions.php");
// Check if paypal request or response
if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){
// Firstly Append paypal account to querystring
$querystring .= "?business=".urlencode($paypal_email)."&";
// Append amount& currency (£) to quersytring so it cannot be edited in html
//The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
$querystring .= "item_name=".urlencode($item_name)."&";
$querystring .= "amount=".urlencode($item_amount)."&";
//loop for posted values and append to querystring
foreach($_POST as $key => $value){
$value = urlencode(stripslashes($value));
$querystring .= "$key=$value&";
}
// Append paypal return addresses
$querystring .= "return=".urlencode(stripslashes($return_url))."&";
$querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&";
$querystring .= "notify_url=".urlencode($notify_url);
// Append querystring with custom field
//$querystring .= "&custom=".USERID;
// Redirect to paypal IPN
header('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);
exit();
}
else {
// Response from paypal
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
$req .= "&$key=$value";
}
// assign posted variables to locate variables
$data['item_name'] = $_POST['item_name'];
$data['item_number'] = $_POST['item_number'];
$data['payment_status'] = $_POST['payment_statis'];
$data['payment_amount'] = $_POST['mc_gross'];
$data['payment_currency'] = $_POST['mc_currency'];
$data['txn_id'] = $_POST['txn_id'];
$data['receiver_email'] = $_POST['receiver_email'];
$data['payer_email'] = $_POST['payer_email'];
$data['custom'] = $_POST['custom'];
// post back to paypal system and validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type : application/x-www-form-urlencoded\r\n";
$header .= "Content-Lenght: " .strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);
if (!$fp) {
// HTTP error
} else {
mail('christabelbusuttil@gmail.com', '0', '0');
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {
// validate payment (check unique txnid & correct price)
$valid_txnid = check_txnid($data['txn_id']);
$valid_price = check_price($data['payment_amount'], $data['item_number']);
// Payment validated and verified
if ($valid_price && $valid_price) {
$orderid = updatePayments($data);
if ($orderid){
// payment has been made and inserted into db
} else {
echo "Error";
}
}
else if (strcmp($res, "INVALID") == 0) {
echo "Payment invalid";
}
}
fclose($fp);
}
}
}
}
}
}
}
?>
INSERTDATA.PHP
<?php
$apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
$unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
$first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
$last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
$payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
$address = mysqli_real_escape_string($conn, $_POST['address']);
$apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
$mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
$pax = mysqli_real_escape_string($conn, $_POST['pax']);
$remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
$day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
$month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
$year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
$booking_from = $year_from."-".$month_from."-".$day_from;
$day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
$month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
$year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
$booking_to = $year_to."-".$month_to."-".$day_to;
$no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from));
$quantity = floor($no_of_nights / (60*60*24));
$reason = "Booked by ".$first_name." ".$last_name." for ".$pax ." people";
function daterange($booking_from, $booking_to, $step = '+1 day', $output_format = 'Y-m-d') {
$dates = array();
$first = new DateTime($booking_from);
$last = new DateTime($booking_to);
$last = $last->modify('+ 1 day');
$interval = DateInterval::createFromDateString($step);
$period = new DatePeriod($first, $interval, $last);
foreach ($period as $date) {
$dates[] = $date->format($output_format);
}
return $dates;
}
$dates = daterange($booking_from, $booking_to);
include 'connect.php';
if (!$conn->autocommit(FALSE)) {
printf("Errormessage: %s\n", $conn->error);
}
if (!$conn->query("INSERT INTO client_details (clientID, name, email, address, mobile) VALUES ('', '$first_name $last_name', '$payer_email', '$address', '$mobile')")) {
printf("Errormessage: %s\n", $conn->error);
}
if (!$conn->query("INSERT INTO bookings (bookingID, apartmentID, clientID, date_from, date_to, nights, pax, remarks) VALUES ('', '$apartment', LAST_INSERT_ID(), '$booking_from', '$booking_to', '$days', '$pax', '$remarks')")) {
printf("Errormessage: %s\n", $conn->error);
}
foreach ($dates as $date) {
if (!$conn->query("INSERT INTO room_nights (bookingID, apartmentID, dates, reason) VALUES (LAST_INSERT_ID(), '$apartment', '$date', '$reason')")) {
printf("Errormessage: %s\n", $conn->error);
}
}
if (!$conn->commit()) {
printf("Errormessage: %s\n", $conn->error);
}
$conn->close();
?>
解决方案
您的步骤有误
1)在实际网站上填写表格-> 2)登录Paypal-> 3)立即付款(PayPal)-> 4)数据已插入数据库中-> 5)返回起点?
第3步之后的原因是,您将如何找出第一步中填写的数据,当用户单击提交"并离开实际网站并登录到Paypal时,您将丢失该表单数据,并且用户可以提出虚假声明他们也是从您的网站上购买的,或者使用您所销售的产品或服务付款.
该步骤应该是在与Paypal打交道时
- 填写实际网站中的
- 在提交表单时验证表单数据,如果验证为Okey,则将数据保存到数据库中并将用户重定向到Paypal
- 用户登录到Paypal并进行付款
- 通过Paypal即时付款通知(IPN)获取付款明细(尽管用户仍在Paypal网站上) IPN详细信息(在您的情况下为
payments.php)(在IPN中,贝宝(Paypal)发布需要在步骤5中更新数据库的交易详细信息,金额详细信息等,否则您将无法确定用户针对哪个产品付款) - 根据Paypal即时付款通知(付款成功,付款失败,付款待处理)更新数据库中的数据
- 使用返回URL
旁注:第七步,在此步骤中,您可以提供唯一的参考号(仅在成功付款时生成),并将该参考号提供给从您的网站购买的用户,否则您最终可能会与声称拥有所有权的用户打交道他们以任何产品付款.
(与Paypal打交道时,请记住,paypal总是更喜欢它的消费者而不是商家,因此您必须要小心,否则,如果欺诈投诉过多,他们将冻结您的帐户)
就您的代码而言,只需像mysqli_real_escape_string($_POST['apartment']);这样用mysqli_real_escape_string转义表单值,而无需使用PDO,您已经在使用MySQLi来转义字符串并在服务器端验证表单输入,足以避免SQL Injection vulnerabilities
I am trying to figure out the best way to save data (which was submitted previously in a form) to a database, after the client has paid for the item, using paypal. Something along the lines of this process:
1)Fill in form on actual website --> 2)Login Paypal --> 3) Pay Now (PayPal) --> 4) Data is inserted in database --> 5) Return to starting point?
I have figured out how to do steps 1 to 3 and 5, however would need some help in doing step 4. As far as I can tell, I need to somehow store the data, and then save or discard the stored data as required. What would the best way to do so be?
The Form
<form action="" method="post" target="" id="bookstay">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="unitprice" value="40" />
<input type="hidden" name="apt_name" value="Apartment1" />
<input type="hidden" name="no_note" value=""/>
<input type="hidden" name="lc" value="MT" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="apartment" value="1"/>
<input name='first_name' class="short-input" id='name' type="text" value="Name" onFocus="this.value = ''" />
<input name= 'last_name' class="short-input" id='name' type="text" value="surname" onFocus="this.value = ''" />
<input name='payer_email' class="long-input" type="text" value="Email" onFocus="this.value = ''" />
<input name='address' class="long-input" type="text" value="Address" onFocus="this.value = ''" />
<input name='mobile' class="short-input" type="text" value="mobile" onFocus="this.value = ''" />
<div class='select' id='peopletostay'>
<select name='pax' class='short-input'>
<option value='0'>people to stay</option>
<option value='1'>1</option>
<option value='2'>2</option>
<option value='3'>3</option>
<option value='4'>4</option>
</select>
</div>
<div id="dateofarrival">
date of arrival<br>
<div class='select' id='date'>
<select class="short-input day-from" name="day_from">
<option value= "01" >01</option>
...
<option value= "31" >31</option>
</select>
</div>
<div class='select' id='month'>
<select class="short-input month-from" name="month_from" size="1">
<option value="01" >January</option>
....
<option value="12" >December</option>
</select>
</div>
<div class='select' id='year'>
<select class="short-input year-from" name='year_from'>
<option value= 2015 > 2015</option>
....
<option value= 2025 > 2025</option>
</select>
</div>
</div>
<div id="dateodeparture">
date of arrival<br>
<div class='select' id='date'>
<select class="short-input day-from" name="day_to">
<option value= "01" >01</option>
...
<option value= "31" >31</option>
</select>
</div>
<div class='select' id='month'>
<select class="short-input month-from" name="month_to" size="1">
<option value="01" >January</option>
....
<option value="12" >December</option>
</select>
</div>
<div class='select' id='year'>
<select class="short-input year-from" name='year_to'>
<option value= 2015 > 2015</option>
....
<option value= 2025 > 2025</option>
</select>
</div>
</div>
<textarea name='remarks'>Extra Remarks</textarea>
<button type="submit" name="proceedtopaypal" id="proceedtopaypal">make booking (proceed to paypal)</button>
</form>
Payment Code
<?php
if ($_POST) {
if (isset($_POST['proceedtopaypal'])){
include 'connect.php';
$apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
$unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
$first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
$last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
$payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
$address = mysqli_real_escape_string($conn, $_POST['address']);
$apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
$mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
$pax = mysqli_real_escape_string($conn, $_POST['pax']);
$remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
$day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
$month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
$year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
$booking_from = $year_from."-".$month_from."-".$day_from;
$day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
$month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
$year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
$booking_to = $year_to."-".$month_to."-".$day_to;
$no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from));
$quantity = floor($no_of_nights / (60*60*24));
// paypal settings
$paypal_email = 'christabelbusuttil@gmail.com';
$return_url = 'http://localhost/Webdevelopment/V18/apartments.php';
$cancel_url = 'http://localhost/Webdevelopment/V18/apartments.php';
$notify_url = 'http://localhost/Webdevelopment/V18/paypal/payments.php';
$item_amount = $unitprice * $quantity;
$item_name = "Booking at ".$apt_name." from " .$booking_from ." to " .$booking_to;
$validdate = false;
$buttonpressed = false;
$checkin='<p>Check in date is invalid.</p>';
$checkout='<p>Check out date is invalid</p>';
$larger = '<p>Check in date is after check out date</p>';
$noinfo='<p>please fill in the missing information.</p>';
$booked='<p>The dates selected are already booked for this apartment</p>';
$equal = '<p>You need to spend a minimum of 1 night in these apartment</p>';
$thankyou = '<h5>Thank you</h5><p>thank you for booking an apartment with V18-apartments.</p>';
$window = '';
function IsInjected($str) {
$injections = array('(\n+)',
'(\r+)',
'(\t+)',
'(%0A+)',
'(%0D+)',
'(%08+)',
'(%09+)'
);
$inject = join('|', $injections);
$inject = "/$inject/i";
if(preg_match($inject,$str))
{
return true;
}
else
{
return false;
}
}
if (!checkdate($month_from, $day_from, $year_from)) {
$window = $checkin;
echo $window;
$validate = true;
}
else if (!checkdate($month_to, $day_to, $year_to)) {
$window = $checkout;
$validate = true;
echo $window;
//echo "Check out date is invalid";
}
else if ($booking_from > $booking_to) {
$window = $larger;
$validate = true;
echo $window;
// echo "Check in date is after check out date";
}
else if ($booking_from == $booking_to) {
$window = $equal;
$validate = true;
echo $window;
}
// check if all info is filled in
else if (($first_name == "Name") || ($last_name == "surname") || ($payer_email == "Email") || ($mobile == "mobile") || ($address == "Address")) {
$window = $noinfo;
echo $window;
$validate = true;
// echo "Please fill in the missing information";
}
else if (IsInjected($payer_email)) {
echo "Not an email";
}
else if ($validdate == false) {
$final = true;
$sql = "SELECT COUNT(*) FROM room_nights WHERE apartmentID= '$apartment' AND dates >= '$booking_from' AND dates <= '$booking_to'";
$result = mysqli_query($conn, $sql);
$result = mysqli_query($conn, $sql);
$row=mysqli_fetch_row($result);
if ($row[0] > 0) {
$window = $booked;
echo $window;
}
else if ($final == true) {
// save to database
include 'insertdata.php'; // code below
echo $item_name;
// include functions
include ("pay_functions.php");
// Check if paypal request or response
if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){
// Firstly Append paypal account to querystring
$querystring .= "?business=".urlencode($paypal_email)."&";
// Append amount& currency (£) to quersytring so it cannot be edited in html
//The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
$querystring .= "item_name=".urlencode($item_name)."&";
$querystring .= "amount=".urlencode($item_amount)."&";
//loop for posted values and append to querystring
foreach($_POST as $key => $value){
$value = urlencode(stripslashes($value));
$querystring .= "$key=$value&";
}
// Append paypal return addresses
$querystring .= "return=".urlencode(stripslashes($return_url))."&";
$querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&";
$querystring .= "notify_url=".urlencode($notify_url);
// Append querystring with custom field
//$querystring .= "&custom=".USERID;
// Redirect to paypal IPN
header('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);
exit();
}
else {
// Response from paypal
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
$req .= "&$key=$value";
}
// assign posted variables to locate variables
$data['item_name'] = $_POST['item_name'];
$data['item_number'] = $_POST['item_number'];
$data['payment_status'] = $_POST['payment_statis'];
$data['payment_amount'] = $_POST['mc_gross'];
$data['payment_currency'] = $_POST['mc_currency'];
$data['txn_id'] = $_POST['txn_id'];
$data['receiver_email'] = $_POST['receiver_email'];
$data['payer_email'] = $_POST['payer_email'];
$data['custom'] = $_POST['custom'];
// post back to paypal system and validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type : application/x-www-form-urlencoded\r\n";
$header .= "Content-Lenght: " .strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);
if (!$fp) {
// HTTP error
} else {
mail('christabelbusuttil@gmail.com', '0', '0');
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {
// validate payment (check unique txnid & correct price)
$valid_txnid = check_txnid($data['txn_id']);
$valid_price = check_price($data['payment_amount'], $data['item_number']);
// Payment validated and verified
if ($valid_price && $valid_price) {
$orderid = updatePayments($data);
if ($orderid){
// payment has been made and inserted into db
} else {
echo "Error";
}
}
else if (strcmp($res, "INVALID") == 0) {
echo "Payment invalid";
}
}
fclose($fp);
}
}
}
}
}
}
}
?>
INSERTDATA.PHP
<?php
$apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
$unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
$first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
$last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
$payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
$address = mysqli_real_escape_string($conn, $_POST['address']);
$apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
$mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
$pax = mysqli_real_escape_string($conn, $_POST['pax']);
$remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
$day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
$month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
$year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
$booking_from = $year_from."-".$month_from."-".$day_from;
$day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
$month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
$year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
$booking_to = $year_to."-".$month_to."-".$day_to;
$no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from));
$quantity = floor($no_of_nights / (60*60*24));
$reason = "Booked by ".$first_name." ".$last_name." for ".$pax ." people";
function daterange($booking_from, $booking_to, $step = '+1 day', $output_format = 'Y-m-d') {
$dates = array();
$first = new DateTime($booking_from);
$last = new DateTime($booking_to);
$last = $last->modify('+ 1 day');
$interval = DateInterval::createFromDateString($step);
$period = new DatePeriod($first, $interval, $last);
foreach ($period as $date) {
$dates[] = $date->format($output_format);
}
return $dates;
}
$dates = daterange($booking_from, $booking_to);
include 'connect.php';
if (!$conn->autocommit(FALSE)) {
printf("Errormessage: %s\n", $conn->error);
}
if (!$conn->query("INSERT INTO client_details (clientID, name, email, address, mobile) VALUES ('', '$first_name $last_name', '$payer_email', '$address', '$mobile')")) {
printf("Errormessage: %s\n", $conn->error);
}
if (!$conn->query("INSERT INTO bookings (bookingID, apartmentID, clientID, date_from, date_to, nights, pax, remarks) VALUES ('', '$apartment', LAST_INSERT_ID(), '$booking_from', '$booking_to', '$days', '$pax', '$remarks')")) {
printf("Errormessage: %s\n", $conn->error);
}
foreach ($dates as $date) {
if (!$conn->query("INSERT INTO room_nights (bookingID, apartmentID, dates, reason) VALUES (LAST_INSERT_ID(), '$apartment', '$date', '$reason')")) {
printf("Errormessage: %s\n", $conn->error);
}
}
if (!$conn->commit()) {
printf("Errormessage: %s\n", $conn->error);
}
$conn->close();
?>
解决方案
Your steps are wrong
1)Fill in form on actual website --> 2)Login Paypal --> 3) Pay Now (PayPal) --> 4) Data is inserted in database --> 5) Return to starting point?
Reason after Step 3, how you will find out the data which was filled in form in step one, the moment user click submit and leave the actual website and login to Paypal you will lose the form data and users can make false claims too that they purchased from your website or make payments against the product or service your are selling.
The Step Should be when dealing with Paypal
- Fill in the From on Actual Website
- On Form submission Validate the form data, if validation Okey, save data into Database and redirect user to Paypal
- User Login to Paypal and make payment
- Get Payment Detail via Paypal Instant Payment Notification (IPN) (While user still on Paypal website) IPN Detail in your case which is
payments.php(In IPN, Paypal Post the transaction detail, amount detail etc which you need to update the database in step-5 otherwise you will not figure out against which product which user paid) - Update the data in database according to Paypal Instant Payment Notification (Payment Success, Payment Failed, Payment Pending)
- Redirect the User back to Actual website with Return URL Return URL Detail
return.php - Show the payment detail and other details on Return URL on Actual Website.
Side Note: 7th step, at this step you can provide a unique reference number (which only generate against successful payment) and provide that reference number to the user who purchased from your website otherwise you may end up dealing with users who claim that they made payment against any product.
(When dealing with Paypal, keep in mind paypal always prefer it's consumers not merchants so you have to be careful or they will freeze your account if there will be too many fraudulent complains)
As far your code concern, just escape the form values with mysqli_real_escape_string like mysqli_real_escape_string($_POST['apartment']);and no need to use PDO you are already using MySQLi escaping the string and validating form inputs on server side enough to avoid the SQL Injection vulnerabilities
这篇关于付款成功后保存到数据库(PayPal)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
