Please ignore that I am still using the old mysql query, as I am working on the updated version.
My question is: when I submit a payment processing form, all the data is posted except the ones after a query to get the customer's name, which are not posted. The form is below.
Also, when the query for the customer name is removed it posts all the parameters (which indicates that's where the problem is).
When the customer's name is not requested, as in <input type="hidden" name="gtpay_cust_name" value="" />, the notification page URL, which is
<input type="hidden" name="gtpay_tranx_noti_url" value="https://reacheasy.co.uk/paynotification.php" />
and which I would have expected to redirect to reacheasy.co.uk/paynotification.php, was redirecting to https://reacheasy.co.uk/~reachea2/paynotification.php, and reachea2 is just my hostname.
Please, any idea why the query is breaking the form and the redirection is pointing to the URL?
thanks
So, you open the page above and it populates the form to be submitted on click. If you right-click and “view source” (or however you do that in your browser), what value has it put in for the customer name in the form? In fact, can you display the form and post the source as your browser shows it, before you click ‘submit’?
Sorry, that’s not the code I was hoping to see. I think it’s because the first page you posted has a ‘body onload’ instruction to force it to create the initial form (with all the hidden vars) then submit it straight away, that I didn’t notice. What I wanted to see was that form before it was submitted, because that’s the one that is having trouble.
Could you remove the onload="document.submit2gtpay_form.submit()" from the end of the body statement, display the form and then post the page source for that? That’s the form that’s causing trouble after the customer name query.
Thanks droopsnoot for pointing me to that page source, I was able to see the error from it, and I sorted it.
The second question I asked, which is about the notification page it is to redirect to: the page returns blank. I tried printing the POST variable and nothing is coming up, and the page source is also blank. Any idea how to troubleshoot?
This is the code I am using to see all the POST data that is to be redirected to the page:
<?php
require_once("include/session.php");
require_once("include/dataconnect.php");
require_once("include/functions.php");
//echo $_SESSION['username'];
// dump everything that was POSTed to this page, then stop
print_r($_POST);
die();
?>
Yes I have, but what I don't know is, since the customer has left my site due to the processing and then been redirected, whether the session will still hold or the session is broken.
Try the select queries in turn directly against the database (via phpMyAdmin), with the value for {$_SESSION['username']} substituted for what it’s meant to be just to make sure that it does return one or more rows in the result set.
One suggestion to help keep things organized and help debug these kinds of issues is to keep code that builds variables separate from where you use it.
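<?php
// build the variable first, separately from the markup that uses it
$query = mysql_query("SELECT * FROM reuser WHERE Uname = '{$_SESSION['username']}'") or die(mysql_error());
$row = mysql_fetch_array($query);
$fullname = $row['fullname'];
?>
<!-- escape on output so a quote in the name cannot break the value attribute -->
<input type="hidden" name="gtpay_cust_name" value="<?php echo htmlspecialchars($fullname, ENT_QUOTES); ?>" />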
Also, you might want to get rid of “or die(mysql_error())”. I don’t remember why, but I do remember that I used to use that and it would cause issues, even when the query was successful.
In all honesty, I’d switch to PDO, then you can try/catch and handle errors more properly.
To add to what @SpacePhoenix suggested, which was a good suggestion, when I get really stuck with a complex query I’ll use a mysql client and run the queries directly, with hard values you know exist. You might get more helpful error messages, and if you don’t then you know there’s an issue with syntax or variable values.
I prefer to use phpmyadmin as I have it installed locally and on my server.
I’m sorry, I don’t mean to go over your head or get too advanced for you, but I see something that I’d like to point out which might be helpful to you in the future. The “right” way that eventually you’ll have to learn. I’d feel irresponsible and feel like I’m not doing my best to help out if I didn’t mention it though.
In production code you never want to store user specific data in a session or cookie, that leaves your site open to exploits like session hijacking.
You might want to have an identifier unique to the user (I use a random hashed value) stored in the session and in the user’s entry in the database. You can then query to see if the value in the session matches the value in the user’s database entry. If the values match you can then check if the password is correct. If that does not fail then you can create a user object (or array if you’d like) that will store the user specific information, like $user->userName, $user->userId, $user->userEmail and what not.
Like I said, I don’t mean to go over your head if you’re just learning, but my motto is “try to learn the right way the first way”. If not, you will find yourself in the position where you have to relearn everything later on.
If you have any questions about what I’ve said, please let me know. If so, I do think that’s a subject for another thread :-p
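The PDO switch and the session-identifier lookup suggested in the posts above, as an added example that is not part of the original thread. The table and column names reuser, Uname and fullname come from the thread; the session_token column, both function names, the sample row and the use of an in-memory SQLite database (needs pdo_sqlite) are assumptions, and keeping only the SHA-256 of the token in the database is a choice made here.

```php
<?php
// Added example: reuser, Uname and fullname come from the thread;
// session_token and both function names are hypothetical.
declare(strict_types=1);

function issueSessionToken(PDO $db, string $uname): string
{
    $token = bin2hex(random_bytes(32));            // unguessable, carries no user data
    $stmt = $db->prepare('UPDATE reuser SET session_token = :h WHERE Uname = :u');
    $stmt->execute([':h' => hash('sha256', $token), ':u' => $uname]);
    return $token;                                 // caller stores this in $_SESSION
}

function loadUserByToken(PDO $db, string $token): ?array
{
    // Placeholder binding keeps the value out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Uname, fullname FROM reuser WHERE session_token = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

try {
    // Constructed sample data in an in-memory SQLite database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reuser (Uname TEXT PRIMARY KEY, fullname TEXT, session_token TEXT)');
    $db->prepare('INSERT INTO reuser (Uname, fullname) VALUES (?, ?)')
       ->execute(['jdoe', 'Jane "JD" O\'Doe']);

    $session = ['token' => issueSessionToken($db, 'jdoe')];  // stand-in for $_SESSION

    $user = loadUserByToken($db, $session['token']);
    if ($user === null) {
        exit("No matching user; treat the session as invalid.\n");
    }
    // Escape on output so quotes in the name cannot break the attribute.
    $fullname = htmlspecialchars($user['fullname'], ENT_QUOTES, 'UTF-8');
    echo '<input type="hidden" name="gtpay_cust_name" value="' . $fullname . '" />', "\n";

    // Lookup with a token that was never issued, to show the no-match path.
    var_dump(loadUserByToken($db, str_repeat('0', 64)));
} catch (PDOException $e) {
    error_log($e->getMessage());                   // log details, show nothing sensitive
    exit("Database error.\n");
}
```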
Have you considered using PHP + CURL to post the data to the payment server?
** UNTESTED and is theoretical **
function sanitize($postdata){
    // in here you put what you want to sanitize your $_POST data
    $postdata = stripslashes($postdata);
    // ... more cleaning ...
    return $postdata; // return cleaned input
}
// whitelist of accepted fields; the sanitized data is inserted into the empty values
$fields = array(
    "lname" => "",
    "fname" => "",
    "title" => "",
    "company" => "",
    "age" => "",
    "email" => "",
    "phone" => ""
);
// do some laundry: copy only the whitelisted keys out of $_POST
foreach ($fields as $accepted_input => $value) {
    if (isset($_POST[$accepted_input])) {
        // no urlencode() here: http_build_query() below already URL-encodes the values
        $fields[$accepted_input] = sanitize($_POST[$accepted_input]);
    }
}
// target URL
$url = "http://target.domain.com/get-post.php";
//open connection
$ch = curl_init();
//set the url, POST method, POST data
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true); // boolean switch, not a field count
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($fields));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); // return the response in $result instead of printing it
//execute post
$result = curl_exec($ch);
//close connection
curl_close($ch);
You can expand on this idea.
It is always best to treat any POST data as suspect and clean the inputs and I always use a whitelist approach to my scripts, accept inputs I designate, not what is in the POST stream.