PayPal payment successful but no data inserted in my database. Help me please

Hello,
I am facing a problem with the PayPal payment system. I created a system where users can upload funds by PayPal. After a payment is successful, my website database will load with that data, but it's not happening. While the user's payment is successful, there is no data in my database. I am providing you all the code. Please help me with that. Thank you in advance :slight_smile:

HTML CODE IS :

                <form action='https://www.paypal.com/cgi-bin/webscr' method='post'  name="form" id="form">
                    <input type='hidden' name='business' value='seshies@gmail.com'>
                    <input type='hidden' name='cmd' value='_xclick'>

                    <input type='hidden' name='item_name' value='Recharge For My Unlock Factory Account'>
					<tr>
					<th>Valid E-Mail * : </th>
					<td><input type="text" name='item_number' class="textfield"/></td>
					</tr>

					<tr>
					<th>Amount * : </th>
					<td><input type="text" name="amount" class="textfield"/></td>
					</tr>

                    <input type='hidden' name='no_shipping' value='1'>
                    <input type='hidden' name='currency_code' value='USD'>
                    <input type='hidden' name='handling' value='0'>
                    <input type='hidden' name='cancel_return' value='http://http://www.unlockphones.org/payment-cancel'>
                    <input type='hidden' name='return' value='http://http://www.unlockphones.org/payment-success'>


    <tr>
      <td>&nbsp;</td>
      <td>         <input type="submit" style="margin-top:0px;" name="Submit" value="Buy Through Paypal" class="tsc_buttons2 red"/></td>
    </tr>
</form>

PHP CODE IS :

//if user id and username not !=
$u_email = $_GET['item_number'];
$uid = $_SESSION['SESS_MEMBER_ID'];
$username=$_SESSION['user'];
$item_transaction = $_GET['tx'];
$amount = $_GET['amt'];
$status="Paid";
//select user and update money
$result = mysql_query("SELECT * FROM users WHERE uid='$uid'");
while($row = mysql_fetch_array($result)){
$money=$row["antu_money"];
	mysql_query("UPDATE users SET antu_money=$money + $amount WHERE uid='$uid'");
}
//insert data into table because payment successful
  $result = mysql_query("INSERT INTO antu_recharge(antu_email, antu_uid, antu_uname, antu_date, antu_trid, antu_amnt, antu_status) VALUES('$u_email', '$uid','$username', NOW(), '$item_transaction','$amount','$status')");


echo '<div id="login_content">';

echo '<div id="error_req">';
 echo "<h1>Welcome, $username</h1>";
  echo '<h1>Payment Successful</h1>';
  echo "<meta http-equiv='refresh' content='5;url=recharge-history'>";
echo '</div>';
echo '</div>';

}



?>


Hi, are you using PayPal IPN to let PayPal talk to your server and update your database? If you are not, let me know and I’ll let you have the code.

I presume your ‘success’ page is named ‘index.php’

Your return address and ‘cancel-return’ have a typo:

<input type='hidden' name='return' value='http://http://www.unlockphones.org/payment-success'>

I am not using PayPal IPN. Please let me know the details and please give me the code. I am new to the PayPal payment system. @steve thank you

Mouse, thanks, that's really helpful for me. My site is not on that link now. Thanks a lot. @mouse


                    <input type='hidden' name='cancel_return' value='http://http://www.unlockphones.org/payment-cancel'>
                    <input type='hidden' name='return' value='http://http://www.unlockphones.org/payment-success'>

There is an error in these two URLs.
I don’t know about Paypal, but if I put those links in my browser, I get a http.com page with ads.

There are also a couple of things that I don’t like in your code:

  1. you should use mysqli or PDO instead of mysql_ to do your DB stuff, because mysql_ is deprecated: http://www.php.net/manual/en/intro.mysql.php
  2. you don’t do any validation and sanitizing of the $_GET data? That leaves you vulnerable to injection attacks. I’m sure there’s a way to be sure the script is being called by PayPal, and not simply by someone that put the link to the script in his browser, adding the GET data by hand?
  3. uid is unique? Then there’s no need to loop through the query result set. One fetch is enough.
  4. After the loop you always do the insert. You don’t check if you actually found a row in the users table.

Edit: It took me a bit too long to write this, others have beaten me to it :smiley:

Will you tell me the details for validation and sanitizing of the $_GET data? I am new to the PayPal payment system. Or please give me secure code. @guido

Hi,

You can use htmlentities($_GET); to remove malicious entities. If, as @Guido mentions, you switch to PDO or MySQLi, you can use bound queries to protect against SQL injection.
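
The points raised in the replies above (validate the input, use bound queries, fetch the unique row once, check that the user exists before inserting), combined in one handler as an added example that is not code from any poster in this thread. It assumes the values were already confirmed as coming from PayPal, for instance through the IPN mechanism mentioned earlier, which this block does not implement; `record_recharge`, the transaction-id pattern, the UNIQUE index on `antu_trid` and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// question; the SQLite database, sample values and tx-id pattern are constructed.
declare(strict_types=1);
function record_recharge(PDO $pdo, int $uid, string $username, array $in): bool
{
    // Validate every field first; anything unexpected is rejected outright.
    $email  = filter_var($in['item_number'] ?? '', FILTER_VALIDATE_EMAIL);
    $txid   = $in['tx'] ?? '';
    $amount = $in['amt'] ?? '';
    if ($email === false
        || !is_string($txid) || !preg_match('/^[A-Za-z0-9]{1,32}$/D', $txid)
        || !is_string($amount) || !preg_match('/^\d{1,7}(\.\d{1,2})?$/D', $amount)
        || (float) $amount <= 0) {
        return false;
    }
    $pdo->beginTransaction();
    try {
        // uid is unique, so one fetch is enough; stop if no such user exists.
        $st = $pdo->prepare('SELECT antu_money FROM users WHERE uid = ?');
        $st->execute([$uid]);
        if ($st->fetch(PDO::FETCH_ASSOC) === false) {
            $pdo->rollBack();
            return false;
        }
        // Bound parameters: values are sent separately from the SQL text.
        $pdo->prepare('INSERT INTO antu_recharge (antu_email, antu_uid, antu_uname,
            antu_date, antu_trid, antu_amnt, antu_status) VALUES (?, ?, ?, ?, ?, ?, ?)')
            ->execute([$email, $uid, $username, date('Y-m-d H:i:s'), $txid, $amount, 'Paid']);
        $pdo->prepare('UPDATE users SET antu_money = antu_money + ? WHERE uid = ?')
            ->execute([$amount, $uid]);
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack(); // e.g. the UNIQUE index refused a repeated transaction id
        return false;
    }
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, antu_money NUMERIC)');
$pdo->exec('CREATE TABLE antu_recharge (antu_email TEXT, antu_uid INTEGER, antu_uname TEXT,
    antu_date TEXT, antu_trid TEXT UNIQUE, antu_amnt NUMERIC, antu_status TEXT)');
$pdo->exec('INSERT INTO users VALUES (7, 10)');
$good = ['item_number' => 'user@example.com', 'tx' => 'CONSTRUCTEDTX0001', 'amt' => '5.00'];
$bad  = ['item_number' => 'user@example.com', 'tx' => 'CONSTRUCTEDTX0002', 'amt' => '5 + 100'];
var_dump(record_recharge($pdo, 7, 'demo', $good), record_recharge($pdo, 7, 'demo', $good),
    record_recharge($pdo, 7, 'demo', $bad));
```

The three calls cover a valid recharge, the same transaction id submitted a second time, and an amount that is not a plain decimal number.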

Hello server, will you please give me an example with my code? It will be easy for me.
Thank you.

It’s also not working. Please tell me the details about this problem. I am in trouble…