hey there i would like to ask you about a specific script, here it is:
I understood everything, it is quite nicely structured and I really like it, it looks very safe as well, but I have one question about this else-part:
} else {
// PayPal payment is valid
// Process order here
}
What do I have to do here? Insert values in the database?? But this was done before?! :
} else {
    // Transaction not processed, store it in the database
    $payer_email = mysql_real_escape_string($_POST['payer_email']);
    $gross = mysql_real_escape_string($_POST['mc_gross']);
Greetings!
EDIT: OK, and could I prevent a replay attack with this as well? :
if ($f['count'] > 0) {
    $errors[] = "Transaction already processed";
} else {
    if (count($errors) > 0) {
        // IPN data is incorrect - possible fraud
        // It is a good practice to send the transaction details to your e-mail and investigate manually
        $message = "IPN failed fraud checks";
        mail('[email protected]', 'IPN Fraud Warning', $message, $headers);
    } else {
        // Transaction not processed, store it in the database
        $payer_email = mysql_real_escape_string($_POST['payer_email']);
        $gross = mysql_real_escape_string($_POST['mc_gross']);
        // the escaped amount is in $gross (the original used the undefined $mc_gross here)
        $insert = mysql_query("INSERT INTO transactions (txt_id, payer_email, mc_gross) VALUES ('$txt_id', '$payer_email', '$gross')");
    }
}
What do you think of this?
The above code in question is:
if (!$fp) {
// HTTP ERROR
} else {
You must place everything within the else, because if $fp is false, then it means a connection to PayPal's IPN verification system could not be established.
Following through, we can see that there are checks within the else which also check whether the payment (as considered by PayPal) is actually valid:
if (strcmp ($res, "VERIFIED") == 0) {
// PAYMENT VALID
}
The idea of IPN is this: when a user follows an HTML button code, it links them to PayPal's website where they pay.
There usually is a hidden value (or, if you are using a hosted button, it's saved on PayPal's website instead), and PayPal pings back to say that the payment went through.
The next step in assuring your client's and your server's security is to double-check that the ping came from PayPal. So you take the SSL certificates that you downloaded beforehand and connect to PayPal over HTTPS to check.
The code below shows what is also valid:
if (count($errors) > 0) {
The else is linked up to this.
What do I have to do here? Insert values in the database?? But this was done before?! :
You process the information. Such as, if the user were buying membership for your website, you would set their user to an upgraded state in the database.
The payment is already logged in the database; this prevents a replay attack.
Replay Attack
I think you've answered your own question with $errors[] = "Transaction already processed";
If you look at the code above, you can see that the script queries the database for past transactions. If the id matches any rows, then it's deemed invalid. So, no. As long as you have those checks in place, a replay attack should not be possible.
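A hardened version of the flow the answer describes (verify with PayPal, run the fraud checks, then record the txn_id before fulfilling), added here as an example and not taken from the asker's script or the answer. It assumes a PDO connection `$pdo` opened with ERRMODE_EXCEPTION, a `transactions` table whose txn_id column is the primary key, and constructed values for the receiver e-mail, price and currency; it also closes the gap the question's SELECT-then-INSERT leaves open when two IPN posts for the same txn_id arrive at the same time.

```php
<?php
// Added example, not the asker's script: a hardened IPN handler outline. Assumes
// $pdo is a PDO connection (ERRMODE_EXCEPTION) and a `transactions` table whose
// txn_id column is PRIMARY KEY, so the database itself enforces one row per txn_id.
// 1. Echo the notification back to PayPal with cmd=_notify-validate prepended;
//    PayPal replies with the bare string VERIFIED or INVALID.
function ipnIsVerified(array $post): bool
{
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . http_build_query($post),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep certificate checking on
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $res = curl_exec($ch);
    return $res === 'VERIFIED';
}
// 2. VERIFIED only proves PayPal sent it; still check the money went to you,
//    for the expected amount and currency, and that the payment is settled.
function fraudErrors(array $post, string $myEmail, string $gross, string $currency): array
{
    $errors = [];
    if (($post['payment_status'] ?? '') !== 'Completed') $errors[] = 'Payment not completed';
    if (($post['receiver_email'] ?? '') !== $myEmail)    $errors[] = 'Wrong receiver_email';
    if (($post['mc_gross'] ?? '') !== $gross)            $errors[] = 'Wrong mc_gross';
    if (($post['mc_currency'] ?? '') !== $currency)      $errors[] = 'Wrong mc_currency';
    return $errors;
}
// 3. Replay check. SELECT count(*) then INSERT, as in the question, can be raced
//    by two IPN posts arriving at once; an INSERT against a UNIQUE txn_id is
//    atomic, and the duplicate-key error is exactly the replay.
function recordTransaction(PDO $pdo, array $post): bool
{
    $stmt = $pdo->prepare('INSERT INTO transactions (txn_id, payer_email, mc_gross) VALUES (?, ?, ?)');
    try {
        $stmt->execute([$post['txn_id'], $post['payer_email'], $post['mc_gross']]);
        return true;  // first time this txn_id is seen
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') return false;  // SQLSTATE 23000: already processed
        throw $e;
    }
}
if (!ipnIsVerified($_POST)) { http_response_code(400); exit; }
$errors = fraudErrors($_POST, 'you@example.com', '9.99', 'USD');  // constructed values
if ($errors) { mail('you@example.com', 'IPN Fraud Warning', implode("\n", $errors)); exit; }
if (!recordTransaction($pdo, $_POST)) { exit; }  // replay: do nothing, do not fulfil again
// Only now is the order both new and valid: fulfil it here (e.g. upgrade the user).
```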