hey leute, ein wesentlicher Teil eines ipn-scriptes ist ja die Überprüfunf von vier bestimmten Details.
Nun würde ich von euch gerne wissen, ob das hier gut und sicher geschrieben ist:
ich weiß, Punkt 4 der Überprüfung ist noch nicht so gut, deswegen wende ich mich hier ja an euch, damit mir vielleicht jemand helfen könnte, was brauche ich noch zu ergänzen, wie sollte es sein?..etc
LG und danke euch!
Nun würde ich von euch gerne wissen, ob das hier gut und sicher geschrieben ist:
PHP:
/* CHECK THESE 4 THINGS BEFORE PROCESSING THE TRANSACTION, HANDLE THEM AS YOU WISH
1. Make sure that business email returned is your business email
2. Make sure that the transaction’s payment status is “completed”
3. Make sure there are no duplicate txn_id
4. Make sure the payment amount matches what you charge for items. (Defeat Price-Jacking) */
// Check Number 1 ------------------------------------------------------------------------------------------------------------
$receiver_email = $_POST['receiver_email'];
if ($receiver_email != "[email protected]") {
$message = "Investigate why and how receiver email is wrong. Email = " . $_POST['receiver_email'] . "\n\n\n$req";
mail("[email protected]", "Receiver Email is incorrect", $message, "From: [email protected]" );
exit(); // exit script
}
// Check number 2 ------------------------------------------------------------------------------------------------------------
if ($_POST['payment_status'] != "Completed") {
die();// Handle how you think you should if a payment is not complete yet, a few scenarios can cause a transaction to be incomplete
}
// Connect to database ------------------------------------------------------------------------------------------------------
require_once 'connect_to_mysql.php';
// Check number 3 ------------------------------------------------------------------------------------------------------------
$this_txn = $_POST['txn_id'];
$sql = mysql_query("SELECT id FROM transactions WHERE txn_id='$this_txn' LIMIT 1");
$numRows = mysql_num_rows($sql);
if ($numRows > 0) {
$message = "Duplicate transaction ID occured so we killed the IPN script. \n\n\n$req";
mail("[email protected]", "Duplicate txn_id in the IPN system", $message, "From: [email protected]" );
exit(); // exit script
}
// Check number 4
// Hier war ich mir echt nicht sicher, deswegen werden wir das wohl verbessern müssen...
------------------------------------------------------------------------------------------------------------
$product_id_string = $_POST['custom']; // hier übergebe ich die Variable, die ich im Button festgelegt habe
$product_id_string = rtrim($product_id_string, ","); // das letzte Komma kommt weg
// Explode den string, mach ein array daraus, lese den festgelegten Preis aus; stell sicher, dass er gleich dem payment_gross Betrag ist
$id_str_array = explode(",", $product_id_string); // Uses Comma(,) as delimiter(break point)
$fullAmount = 0;
foreach ($id_str_array as $key => $value) {
$id_quantity_pair = explode("-", $value); // Uses Hyphen(-) as delimiter to separate product ID from its quantity
$product_id = $id_quantity_pair[0]; // Get the product ID
$sql = mysql_query("SELECT price FROM products WHERE id='$product_id' LIMIT 1");
while($row = mysql_fetch_array($sql)){
$product_price = $row["price"];
}
$fullAmount = $fullAmount + $product_price;
}
$fullAmount = number_format($fullAmount, 2);
$grossAmount = $_POST['mc_gross'];
if ($fullAmount != $grossAmount) {
$message = "Possible Price Jack: " . $_POST['payment_gross'] . " != $fullAmount \n\n\n$req";
mail("[email protected]", "Price Jack or Bad Programming", $message, "From: [email protected]" );
exit(); // exit script
}LG und danke euch!
