php - PayPal IPN developer script too long?
Hey there, I'm asking about a specific script. Here it is:
I understood everything, it's quite nicely structured and looks safe as well, but I have one question about the else-part:
    } else {
        // PayPal payment valid
        // process order here
    }
What do we have here? Insert values in the database?? Wasn't that done before?!:
    } else {
        // transaction not processed, store in database
        $payer_email = mysql_real_escape_string($_POST['payer_email']);
        $gross = mysql_real_escape_string($_POST['mc_gross']);
Greetings!
Edit: OK, does this prevent a replay attack as well?:
    if ($f['count'] > 0) {
        $errors[] = "transaction processed";
    } else {
        if (count($errors) > 0) {
            // IPN data incorrect - possible fraud
            // in practice send transaction details by e-mail and investigate manually
            $message = "IPN failed fraud checks";
            mail('youremail@example.com', 'IPN fraud warning', $message, $headers);
        } else {
            // transaction not processed, store in database
            $payer_email = mysql_real_escape_string($_POST['payer_email']);
            $gross = mysql_real_escape_string($_POST['mc_gross']);
            $insert = mysql_query("INSERT INTO transactions (txt_id, payer_email, mc_gross) VALUES ('$txt_id', '$payer_email', '$gross')");
        }
    }
What do you think of this?
The above code in question is:
    if (!$fp) {
        // HTTP error
    } else {
You must place it within the else, because if $fp is false, it means the connection to PayPal's IPN verification system was not established.
Following through, you can see there are checks within the else which check whether the payment is (considered by PayPal) valid:
    if (strcmp($res, "VERIFIED") == 0) {
        // payment valid
    }
The idea of IPN is this: when the user follows the HTML button code, it links them to PayPal's website to pay.
There is a hidden value (or, if using a hosted button, it's saved on PayPal's website instead), and PayPal pings you when the payment went through.
The next step in assuring the client's and the server's security is to double-check that the ping came from PayPal. SSL certificates are downloaded beforehand, and we connect to check with PayPal over HTTPS.
The code below shows whether it is valid:

    if (count($errors) > 0) {

The else branch is linked to this.
"What do we have here? Insert values in the database?? Wasn't that done before?!:"
You process the information. For example, if the user is buying a membership to the website, set the user's upgraded state in the database.
The payment is logged in the database, which prevents a replay attack.
Replay attack:
I think you've answered your own question: $errors[] = "transaction processed";
If you look at the code above, you can see the script queries the database for past transactions. If the ID matches any rows, it's deemed invalid. So, no. As long as you have those checks in place, a replay attack should not be possible.
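The flow the answer describes (postback to PayPal over HTTPS, accept only the literal VERIFIED, then log the txn_id so a replayed notification is rejected) written out as an added example. This is not the original poster's script or PayPal's own code; it assumes a PDO connection, a transactions table with a PRIMARY KEY on txn_id, and placeholder values for the database credentials and merchant e-mail. The one thing it shows that the page's SELECT-then-INSERT does not is that a unique key makes the duplicate check atomic, so two IPNs arriving at the same time cannot both pass the "already processed?" test. The postback URL and the cmd=_notify-validate convention are PayPal's documented IPN validation protocol.

```php
<?php
// Added example, not the page's or PayPal's code. Assumptions: $pdo connects to a DB
// with a table transactions(txn_id VARCHAR(32) PRIMARY KEY, payer_email, mc_gross, created_at);
// credentials and merchant@example.com are placeholders.
declare(strict_types=1);

const PAYPAL_IPN_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
// sandbox equivalent: https://ipnpb.sandbox.paypal.com/cgi-bin/webscr

/**
 * Echo the raw POST body back to PayPal with cmd=_notify-validate prepended and
 * return true only if PayPal answers the literal string VERIFIED.
 */
function paypalIpnIsVerified(string $rawPostBody): bool
{
    $ch = curl_init(PAYPAL_IPN_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawPostBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // the "did this really come from PayPal?" check
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener'],
    ]);
    $res = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($res === false) {
        error_log('IPN postback failed: ' . $err);   // the page's "HTTP error" branch
        return false;
    }
    return strcmp(trim((string) $res), 'VERIFIED') === 0;
}

/**
 * Store the transaction exactly once. The PRIMARY KEY on txn_id makes the
 * "already processed?" check atomic: a replayed IPN raises a duplicate-key error
 * instead of slipping through between a SELECT and an INSERT.
 * Returns true if this call recorded the payment, false if it was already known.
 */
function recordPaymentOnce(PDO $pdo, array $ipn): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO transactions (txn_id, payer_email, mc_gross, created_at)
         VALUES (:txn_id, :payer_email, :mc_gross, NOW())'
    );
    try {
        $stmt->execute([
            ':txn_id'      => $ipn['txn_id'],
            ':payer_email' => $ipn['payer_email'],
            ':mc_gross'    => $ipn['mc_gross'],
        ]);
        return true;
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // SQLSTATE integrity violation: duplicate txn_id
            return false;
        }
        throw $e;
    }
}

// --- listener entry point (placeholder credentials) -----------------------
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$raw = file_get_contents('php://input');
if (!paypalIpnIsVerified($raw)) {
    http_response_code(400);   // nothing stored; PayPal retries unverified-looking deliveries
    exit;
}

// Business checks collected with the page's $errors[] pattern (expected values assumed)
$errors = [];
if (($_POST['payment_status'] ?? '') !== 'Completed')            $errors[] = 'payment not completed';
if (($_POST['receiver_email'] ?? '') !== 'merchant@example.com') $errors[] = 'wrong receiver';
if (($_POST['mc_currency'] ?? '') !== 'USD')                     $errors[] = 'wrong currency';

if ($errors) {
    mail('youremail@example.com', 'IPN fraud warning', implode("\n", $errors));
} elseif (recordPaymentOnce($pdo, $_POST)) {
    // first time this txn_id is seen: upgrade the membership, fulfil the order, etc.
} else {
    // duplicate txn_id: a retry or a replay; acknowledge without fulfilling again
}
http_response_code(200);
```

Prepared statements replace the mysql_real_escape_string() calls in the question, and the decision to fulfil is taken only on the branch where the INSERT actually succeeded, so a replayed notification never reaches the order-processing code.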