付款成功后保存到数据库(paypal)

时间:2015-09-06 07:30:16

标签: php mysqli paypal

我正在尝试找出在客户使用paypal支付项目后,将数据(先前已在表单中提交)保存到数据库的最佳方法。这个过程的一些方面:

1)在实际网站上填写表格 - > 2)登录Paypal - > 3)立即付款(PayPal) - > 4)将数据插入数据库中 - > 5)回到起点?

我已经想出了如何执行第1步到第3步和第5步,但是在执行第4步时需要一些帮助。据我所知,我需要以某种方式存储数据,然后保存或丢弃存储的数据按要求。最好的方法是什么?

表格

 <form action="" method="post" target="" id="bookstay">
      <input type="hidden" name="cmd" value="_xclick" />
      <input type="hidden" name="unitprice" value="40" />
      <input type="hidden" name="apt_name" value="Apartment1" />
      <input type="hidden" name="no_note" value=""/>
      <input type="hidden" name="lc" value="MT" />
      <input type="hidden" name="currency_code" value="EUR" />
      <input type="hidden" name="bn" value="BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
      <input type="hidden" name="apartment" value="1"/>
      <input name='first_name' class="short-input" id='name' type="text" value="Name" onFocus="this.value = ''" />
      <input  name= 'last_name' class="short-input" id='name' type="text" value="surname" onFocus="this.value = ''" />
      <input  name='payer_email' class="long-input" type="text" value="Email" onFocus="this.value = ''"  />
      <input name='address' class="long-input" type="text" value="Address" onFocus="this.value = ''" />
      <input name='mobile'  class="short-input" type="text" value="mobile" onFocus="this.value = ''"  />
      <div class='select' id='peopletostay'>
           <select name='pax' class='short-input'>
                <option value='0'>people to stay</option>
                <option value='1'>1</option>
                <option value='2'>2</option>
                <option value='3'>3</option>
                <option value='4'>4</option>
           </select>
      </div>                         
      <div id="dateofarrival">
           date of arrival<br>                 
           <div class='select' id='date'>
                <select class="short-input day-from" name="day_from">   
                       <option value= "01" >01</option> 
                          ...
                        <option value= "31" >31</option>
                </select>
           </div>
           <div class='select' id='month'>
            <select class="short-input month-from" name="month_from" size="1">
                  <option value="01" >January</option>
                  ....                    
                  <option value="12" >December</option>
           </select>
           </div>
           <div class='select' id='year'>
                <select class="short-input year-from" name='year_from'>
                      <option value= 2015 > 2015</option>
                       ....
                       <option value= 2025 > 2025</option>
                 </select>
           </div>
      </div>
      <div id="dateodeparture">
           date of arrival<br>                 
           <div class='select' id='date'>
                <select class="short-input day-from" name="day_to">   
                       <option value= "01" >01</option> 
                          ...
                        <option value= "31" >31</option>
                </select>
           </div>
           <div class='select' id='month'>
            <select class="short-input month-from" name="month_to" size="1">
                  <option value="01" >January</option>
                  ....                    
                  <option value="12" >December</option>
           </select>
           </div>
           <div class='select' id='year'>
                <select class="short-input year-from" name='year_to'>
                      <option value= 2015 > 2015</option>
                       ....
                       <option value= 2025 > 2025</option>
                 </select>
           </div>
      </div>
      <textarea name='remarks'>Extra Remarks</textarea>
      <button type="submit" name="proceedtopaypal" id="proceedtopaypal">make booking (proceed to paypal)</button>

      </form>

付款代码

<?php
if ($_POST) {
if (isset($_POST['proceedtopaypal'])){

include 'connect.php';

    $apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
    $unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
    $first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
    $last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
    $payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
    $address = mysqli_real_escape_string($conn, $_POST['address']);
    $apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
    $mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
    $pax = mysqli_real_escape_string($conn, $_POST['pax']);
    $remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
    $day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
    $month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
    $year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
    $booking_from = $year_from."-".$month_from."-".$day_from;
    $day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
    $month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
    $year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
    $booking_to = $year_to."-".$month_to."-".$day_to;
    $no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from)); 
    $quantity = floor($no_of_nights / (60*60*24));

    // paypal settings 
    $paypal_email = 'christabelbusuttil@gmail.com';
    $return_url = 'http://localhost/Webdevelopment/V18/apartments.php';
    $cancel_url = 'http://localhost/Webdevelopment/V18/apartments.php';
    $notify_url = 'http://localhost/Webdevelopment/V18/paypal/payments.php';

    $item_amount = $unitprice * $quantity;
    $item_name = "Booking at ".$apt_name." from " .$booking_from ." to " .$booking_to;
    $validdate = false;
    $buttonpressed = false;
    $checkin='<p>Check in date is invalid.</p>';
    $checkout='<p>Check out date is invalid</p>';
    $larger = '<p>Check in date is after check out date</p>';
    $noinfo='<p>please fill in the missing information.</p>';
    $booked='<p>The dates selected are already booked for this apartment</p>';
    $equal = '<p>You need to spend a minimum of 1 night in these apartment</p>';
    $thankyou = '<h5>Thank you</h5><p>thank you for booking an apartment with V18-apartments.</p>';
    $window = '';

        function IsInjected($str) {
          $injections = array('(\n+)',
                      '(\r+)',
                      '(\t+)',
                      '(%0A+)',
                      '(%0D+)',
                      '(%08+)',
                      '(%09+)'
                      );
          $inject = join('|', $injections);
          $inject = "/$inject/i";
          if(preg_match($inject,$str))
            {
            return true;
          }
          else
            {
            return false;
            }
        }

        if (!checkdate($month_from, $day_from, $year_from)) {
            $window = $checkin;
            echo $window;
            $validate = true;
        }
        else if (!checkdate($month_to, $day_to, $year_to)) {
            $window = $checkout;
            $validate = true;
            echo $window;
            //echo "Check out date is invalid";
        }
        else if ($booking_from > $booking_to) {
                $window = $larger;
                $validate = true;
                echo $window;
                // echo "Check in date is after check out date";
        }
        else if ($booking_from == $booking_to) {
            $window = $equal;
            $validate = true;
            echo $window;
        }   
    // check if all info is filled in 
        else if (($first_name == "Name") || ($last_name == "surname") || ($payer_email == "Email") || ($mobile == "mobile") || ($address == "Address")) {
            $window = $noinfo;
            echo $window;
            $validate = true;
            // echo "Please fill in the missing information";
        }
        else if (IsInjected($payer_email)) {
            echo "Not an email";
        }
        else if ($validdate == false) {
            $final = true;
            $sql = "SELECT COUNT(*)  FROM room_nights WHERE apartmentID= '$apartment' AND dates >= '$booking_from' AND dates <= '$booking_to'";
            $result = mysqli_query($conn, $sql);
            $result = mysqli_query($conn, $sql);
            $row=mysqli_fetch_row($result);

            if ($row[0] > 0) {
                $window = $booked;
                echo $window;
            }

        else if ($final == true)  {
            // save to database 
                include 'insertdata.php';   // code below

                echo $item_name;
                // include functions
                include ("pay_functions.php");
                // Check if paypal request or response
                if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){
                // Firstly Append paypal account to querystring
                    $querystring .= "?business=".urlencode($paypal_email)."&";  
                    // Append amount& currency (£) to quersytring so it cannot be edited in html
                    //The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable.
                    $querystring .= "item_name=".urlencode($item_name)."&";
                    $querystring .= "amount=".urlencode($item_amount)."&";
                        //loop for posted values and append to querystring
                        foreach($_POST as $key => $value){
                            $value = urlencode(stripslashes($value));
                            $querystring .= "$key=$value&";
                        }
                    // Append paypal return addresses
                    $querystring .= "return=".urlencode(stripslashes($return_url))."&";
                    $querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&";
                    $querystring .= "notify_url=".urlencode($notify_url);
                    // Append querystring with custom field
                    //$querystring .= "&custom=".USERID;
                    // Redirect to paypal IPN
                    header('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring);
                    exit();

                } 
            else {
                    // Response from paypal
                    $req = 'cmd=_notify-validate';
                    foreach ($_POST as $key => $value) {
                        $value = urlencode(stripslashes($value));
                        $value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
                        $req .= "&$key=$value";
                    }

                    // assign posted variables to locate variables
                    $data['item_name'] = $_POST['item_name'];
                    $data['item_number'] = $_POST['item_number'];
                    $data['payment_status'] = $_POST['payment_statis'];
                    $data['payment_amount'] = $_POST['mc_gross'];
                    $data['payment_currency'] = $_POST['mc_currency'];
                    $data['txn_id'] = $_POST['txn_id'];
                    $data['receiver_email'] = $_POST['receiver_email'];
                    $data['payer_email'] = $_POST['payer_email'];
                    $data['custom'] = $_POST['custom'];

                    // post back to paypal system and validate

                    $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
                    $header .= "Content-Type : application/x-www-form-urlencoded\r\n";
                    $header .= "Content-Lenght: " .strlen($req) . "\r\n\r\n";

                    $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);

                if (!$fp) {
                // HTTP error
                } else {
                    mail('christabelbusuttil@gmail.com', '0', '0');
                    fputs ($fp, $header . $req);
                    while (!feof($fp)) {
                        $res = fgets($fp, 1024);
                        if (strcmp ($res, "VERIFIED") == 0) {

                             // validate payment (check unique txnid & correct price) 
                             $valid_txnid = check_txnid($data['txn_id']);
                             $valid_price = check_price($data['payment_amount'], $data['item_number']);
                             // Payment validated and verified
                            if ($valid_price && $valid_price) {
                                 $orderid = updatePayments($data);
                                if ($orderid){
                                     // payment has been made and inserted into db
                                } else {
                                     echo "Error";
                                }
                            } 
                            else if (strcmp($res, "INVALID") == 0) {
                                    echo "Payment invalid";
                            }
                        }
                             fclose($fp);
                    }
                }
            }    
        } 
    }
}

 }

?>

INSERTDATA.PHP

 <?php

    $apartment = mysqli_real_escape_string($conn, $_POST['apartment']);
    $unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']);
    $first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
    $last_name = mysqli_real_escape_string($conn, $_POST['last_name']);
    $payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']);
    $address = mysqli_real_escape_string($conn, $_POST['address']);
    $apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']);
    $mobile = mysqli_real_escape_string($conn, $_POST['mobile']);
    $pax = mysqli_real_escape_string($conn, $_POST['pax']);
    $remarks = mysqli_real_escape_string($conn, $_POST['remarks']);
    $day_from = mysqli_real_escape_string($conn, $_POST['day_from']);
    $month_from = mysqli_real_escape_string($conn, $_POST['month_from']);
    $year_from = mysqli_real_escape_string($conn, $_POST['year_from']);
    $booking_from = $year_from."-".$month_from."-".$day_from;
    $day_to = mysqli_real_escape_string($conn, $_POST['day_to']);
    $month_to = mysqli_real_escape_string($conn, $_POST['month_to']);
    $year_to = mysqli_real_escape_string($conn, $_POST['year_to']);
    $booking_to = $year_to."-".$month_to."-".$day_to;
    $no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from)); 
    $quantity = floor($no_of_nights / (60*60*24));
    $reason = "Booked by ".$first_name." ".$last_name." for ".$pax ." people";

function daterange($booking_from, $booking_to, $step = '+1 day', $output_format = 'Y-m-d') {
  $dates = array();
  $first = new DateTime($booking_from);
  $last = new DateTime($booking_to);
  $last = $last->modify('+ 1 day');
  $interval = DateInterval::createFromDateString($step);
  $period = new DatePeriod($first, $interval, $last);


  foreach ($period as $date) {
      $dates[] = $date->format($output_format);
  } 

  return $dates;
}

$dates = daterange($booking_from, $booking_to);
include 'connect.php';

 if (!$conn->autocommit(FALSE)) {
    printf("Errormessage: %s\n", $conn->error);
 }

 if (!$conn->query("INSERT INTO client_details (clientID, name, email, address, mobile) VALUES ('', '$first_name $last_name', '$payer_email', '$address', '$mobile')")) {
     printf("Errormessage: %s\n", $conn->error);
 }


 if (!$conn->query("INSERT INTO bookings (bookingID, apartmentID, clientID, date_from, date_to, nights, pax, remarks) VALUES ('', '$apartment', LAST_INSERT_ID(), '$booking_from', '$booking_to', '$days', '$pax', '$remarks')")) {
     printf("Errormessage: %s\n", $conn->error);
 }

 foreach ($dates as $date) {
 if (!$conn->query("INSERT INTO room_nights (bookingID, apartmentID, dates, reason) VALUES (LAST_INSERT_ID(), '$apartment', '$date', '$reason')")) {
      printf("Errormessage: %s\n", $conn->error);
 }
 }

 if (!$conn->commit()) {
     printf("Errormessage: %s\n", $conn->error);
 }
 $conn->close();

?>

1 个答案:

答案 0 :(得分:2)

你的步骤错了

1)在实际网站上填写表格 - &gt; 2)登录Paypal - &gt; 3)立即付款(PayPal) - &gt; 4)将数据插入数据库中 - &gt; 5)回到起点?

在第3步之后的原因,您将如何找到在第一步中填写的数据,当用户点击提交并离开实际网站并登录到Paypal时,您将丢失表单数据,用户可以进行虚假声明他们也是从您的网站购买或者对您销售的产品或服务进行付款。

步骤应该是在处理Paypal时

  1. 填写实际网站上的发件人
  2. 表单提交验证表单数据,如果验证Okey,将数据保存到数据库并将用户重定向到Paypal
  3. 用户登录Paypal并付款
  4. 通过Paypal即时付款通知(IPN)获取付款明细(当用户仍然在Paypal网站上)IPN Detail在您的情况下payments.php(在IPN,Paypal发布交易明细,金额详情等您需要在步骤5中更新数据库,否则您将无法确定用户支付的产品
  5. 根据Paypal即时付款通知更新数据库(付款成功,付款失败,付款待处理)
  6. 使用返回网址Return URL Detail return.php
  7. 将用户重定向回实际网站
  8. 在实际网站上显示返回网址的付款明细和其他详细信息。
  9. 附注:第7步,在此步骤中,您可以提供唯一的参考号(仅针对成功付款生成)并向从您的网站购买的用户提供该参考号,否则您最终可能会与声称的用户打交道他们对任何产品付款。

    (在处理Paypal时,请记住,PayPal总是喜欢它的消费者而不是商家,因此如果有太多欺诈性投诉,您必须小心,否则他们会冻结您的帐户)

    就您的代码而言,只需使用mysqli_real_escape_string mysqli_real_escape_string($_POST['apartment']);转义表单值,而不需要使用PDO,您已经在使用MySQLi转义字符串并验证服务器上的表单输入这足以避免SQL Injection vulnerabilities