paypal ipn script

phencesgirl

Hello! I am trying to modify this script that I found, so that it will work with paypal's ipn(instant payment notification) option.

As I understand it (a newbie's point of view!), paypal should post some information to the url I have specified in my profile. Then, I need to post the same info back to paypal, and then I can update tables, etc...to process the order.

I have set up my paypal profile so that ipn is enabled, and the URL that it is set to should call this script:

<?php
//paypal.php IPN validation
/*
Derived from info at paypal developer forums and
http://www.eliteweaver.co.uk/testing/ipntest.php
*/

// No ipn post means this script does not exist
if (!@$_POST['txn_type']){@header("Status: 404 Not Found"); exit;
}else{
header("Status: 200 OK"); }
/*
NO BROWSER OUTPUT FROM HERE.
data from paypal is looped back to paypal and a verification response is posted back
and transaction logged to file +/or database

// Add "cmd" to prepare for post back validation
// Read the ipn post from paypal or eliteweaver uk
// Fix issue with php magic quotes enabled on gpc
// Apply variable antidote (replaces array filter)
// Destroy the original ipn post (security reason)
// Reconstruct the ipn string ready for the post
*/

/**CONFIG**/
$paypal['business']="my_email_address@example.net"; //this I have edited
//$paypal['url'] = 'https://www.paypal.com/cgi-bin/webscr';
$paypal['url'] = 'https://www.sandbox.paypal.com/cgi-bin/webscr'; //I do have a sandbox account
//$paypal['url'] = 'http://www.eliteweaver.co.uk/testing/ipntest.php';

$ipn_log_file = '/log/ipn_log.txt'; //I have made this directory
$ipn_log = '['.date('m/d/Y g:i A').'] - ';
$postipn = 'cmd=_notify-validate';
/**/


foreach ($_POST as $ipnkey => $ipnval)
{
if (get_magic_quotes_gpc()){$ipnval = stripslashes ($ipnval);}
// Fix issue with magic quotes
if (!eregi("^[_0-9a-z-]{1,30}$",$ipnkey)|| !strcasecmp ($ipnkey, 'cmd')){unset($ipnkey);unset($ipnval);}
// ^ Antidote to potential variable injection and poisoning
if (@$ipnkey != '') { @$_PAYPAL[$ipnkey] = $ipnval; unset ($_POST);
/* Remove empty keys (not values) Assign data to new global array Destroy the original ipn post array*/
$postipn.='&'.@$ipnkey.'='.urlencode(@$ipnval); }
} // Notify string
$error=0;
$url_parsed=parse_url($paypal['url']);
// Post back the reconstructed instant payment notification
//
$socket = @fsockopen($url_parsed['host'],80,$err_no,$err_str,30);
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header.= "Content-Type: application/x-www-form-urlencoded\r\n";
$header.= "Content-Length: ".strlen($postipn)."\r\n";
$header.= "Accept: */*\r\n\r\n";
//* Note: "Connection: Close" is not required using HTTP/1.0
if(!$socket) {
// could not open the connection. the error message will be in the log.
$fso_error = "fsockopen error no. $errnum: $errstr";

$ipn_log .= "\n FSO:". $fso_error;
} else {
$fputs=@fputs ($socket,$header.$postipn."\r\n\r\n");

/*
//extra debug info
if ($fputs === FALSE) { $ipn_log .= "\n Cannot write to stream";}
else { $ipn_log .= "\n".$fputs."bytes written to stream "; }

*/
while (!feof($socket)){$response = fgets($socket,1024); }
@fclose ($socket);
$fso_error = "socket ok";
}
$response = trim($response);

// assign posted variables to local variables
$receiver_id=$_PAYPAL['receiver_id'];
$payment_type=$_PAYPAL['payment_type'];
$payment_status=$_PAYPAL['payment_status'];
$txn_type=$_PAYPAL['txn_type'];
$txn_id=$_PAYPAL['txn_id'];
$mc_gross=$_PAYPAL['mc_gross'];
$payment_gross=$_PAYPAL['payment_gross'];
$mc_fee=$_PAYPAL['mc_fee'];
$payment_fee=$_PAYPAL['payment_fee'];
$mc_currency=$_PAYPAL['mc_currency'];
$tax=$_PAYPAL['tax'];
$shipping=$_PAYPAL['shipping'];
$item_name=$_PAYPAL['item_name'];
$item_number=$_PAYPAL['item_number'];
$quantity=$_PAYPAL['quantity'];
$payer_status=$_PAYPAL['payer_status'];
$payer_email=$_PAYPAL['payer_email'];
$first_name=$_PAYPAL['first_name'];
$last_name=$_PAYPAL['last_name'];
$payer_id=$_PAYPAL['payer_id'];
$receiver_id=$_PAYPAL['receiver_id'];
$receiver_email=$_PAYPAL['receiver_email'];
$business=$_PAYPAL['business'];
$verify_sign=$_PAYPAL['verify_sign'];
$custom=$_PAYPAL['custom'];


$ipn_log .= "IPN POST:\n";
foreach ($_PAYPAL as $key=>$value) {
$ipn_log .= "$key=$value, ";
}



if (!strcmp ($response, "VERIFIED")) {
	// IPN was confirmed as both genuine and VERIFIED
	// Check that the "payment_status" variable is: Completed and that the "receiver_email" is yours
	if ($_POST['payment_status'] == 'Completed' && $_POST['receiver_email'] == 'my_email_address@example.net') { //this email I have edited as well

	// Update your db and process this payment accordingly
	$item_name = $_POST['item_name'];
	$payment_amount = $_POST['payment_amount'];
	$payment_currency = $_POST['payment_currency'];

	//get the quantity bought of each item.
	$sql="SELECT * FROM cart WHERE username='$item_name' AND confirmed='no'";
	$result = mysql_query($sql) or die(mysql_error());
	while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
		extract($row);	
		$total= mysql_query("SELECT SUM(order_total) FROM cart WHERE username='$item_name' AND confirmed='no'");

		// process payment
		//update the quantity in the products table
		$pid = $row['product_id'];
		$stock = $row['stock'];
		$quantity = $row['quantity'];
		$newstock = $stock - $quantity;

		$sql="UPDATE products SET quantity='$newstock' WHERE product_id='$pid'";
		mysql_query($sql) or die(mysql_error());

		//update the quantity in the wish table
		$sql="UPDATE wish SET quantity='$newstock' WHERE product_id='$pid'";
		mysql_query($sql) or die(mysql_error());

		//change cart table's confirmed column to yes
		$sql="UPDATE cart SET confirmed='yes' WHERE username='$item_name' AND product_id='$pid'";
		mysql_query($sql) or die(mysql_error());
}
// Log the response from the paypal server
$ipn_log .= "\n IPN Response VERIFIED:\n ";
$ipn_log .= "\n FSO:". $fso_error;
	} //end if statement
	}else{
		// IPN was not validated as genuine and is INVALID

	// Check your code for any post back validation problems
	// Investigate the fact that this could be a spoofed IPN
	// If updating your db, ensure this "txn_id" is not a duplicate
	//* Help: if(variableAudit('mc_gross','0.01') && *//
	//* variableAudit('receiver_email','paypal@domain.com') && *//
	//* variableAudit('payment_status','Completed')){ $do_this; } else { do_that; } *//


	$ipn_log .= "\n IPN Response INVALID:\n ".$postipn;
	$ipn_log .= "\n FSO:". $fso_error;
}

/*
//extra socket info debug
$socketinfo=print_r (socket_get_status($fp),1);
$ipn_log.="\n".$socketinfo;
*/

// Write to log
$fp=fopen($ipn_log_file,'a');
fwrite($fp, $ipn_log . "\n\n");

fclose($fp); // close file
//end logging
?>

So, am I correct that this script should output nothing in the browser, but should update the tables if the payment is completed? I have tested this script using paypal's sandbox, but it is not updating my tables at all. Any suggestions will be appreciated. Thank you!

phencesgirl

Hello again...I have decided to start over with a script of my own, rather than using the script above. I think it was too advanced for me. Well, here is the script that I am trying to use with Paypal's ipn application. I am working right now with paypal's sandbox. However, this script is not updating the tables, which is what I need it to do. Thank you all for your patience and help.

<?php
        //here is where I connect to my database with my config(omitted here, of course)

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
	$value = urlencode(stripslashes($value));
	$req .= "&$key=$value";
}

// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];

if (!$fp) {
	// HTTP ERROR
} else {
	fputs ($fp, $header . $req);
	while (!feof($fp)) {
		$res = fgets ($fp, 1024);
		if (strcmp ($res, "VERIFIED") == 0) {	
			// check the payment_status is Completed
			if ($payment_status == 'COMPLETED') {
				//get the quantity bought of each item.
				$sql="SELECT * FROM cart WHERE username='$item_name' AND confirmed='no'";
				$result = mysql_query($sql) or die(mysql_error());
				while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
					extract($row);	
					$total= mysql_query("SELECT SUM(order_total) FROM cart WHERE username='$item_name' AND confirmed='no'");
					// check that payment_amount/payment_currency are correct
					if ($payment_amount == $total && $payment_currency == 'USD' && $receiver_email == 'jamcica@comcast.net') {
						// process payment
						//update the quantity in the products table
						$pid=$row['product_id'];
						$stock = $row['stock'];
						$quantity = $row['quantity'];
						$newstock = $stock - $quantity;

						$sql="UPDATE products SET quantity='$newstock' WHERE product_id='$pid'";
						mysql_query($sql) or die(mysql_error());

						//update the quantity in the wish table
						$sql="UPDATE wish SET quantity='$newstock' WHERE product_id='$pid'";
						mysql_query($sql) or die(mysql_error());

						//change cart table's confirmed column to yes
						$sql="UPDATE cart SET confirmed='yes' WHERE username='$item_name' AND product_id='$pid'";
						mysql_query($sql) or die(mysql_error());
					}//end if statement
				} //end while loop
		} else if (strcmp ($res, "INVALID") == 0) {
			// log for manual investigation
		}
	} //end if statement
fclose ($fp);
} //end while loop
  }//end else statement
?>

MarkR

The IPN script is invoked by a server-server activity. The first thing you should do is establish an error handling / logging mechanism which will enable you to trace problems in development and/or production.

In practice this means at least:
- Turning error logging on
- error_reporting(E_ALL)

And I would strongly recommend an error handler which dumps a stack trace to a log and all relevant information such as GET, POST vars etc, perhaps also emailing if you like.

Once you've established a working error handler, you may wish to develop a test harness for the IPN, which would be a HTML form containing the same fields as you'd expect to receive fom Paypal.

Of course in order to implement IPN correctly you'll need to do a post back to Paypal to ensure that the request is genuine. I strongly recommend that you do not write your own HTTP implementation (as above) and instead use fopen() with a context parameter containing the POST parameters.

In order to test any of this, you'll need to set up a Paypal "Sandbox" (i.e. test) account and create at least two sub-accounts inside it, one of which (the merchant's) will need to be verified - more information about this exists in the Paypal docs.

Best of luck. It is not an easy thing to test.

Mark

MarkR

Of course all of your Paypal integration code will need to have a switch to switch between the sandbox and live environment, which is changed between development and production.

The above example is hardcoded to go to www.paypal.com which isn't the right location for the "sandbox" server which must be used in development.

You might also want to consider using HTTPS for the Paypal callbacks, as recommended in the Paypal documentation (Their PHP examples do not do this however, as they're designed for some ropey ancient version where SSL support was perhaps not so ubiquitous).

Mark

phencesgirl

Thank you so much for your help, MarkR!

I do have two paypal sandbox accounts...one for me as the merchant, and one for me as the customer. This allows me to 'pay' myself for items, which works just fine on the paypal end...it's just that the db for my site is not being updated properly.

I did realize that my script was hardcoded to www.paypal.com, so I changed it to 'www.sandbox.paypal.com'.

use fopen() with a context parameter containing the POST parameters.

The first script that I posted here uses 'fsockopen'. Perhaps I could use that.

And I would strongly recommend an error handler which dumps a stack trace to a log and all relevant information such as GET, POST vars etc, perhaps also emailing if you like.

I will have to look into this...but I think that the first script I posted here has this implementation as well.

Once you've established a working error handler, you may wish to develop a test harness for the IPN, which would be a HTML form containing the same fields as you'd expect to receive fom Paypal.

Would this essentially be the same as testing with paypal's sandbox?

You might also want to consider using HTTPS for the Paypal callbacks, as recommended in the Paypal documentation

I will see if I can do this...never used https before, but I've read about it. I think that paypal has an option where you can use SSL, but I do not have that ability right now.

I see I have my work cut out for me. 🙂 Thank you again for your help!

ClarkF1

You might also want to use mysql_real_escape_string() on the $_POST variables before updating the database to prevent SQL injection.

phencesgirl

Hello! I have been working on this script for a while, and I just can't seem to get it to work. I am using paypal's sandbox to test it. Here's the script, with my questions below:

<?php	
	// read the post from PayPal system and add 'cmd'
	$req = 'cmd=_notify-validate';
	foreach ($_POST as $key => $value) {
		$value = urlencode(stripslashes($value));
		$req .= "&$key=$value";
	}
	// post back to PayPal system to validate
	$header = "POST https://www.sandbox.paypal.com/cgi-bin/webscr HTTP/1.0\r\n";
	$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
	$fp = fsockopen('www.sandbox.paypal.com', 80, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];

if (!$fp) {
	// HTTP ERROR
	// log for manual investigation
	$fso_error = "error";
	$ipn_log = '['.date('m/d/Y g:i A').']';
	$ipn_log .= "\n HTTP ERROR:\n";
	$ipn_log .= "\n FSO:". $fso_error."\n\n";
	$ipn_log_file = '/path/to/my/log/file';

	// Write to log
	$fp=fopen($ipn_log_file,'a');
	fwrite($fp, $ipn_log);	
	exit;

} else {
	fputs($fp, $header . $req);
	while (!feof($fp)) {
		$res = fgets($fp,1024);
		$res2 = trim($res);
		include ('my config info omitted here'); //connect and select db
		if (strcmp ($res2, "VERIFIED") == 0) {
			// check the payment_status is Completed
			if ($payment_status == 'Completed') {
				$total= mysql_query("SELECT SUM(order_total) FROM cart WHERE username='$item_name' AND confirmed='no'");
				// check that payment_amount/receiver_email/currency are correct
				// check that txn_id has not been previously processed
				if ($payment_amount == $total && $receiver_email == 'me@myhome.com' && $payment_currency == 'USD') {
					//get the quantity bought of each item.
					$sql="SELECT * FROM cart WHERE username='$item_name' AND confirmed='no'";
					$result = mysql_query($sql) or die(mysql_error());
					while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
						extract($row);
						//rename variables	
						$pid = $row['product_id'];
						$stock = $row['stock'];
						$quantity = $row['quantity'];
						$newstock = $stock - $quantity;

						// process payment
						//update the quantity in the products table
						$sql="UPDATE products SET quantity='$newstock' WHERE product_id='$pid'";
						mysql_query($sql) or die(mysql_error());

						//update the quantity in the wish table
						$sql2="UPDATE wish SET quantity='$newstock' WHERE product_id='$pid'";
						mysql_query($sql2) or die(mysql_error());

						//change cart table's confirmed column to yes
						$sql3="UPDATE cart SET confirmed='yes' WHERE username='$item_name' AND product_id='$pid'";
						mysql_query($sql3) or die(mysql_error());
					} //end while
				}//end if
			}//end if
		} else {
			//INVALID or PENDING
			// log for manual investigation
			$ipn_log = '['.date('m/d/Y g:i A').']';
			$ipn_log .= "\n IPN Response INVALID:\n";
			$ipn_log .= "Response:".$res2."\n\n";
			$ipn_log_file = '/path/to/my/log/file';

			// Write to log
			$fp=fopen($ipn_log_file,'a');
			fwrite($fp, $ipn_log);	
			exit;
		}
	}//end while
fclose ($fp);
} //end else
?>

This script DOES write to the log, and it writes the value for $res2 right in there, too, along with date, etc. It is doing this because of the last else statement above. In other words, the 'if (strcmp ($res2, "VERIFIED") == 0)' part is not executing, and instead, the script is executing what is after that: the else statement.

Well, here is what the log says:
[10/12/2006 3:38 PM]
IPN Response INVALID:
Response:HTTP/1.1 200 OK

Now, based on this, $res2 == 'HTTP/1.1 200 OK'. So, I have tried setting up the if statement as follows:

'if (strcmp ($res2, "HTTP/1.1 200 OK") == 0)'

(This I did just to test it, I know I can't leave it that way.) I again tested the script, set up like this, yet it still executed the else statement instead of the if statement.

So, my question is: Why is strcmp not yielding a '0', if the two things it is comparing seem to be identical?

Thank you for your help!

MarkR

You really want to stop writing your own HTTP implementation.

Here is an implementation of a function which sends a HTTP(S) POST with urlencoded parameters:

function SendHttpPost($url, & $fields)
{
	$urlencoded = '';
	foreach (array_keys($fields) as $key) {
		$urlencoded = $urlencoded . "$key=" . rawurlencode($fields[$key]);
		$urlencoded .= '&';
	}
	$context_options = array(
		'http'=>array(
		'method'=>"POST",
		'header'=>"Accept-language: en\r\n" .
			"Content-length: " . strlen($urlencoded) . "\r\n" .
			"Content-type:application/x-www-form-urlencoded\r\n",
		'content'=> $urlencoded)
	);
	// Make sure the HTTPS options are the same as HTTP
	$context_options['https'] = $context_options['http'];
	$context = stream_context_create($context_options);
	$fp = fopen($url, 'r', false, $context);
	// Get the response...
	$response = '';
	/* For HTTPS, IIS closes the SSL socket improperly hence
	 * generating a warning. We want to suppress this, as some
	 * servers will be doing this.
	 * this refers to THEIR server running IIS, not ours.
	 *
	 * see http://uk.php.net/manual/en/wrappers.http.php
	 */
	$old_error_reporting = error_reporting();
	error_reporting($old_error_reporting & ~E_WARNING);
	// Get the headers
	$metadata = stream_get_meta_data($fp);
	foreach($metadata['wrapper_data'] as $responseheader) {
		// Look for the status header...
		if (substr($responseheader,0,5) == 'HTTP/') {
			$bits = split(' ', $responseheader);
			$httpstatus = (int) $bits[1];
			$httpstatusmessage = $responseheader;
		}
	}
	// There is no need to check the HTTP status, as fopen wrapper
	// that for us anyway.
	// Read the the response data
	while (!feof($fp)) {
		$response .= fread($fp, 8192);
	}
	fclose($fp);
	error_reporting($old_error_reporting);
	return $response;
}

I know that this function works correctly as I'm using it to integrate with Paypal and at least two other payment providers.

You should read the response and check it for containing "VERIFIED".

As ever, log everything (request & response) to see what's going on.

Remember to log all the POST parameters the IPN came back with. Hint: error_log(print_r($_POST, true));

Mark

phencesgirl

Thank you for your response, MarkR, and for the example code. I really wasnt sure what you meant by

use fopen() with a context parameter containing the POST parameters.

...but now I think I have a better idea, thanks to your code. 🙂

I will attempt to use that code now, test it, and post back here afterwards. Thank you again!