第3步之后的原因是,您将如何找出第一步中填写的数据,当用户单击提交"并离开实际网站并登录到Paypal时,您将丢失该表单数据,并且用户可以提出虚假声明他们也是从您的网站上购买的,或者使用您所销售的产品或服务付款.该步骤应该是在与Paypal打交道时填写实际网站中的在提交表单时验证表单数据,如果验证为Okey,则将数据保存到数据库中并将用户重定向到Paypal用户登录到Paypal并进行付款通过Paypal即时付款通知(IPN)获取付款明细(尽管用户仍在Paypal网站上) IPN详细信息(在您的情况下为payments.php)(在IPN中,贝宝(Paypal)发布需要在步骤5中更新数据库的交易详细信息,金额详细信息等,否则您将无法确定用户针对哪个产品付款)根据Paypal即时付款通知(付款成功,付款失败,付款待处理)更新数据库中的数据使用返回URL 返回网址详细信息 return.php在实际网站的返回URL"上显示付款明细和其他详细信息.旁注:第七步,在此步骤中,您可以提供唯一的参考号(仅在成功付款时生成),并将该参考号提供给从您的网站购买的用户,否则您最终可能会与声称拥有所有权的用户打交道他们以任何产品付款.(与Paypal打交道时,请记住,paypal总是更喜欢它的消费者而不是商家,因此您必须要小心,否则,如果欺诈投诉过多,他们将冻结您的帐户)就您的代码而言,只需像mysqli_real_escape_string($_POST['apartment']);这样用mysqli_real_escape_string转义表单值,而无需使用PDO,您已经在使用MySQLi来转义字符串并在服务器端验证表单输入,足以避免SQL Injection vulnerabilities I am trying to figure out the best way to save data (which was submitted previously in a form) to a database, after the client has paid for the item, using paypal. Something along the lines of this process:1)Fill in form on actual website --> 2)Login Paypal --> 3) Pay Now (PayPal) --> 4) Data is inserted in database --> 5) Return to starting point?I have figured out how to do steps 1 to 3 and 5, however would need some help in doing step 4. As far as I can tell, I need to somehow store the data, and then save or discard the stored data as required. What would the best way to do so be?The Form <form action="" method="post" target="" id="bookstay"> <input type="hidden" name="cmd" value="_xclick" /> <input type="hidden" name="unitprice" value="40" /> <input type="hidden" name="apt_name" value="Apartment1" /> <input type="hidden" name="no_note" value=""/> <input type="hidden" name="lc" value="MT" /> <input type="hidden" name="currency_code" value="EUR" /> <input type="hidden" name="bn" value="BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" /> <input type="hidden" name="apartment" value="1"/> <input name='first_name' class="short-input" id='name' type="text" value="Name" onFocus="this.value = ''" /> <input name= 'last_name' class="short-input" id='name' type="text" value="surname" onFocus="this.value = ''" /> <input name='payer_email' class="long-input" type="text" value="Email" onFocus="this.value = ''" /> <input name='address' class="long-input" type="text" value="Address" onFocus="this.value = ''" /> <input name='mobile' class="short-input" type="text" value="mobile" onFocus="this.value = ''" /> <div class='select' id='peopletostay'> <select name='pax' class='short-input'> <option value='0'>people to stay</option> <option value='1'>1</option> <option value='2'>2</option> <option value='3'>3</option> <option value='4'>4</option> </select> </div> <div id="dateofarrival"> date of arrival<br> <div class='select' id='date'> <select class="short-input day-from" name="day_from"> <option value= "01" >01</option> ... <option value= "31" >31</option> </select> </div> <div class='select' id='month'> <select class="short-input month-from" name="month_from" size="1"> <option value="01" >January</option> .... <option value="12" >December</option> </select> </div> <div class='select' id='year'> <select class="short-input year-from" name='year_from'> <option value= 2015 > 2015</option> .... <option value= 2025 > 2025</option> </select> </div> </div> <div id="dateodeparture"> date of arrival<br> <div class='select' id='date'> <select class="short-input day-from" name="day_to"> <option value= "01" >01</option> ... <option value= "31" >31</option> </select> </div> <div class='select' id='month'> <select class="short-input month-from" name="month_to" size="1"> <option value="01" >January</option> .... <option value="12" >December</option> </select> </div> <div class='select' id='year'> <select class="short-input year-from" name='year_to'> <option value= 2015 > 2015</option> .... <option value= 2025 > 2025</option> </select> </div> </div> <textarea name='remarks'>Extra Remarks</textarea> <button type="submit" name="proceedtopaypal" id="proceedtopaypal">make booking (proceed to paypal)</button> </form>Payment Code<?phpif ($_POST) {if (isset($_POST['proceedtopaypal'])){include 'connect.php'; $apartment = mysqli_real_escape_string($conn, $_POST['apartment']); $unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']); $first_name = mysqli_real_escape_string($conn, $_POST['first_name']); $last_name = mysqli_real_escape_string($conn, $_POST['last_name']); $payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']); $address = mysqli_real_escape_string($conn, $_POST['address']); $apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']); $mobile = mysqli_real_escape_string($conn, $_POST['mobile']); $pax = mysqli_real_escape_string($conn, $_POST['pax']); $remarks = mysqli_real_escape_string($conn, $_POST['remarks']); $day_from = mysqli_real_escape_string($conn, $_POST['day_from']); $month_from = mysqli_real_escape_string($conn, $_POST['month_from']); $year_from = mysqli_real_escape_string($conn, $_POST['year_from']); $booking_from = $year_from."-".$month_from."-".$day_from; $day_to = mysqli_real_escape_string($conn, $_POST['day_to']); $month_to = mysqli_real_escape_string($conn, $_POST['month_to']); $year_to = mysqli_real_escape_string($conn, $_POST['year_to']); $booking_to = $year_to."-".$month_to."-".$day_to; $no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from)); $quantity = floor($no_of_nights / (60*60*24)); // paypal settings $paypal_email = '[email protected]'; $return_url = 'http://localhost/Webdevelopment/V18/apartments.php'; $cancel_url = 'http://localhost/Webdevelopment/V18/apartments.php'; $notify_url = 'http://localhost/Webdevelopment/V18/paypal/payments.php'; $item_amount = $unitprice * $quantity; $item_name = "Booking at ".$apt_name." from " .$booking_from ." to " .$booking_to; $validdate = false; $buttonpressed = false; $checkin='<p>Check in date is invalid.</p>'; $checkout='<p>Check out date is invalid</p>'; $larger = '<p>Check in date is after check out date</p>'; $noinfo='<p>please fill in the missing information.</p>'; $booked='<p>The dates selected are already booked for this apartment</p>'; $equal = '<p>You need to spend a minimum of 1 night in these apartment</p>'; $thankyou = '<h5>Thank you</h5><p>thank you for booking an apartment with V18-apartments.</p>'; $window = ''; function IsInjected($str) { $injections = array('(\n+)', '(\r+)', '(\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)' ); $inject = join('|', $injections); $inject = "/$inject/i"; if(preg_match($inject,$str)) { return true; } else { return false; } } if (!checkdate($month_from, $day_from, $year_from)) { $window = $checkin; echo $window; $validate = true; } else if (!checkdate($month_to, $day_to, $year_to)) { $window = $checkout; $validate = true; echo $window; //echo "Check out date is invalid"; } else if ($booking_from > $booking_to) { $window = $larger; $validate = true; echo $window; // echo "Check in date is after check out date"; } else if ($booking_from == $booking_to) { $window = $equal; $validate = true; echo $window; } // check if all info is filled in else if (($first_name == "Name") || ($last_name == "surname") || ($payer_email == "Email") || ($mobile == "mobile") || ($address == "Address")) { $window = $noinfo; echo $window; $validate = true; // echo "Please fill in the missing information"; } else if (IsInjected($payer_email)) { echo "Not an email"; } else if ($validdate == false) { $final = true; $sql = "SELECT COUNT(*) FROM room_nights WHERE apartmentID= '$apartment' AND dates >= '$booking_from' AND dates <= '$booking_to'"; $result = mysqli_query($conn, $sql); $result = mysqli_query($conn, $sql); $row=mysqli_fetch_row($result); if ($row[0] > 0) { $window = $booked; echo $window; } else if ($final == true) { // save to database include 'insertdata.php'; // code below echo $item_name; // include functions include ("pay_functions.php"); // Check if paypal request or response if (!isset($_POST["txn_id"]) && !isset($_POST["txn_type"])){ // Firstly Append paypal account to querystring $querystring .= "?business=".urlencode($paypal_email)."&"; // Append amount& currency (£) to quersytring so it cannot be edited in html //The item name and amount can be brought in dynamically by querying the $_POST['item_number'] variable. $querystring .= "item_name=".urlencode($item_name)."&"; $querystring .= "amount=".urlencode($item_amount)."&"; //loop for posted values and append to querystring foreach($_POST as $key => $value){ $value = urlencode(stripslashes($value)); $querystring .= "$key=$value&"; } // Append paypal return addresses $querystring .= "return=".urlencode(stripslashes($return_url))."&"; $querystring .= "cancel_return=".urlencode(stripslashes($cancel_url))."&"; $querystring .= "notify_url=".urlencode($notify_url); // Append querystring with custom field //$querystring .= "&custom=".USERID; // Redirect to paypal IPN header('location:https://www.sandbox.paypal.com/cgi-bin/webscr'.$querystring); exit(); } else { // Response from paypal $req = 'cmd=_notify-validate'; foreach ($_POST as $key => $value) { $value = urlencode(stripslashes($value)); $value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix $req .= "&$key=$value"; } // assign posted variables to locate variables $data['item_name'] = $_POST['item_name']; $data['item_number'] = $_POST['item_number']; $data['payment_status'] = $_POST['payment_statis']; $data['payment_amount'] = $_POST['mc_gross']; $data['payment_currency'] = $_POST['mc_currency']; $data['txn_id'] = $_POST['txn_id']; $data['receiver_email'] = $_POST['receiver_email']; $data['payer_email'] = $_POST['payer_email']; $data['custom'] = $_POST['custom']; // post back to paypal system and validate $header = "POST /cgi-bin/webscr HTTP/1.0\r\n"; $header .= "Content-Type : application/x-www-form-urlencoded\r\n"; $header .= "Content-Lenght: " .strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30); if (!$fp) { // HTTP error } else { mail('[email protected]', '0', '0'); fputs ($fp, $header . $req); while (!feof($fp)) { $res = fgets($fp, 1024); if (strcmp ($res, "VERIFIED") == 0) { // validate payment (check unique txnid & correct price) $valid_txnid = check_txnid($data['txn_id']); $valid_price = check_price($data['payment_amount'], $data['item_number']); // Payment validated and verified if ($valid_price && $valid_price) { $orderid = updatePayments($data); if ($orderid){ // payment has been made and inserted into db } else { echo "Error"; } } else if (strcmp($res, "INVALID") == 0) { echo "Payment invalid"; } } fclose($fp); } } } } }} }?>INSERTDATA.PHP <?php $apartment = mysqli_real_escape_string($conn, $_POST['apartment']); $unitprice = mysqli_real_escape_string($conn, $_POST['unitprice']); $first_name = mysqli_real_escape_string($conn, $_POST['first_name']); $last_name = mysqli_real_escape_string($conn, $_POST['last_name']); $payer_email = mysqli_real_escape_string($conn, $_POST['payer_email']); $address = mysqli_real_escape_string($conn, $_POST['address']); $apt_name = mysqli_real_escape_string($conn, $_POST['apt_name']); $mobile = mysqli_real_escape_string($conn, $_POST['mobile']); $pax = mysqli_real_escape_string($conn, $_POST['pax']); $remarks = mysqli_real_escape_string($conn, $_POST['remarks']); $day_from = mysqli_real_escape_string($conn, $_POST['day_from']); $month_from = mysqli_real_escape_string($conn, $_POST['month_from']); $year_from = mysqli_real_escape_string($conn, $_POST['year_from']); $booking_from = $year_from."-".$month_from."-".$day_from; $day_to = mysqli_real_escape_string($conn, $_POST['day_to']); $month_to = mysqli_real_escape_string($conn, $_POST['month_to']); $year_to = mysqli_real_escape_string($conn, $_POST['year_to']); $booking_to = $year_to."-".$month_to."-".$day_to; $no_of_nights = abs(strtotime($booking_to) - strtotime($booking_from)); $quantity = floor($no_of_nights / (60*60*24)); $reason = "Booked by ".$first_name." ".$last_name." for ".$pax ." people";function daterange($booking_from, $booking_to, $step = '+1 day', $output_format = 'Y-m-d') { $dates = array(); $first = new DateTime($booking_from); $last = new DateTime($booking_to); $last = $last->modify('+ 1 day'); $interval = DateInterval::createFromDateString($step); $period = new DatePeriod($first, $interval, $last); foreach ($period as $date) { $dates[] = $date->format($output_format); } return $dates;}$dates = daterange($booking_from, $booking_to);include 'connect.php'; if (!$conn->autocommit(FALSE)) { printf("Errormessage: %s\n", $conn->error); } if (!$conn->query("INSERT INTO client_details (clientID, name, email, address, mobile) VALUES ('', '$first_name $last_name', '$payer_email', '$address', '$mobile')")) { printf("Errormessage: %s\n", $conn->error); } if (!$conn->query("INSERT INTO bookings (bookingID, apartmentID, clientID, date_from, date_to, nights, pax, remarks) VALUES ('', '$apartment', LAST_INSERT_ID(), '$booking_from', '$booking_to', '$days', '$pax', '$remarks')")) { printf("Errormessage: %s\n", $conn->error); } foreach ($dates as $date) { if (!$conn->query("INSERT INTO room_nights (bookingID, apartmentID, dates, reason) VALUES (LAST_INSERT_ID(), '$apartment', '$date', '$reason')")) { printf("Errormessage: %s\n", $conn->error); } } if (!$conn->commit()) { printf("Errormessage: %s\n", $conn->error); } $conn->close();?> 解决方案 Your steps are wrong1)Fill in form on actual website --> 2)Login Paypal --> 3) Pay Now (PayPal) --> 4) Data is inserted in database --> 5) Return to starting point?Reason after Step 3, how you will find out the data which was filled in form in step one, the moment user click submit and leave the actual website and login to Paypal you will lose the form data and users can make false claims too that they purchased from your website or make payments against the product or service your are selling.The Step Should be when dealing with PaypalFill in the From on Actual WebsiteOn Form submission Validate the form data, if validation Okey, save data into Database and redirect user to PaypalUser Login to Paypal and make paymentGet Payment Detail via Paypal Instant Payment Notification (IPN) (While user still on Paypal website) IPN Detail in your case which is payments.php (In IPN, Paypal Post the transaction detail, amount detail etc which you need to update the database in step-5 otherwise you will not figure out against which product which user paid)Update the data in database according to Paypal Instant Payment Notification (Payment Success, Payment Failed, Payment Pending)Redirect the User back to Actual website with Return URL Return URL Detail return.phpShow the payment detail and other details on Return URL on Actual Website.Side Note: 7th step, at this step you can provide a unique reference number (which only generate against successful payment) and provide that reference number to the user who purchased from your website otherwise you may end up dealing with users who claim that they made payment against any product.(When dealing with Paypal, keep in mind paypal always prefer it's consumers not merchants so you have to be careful or they will freeze your account if there will be too many fraudulent complains)As far your code concern, just escape the form values with mysqli_real_escape_string like mysqli_real_escape_string($_POST['apartment']);and no need to use PDO you are already using MySQLi escaping the string and validating form inputs on server side enough to avoid the SQL Injection vulnerabilities 这篇关于付款成功后保存到数据库(PayPal)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持! 上岸,阿里云!
08-24 13:52