diff --git a/buypoints.php b/buypoints.php
index d3ec272..fcc8e30 100644
--- a/buypoints.php
+++ b/buypoints.php
@@ -43,7 +43,7 @@ if ($paypal['enabled']) {
-
+
diff --git a/ipn.php b/ipn.php
index 9b671a9..2ffb09f 100644
--- a/ipn.php
+++ b/ipn.php
@@ -1,87 +1,124 @@
$value) {
$value = urlencode(stripslashes($value));
- $req .= "&$key=$value";
+ $req .= "&$key=$value";
}
+ $postdata = $req;
- // post back to PayPal system to validate
- $header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
- $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
- $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
- $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
-
- // assign posted variables to local variables
- $item_name = $_POST['item_name'];
- $item_number = $_POST['item_number'];
- $payment_status = $_POST['payment_status'];
- $payment_amount = $_POST['mc_gross'];
+ // Assign payment notification values to local variables
+ $item_name = $_POST['item_name'];
+ $item_number = $_POST['item_number'];
+ $payment_status = $_POST['payment_status'];
+ $payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
- $txn_id = mysql_real_escape_string($_POST['txn_id']);
- $receiver_email = $_POST['receiver_email'];
- $payer_email = mysql_real_escape_string($_POST['payer_email']);
- $custom = $_POST['custom'];
+ $txn_id = $_POST['txn_id'];
+ $receiver_email = $_POST['receiver_email'];
+ $payer_email = $_POST['payer_email'];
+ $custom = (int)$_POST['custom'];
+
+ $connectedIp = $_SERVER['REMOTE_ADDR'];
+ mysql_insert("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'Connection from IP: $connectedIp', '0', '0', '0')");
- if (!$fp) {
- // HTTP ERROR
- } else {
- fputs ($fp, $header . $req);
- while (!feof($fp)) {
- $res = fgets ($fp, 1024);
- if (strcmp ($res, "VERIFIED") == 0) {
- if ($payment_status == 'Completed') {
- $txn_id_check = mysql_query("SELECT `txn_id` FROM `znote_paypal` WHERE `txn_id`='$txn_id'");
- if (mysql_num_rows($txn_id_check) != 1) {
- if ($receiver_email == $paypal['email']) {
-
- $status = true;
- $pieces = explode("!", $custom);
- // TODO - fix this logic
- // 0 = user_id, 1 = price, 2 = points
- $f_user_id = (int)$pieces[0];
- $f_price = (float)$pieces[1];
- $f_points = (int)$pieces[2];
- if ($payment_amount != $f_price) $status = false; // If he paid wrong ammount
- if ($payment_currency != $paypal['currency']) $status = false; // If he paid using another currency
-
- // Verify that the user havent messed around with POST data
- if ($status) {
- $status = false;
- foreach ($prices as $price => $points) {
- if ($price == $f_price && $points == $f_points) $status = true; // data does not appear to be manipulated.
- }
- if ($status) {
- // transaction log
- $log_query = mysql_query("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', '$payer_email', '$f_user_id', '".(int)$f_price."', '".(int)$f_points."')");
-
- // Give points to user
- $old_points = mysql_result(mysql_query("SELECT `points` FROM `znote_accounts` WHERE `account_id`='$f_user_id';"), 0, 'points');
- $new_points = (int)$f_points;
- $new_points += $old_points;
- $update_account = mysql_query("UPDATE `znote_accounts` SET `points`='$new_points' WHERE `account_id`='$f_user_id'");
- } else mysql_query("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'ERROR: HACKER detected: $payer_email', '$f_user_id', '".(int)$f_price."', '".(int)$f_points."')");
- }
- } else {
- $pmail = $paypal['email'];
- mysql_query("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'ERROR: Wrong mail. Received: $receiver_email, configured: $pmail', '0', '0', '0')");
+ $status = VerifyPaypalIPN();
+ if ($status) {
+ // Check that the payment_status is Completed
+ if ($payment_status == 'Completed') {
+
+
+ // Check that txn_id has not been previously processed
+ $txn_id_check = mysql_select_single("SELECT `txn_id` FROM `znote_paypal` WHERE `txn_id`='$txn_id'");
+ if ($txn_id_check !== false) {
+ // Check that receiver_email is your Primary PayPal email
+ if ($receiver_email == $paypal['email']) {
+
+ $status = true;
+ $paidMoney = 0;
+ $paidPoints = 0;
+
+ foreach ($prices as $priceValue => $pointsValue) {
+ if ($priceValue == $payment_amount) {
+ $paidMoney = $priceValue;
+ $paidPoints = $pointsValue;
}
}
+
+ if ($paidMoney == 0) $status = false; // Wrong ammount of money
+ if ($payment_currency != $paypal['currency']) $status = false; // Wrong currency
+
+ // Verify that the user havent messed around with POST data
+ if ($status) {
+ // transaction log
+ mysql_insert("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', '$payer_email', '$custom', '".$paidMoney."', '".$paidPoints."')");
+
+ // Process payment
+ $data = mysql_select_single("SELECT `points` AS `old_points` FROM `znote_accounts` WHERE `account_id`='$custom';");
+
+ // Give points to user
+ $new_points = $data['old_points'] + $paidPoints;
+ mysql_update("UPDATE `znote_accounts` SET `points`='$new_points' WHERE `account_id`='$custom'");
+ }
+ } else {
+ $pmail = $paypal['email'];
+ mysql_insert("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'ERROR: Wrong mail. Received: $receiver_email, configured: $pmail', '0', '0', '0')");
}
}
- else if (strcmp ($res, "INVALID") == 0) {
- // log for manual investigation
-
- }
}
- fclose ($fp);
+ } else {
+ // Something is wrong
+ mysql_insert("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'ERROR: Invalid data. $postdata', '0', '0', '0')");
}
?>
\ No newline at end of file
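Review bot: The new side drops `mysql_real_escape_string()` from `$txn_id` and `$payer_email` (the removed lines kept it) and then interpolates them, together with the never-escaped `$receiver_email` and the raw POST body in `$postdata`, straight into the `znote_paypal` INSERTs, so quote characters in a notification terminate those string literals before VerifyPaypalIPN() has even been consulted. The duplicate-transaction guard also looks inverted: assuming mysql_select_single() returns false when no row matches (as the `!== false` test implies), points are now credited only when a row for `$txn_id` already exists, and the unconditional "Connection from IP" insert a few lines earlier guarantees one, so a replayed notification carrying an already-processed txn_id would be credited a second time. Re-add the escaping on the four interpolated inputs, run the txn_id lookup before the connection-log insert, and invert the condition to `if ($txn_id_check === false)`, as sketched below; the project's mysql_insert/mysql_select_single wrappers take a finished SQL string, so a parameterised form would need a new helper. The hunk's opening lines are truncated in this rendering, so the start of the `foreach` that builds `$req` is not visible here.
```php
$postdata = mysql_real_escape_string($req);
// … unchanged: item_name, item_number, payment_status, mc_gross, mc_currency …
$txn_id = mysql_real_escape_string($_POST['txn_id']);
$receiver_email = mysql_real_escape_string($_POST['receiver_email']);
$payer_email = mysql_real_escape_string($_POST['payer_email']);
$custom = (int)$_POST['custom'];

// Look up the txn_id before the connection log below inserts a row for it
$txn_id_check = mysql_select_single("SELECT `txn_id` FROM `znote_paypal` WHERE `txn_id`='$txn_id'");

$connectedIp = $_SERVER['REMOTE_ADDR'];
mysql_insert("INSERT INTO `znote_paypal` VALUES ('', '$txn_id', 'Connection from IP: $connectedIp', '0', '0', '0')");
// … unchanged: VerifyPaypalIPN() and payment_status check …
// Credit only when this txn_id has never been seen (replay guard)
if ($txn_id_check === false) {
    // … unchanged: receiver_email check, price lookup, transaction log, point credit …
```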