Fail to send variables back to return address while Paypal payment-CodePudding

I am unable to get variables in my return address while paying with Paypal.

My form is like below:

<form action="<?php echo $ps_paypal_url; ?>" method="post"> 
            <input type="hidden" name="business" value="<?php echo $ps_paypal_merchant; ?>">
            <input type="hidden" name="notify_url" value="<?php echo 'http://'.$_SERVER['SERVER_NAME'].CONF_WEBROOT_URL. 'paypal-ipn.php'; ?>">
            <input type="hidden" name="item_name" value="<?php echo 'For Order ' . $_POST['ORDER']; ?>">
            <input type="hidden" name="user_name" value="<?php echo $_SESSION['logged_user']['user_id']; ?>">
            <input type="hidden" name="quantity" value="1">
            <input type="hidden" name="item_number" value="<?php echo $_POST['ORDER']; ?>">
            <input TYPE="hidden" name="cmd" value="_xclick">
            <input type="hidden" name="amount" value="<?php echo round($total_payable, 2); ?>">
            <?php if($_POST['wallet'] > 0){ ?>
                <input type="hidden" name="discount_amount" value="<?php echo round($_POST['wallet'],2); ?>" />
            <?php } ?>
            
            <input type="hidden" name="no_shipping" value="1">
            <input type="hidden" name="custom" value="<?php echo $_SESSION['logged_user']['user_id']; ?>">
            <?php  
                $success = 'http://' . $_SERVER['SERVER_NAME'] . CONF_WEBROOT_URL .'success/;
                
            ?>  
            <input type='hidden' name='rm' value='2'>
            <input type="hidden" name="return" value="<?php echo $success ; ?>">
            <input type="hidden" name="currency_code" value="<?php echo CONF_CURRENCY_CODE; ?>">
        </form>

In my return address I am trying to read for example item_name or amount. But no success so far. I beleive paypal is disabled this function and variables are not allowed to be posted to return address. In my return file I am trying to read the variables like below:

<?php 
$amount = $_GET['amount'];
$amountpost = $_POST['amount'];
echo $amount;
echo $amountpost ;
?>

The result is empty. There is not any problem with ipn file once it is verified I am able to get the result with ipn file but why it is needed for me is because I need to add pending orderd in users purchase history. So when user will be redirected to success.php I will add pending order to account and once it is completed I will check via ipn and will change the status to "paid".

Any help would be highly appreciated.

PS: I don't want to send parameters in URL as $_GET parameters. I just want to get parameters of form.

CodePudding user response：

First, please enable IPN explicitly after logging in your Paypal account and set the IPN url (e.g. set as http://www.yoursite.com/payment1234A.php)

Second, please remove notify_url from your form (to avoid hacking)

Thirdly, please add return and cancel_return url as hidden fields. For example:

 <input type="hidden" name="return" value="http://www.yoursite.com/success.php">
 <input type="hidden" name="cancel_return" value="http://www.yoursite.com/cancelled.php">

So, if you want to collect USD1000 , then the form to be sent to paypal should be like the following form:

Note:

I have added a javascript autosubmit so that the user does not need to click a submit button);
I have used the "custom" field to send a unique data, it can be something like [customerserial-transactionserial] so that your IPN script can use it to do your db update.
The minimum requested fields to be submitted in the form are: business, item_name, amount, currency_code. For further details please refer to Paypal's official documentation.

<form id=form1 action="https://www.paypal.com/cgi-bin/webscr" method="post">

  <!-- Identify your business so that you can collect the payments. -->
  <input type="hidden" name="business" value="[email protected]">

  <!-- Specify a Buy Now button. -->
  <input type="hidden" name="cmd" value="_xclick">

  <!-- Specify details about the item that buyers will purchase. -->
  <input type="hidden" name="item_name" value="Purchase">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="currency_code" value="USD">
  <input type="hidden" name="custom" value="<?php echo $_SESSION["checkcode"]; ?>">

 <input type="hidden" name="return" value="http://www.yoursite.com/success.php">
 <input type="hidden" name="cancel_return" value="http://www.yoursite.com/cancelled.php">

</form>

<script>
document.getElementById('form1').submit();
</script>

Finally, use (and customize if necessary) the following standard paypal IPN php script in your IPN link (e.g.payment1234A.php). Please note that the amount you submitted will be returned as $_POST['mc_gross'] (not $_GET['amount'] nor $_POST['amount']) . But the custom field will be returned as $_POST['custom'].

The file below : payment1234A.php

<?php
// STEP 1: Read POST data
 
// reading posted data from directly from $_POST causes serialization 
// issues with array data in POST
// reading raw POST data from input stream instead. 
$raw_post_data = file_get_contents('php://input');
$raw_post_array = explode('&', $raw_post_data);
$myPost = array();
foreach ($raw_post_array as $keyval) {
  $keyval = explode ('=', $keyval);
  if (count($keyval) == 2)
     $myPost[$keyval[0]] = urldecode($keyval[1]);
}
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
if(function_exists('get_magic_quotes_gpc')) {
   $get_magic_quotes_exists = true;
} 
foreach ($myPost as $key => $value) {        
   if($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) { 
        $value = urlencode(stripslashes($value)); 
   } else {
        $value = urlencode($value);
   }
   $req .= "&$key=$value";
}
 
 if (1==2) {
// STEP 2: Post IPN data back to paypal to validate
// only works if your IPN url is https, otherwise remark this block as 1==2

$ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));
 
// In wamp like environments that do not come bundled with root authority certificates,
// please download 'cacert.pem' from "http://curl.haxx.se/docs/caextract.html" and set the directory path 
// of the certificate as shown below.
// curl_setopt($ch, CURLOPT_CAINFO, dirname(__FILE__) . '/cacert.pem');
if( !($res = curl_exec($ch)) ) {
    // error_log("Got " . curl_error($ch) . " when processing IPN data");
    curl_close($ch);
    exit;
}
curl_close($ch);
 
 }

// STEP 3: Inspect IPN validation result and act accordingly
 
if (1==1) {
    // check whether the payment_status is Completed
    // check that txn_id has not been previously processed
    // check that receiver_email is your Primary PayPal email
    // check that payment_amount/payment_currency are correct
    // process payment
 
    // assign posted variables to local variables
    $item_name = $_POST['item_name'];
    $item_number = $_POST['item_number'];
    $payment_status = $_POST['payment_status'];
    $payment_amount = $_POST['mc_gross'];
    $custom = $_POST['custom'];

    $payment_currency = $_POST['mc_currency'];
    $txn_id = $_POST['txn_id'];
    $receiver_email = $_POST['receiver_email'];
    $payer_email = $_POST['payer_email'];

    // <---- HERE you can do your INSERT to the database



if ( trim($payment_status)=="Completed" ) {

/// do whatever you want for successful transaction

}


} 


?>