Well basically, I had a person help me very quickly in the other thread I had here, so I think I can post this here and get some help fast too. I'm having another problem with the same PayPal script -- this is what the client said: And here is the file paypal.php -- I'm guessing the error is in here, and it's not too long a file, so I'll post it below: +rep to whoever helps, and a possibility of PHP projects with good pay. Thanks a ton! Regards, Jared
I don't think the issue is within this file, as you're simply selecting data from the db within this file and there's nothing which indicates you're updating/inserting to the db. Furthermore, you should validate/clean all $_GET requests, as I've noticed you're using them straight from the user and then doing a mysql query with them, such as:

    $res = mysql_query("SELECT * FROM `payment_method` where `id`='".$_GET["pm"]."'");

Consider using mysql_real_escape_string() on $_GET['pm'];
You need an insert or update to the database. I can't offer you my services regarding this post.

    sprintf("SELECT * FROM table WHERE `field`='%s'", mysql_real_escape_string($var));
    <?php
    include_once("config.inc.php");
    require_once('paypal.class.php');

    if (constant('ctpf') == 'on') {
        echo "paypal.php file error";
        exit();
    }

    // Both ids must be present and be positive integers.
    if (empty($_GET["pm"]) || empty($_GET["id"]) || intval($_GET["pm"]) < 1 || intval($_GET["id"]) < 1) {
        echo "Unauthorized Access";
        exit();
    }

    // The ids have just been validated as integers, so bind them as integers (%d)
    // instead of passing the raw string through.
    $res = mysql_query(sprintf("SELECT * FROM `payment_method` WHERE `id`=%d", intval($_GET["pm"])));
    $payment_method = mysql_fetch_array($res, MYSQL_ASSOC);

    $res = mysql_query(sprintf("SELECT * FROM `products` WHERE `id`=%d", intval($_GET["id"])));
    $products = mysql_fetch_array($res, MYSQL_ASSOC);

    // mysql_fetch_array() returns false when no row matched. count(false) is 1 on
    // old PHP (and a TypeError on PHP 8), so test the values themselves, and reject
    // if EITHER lookup failed (the original used && here, so one missing row was
    // let through). Doing this before the offer code block also avoids reading
    // $products["id"] from a false value.
    if (!$payment_method || !$products) {
        echo "Unauthorized Access";
        exit();
    }

    $productprice = $products['price'];
    $waiting_time = $products['waiting_time'];
    $offerinfo = "";

    if (constant("offercode")) {
        if (!empty($_GET["txtOffer"])) {
            $strSQL = sprintf(
                "SELECT type,amount,startdate,enddate,waiting_time,productlist FROM offer_code WHERE offercode='%s' AND published='1'",
                mysql_real_escape_string($_GET["txtOffer"])
            );
            $res = mysql_query($strSQL);
            $offercode = mysql_fetch_array($res, MYSQL_ASSOC);
            if ($offercode) {
                $productlist = explode(",", $offercode["productlist"]);
                if (in_array($products["id"], $productlist)) {
                    // Check start and end date.
                    // Do the timestamp and the stored date have different structures?
                    if ((time() > $offercode["startdate"]) && (time() < $offercode["enddate"])) {
                        if ($offercode["type"] == "fixed") {
                            $productprice = $productprice - $offercode["amount"];
                        } else {
                            $productprice = round($productprice - (($offercode["amount"] / 100) * $productprice), 2);
                        }
                        $waiting_time = $offercode['waiting_time'];
                    }
                }
            }
        }
    }

    $txtOffer = isset($_GET["txtOffer"]) ? $_GET["txtOffer"] : "";
    $paypalipn = urlencode(constant('domainurl') . "/" . $payment_method["notify_script"] . "?txtOffer=" . $txtOffer);

    $buyNow = new Paypal;
    $buyNow->useSandBox(false);
    $buyNow->addVar('business', $payment_method["email"]); /* Payment Email */
    $buyNow->addVar('cmd', '_xclick');
    $buyNow->addVar('amount', $productprice);
    $buyNow->addVar('item_name', $products["name"]);
    $buyNow->addVar('item_number', $products["id"]);
    $buyNow->addVar('quantity', '1');
    $buyNow->addVar('tax', '0');
    $buyNow->addVar('shipping', '0');
    $buyNow->addVar('currency_code', $payment_method["currency"]);
    // PayPal expects 0 or 1 here; a PHP boolean false would be sent as an empty string.
    $buyNow->addVar('no_shipping', constant('shipping_address') ? '0' : '1');
    $buyNow->addVar('rm', '2'); /* Return method must be POST (2) for this class */
    $buyNow->addVar('notify_url', $paypalipn);
    if (constant('thanks_page') != "") {
        $return_url = urlencode(constant('domainurl') . "/" . constant('thanks_page'));
        // PayPal Standard's own variable is named 'return'; check that the Paypal
        // class maps 'return_url' to it, otherwise the buyer is never sent back.
        $buyNow->addVar('return_url', $return_url);
    }

    header('Location: ' . $buyNow->getLink());
    require_once('clearresource.php');
    ?>
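The replies above recommend escaping every $_GET value before it reaches mysql_query(), and the posted paypal.php tests for a missing row with count(). The following is an added example, not code from this thread or from the PayPal script: it rebuilds the payment_method and products lookups on PDO prepared statements and shows, side by side, what the string-built query does with a crafted id. It runs against an in-memory SQLite database seeded with made-up rows so it works offline; it assumes PHP 7.1 or later with the pdo_sqlite extension, and the table and column names are taken from the posted file.

```php
<?php
// Added example (not from the thread): prepared-statement versions of the
// paypal.php lookups, run against an in-memory SQLite fixture with constructed
// rows. Requires the pdo_sqlite extension. Table/column names follow paypal.php.

function openFixtureDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE payment_method (id INTEGER PRIMARY KEY, email TEXT, currency TEXT, notify_script TEXT)");
    $db->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, waiting_time INTEGER)");
    // Constructed sample rows.
    $db->exec("INSERT INTO payment_method VALUES (1, 'merchant@example.com', 'USD', 'ipn.php')");
    $db->exec("INSERT INTO products VALUES (1, 'Widget', 9.99, 24), (2, 'Gadget', 19.99, 48)");
    return $db;
}

// The pattern criticised in the thread: the raw GET value concatenated into SQL.
function vulnerableLookup(PDO $db, string $table, string $rawId): array
{
    $sql = "SELECT * FROM `$table` WHERE `id`='" . $rawId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Same rule as the posted guard (present and >= 1), but applied to the string
// itself: intval("1' OR '1'='1") is 1, so intval() alone does not reject it.
function requirePositiveInt(array $params, string $key): int
{
    $raw = isset($params[$key]) ? (string) $params[$key] : '';
    if ($raw === '' || !ctype_digit($raw) || (int) $raw < 1) {
        throw new InvalidArgumentException('Unauthorized Access');
    }
    return (int) $raw;
}

// Hardened lookup: $table is chosen by the calling code, only the id is bound.
// fetch() returns false for "no row", so the caller gets null instead of
// relying on count(), which is 1 for false on old PHP and a TypeError on PHP 8.
function fetchRowById(PDO $db, string $table, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM `$table` WHERE `id` = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function demo(): array
{
    $db = openFixtureDb();
    $payload = "1' OR '1'='1";   // constructed attacker value for ?id=

    // The OR clause makes the string-built query match every product row.
    $leaked = vulnerableLookup($db, 'products', $payload);

    try {
        requirePositiveInt(['id' => $payload], 'id');
        $blocked = false;
    } catch (InvalidArgumentException $e) {
        $blocked = true;   // rejected before any SQL runs
    }

    $gadget  = fetchRowById($db, 'products', requirePositiveInt(['id' => '2'], 'id'));
    $missing = fetchRowById($db, 'payment_method', 999);

    return [
        'rows_matched_by_vulnerable_query' => count($leaked),
        'payload_blocked_by_validation'    => $blocked,
        'prepared_lookup_name'             => $gadget['name'],
        'missing_row_is_null'              => $missing === null,
    ];
}

print_r(demo());
```

To use this against the real database, swap the DSN for a mysql: one and keep the lookups as they are; the ext/mysql functions the posted file relies on (mysql_query, mysql_real_escape_string) were removed in PHP 7, while PDO prepared statements work on every supported version and make the escaping step unnecessary.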