I'm currently using 2Checkout for my site, but I always have to pass the payment manually on my site. Customers pay successfully, but my IPN script never verifies the payment; I always get the message HASH MISMATCH in the log file.

```php
<?php
$hash=mysql_query("SELECT * FROM payment WHERE id='1' ");
$hashSecretWord=mysql_fetch_array($hash['hash']);
$hashSid = mysql_fetch_array($hash['sid']);
$hashTotal = '135.00';
$hashOrder = $_REQUEST['order_number'];
$StringToHash = strtoupper(md5($hashSecretWord . $hashSid . $hashOrder . $hashTotal));

if ($StringToHash != $_REQUEST['key']) {
    //No order processing
} else {
    //Processing order
}
```

Can anyone help, please?
Well, you're fetching more than once; as far as I know you can only do that once. And you're fetching a variable array? That makes no sense to me. Why not (and use mysqli, not mysql):

```php
// $conn is an open mysqli connection
$hash=mysqli_query($conn,"SELECT * FROM payment WHERE id='1' ");
$row=mysqli_fetch_array($hash); // fetch the row once, then read its columns
$hashSecretWord=$row['hash'];
$hashSid = $row['sid'];
$hashTotal = '135.00';
$hashOrder = $_REQUEST['order_number'];
$StringToHash = strtoupper(md5($hashSecretWord . $hashSid . $hashOrder . $hashTotal));

if ($StringToHash != $_REQUEST['key']) {
    //No order processing
} else {
    //Processing order
}
```
You cannot call mysql_fetch_array twice like that. On the second call to mysql_fetch_array, you are setting the value of $hashSid to false, assuming there is only one row returned from the database.
Webstumbler and samyak are on the right track, though really I'd have to see the actual table layout to make sense of what you are doing, as generally speaking you've got gibberish there. The dual _fetch_array isn't necessarily wrong, so much as what you are passing to it, which is complete gibberish. $hash would be a mysql_ handler, and as such it wouldn't have EITHER of those array indexes (hash and sid) since IT'S NOT AN ARRAY. It would also make more sense if you did a _fetch_assoc, since you don't seem to be using numeric indexes.

The lack of any error handling is also bad, and I'd also be shirking my duty if I failed to mention that really any script written after 2005 has no business using the long deprecated mysql_ functions, hence the GIANT RED WARNING BOXES on all the functions in the manual.

I'm guessing wildly, but if you were to use the outdated, outmoded, half-assed mysql_ functions, it should probably go:

```php
$result = mysql_query("SELECT * FROM payment WHERE id = 1");
if ($row = mysql_fetch_assoc($result)) {
    $hashTotal = '135.00';
    $hash = strtoupper(md5(
        $row['hash'] .
        $row['sid'] .
        $_REQUEST['order_number'] .
        $hashTotal
    ));
    if ($hash == $_REQUEST['key']) {
        // process order
    } else {
        // reject order
    }
} // closes the fetch check (this brace was missing in the posted snippet)
```

Some other suggestions: STOP making extra variables you don't need, STOP using names on variables that have nothing to do with what they are, always process the most likely condition FIRST, and consider switching to a secure hashing method like sha256 or sha512, given that MD5 has been rainbow tabled to death and cracked, making it about as secure as using nothing at all.
Actually, I'm not using a prepared statement, but let me try your advice. I guess I'm mistaken here. Let me try it and I will update here... After reading it, I think I need to echo the result; it seems I'm mistaken here too. Thank you all, guys, for the great help. I will update you if this script works after reading all the suggestions.
You cannot use mysql_fetch_array like that. OK, try this and let me know.

```php
$hash=mysql_fetch_array(mysql_query("SELECT * FROM payment WHERE id='1' "),MYSQL_BOTH);
$hashSecretWord=$hash['hash'];
$hashSid = $hash['sid']; // stray ")" from the posted snippet removed
$hashTotal = '135.00';
$hashOrder = $_REQUEST['order_number'];
$StringToHash = strtoupper(md5($hashSecretWord . $hashSid . $hashOrder . $hashTotal));

if ($StringToHash != $_REQUEST['key']) {
    //No order processing
} else {
    //Processing order
}
```

Important! Have you checked the IPN message notification from your 2Checkout account? See the 2Checkout INS Documentation.

The above code should be placed in your IPN listener, like TwoCo.php. Example: www.yoursite.com/TwoCo.php (above code in this file); this will be your IPN notification URL in the 2Checkout account setup.

Try it and update me, my friend. Good luck.
It works! Thanks a lot, urock_ltd. Your code works for me without any problem. I had another mistake, which you really pointed me in the right direction on: I put the wrong URL in the 2Checkout admin panel. You saved me. Thank you very much to everyone who helped me...
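
An added example (not code from any poster in this thread) of the key check discussed above, written as pure functions so it runs without a database and fails closed when the secret, sid or request fields are missing. The function names `expected_key` and `verify_key` are hypothetical, and the secret word, sid and order number are constructed sample values.

```php
<?php
// Added example, not the posters' code. All sample values are constructed.

/** Key formula used in this thread: UPPER(MD5(secret . sid . order . total)). */
function expected_key(string $secret, string $sid, string $order, string $total): string
{
    return strtoupper(md5($secret . $sid . $order . $total));
}

/** True only when every input is present and the received key matches. */
function verify_key(array $row, array $request, string $total): bool
{
    // Fail closed on missing data instead of silently hashing empty strings.
    foreach (['hash', 'sid'] as $col) {
        if (!isset($row[$col]) || $row[$col] === '') {
            error_log("payment row is missing column '$col'");
            return false;
        }
    }
    foreach (['order_number', 'key'] as $field) {
        if (!isset($request[$field]) || !is_string($request[$field])) {
            error_log("request is missing '$field'");
            return false;
        }
    }
    $expected = expected_key((string) $row['hash'], (string) $row['sid'],
                             $request['order_number'], $total);
    // hash_equals() is a strict, constant-time comparison, unlike != or ==.
    return hash_equals($expected, $request['key']);
}

// Constructed stand-ins for the `payment` row and the incoming request.
$row     = ['hash' => 'example-secret-word', 'sid' => '1234567'];
$total   = '135.00'; // from the merchant's own order record, not from the request
$request = ['order_number' => '9876543210'];
$request['key'] = expected_key($row['hash'], $row['sid'], $request['order_number'], $total);

// Case 1: a correctly fetched row and a valid key.
var_dump(verify_key($row, $request, $total));

// Case 2: what the first post effectively hashed. As the replies explain, the
// secret and sid never came out of the result set, so they concatenate as "".
$broken = expected_key('', '', $request['order_number'], $total);
var_dump(hash_equals($broken, $request['key']));

// Case 3: no row returned from the database; the check rejects and logs why.
var_dump(verify_key([], $request, $total));
```

In a real listener `$row` would come from a parameterised mysqli or PDO query; logging which input was missing, as this sketch does, separates a lookup failure from a genuine key mismatch.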