Fixed Paypal Script

Sync · Jul 1, 2009

Well this script was made by Sliver and posted in the Paypal Script thread but its at the back and not many people see it. What it does is block the people from using 1 cent donations.

ALL the credits go to Sliver for Making it not possible to make invalid payments, and Credit to Artii and or Gunz for creating the actual script.

Change the

Code:

$mc_gross == "##.##") {

To the ammount your soppose to receive

example:

Code:

$mc_gross == "5.00") {

Heres the full IPN code (Update: He made it Log the paypal Email and the Character name now aswell)

Code:

<?  
$mysql_host = 'localhost'; //Leave at localhost  
$mysql_user = 'root'; //DB User  
$mysql_pass = ''; //DB Pass  
$mysql_db = ''; //DB Name  
$file = 'paypal.log'; //Paypal Log Name will be placed in the same location as your ipn.php file 

$custom = stripslashes(ucwords(strtolower(trim($_REQUEST['custom']))));  
$receiver_email = $_REQUEST['receiver_email'];  
$payment_status = $_REQUEST['payment_status'];  
$mc_gross = $_REQUEST['mc_gross'];  
$payer_email = $_REQUEST['payer_email']; 

$somecode = "'$custom' '$payer_email' '$mc_gross'"; 

// connect db  

$db = mysql_connect($mysql_host, $mysql_user, $mysql_pass);  
mysql_select_db($mysql_db, $db);  
if ($payment_status == "Completed" & $receiver_email == "[email protected]" & $mc_gross == "##.##") {  

$query = "SELECT premium_points FROM accounts WHERE accounts.name = '$custom'";  

$result = mysql_query($query);  

$prem = mysql_fetch_array($result);  

$points = $prem['premium_points'] + 12;  
// $points = mysql_query($prem)  
$qry2 = "UPDATE accounts SET premium_points = '$points' WHERE accounts.name = '$custom'";  
// Log Paypal Transaction 
$hak = fopen($file, "a"); 
fwrite($hak, $somecode); 
fclose($hak); 

$result2 = mysql_query($qry2);  
}  
else  
 {   
 echo("Error.");  
 }  
?>

Red · Jul 1, 2009

Very helpful! Looks nice.
Dare I say, thank you

Although, it's a bit different from Artii's and 0.2 TFS, you may have to post a bit more information on it to be beneficial for everybody

Red

Sliver · Jul 1, 2009

Thanks Chris! I've also created the ipn.php file to log all of the transactions so you can Ban the accounts that do chargebacks.

Anyone interested?

Red · Jul 1, 2009

sliver said:
Thanks Chris! I've also created the ipn.php file to log all of the transactions so you can Ban the accounts that do chargebacks.

Anyone interested?

Very! Send me a PM and add my msn ^_^

Red

Sliver · Jul 1, 2009

chris77 said:

Well this script was made by Sliver and posted in the Paypal Script thread but its at the back and not many people see it. What it does is block the people from using 1 cent donations.

ALL the credits go to Sliver.

Change the

Code:

$mc_gross == "##.##") {

To the ammount your soppose to receive

example:

Code:

$mc_gross == "5.00") {

Heres the full IPN code

Code:

<? 
$mysql_host = 'localhost'; //Leave at localhost 
$mysql_user = 'root'; //DB User 
$mysql_pass = ''; //DB Pass 
$mysql_db = ''; //DB Name 

$custom = stripslashes(ucwords(strtolower(trim($_REQUEST['custom'])))); 
$receiver_email = $_REQUEST['receiver_email']; 
$payment_status = $_REQUEST['payment_status']; 
$mc_gross = $_REQUEST['mc_gross']; 

// connect db 

$db = mysql_connect($mysql_host, $mysql_user, $mysql_pass); 
mysql_select_db($mysql_db, $db); 
if ($payment_status == "Completed" & $receiver_email == "[email protected]" & $mc_gross == "##.##") { 

$query = "SELECT premium_points FROM accounts WHERE accounts.name = '$custom'"; 

$result = mysql_query($query); 

$prem = mysql_fetch_array($result); 

$points = $prem['premium_points'] + 12; 
// $points = mysql_query($prem) 
$qry2 = "UPDATE accounts SET premium_points = '$points' WHERE accounts.name = '$custom'"; 

$result2 = mysql_query($qry2); 
} 
else 
 {  
 echo("Error."); 
 } 
?>

Actually it was Artii and/or Gunz script. I just edited it...

Sliver · Jul 1, 2009

Here is the updated ipn.php version that includes Logging of the account number and buyers email address:

PHP:

<? 
$mysql_host = 'localhost'; //Leave at localhost 
$mysql_user = 'root'; //DB User 
$mysql_pass = ''; //DB Pass 
$mysql_db = ''; //DB Name 
$file = 'paypal.log'; //Paypal Log Name will be placed in the same location as your ipn.php file

$custom = stripslashes(ucwords(strtolower(trim($_REQUEST['custom'])))); 
$receiver_email = $_REQUEST['receiver_email']; 
$payment_status = $_REQUEST['payment_status']; 
$mc_gross = $_REQUEST['mc_gross']; 
$payer_email = $_REQUEST['payer_email'];

$somecode = "'$custom' '$payer_email' '$mc_gross'";

// connect db 

$db = mysql_connect($mysql_host, $mysql_user, $mysql_pass); 
mysql_select_db($mysql_db, $db); 
if ($payment_status == "Completed" & $receiver_email == "[email protected]" & $mc_gross == "##.##") { 

$query = "SELECT premium_points FROM accounts WHERE accounts.name = '$custom'"; 

$result = mysql_query($query); 

$prem = mysql_fetch_array($result); 

$points = $prem['premium_points'] + 12; 
// $points = mysql_query($prem) 
$qry2 = "UPDATE accounts SET premium_points = '$points' WHERE accounts.name = '$custom'"; 
// Log Paypal Transaction
$hak = fopen($file, "a");
fwrite($hak, $somecode);
fclose($hak);

$result2 = mysql_query($qry2); 
} 
else 
 {  
 echo("Error."); 
 } 
?>

Evan · Jul 1, 2009

Thanks a lot sliver!
Now I can fuk those chargebackers...

Sync · Jul 2, 2009

I changed the script on the front page to your updated one sliver. gj btw

Keiro · Jul 2, 2009

how to use this on gesior acc for tfs 0.3.4spl2? , i got the ipn.php but i dont find the other things..with the price "5.00" etc..:O

i mean, where do i find $mc_gross == "5.00") {
?!?!?!?!?!

Sync · Jul 2, 2009

Follow the setup on this thread

http://otland.net/f118/paypal-script-release-24188/

Then change the script to the updated script posted on here.

richux · Jul 2, 2009

Is this one mysql injection safe?

Sliver · Jul 2, 2009

If you followed the original post of the Paypal script from Arti it included and .htaccess file which is placed in the ipn directory. No one should have access to the directory except for Paypal. When someone donates, Paypal send an IPN (Instant Payment Notification) to the address you set within your paypal account. It should be sent to the ipn.php file located on your webserver.

Since Injection schemes need access to files to inject incorrect data, these types of attacks should not work if you have the .htaccess file setup correctly.

Keiro · Jul 2, 2009

chris77 said:
Follow the setup on this thread

http://otland.net/f118/paypal-script-release-24188/

Then change the script to the updated script posted on here.

i know..i have ti configurated already, but after cvhanging the scrpt i dont find mc_gross anywhere!

Keiro · Jul 2, 2009

mc_gross == "##.##") {

this is what i dont find on the script -.-, sry double post, no edit option

Keiro · Jul 2, 2009

nvm found it, triple post my bad, why i got n oedit option? oO

Sync · Jul 7, 2009

Bump, i think some more people might benefit from this

Sync · Jul 20, 2009

Maybe try using the script thats actually updated.. lawl

Victor · Aug 6, 2009

HAHAHAHAHHA. I have nice bug. Its not fixed how it should be. All ots with paypal donations (under this script) will HACKED

.

ScorpiOOn93 · Aug 6, 2009

@Up
Cool

And of course you can't write what is that bug to help everyone and something like that, you just want to be a "cool pr0" with saying that.

Guitar Freak · Aug 6, 2009

ScorpiOOn93 said:
@Up
Cool And of course you can't write what is that bug to help everyone and something like that, you just want to be a "cool pr0" with saying that.

Agreed. But not a "cool pr0", more like a selfish smartass.

Fixed Paypal Script

Ø,ø

Cyntara.org

New Member

Cyntara.org

New Member

New Member

A splendid one to behold

Ø,ø

New Member

Ø,ø

Tibera.org

New Member

New Member

New Member

New Member

Ø,ø

Ø,ø

New Member

etherno.net

_LüA_n☺b_