
PayPal IPN - short (original script by stian) v.1, v.2, v.3

Here's my (only ipn.php)
PHP:
<?PHP
## SCRIPTED BY ZONET=BOYKA
require('../config.php');
$paypal['email'] = "[email protected]";
$account_name = stripslashes(ucwords(strtolower(trim($_REQUEST['custom']))));
$myEmail = $_REQUEST['receiver_email'];
$status = $_REQUEST['payment_status'];
$points = (int) $_REQUEST['item_name']; // cast to int: the value is concatenated into the SQL below
$mysqli = new mysqli($config['database']['host'], $config['database']['login'], $config['database']['password'], $config['database']['database']) or die('Cant connect');

if(gethostbyaddr($_SERVER['REMOTE_ADDR']) != 'notify.paypal.com') {
    exit('...');
}
if($status == "Completed" && $myEmail == $paypal['email']) {
	$mysqli->query('UPDATE `accounts` SET `premium_points` = `premium_points`+'.$points.' WHERE `name` = "'.$mysqli->real_escape_string($account_name).'";');
	$f = fopen("paypal.txt", "a");
	$log = "Status: ".$status.", Points: ".$points.", Account: ".$account_name."\n";
	fwrite($f, $log);
	fclose($f);
}
else
	echo 'Error.';
?>
I added the gethostbyaddr when I saw Talaturen's post, but it worked well before too.

I think it should be like this
PHP:
else {
    echo 'Error.';
}
Correct me if I'm wrong :D
 
What about this version?

PHP:
<?php
	
	## ## ## ## ## ## ## ##
	## PayPal IPN script ##
	##     by archez     ##
	## ## ## ## ## ## ## ##
	##  fixes at otland  ##
	## ## ## ## ## ## ## ##
	## first  script  by ##
	## stian,  at otland ##
	## http://otland.net ##
	## ## ## ## ## ## ## ##
	
	if(gethostbyaddr($_SERVER['REMOTE_ADDR']) != 'notify.paypal.com')
	{ 
		exit();
	}
	
	if(!empty($_REQUEST['debug'])) // !empty() avoids an undefined-index notice when no debug parameter is sent
	{
		ini_set('display_errors', true);
		error_reporting(E_ALL);
	}
	
	// MySQLi connection
	$mysql = new mysqli('localhost', 'root', 'password', 'database');
	
	// Variables, don't touch!
	$receiverEmail = $_REQUEST['receiver_email'];
	$paymentStatus = $_REQUEST['payment_status'];
	$mcGross = $_REQUEST['mc_gross'];
	$mcCurrency = $_REQUEST['mc_currency'];
	$customValue = stripslashes(ucwords(strtolower(trim($_REQUEST['custom']))));  
	
	// Prices
	$prices = array('10.00' => 20, '20.00' => 40, '30.00' => 60, '40.00' => 80);
	
	// Setup
	$receiver = '[email protected]';
	$currency = 'EUR';
	$whatToDo = 1; // 1 - delete, 2 - custom
	
	// Unwanted people IP addresses
	$unwanted = array('66.211.170.66', '216.113.188.202', '216.113.188.203', '216.113.188.204', '216.113.188.205', '66.135.197.163', '66.135.197.164', '66.135.197.162', '66.135.197.141', '216.113.191.33');
	
	if(in_array($_SERVER['REMOTE_ADDR'], $unwanted))
	{
		exit();
	}
	
	if($paymentStatus == 'Completed' && $receiverEmail == $receiver && isset($prices[$mcGross]) && $mcCurrency == $currency)
	{
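		// $mcGross (not $mc_gross) is the variable set above; the account name is escaped before it reaches SQL
		$mysql->query('UPDATE `accounts` SET `premium_points` = `premium_points` + ' . $prices[$mcGross] . ' WHERE `name` = "' . $mysql->real_escape_string($customValue) . '"');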
	}
	elseif($paymentStatus == 'Reversed' && $receiverEmail == $receiver)
	{
		if($whatToDo == 1)
		{
			$mysql->query('DELETE FROM `accounts` WHERE `name` = "' . $mysql->real_escape_string($customValue) . '"');
		}
		elseif($whatToDo == 2)
		{
			// if not deleting, what to do?
		}
	}
	else
	{
		exit();
	}
	
?>
 
Archez, it's just useless that u are checking for the $unwanted as u already did at the top so only paypal can access. And that's how it should be. If u have unwanteds block them by their email, ip address can easily be changed.
 
Archez, it's just useless that u are checking for the $unwanted as u already did at the top so only paypal can access. And that's how it should be. If u have unwanteds block them by their email, ip address can easily be changed.

Yeah, I was thinking about that (as it was stian's decision or artii's to put that list of ips), I also think it's useless, so I'll remove it. '.'
 
PHP:
$unwanted = array('66.211.170.66', '216.113.188.202', '216.113.188.203', '216.113.188.204', '216.113.188.205', '66.135.197.163', '66.135.197.164', '66.135.197.162', '66.135.197.141', '216.113.191.33');
    
    if(in_array($_SERVER['REMOTE_ADDR'], $unwanted))
LOL? You're blocking all of the PayPal IPs? Sure, you can use the thing on the top, but it will be rendered useless now that you block everything else. Btw, both methods are wrong. And your method allows me to use a tiny bit of a backdoor to make fake IPN requests (don't ask me about it). Here is a good method doing it the proper way:

PHP:
<?php

    // MySQLi connection
    $mysql = new mysqli('localhost', 'root', 'password', 'database');
    
    // Variables, don't touch!
    $receiverEmail = $_POST['receiver_email'];
    $paymentStatus = $_POST['payment_status'];
    $mcGross = $_POST['mc_gross'];
    $mcCurrency = $_POST['mc_currency'];
    $customValue = stripslashes(ucwords(strtolower(trim($_POST['custom']))));  
    
    // Prices
    $prices = array('10.00' => 20, '20.00' => 40, '30.00' => 60, '40.00' => 80);
    
    // Setup
    $receiver = '[email protected]';
    $currency = 'EUR';
    $whatToDo = 1; // 1 - delete, 2 - custom

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}

// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);


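if(!$fp) {
        die("Error."); // No response from PayPal server
}
@fputs ($fp, $header . $req);
$verified = false;
while (!feof($fp)) {
        // trim the line ending so the comparison matches the bare status word
        $res = trim((string) fgets ($fp, 1024));

        if(strcmp($res, "INVALID") == 0) {
          die("Error."); // INVALID
        }
        if(strcmp($res, "VERIFIED") == 0) {
          $verified = true; // remember it even if an empty read follows
        }
}
fclose($fp);
if(!$verified) {
 die("Error."); // Not VERIFIED
}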
    
    if($paymentStatus == 'Completed' && $receiverEmail == $receiver && isset($prices[$mcGross]) && $mcCurrency == $currency)
    {
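        // $mcGross (not $mc_gross) is the variable set above; the account name is escaped before it reaches SQL
        $mysql->query('UPDATE `accounts` SET `premium_points` = `premium_points` + ' . $prices[$mcGross] . ' WHERE `name` = "' . $mysql->real_escape_string($customValue) . '"');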
    }
    elseif($paymentStatus == 'Reversed' && $receiverEmail == $receiver)
    {
        if($whatToDo == 1)
        {
            $mysql->query('DELETE FROM `accounts` WHERE `name` = "' . $mysql->real_escape_string($customValue) . '"');
        }
        elseif($whatToDo == 2)
        {
            // if not deleting, what to do?
        }
    }
?>
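
The post-back check from the post above, written out as an added example that is not code from this thread. It goes a step further than the post by using prepared statements and recording `txn_id` so a replayed notification is not credited twice; the `paypal_txn` table, the receiver address and the database credentials are assumptions.

```php
<?php
// Added example, not from the thread. Settings mirror the posts above; the
// `paypal_txn` table (InnoDB, UNIQUE `txn_id`) and the address are assumptions.
$receiver = 'seller@example.com';
$currency = 'EUR';
$prices   = array('10.00' => 20, '20.00' => 40, '30.00' => 60, '40.00' => 80);

// Post the untouched request body back to PayPal; only "VERIFIED" is trusted.
function ipn_is_verified($rawBody) {
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, array(
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // the answer must come from PayPal's
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate, not just any TLS peer
    ));
    $res = curl_exec($ch);
    return is_string($res) && trim($res) === 'VERIFIED';
}

// Points to credit for a verified notification; 0 means credit nothing.
function points_for(array $p, $receiver, $currency, array $prices) {
    $ok = isset($p['payment_status'], $p['receiver_email'], $p['mc_currency'],
                $p['mc_gross'], $p['custom'], $p['txn_id'])
        && $p['payment_status'] === 'Completed'
        && strcasecmp($p['receiver_email'], $receiver) === 0
        && $p['mc_currency'] === $currency
        && isset($prices[$p['mc_gross']]);
    return $ok ? $prices[$p['mc_gross']] : 0;
}
$raw    = file_get_contents('php://input');
$points = ipn_is_verified($raw) ? points_for($_POST, $receiver, $currency, $prices) : 0;
if ($points > 0) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli('localhost', 'user', 'password', 'database');
    $db->begin_transaction();
    try {
        // A replayed notification violates the UNIQUE key and credits nothing.
        $s = $db->prepare('INSERT INTO `paypal_txn` (`txn_id`) VALUES (?)');
        $s->bind_param('s', $_POST['txn_id']);
        $s->execute();
        $s = $db->prepare('UPDATE `accounts` SET `premium_points` = `premium_points` + ? WHERE `name` = ?');
        $s->bind_param('is', $points, $_POST['custom']);
        $s->execute();
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
    }
}
```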
 

And where the hell you define $payment_status? :/

@Edit:
Mine ipn btw:
Code:
<?PHP
	if(gethostbyaddr($_SERVER['REMOTE_ADDR']) != 'notify.paypal.com' || !isSet($_REQUEST['receiver_email']) || !isSet($_REQUEST['payment_status']) || !isSet($_REQUEST['mc_gross']))
		die('<html><title>Don\'t fuck with me.</title><body bgcolor="black"><center><img src="./images/dontfuck.png" /></center></body></html>');

	include('./POT/OTS.php');
	$ots = POT::getInstance();
	$ots->connect(POT::DB_MYSQL, array('host' => 'host', 'user' => 'user', 'password' => 'password', 'database' => 'db'));

	$costs = array('2.0' => 150, '4.0' => 400, '6.0' => 700);
	if(!isSet($costs[$_REQUEST['mc_gross']])) die; // isSet() avoids an undefined-index notice for unknown amounts

	$account = new OTS_Account();
	$account->load($_REQUEST['custom']);
	if(!$account->isLoaded()) die;

	if($_REQUEST['payment_status'] == 'Completed')
		$account->setPremiumPoints($account->getPremiumPoints() + $costs[$_REQUEST['mc_gross']]);
	elseif($_REQUEST['payment_status'] == 'Reversed') // "else(...)" was a parse error
		$account->setDeleted();
	else
		die('Unhandled payment status.');

	unSet($account);
	unSet($SQL);
	unSet($ots);
?>

What was wrong here?

$paymentStatus = $_POST['payment_status'];

My Chrome failed to find lol, when I saw if $paymentStatus~ I opened CTRL+F and tried to find it but Chrome didn't show :D.
 
In $paymentsStatus=='reserved', I want to ban the account forever!
Can someone make this script for me?
Ty!
 
In $paymentsStatus=='reserved', I want to ban the account forever!
Can someone make this script for me?
Ty!

Why not use one of the scripts posted here (for instance mine 3-4 revs back), it will delete the account if they do a chargeback, much faster to load than bans forever.
 
I'm wondering about this line
if(gethostbyaddr($_SERVER['REMOTE_ADDR']) != 'notify.paypal.com')

Can someone explain it, should I change it? cuz there is no link called notify.paypal.com
 
Yes, you should change it since PayPal have changed their IPN addresses.

PHP:
if(!in_array($_SERVER['REMOTE_ADDR'], array('173.0.81.1','173.0.81.33','66.211.170.66')))
{
    exit;
}
 