Evening all. What I am wanting to do is, after a user has clicked on a 'buynow' button for PayPal, firstly go to a page that stores the items they have bought in a DB and then redirect to the PayPal payment.

This is what I have:

<?php

if(isset($_POST['cmd']) && isset($_POST['hosted_button_id']) && isset($_POST['diskSpace']) && isset($_POST['bandwidth']) && isset($_POST['subdomains']) && isset($_POST['additionalftp']) && isset($_POST['mysqldatabases']) && isset($_POST['emailforwarding']) && isset($_POST['autoresponders']) && isset($_POST['emaildistribution']) && isset($_POST['mailboxes']) && isset($_POST['oneclick']) && isset($_POST['operatingsystem'])){

    $cmd = $_POST['cmd'];
    $custom =  md5(date("his").microtime());
    $hosted_button_id = $_POST['hosted_button_id'];

    $diskSpace = $_POST['diskSpace'];
    $bandwidth = $_POST['bandwidth'];
    $subdomains = $_POST['subdomains'];
    $additionalftp = $_POST['additionalftp'];
    $mysqldatabases = $_POST['mysqldatabases'];
    $emailforwarding = $_POST['emailforwarding'];
    $autoresponders = $_POST['autoresponders'];
    $emaildistribution = $_POST['emaildistribution'];
    $mailboxes = $_POST['mailboxes'];
    $oneclick = $_POST['oneclick'];
    $operatingsystem = $_POST['operatingsystem'];

    $con = mysql_connect('localhost', '', '');
    $db = mysql_select_db('', $con);    

    if(!mysql_query("SELECT * FROM `hostingAccounts` ORDER BY id")){
        $createTable = ("CREATE TABLE IF NOT EXISTS `hostingAccounts` (
        `id` INT( 10 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
        `ref` TEXT NOT NULL, 
        `disk_space` TEXT NOT NULL, 
        `bandwidth` TEXT NOT NULL, 
        `sub_domains` TEXT NOT NULL, 
        `additional_ftp` TEXT NOT NULL, 
        `mysql_databases` TEXT NOT NULL, 
        `email_forwarding` TEXT NOT NULL, 
        `auto_responders` TEXT NOT NULL, 
        `email_distribution` TEXT NOT NULL, 
        `mailboxes` TEXT NOT NULL, 
        `one_click_apps` TEXT NOT NULL, 
        `operating_system` TEXT NOT NULL, 
        `payer_email` TEXT NOT NULL, 
        `first_name` TEXT NOT NULL, 
        `last_name` TEXT NOT NULL, 
        `payer_id` TEXT NOT NULL, 
        `address_street` TEXT NOT NULL, 
        `address_city` TEXT NOT NULL, 
        `address_state` TEXT NOT NULL, 
        `address_zip` TEXT NOT NULL, 
        `address_country` TEXT NOT NULL
        ) ENGINE = MYISAM CHARACTER SET utf8 COLLATE utf8_general_ci;");

        mysql_query($createTable);
    } 

    mysql_query("INSERT INTO `hostingAccounts` (ref, disk_space, bandwidth, sub_domains, additional_ftp, mysql_databases, email_forwarding, auto_responders, email_distribution, mailboxes, one_click_apps,  operating_system) VALUES ('$custom', '$diskSpace', '$bandwidth', '$subdomains', '$additionalftp', '$mysqldatabases', '$emailforwarding', '$autoresponders', '$emaildistribution', '$mailboxes', '$oneclick', '$operatingsystem')") or die (mysql_error());

    $host = "https://www.paypal.com";
    $path = "/cgi-bin/webscr";
    $data = "cmd=".$cmd."&hosted_button_id=".$hosted_button_id."&custom=".$custom;
    $data = urlencode($data);

    header("POST $path HTTP/1.1\r\n" );
    header("Host: $host\r\n" );
    header("Content-type: application/x-www-form-urlencoded\r\n" );
    header("Content-length: " . strlen($data) . "\r\n" );
    header("Connection: close\r\n\r\n" );
    header($data);
}
?> 

Problem being it just comes up with "Internal Server Error". Can anyone see what I'm doing wrong?

A: 

Edit:

header("POST $path HTTP/1.1\r\n" );

You might try using the curl_* family of functions if you want to do a POST within your script.

Also, you need to attempt to sanitize your client's input:

$cmd = $_POST['cmd'];

Also, why not just create the table yourself? It's a lot of needless overhead to be doing that select every request: (not to mention pretty wonky - you have your DB schema in your code ...)

if(!mysql_query("SELECT * FROM `hostingAccounts` ORDER BY id")){
        $createTable = ("CREATE TABLE IF NOT EXISTS `hostingAccounts` (
        `id` INT( 10 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
Mr-sk
at least, give em solution
silent
heh ok ok Let me edit my answer
Mr-sk
Let's not discourage people from asking questions by mocking them, asking questions is one way we learn. Let's engage with them constructively. (And indeed, the OP needs to learn about the issues you've kindly provided links for.)
T.J. Crowder
ok sorry, I'll edit it (again)
Mr-sk
I need to add the data to the database for a few reasons. 1, once the payment is accepted I use the PayPal API to send and receive the reference code to a script which then looks up the specification required for the hosting package bought and then uses another API to create that hosting package, activate and then send on the relevant information off to the client.
Phil Jackson
forgot to mention they are custom hosting packages not pre made.
Phil Jackson
Phil Jackson
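The answer above asks for the client's input to be sanitized before it reaches the query. As an added example (not code from the thread), the sketch below validates a subset of the form fields against an allowlist and stores them with a prepared statement. The numeric ranges, the operating-system list and the in-memory SQLite table standing in for MySQL are assumptions.

```php
<?php
// Added example, not the asker's code; SQLite in memory stands in for MySQL.
const INT_FIELDS = ['diskSpace', 'bandwidth', 'mailboxes']; // assumed whole numbers
const OS_CHOICES = ['linux', 'windows'];                    // hypothetical allowlist

function validateOrder(array $post): array
{
    $clean = [];
    foreach (INT_FIELDS as $name) {
        // Accept only an integer in a sane range; everything else is rejected.
        $value = filter_var($post[$name] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
        if ($value === false) {
            throw new InvalidArgumentException("invalid $name");
        }
        $clean[$name] = $value;
    }
    $os = $post['operatingsystem'] ?? '';
    if (!in_array($os, OS_CHOICES, true)) {
        throw new InvalidArgumentException('invalid operatingsystem');
    }
    return $clean + ['operatingsystem' => $os];
}

function storeOrder(PDO $db, array $clean): string
{
    $ref = bin2hex(random_bytes(16)); // unpredictable, unlike md5() of the clock
    $stmt = $db->prepare(
        'INSERT INTO hostingAccounts (ref, disk_space, bandwidth, mailboxes, operating_system)
         VALUES (:ref, :disk, :bw, :mail, :os)');
    // Values are bound as parameters, never concatenated into the SQL text.
    $stmt->execute([':ref' => $ref, ':disk' => $clean['diskSpace'], ':bw' => $clean['bandwidth'],
        ':mail' => $clean['mailboxes'], ':os' => $clean['operatingsystem']]);
    return $ref;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE hostingAccounts (id INTEGER PRIMARY KEY, ref TEXT,
    disk_space INTEGER, bandwidth INTEGER, mailboxes INTEGER, operating_system TEXT)');

// Constructed sample submissions: one valid, one with a malformed field.
$good = ['diskSpace' => '500', 'bandwidth' => '2000', 'mailboxes' => '10',
         'operatingsystem' => 'linux'];
$bad = ['diskSpace' => "500'"] + $good;

echo 'stored ref: ', storeOrder($db, validateOrder($good)), "\n";
try { validateOrder($bad); } catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

With MySQL only the DSN and the column types change; the validation and the bound parameters stay the same.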
A: 

header() cannot do POST to another server.
Use curl or Zend_Http or PEAR's Http_Client

Gordon
A: 

Would you be able to tell me why this does not redirect?

$sendTo = "https://www.paypal.com/cgi-bin/webscr";
$header[] = "Content-type: text/html";

$dataArray[] = "cmd=".$cmd;
$dataArray[] = "hosted_button_id=".$hosted_button_id;
$dataArray[] = "custom=".$custom;

$post = implode($dataArray, '&');
$post = urlencode($post);


$ch = curl_init();
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_FAILONERROR, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $header);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);

die();
Phil Jackson
Why are you calling "die();"...you won't give the script time to finish execution.
Mr-sk
Still nothing. Does curl actually redirect the user?
Phil Jackson
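curl sends its request from the web server and hands PayPal's response back to the script, so the visitor's browser is not moved anywhere. As an added example (not from the thread), one way to send the browser itself to PayPal after the database insert is to return a small auto-submitting form; the field-format pattern and the sample values are assumptions.

```php
<?php
// Added example, not from the thread: build the page that sends the visitor's
// own browser to PayPal once the order row has been stored.
const PAYPAL_URL = 'https://www.paypal.com/cgi-bin/webscr'; // endpoint from the question

function paypalHandoffPage(array $fields): string
{
    $inputs = '';
    foreach (['cmd', 'hosted_button_id', 'custom'] as $name) {
        $value = $fields[$name] ?? '';
        // Assumed format: short token of letters, digits, "_" and "-".
        if (!is_string($value) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value)) {
            throw new InvalidArgumentException("invalid $name");
        }
        // Escape on output even though the pattern already excludes markup.
        $inputs .= sprintf("  <input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
            $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return "<!DOCTYPE html>\n<html><body onload=\"document.forms[0].submit()\">\n"
        . '<form method="post" action="' . PAYPAL_URL . "\">\n" . $inputs
        . "  <noscript><button type=\"submit\">Continue to PayPal</button></noscript>\n"
        . "</form>\n</body></html>\n";
}

// Constructed placeholder values; `custom` would be the stored reference.
echo paypalHandoffPage([
    'cmd' => 'EXAMPLE_CMD',
    'hosted_button_id' => 'EXAMPLEBUTTON1',
    'custom' => bin2hex(random_bytes(16)),
]);
```

Because the browser makes the request, no server-side TLS options are involved, and the `CURLOPT_SSL_VERIFYPEER` / `CURLOPT_SSL_VERIFYHOST` overrides in the snippet above are not needed.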