Review my Paypal IPN Handler Please

Question

Hey guys!

I wrote an automated donations system for someone, so that people who play on his game servers can enter their information, donate, and automatically be added to a database. Its working great, but im not very php saavy, so I am hoping you guys can take a look and tell me what else I should add. I need to remove them when the subscription ends, which I think is subscr_eot, but I cant find any good examples of using it. And as for the rest I am just hoping it looks okay, thanks!

<?php

// database
include_once('config.php');

//Connect
$db_connect = mysql_connect($DB_host, $DB_username, $DB_password) or die(mysql_error());
mysql_select_db($DB_name) or die(mysql_error());

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value)
{
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$txn_type = $_POST['txn_type'];
$receiver_email = $_POST['receiver_email'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$payer_email = $_POST['payer_email'];
$steam_id = $_POST['custom'];

if ($fp)
{
    fputs ($fp, $header . $req);
    while (!feof($fp))
    {
        $res = fgets ($fp, 1024);
        switch ($res)
        {
            //Payment is Validated
            case 'VERIFIED':

                if(strcmp($payment_status, "Completed") == 0)
                {
                    $firstlast = $first_name[0] . $last_name;
                    $username = strtolower($firstlast);

                    $query = "INSERT INTO sb_admins (user, authid, password, gid, email, validate, extraflags, immunity, srv_group, srv_password) VALUES('". $username ."', '". $steam_id ."', '', -1, '". mysql_real_escape_string($payer_email) ."', 0, 0, 0, '". $sm_group ."', 'password')";
                    mysql_query($query) or die(mysql_error());
                }

                // check that txn_id has not been previously processed
                // check that receiver_email is your Primary PayPal email
                // check that payment_amount/payment_currency are correct
                // process payment
                break;

            case 'INVALID':

                // PAYMENT INVALID & INVESTIGATE MANUALLY!
                $to      = $receiver_email;
                $subject = 'XA - BattleClan | Invalid Donation';
                $message = '

                Dear Administrator,

                A donation has been made but is flagged as INVALID.
                Please verify the payment manually and contact the donator.

                Donator Email: '.$email.'
                ';
                $headers = 'From:[email protected]' . "\r\n";

                mail($to, $subject, $message, $headers);
                break;

            default:
                break;
        }
    }
fclose ($fp);
}

?>

Answer 1

For anyone looking in the future, paypal does call your handler again. It sends notification to whatever url you have for notify_url set to.