php

Status
Not open for further replies.

Berk

berkibap#4233
Developer
Oct 17, 2015
Whatsup boys.

So basically I'm doing the PayGol implementation and this is confusing me a bit.
When you go to paid.php?custom=Berkay&item=SVIP,
it should update user Berkay's (Habshit Plus DB) rank_vip to 1 and add a row into the purchase_logs table.

Everything is fine, but purchase_logs contains this:

id | name | username | approver
---|------|----------|-----------
1  | GVIP | Berkay2  | Shop Staff

The sql:
PHP:
$con->query("INSERT INTO purchase_logs(name,username,approver) VALUES('$item','$custom', '')");
For this case $item = "SVIP" and it should add the name SVIP, but it adds each row as ES and it's really annoying.
Full paid.php page:
Code:
<?php
include("connect.php");
// check that the request comes from PayGol server
/*
if(!in_array($_SERVER['REMOTE_ADDR'],
  array('109.70.3.48', '109.70.3.146', '109.70.3.210'))) {
  header("HTTP/1.0 403 Forbidden");
  die("Nice try.Fuck off now.");
}
*/

// get the variables from PayGol system
$transaction_id    = $_GET['transaction_id'];
$service_id= $_GET['service_id'];
$shortcode= $_GET['shortcode'];
$keyword= $_GET['keyword'];
$message= $_GET['message'];
$sender    = $_GET['sender'];
$operator= $_GET['operator'];
$country= $_GET['country'];
$custom    = $_GET['custom'];
$points    = $_GET['points'];
$price    = $_GET['price'];
$currency= $_GET['currency'];
$item = $_GET['item'];

if($item = "GVIP") {
    
$con->query("UPDATE users SET rank_vip = '2' WHERE username = ". $custom ."");}

if($item  = "SVIP") {
$con->query("UPDATE users SET rank_vip = '1' WHERE username = ".$custom. "");
}
if($item = "ES"){

$con->query("UPDATE users SET rank_vip = 3 WHERE username = " . $custom . "");

}

$con->query("INSERT INTO purchase_logs(name,username,approver) VALUES('$item','$custom', '')"); 
echo $con->error;
include("checkban.php");
header("Location: success.php");
?>


Markshall

Русский Стандарт
Contributor
Dec 18, 2010
You're going to kick yourself but it's a really easy fix.

It's because you're assigning variables, not checking them.

So instead of doing
PHP:
if ($item = "ES") {
You should be doing (not just for "ES", but for all 3 of them)
PHP:
if ($item == "ES") {

It's falling back on the last if statement, which is 'checking' the value of ES. So it's always going to update each row as "ES" rather than the correct value coming from your $_GET variable.
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
No worries, also, as you add ranks, your if statements are going to become really messy. Consider this:

PHP:
$ranks = array(
    "GVIP" => "2",
    "SVIP" => "1",
    "ES"   => "3"
);

// Look the item up by key: in_array() would search the values ("2", "1", "3"),
// so a check like in_array($item, $ranks) never matches a rank name.
if (isset($ranks[$item])) {
    $con->query("UPDATE `users` SET `rank_vip` = '" . $ranks[$item] . "' WHERE `username` = '" . $custom . "'");
} else {
    echo 'Invalid rank.';
}

You can just keep adding more and more ranks to the $ranks array.
 

BIOS

ಠ‿ಠ
Apr 25, 2012
Don't forget to escape $custom, if I'm correct that's the response you get back from the PayPal API and shouldn't be trusted as it could be tampered with.
 

Berk

berkibap#4233
Developer
Oct 17, 2015
It already checks whether you're coming from the PayPal server or not here:
PHP:
if(!in_array($_SERVER['REMOTE_ADDR'],
  array('109.70.3.48', '109.70.3.146', '109.70.3.210'))) {
  header("HTTP/1.0 403 Forbidden");
  die("Nice try.Fuck off now.");
}
 

BIOS

ಠ‿ಠ
Apr 25, 2012
Yes, but I'm saying $custom is the initial user input, isn't it? So the username on your site, which gets forwarded to their API?

Not too sure as I haven't used their API in a while, but I'd recommend escaping all input anyhow, as it's best to be safe.
 
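Putting Markshall's whitelist map and BIOS's escaping advice together, here is a hardened form of the callback (an added example, not the OP's paid.php or anything from PayGol): the item is resolved by key lookup rather than assignment, and both queries use prepared statements so $custom never becomes part of the SQL text. It assumes $con is the mysqli connection that connect.php provides, as in the original.

```php
<?php
// Added example, not the thread author's code. Assumes $con is a mysqli
// connection created by connect.php (as in the original paid.php).

// Purchasable items mapped to rank_vip values; the keys are the only
// values of $item that are accepted.
const RANKS = ['GVIP' => 2, 'SVIP' => 1, 'ES' => 3];

/**
 * Resolve an item name to its rank, or null if the item is not purchasable.
 * A key lookup replaces the if-chain, so the '=' vs '==' mistake cannot recur,
 * and isset() on the key (not in_array() on the values) makes the check correct.
 */
function rankForItem(string $item): ?int
{
    return RANKS[$item] ?? null;
}

/**
 * Apply a purchase: update the user's rank and log it, both with bound
 * parameters. Returns true only when exactly one user row was updated.
 */
function applyPurchase(mysqli $con, string $custom, string $item): bool
{
    $rank = rankForItem($item);
    if ($rank === null) {
        return false;                        // unknown item: do nothing
    }

    $upd = $con->prepare('UPDATE users SET rank_vip = ? WHERE username = ?');
    $upd->bind_param('is', $rank, $custom);  // $custom is sent as data, not SQL
    $upd->execute();
    $updated = ($upd->affected_rows === 1);
    $upd->close();

    if ($updated) {
        $log = $con->prepare(
            'INSERT INTO purchase_logs (name, username, approver) VALUES (?, ?, ?)'
        );
        $approver = '';                      // bind_param needs a variable
        $log->bind_param('sss', $item, $custom, $approver);
        $log->execute();
        $log->close();
    }
    return $updated;
}

// Usage in paid.php, after the REMOTE_ADDR allow-list check has been re-enabled:
// $ok = applyPurchase($con, (string)($_GET['custom'] ?? ''), (string)($_GET['item'] ?? ''));
```

The return value lets the page redirect to success.php only when a row was actually updated, instead of unconditionally as the original does.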

Berk

berkibap#4233
Developer
Oct 17, 2015
Ah yes, thanks for the heads up.
 