基于变量 MYSQL IPN 的 substr 问题答案

【问题标题】：Issue with substr based on variable MYSQL IPN基于变量 MYSQL IPN 的 substr 问题
【发布时间】：2013-07-28 17:45:55
【问题描述】：

您好，我无法弄清楚为什么我的表中的用户名列没有添加内容。我正在尝试使用我的 IPN 中的付款人电子邮件来介绍用于登录的用户名。除用户名外，所有内容都已发布。在用户名变量编辑的位置中我做错了什么吗？是否有我遗漏的东西阻止了此内容的发布？

<?php

// Check to see there are posted variables coming into the script
if ($_SERVER['REQUEST_METHOD'] != "POST") die ("No Post Variables");
// Initialize the $req variable and add CMD key value pair
$req = 'cmd=_notify-validate';
// Read the post from PayPal
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}
// Now Post all of that back to PayPal's server using curl, and validate everything with PayPal
// We will use CURL instead of PHP for this for a more universally operable script (fsockopen has issues on some environments)
//$url = "https://www.sandbox.paypal.com/cgi-bin/webscr";
$url = "https://www.paypal.com/cgi-bin/webscr";
$curl_result=$curl_err='';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/x-www-form-urlencoded", "Content-Length: " . strlen($req)));
curl_setopt($ch, CURLOPT_HEADER , 0);   
curl_setopt($ch, CURLOPT_VERBOSE, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
$curl_result = @curl_exec($ch);
$curl_err = curl_error($ch);
curl_close($ch);

$req = str_replace("&", "\n", $req);  // Make it a nice list in case we want to email it to ourselves for reporting

// Check that the result verifies
if (strpos($curl_result, "VERIFIED") !== false) {
    $req .= "\n\nPaypal Verified OK";
} else {
    $req .= "\n\nData NOT verified from Paypal!";
    mail("chris@test.com", "IPN interaction not verified", "$req", "From: chris@test.com" );
    exit();
}

/* CHECK THESE 4 THINGS BEFORE PROCESSING THE TRANSACTION, HANDLE THEM AS YOU WISH
1. Make sure that business email returned is your business email
2. Make sure that the transaction’s payment status is “completed”
3. Make sure there are no duplicate txn_id
4. Make sure the payment amount matches what you charge for items. (Defeat Price-Jacking) */

// Check Number 1 ------------------------------------------------------------------------------------------------------------
$receiver_email = $_POST['receiver_email'];
if ($receiver_email != "chris@test.com") {
    $message = "Investigate why and how receiver email is wrong. Email = " . $_POST['receiver_email'] . "\n\n\n$req";
    mail("chris@test.com", "Receiver Email is incorrect", $message, "From: chris@test.com" );
    exit(); // exit script
}
// Check number 2 ------------------------------------------------------------------------------------------------------------
if ($_POST['payment_status'] != "Completed") {
    // Handle how you think you should if a payment is not complete yet, a few scenarios can cause a transaction to be incomplete
}
// Connect to database ------------------------------------------------------------------------------------------------------
require_once 'connect_to_mysql.php';
// Check number 3 ------------------------------------------------------------------------------------------------------------
$this_txn = $_POST['txn_id'];
$sql = mysql_query("SELECT id FROM transactions WHERE txn_id='$this_txn' LIMIT 1");
$numRows = mysql_num_rows($sql);
if ($numRows > 0) {
    $message = "Duplicate transaction ID occured so we killed the IPN script. \n\n\n$req";
    mail("chris@test.com", "Duplicate txn_id in the IPN system", $message, "From: chris@test.com" );
    exit(); // exit script
} 
// Check number 4 ------------------------------------------------------------------------------------------------------------
$product_id_string = $_POST['custom'];
$product_id_string = rtrim($product_id_string, ","); // remove last comma
// Explode the string, make it an array, then query all the prices out, add them up, and make sure they match the payment_gross amount
$id_str_array = explode(",", $product_id_string); // Uses Comma(,) as delimiter(break point)
$fullAmount = 0;
foreach ($id_str_array as $key => $value) {

    $id_quantity_pair = explode("-", $value); // Uses Hyphen(-) as delimiter to separate product ID from its quantity
    $product_id = $id_quantity_pair[0]; // Get the product ID
    $product_quantity = $id_quantity_pair[1]; // Get the quantity
    $sql = mysql_query("SELECT price FROM products WHERE id='$product_id' LIMIT 1");
    while($row = mysql_fetch_array($sql)){
        $product_price = $row["price"];
    }
    $product_price = $product_price * $product_quantity;
    $fullAmount = $fullAmount + $product_price;
}
$fullAmount = number_format($fullAmount, 2);
$grossAmount = $_POST['mc_gross']; 
if ($fullAmount != $grossAmount) {
        $message = "Possible Price Jack: " . $_POST['payment_gross'] . " != $fullAmount \n\n\n$req";
        mail("chris@test.com", "Price Jack or Bad Programming", $message, "From: chris@test.com" );
        exit(); // exit script
} 
require_once '../includes/db_conx.php';
//
$payer_email = $_POST['payer_email'];
// Select the member from the users table
$username = substr($payer_email, 0, strpos($payer_email, '@'));
$sql = "SELECT username FROM transactions WHERE username='{$username}%'";
$user_query = mysqli_query($db_conx, $sql);

$numrows = mysqli_num_rows($user_query);
if($numrows < 1){

   $i = 0;

   while ($name_arr = mysqli_fetch_assoc($result)) {

      $name = $name_arr['username'];       

      $after = substr($name, strlen($username));

      if (ctype_digit($after)) {

         if (($after = (int) $after) > $i) {

            $i = $after;

         }

      }

   }

   if ($i > 0) {
      $username .= $i;
   }

}


// END ALL SECURITY CHECKS NOW IN THE DATABASE IT GOES ------------------------------------
////////////////////////////////////////////////////
// Homework - Examples of assigning local variables from the POST variables
$txn_id = $_POST['txn_id'];
$payer_email = $_POST['payer_email'];
$custom = $_POST['custom'];
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$payment_date = $_POST['payment_date'];
$mc_gross = $_POST['mc_gross'];
$payment_currency = $_POST['payment_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payment_type = $_POST['payment_type'];
$payment_status = $_POST['payment_status'];
$txn_type = $_POST['txn_type'];
$payer_status = $_POST['payer_status'];
$address_street = $_POST['address_street'];
$address_city = $_POST['address_city'];
$address_state = $_POST['address_state'];
$address_zip = $_POST['address_zip'];
$address_country = $_POST['address_country'];
$address_status = $_POST['address_status'];
$notify_version = $_POST['notify_version'];
$verify_sign = $_POST['verify_sign'];
$payer_id = $_POST['payer_id'];
$mc_currency = $_POST['mc_currency'];
$mc_fee = $_POST['mc_fee'];
$password = mt_rand(1000, 9999); 
$p_hash = md5($password);
$username = $_POST['username'];

// Place the transaction into the database
$sql = mysql_query("INSERT INTO transactions (product_id_array, payer_email, first_name, last_name, payment_date, mc_gross, payment_currency, txn_id, receiver_email, payment_type, payment_status, txn_type, payer_status, address_street, address_city, address_state, address_zip, address_country, address_status, notify_version, verify_sign, payer_id, mc_currency, mc_fee, password, ip, username) 
   VALUES('$custom','$payer_email','$first_name','$last_name','$payment_date','$mc_gross','$payment_currency','$txn_id','$receiver_email','$payment_type','$payment_status','$txn_type','$payer_status','$address_street','$address_city','$address_state','$address_zip','$address_country','$address_status','$notify_version','$verify_sign','$payer_id','$mc_currency','$mc_fee','$p_hash','$ip','$username')") or die ("unable to execute the query");
$to      = $payer_email;  
$subject = ' Login Credentials';  
$message = ' 

Your officially all ready to go. To login use the information below.

Your account login information 
------------------------- 
Email: '.$payer_email.' 
Password: '.$password.' 
------------------------- 

You can now login at https://www.test.com/signin.php';  
$headers = 'From:noreply@test.com' . "\r\n";  

mail($to, $subject, $message, $headers);  
mysql_close();
// Mail yourself the details
mail("chris@test.com", "NORMAL IPN RESULT YAY MONEY!", $req, "From: chris@test.com");

?>

[28-Jul-2013 16:05:40 America/Denver] PHP 解析错误：语法错误，意外的 T_ELSE 在 /home/lear/public_html/storescripts/my_ipn.php 在第 74 行

[28-Jul-2013 21:06:37 America/Denver] PHP 警告：mysqli_query() 期望参数 1 为 mysqli，在 /home/lear/public_html/storescripts/my_ipn.php 在第 100 行

[28-Jul-2013 21:06:37 America/Denver] PHP 警告：mysqli_num_rows() 期望参数 1 为 mysqli_result，在 /home/lear/public_html/storescripts/my_ipn.php 在第 102 行

编辑：

我刚刚更新了脚本。我收到的错误如下：

[28-Jul-2013 22:18:33 America/Denver] PHP 警告： mysqli_fetch_assoc() 期望参数 1 为 mysqli_result，null 在 /home/learnsit/public_html/storescripts/my_ipn.php 在线给出 108

第 108 行是

while ($name_arr = mysqli_fetch_assoc($result)) {

【问题讨论】：

我不会称其为安全性...无论如何是什么错误，或者贝宝只是抛出错误？
我还没有完成安全性。谢谢你的提醒。没有错误。它只是没有输入到数据库中编辑：刚刚重新加载以找到上面发布的错误。
看起来您正在混合使用 MySQL（已弃用）和 MySQLi 扩展。不要那样做
嗨 Phil 我实际上正在一步一步地转换为 MYSQLI。大声笑我还不是很擅长它，所以它需要一些时间来完成它。你认为这可能是它不发布到数据库的原因吗？所有其他条目都在发布，但这个。这似乎不是用户名帖子的问题，但我不能说。
我不再收到任何错误，但仍然没有发布到数据库作为更新

标签： php mysql paypal-ipn

【解决方案1】：

我没有玩太多，但对我来说主要怀疑的一段代码是：

$sql = "SELECT `username` FROM `transactions` WHERE `username` = \'' . $username . '%\';";

它应该看起来更像

$sql = "SELECT `username` FROM `transactions` WHERE `username` = '{$username}%'";

仅供参考： - PHP 可以处理双引号内的单引号，而不需要反斜杠 () 转义。 - MySQL 引用不需要分号 (;) 转义 - 检查问题是否实际上是 MySQL 查询以供您将来调试的一个好方法是将或 die(mysql_error($db)) 添加到查询函数的末尾，如下所示：

$result = mysqli_query($db_conx, $sql) or die(mysql_error($db_conx));

希望这会有所帮助！

更新：

我已将此添加到结果区域以尝试调试，但我没有收到任何信息。这会出现在您的标准错误页面中吗？

试试

    echo $sql;

进一步查看您的代码后，您似乎看不到 username='{$username}' 的任何内容，因为 $username 是基于尚未声明的 $payer_email 的。您需要将这些用户名检查放入一个函数并在您为变量分配 $_POST 索引后调用它，或者在您首次声明 $username 变量之前将 $_POST["payer_email"] 移动到摆脱 $_POST["username"]... 虽然我没有看到您的表单，但听起来您正在通过付款人电子邮件创建用户名。这是否更有帮助？

更新 2：

你的 mysql_fetch_assoc 错误是因为你没有声明 $result。我相信您可能试图引用 $user_query，在这种情况下，您的第 108 行应该是：

while ($name_arr = mysqli_fetch_assoc($user_query)) {

更新 3：

I got that and I've been able to post to my database finally, but I can't get it to count and add to the username to prevent duplicates.

首先我注意到您使用的是用户名 ='{$username}%'。我有几点要说，我希望你能听听。我在这里给你鱼，但我也想教你。

如果要进行比较，则必须是 username LIKE '{$username}%'
我不清楚你想做什么......如果你想要一个唯一的标识符，我实际上会做一些更像 username='{$username}' 的事情，然后，如果它返回一个结果，在末尾添加一个唯一标识符。

你看，当你用 LIKE {$username}% 做某事时，如果有人试图注册为 awesome_bob，而其他人已经拥有 awesome_bob，你最终会得到两行。我想你会想要一些更随机的东西，或者创建一个更复杂的函数。或者，只需将用户名保留为电子邮件，这样可以保持其唯一性并且是一个非常简单的解决方法。

我将把这篇文章留在那里，因为我认为它已经回答了你最初的问题，然后是一些问题。如果您还有其他问题，我认为人们会很乐意在单独的主题中查看它们。

我是否已经足够回答你的问题了？如果是这样，我会感谢我的努力 +1 :)

【讨论】：

我已将此添加到结果区域以尝试调试，但我没有收到任何信息。这会出现在您的标准错误页面中吗？
也更新了我的回复。
我知道了，我终于可以发布到我的数据库中了，但是我无法将其计数并添加到用户名中以防止重复。
请看我的编辑克里斯。我认为这应该让你更清楚。我建议使用电子邮件作为您的用户名，或者，如果您希望将其分开，则使用类似 str_replace("at","@",$string);或 preg_replace。请注意一开始就使用增量解决方案的挑战。如果你想这样做，它需要一个更复杂的函数，并且考虑到它与你最初的问题有很大的不同，我建议创建一个新主题，这样主持人就不会关闭对话。
感谢您的帮助。我很乐意撞。你能在这里聊天吗？如果您愿意提供帮助，我还有一个问题。