Save this code as verifypurchase.php:


include “connection.php”;


function check_txnid($con, $txnid)


$valid_txnid = false;

//get result set

$strsql = “SELECT * FROM tblorders “.

” WHERE txnid = ‘$txnid'”;

$rs = $con->query($strsql);

if($rs->num_rows == 0)


$valid_txnid = true;


return $valid_txnid;



function check_price($con, $price, $inventoryid)


$valid_price = false;

//get result set

$strsql = “SELECT listprice FROM tblbooks “.

” WHERE inventorynumber = ‘$inventoryid'”;

$rs = $con->query($strsql);

$row = $rs->fetch_array();

$num = (float)$row[0];

if($num == $price)


$valid_price = true;


return $valid_price;



function check_email($email)


$valid_email = false;

//compare to paypal merchant email

if($email == “” )


$valid_email = true;


return $valid_email;



function do_post($data)


//now send back to paypal

$c = curl_init(‘’);

curl_setopt($c, CURLOPT_POST,1);

curl_setopt($c, CURLOPT_POSTFIELDS, $data);


curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);

$status = curl_exec($c);


return $status;



//loop for posted values

$data = “”;

foreach($_POST as $key => $value)


$value = urlencode(stripslashes($value));

$data .= “$key=$value&”;


//must add this before returning to paypal

$data .= “cmd=_notify-validate”;

$status = do_post($data);

//strip CR

$status = rtrim($status);

$payment_status = $_POST[‘payment_status’];

//get transaction id

$txn_id = $_POST[‘txn_id’];

if ($status == “VERIFIED” && $payment_status == “Completed”)


//need these variables

$price = $_POST[‘mc_gross’];

//get order number

$orderid = $_POST[‘custom’];

$inventoryid = $_POST[‘item_number’];

//merchant’s email i.e. paypal account

//equals business in paynow.html

$receiver_email = $_POST[‘receiver_email’];

//create a mysqli connection

$con = new mysqli($hostname, $username, $password, $databasename, 3306,


//check merchant email, price & not recycled txn id

//no need to change syntax to pass object by reference

$valid_txnid = check_txnid($con, $txn_id);

$valid_price = check_price($con, $price, $inventoryid);

$valid_email = check_email($receiver_email);

//if all checks write record

if($valid_price && $valid_email && $valid_txnid)


//update database with txn id

$strsql = “UPDATE tblorders SET txnid = ‘$txn_id’ “.

“WHERE orderid = $orderid”;


$message =”Successful, transaction id: $txn_id\n”;




//unsuccessful transaction

$message =”Unsuccessful, transaction id: $txn_id\n”;



else if($status == “INVALID”)


//notify suspicious transaction

$message =”Suspicious IPN with transaction id: $txn_id”;




//deal with other types

$message =”Incomplete purchase with transaction id: $txn_id”;


mail (“”, “PayPal”, $message);


Running the Hack

First you will need a PayPal account. Create one by going to the PayPal home page and signing up for a business account.

Then you need to alter the files to your specifications. Your buynow.html file will of course reflect the product you are selling. You will also need to change the email addresses in both the buynow.html file and the verifypurchase.php file. Replace “” with the email address associated with your PayPal account. This is important because it identifies the account that will receive payment. Change “” to the appropriate address for receiving confirmation of payment. You may not need a payment confirmation at all or you may want to replace it with code to write a log file, especially in the case of a failed payment. Change the connection.php file to reflect values appropriate to your MySQL server. No changes are required for the presubmit.php file unless you change the database structure.

You will doubtless create a database suited to your specific business needs but, if you wish to test this code as is, here are the SQL statements that will create the minimum required database structure:

CREATE TABLE `tblbooks` (

`inventorynumber` int(11) NOT NULL auto_increment,

`title` varchar(150) NOT NULL default ”,

`author` varchar(100) NOT NULL default ”,

`cost` float(6,2) NOT NULL default ‘0.00’,

`listprice` float(7,2) NOT NULL default ‘0.00’,

`publicationdate` varchar(4) default NULL,

`publisher` varchar(4) NOT NULL default ”,

PRIMARY KEY  (`inventorynumber`),

KEY `authidx` (`author`),

KEY `titleidx` (`title`),


CREATE TABLE `tblorders` (

`orderid` int(11) NOT NULL auto_increment,

`customerid` int(11) default NULL,

`orderdate` date default NULL,

`txnid` varchar(17) default NULL,

PRIMARY KEY  (`orderid`)


CREATE TABLE `tblorderitems` (

`orderid` int(11) NOT NULL default ‘0’,

`inventorynumber` int(11) NOT NULL default ‘0’,

PRIMARY KEY  (`orderid`,`inventorynumber`)


Next, upload the files to your server ensuring that the connection.php, buynow.html and presubmit.php files are all in the same directory. You can put the verifypurchase.php file in the same directory as well but it’s probably better off in its own directory. If you do put it in a separate directory be sure to change the include path for the connection.php file.

Go to your PayPal account, turn on IPN and enter the fully qualified URL for the verifypurchase.php file. To make a purchase point your browser at buynow.php. You will know that everything is working when you click on the “Buy Now” button, are taken to the PayPal site and, when payment is complete, you then receive an email containing the transaction id.

Leave a Reply

Your email address will not be published.

You may use these <abbr title="HyperText Markup Language">HTML</abbr> tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>