PHP postback / callback

dschmader · September 17, 2013, 10:29pm

Hello,

http://domain.com/callback.php?user_id=58044&currency=10&transaction_id=100&&ms=1b13e00b47bdfbcb39046d0

I am not sure how to create the callback.php. this is what I have so far.

[php]

<?php include('inc/config.php'); $con = mysql_connect($dbhost,$dbuser,$dbpass); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db($dbname); session_start(); $usrid = $_REQUEST["USER_ID"]; $currency = $_Get["currency"]; $transid = $_Get["transaction_id"]; $ms = $_Get["ms"]; mysql_query($sql); { $sql="Update `oto_members` set glacierbux=glacierbux+$currency where Id=$usrid limit 1"; mysql_query($sql); } ?>

[/php]

What am I doing wrong. the call back url is suposed to get the information from http://domain.com/callback.php?user_id=58044&currency=10&transaction_id=100&&ms=1b13e00b47bdfbcb39046d0 and use it in the php file to tell what user to credit how many glacierbux or currency.

Please help

Thanks

David Schmader

fastsol · September 18, 2013, 4:45am

Clues for you
This USER_ID is not the same as user_id
This $_Get is not the same as $_GET

JimL · September 18, 2013, 4:50am

Are you doing an e-currency site? If so you’re going to be hacked in no-time, this code is so vulnerable it hurts.

You should definitely look into changing to mysqli or pdo, and using parameterized queries.

dschmader · September 18, 2013, 12:42pm

Could you guys help get do this correctly?

I am really not sure what do do from here.

Thanks

fastsol · September 18, 2013, 1:55pm

You could start with this but this whole code is riddled with issues that no one is going fix for you. Google SQL injection and read up on that first.
[php]
$usrid = $_GET[“user_id”];

$currency = $_GET[“currency”];
$transid = $_GET[“transaction_id”];
$ms = $_GET[“ms”];
[/php]
Also you have an extra & in this part of the url you provided - transaction_id=100&&ms=1b13e00b47bdfbcb39046d0

dschmader · September 18, 2013, 2:50pm

Ty.

I have a lot to learn.

It is working now, i just need to figure out to make it more secure

[php]<?php
include(‘inc/config.php’);
$con = mysql_connect($dbhost,$dbuser,$dbpass);
if (!$con)
{
die('Could not connect: ’ . mysql_error());
}
mysql_select_db($dbname);

//////session_start();
/////$usrid = $_REQUEST[“USER_ID”];
/////$currency = $_POST[‘currency’];

$usrid = $_GET[“user_id”];

$currency = $_GET[“currency”];
$transid = $_GET[“transaction_id”];
$ms = $_GET[“ms”];

mysql_query($sql);

{
$sql=“Update oto_members set glacierbux=glacierbux+$currency where Id=$usrid limit 1”;
mysql_query($sql);
}
?>[/php]

JimL · September 18, 2013, 8:27pm

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/