PHP postback / callback

Hello,

http://domain.com/callback.php?user_id=58044&currency=10&transaction_id=100&&ms=1b13e00b47bdfbcb39046d0

I am not sure how to create callback.php. This is what I have so far.

[php]

<?php
include('inc/config.php');
$con = mysql_connect($dbhost,$dbuser,$dbpass);
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db($dbname);
session_start();
$usrid = $_REQUEST["USER_ID"];
$currency = $_Get["currency"];
$transid = $_Get["transaction_id"];
$ms = $_Get["ms"];
mysql_query($sql);
{
    $sql="Update `oto_members` set glacierbux=glacierbux+$currency where Id=$usrid limit 1";
    mysql_query($sql);
}
?>

[/php]

What am I doing wrong? The callback URL is supposed to get the information from http://domain.com/callback.php?user_id=58044&currency=10&transaction_id=100&&ms=1b13e00b47bdfbcb39046d0 and use it in the PHP file to tell which user to credit and with how many glacierbux (currency).

Please help

Thanks

David Schmader

Clues for you
This USER_ID is not the same as user_id
This $_Get is not the same as $_GET

Are you doing an e-currency site? If so, you're going to be hacked in no time; this code is so vulnerable it hurts.

You should definitely look into changing to mysqli or pdo, and using parameterized queries.

Could you guys help me do this correctly?

I am really not sure what to do from here.

Thanks

You could start with this, but this whole code is riddled with issues that no one is going to fix for you. Google "SQL injection" and read up on that first.
[php]
$usrid = $_GET["user_id"];

$currency = $_GET["currency"];
$transid = $_GET["transaction_id"];
$ms = $_GET["ms"];
[/php]
Also, you have an extra & in this part of the URL you provided: transaction_id=100&&ms=1b13e00b47bdfbcb39046d0

Ty.

I have a lot to learn.

It is working now; I just need to figure out how to make it more secure.

[php]<?php
include('inc/config.php');
$con = mysql_connect($dbhost,$dbuser,$dbpass);
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db($dbname);

//////session_start();
/////$usrid = $_REQUEST["USER_ID"];
/////$currency = $_POST['currency'];

// Parameters as they appear in the callback URL (note the lowercase
// key names and the uppercase $_GET superglobal).
$usrid = $_GET["user_id"];

$currency = $_GET["currency"];
$transid = $_GET["transaction_id"];
$ms = $_GET["ms"];

// $usrid and $currency are still interpolated straight into the SQL,
// so this query is open to SQL injection; see the replies above.
$sql="Update oto_members set glacierbux=glacierbux+$currency where Id=$usrid limit 1";
mysql_query($sql);
?>[/php]

http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
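A hardened version of the callback, added here as an example; it is not code from anyone in this thread. It follows the PDO and parameterized-query advice given above. Assumptions that the thread does not state: inc/config.php also defines a $callback_secret shared with the payment provider; the "ms" parameter is treated as an HMAC-SHA256 over the other three parameters computed with that secret (check the provider's documentation for its actual scheme and adjust verify_signature accordingly); and a table oto_transactions with transaction_id as its primary key exists so a replayed callback cannot credit the same purchase twice.

```php
<?php
// Hardened callback.php: example code, not the poster's.
// Assumptions (none come from the thread):
//   - inc/config.php defines $dbhost, $dbuser, $dbpass, $dbname and
//     $callback_secret (secret shared with the payment provider).
//   - "ms" is HMAC-SHA256("user_id|currency|transaction_id", secret)
//     as sent by the provider. Adjust verify_signature() to the real scheme.
//   - Table oto_transactions(transaction_id INT PRIMARY KEY, user_id INT,
//     amount INT, created_at DATETIME) exists for replay protection.
include('inc/config.php');

// Accept only positive integers. Besides rejecting garbage, this removes
// the string-concatenation injection the original code was open to.
function positive_int(?string $value): ?int {
    $n = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Constant-time check of the provider's signature (assumed HMAC-SHA256).
function verify_signature(string $secret, int $userId, int $currency, int $transId, string $ms): bool {
    $expected = hash_hmac('sha256', "$userId|$currency|$transId", $secret);
    return hash_equals($expected, $ms);
}

// Record the transaction and credit the user atomically. Values reach
// MySQL only as bound parameters, never as part of the SQL text.
function credit_user(PDO $db, int $userId, int $currency, int $transId): bool {
    $db->beginTransaction();
    try {
        // The PRIMARY KEY on transaction_id makes a replayed callback fail
        // here (duplicate key -> PDOException) instead of crediting twice.
        $ins = $db->prepare(
            'INSERT INTO oto_transactions (transaction_id, user_id, amount, created_at)
             VALUES (:tid, :uid, :amount, NOW())');
        $ins->execute([':tid' => $transId, ':uid' => $userId, ':amount' => $currency]);

        $upd = $db->prepare(
            'UPDATE oto_members SET glacierbux = glacierbux + :amount WHERE Id = :uid LIMIT 1');
        $upd->execute([':amount' => $currency, ':uid' => $userId]);
        if ($upd->rowCount() !== 1) {
            throw new RuntimeException('unknown user');
        }
        $db->commit();
        return true;
    } catch (RuntimeException $e) { // PDOException extends RuntimeException
        $db->rollBack();
        return false;
    }
}

$userId   = positive_int($_GET['user_id'] ?? null);
$currency = positive_int($_GET['currency'] ?? null);
$transId  = positive_int($_GET['transaction_id'] ?? null);
$ms       = $_GET['ms'] ?? '';

if ($userId === null || $currency === null || $transId === null) {
    http_response_code(400);
    exit('bad parameters');
}
if (!verify_signature($callback_secret, $userId, $currency, $transId, $ms)) {
    http_response_code(403);
    exit('bad signature');
}

$db = new PDO("mysql:host=$dbhost;dbname=$dbname;charset=utf8mb4", $dbuser, $dbpass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

if (credit_user($db, $userId, $currency, $transId)) {
    echo 'OK';
} else {
    http_response_code(409);
    echo 'not credited';
}
```

Prepared statements only fix the injection; the URL is still reachable by anyone who can guess a user_id, so the signature check (or whatever verification the provider actually offers) is what stops an attacker from crediting an arbitrary account with an arbitrary amount, and the positive-integer validation blocks negative or non-numeric values before they reach the database. The mysql_* functions used in the thread were removed in PHP 7, so mysqli or PDO is required on any current PHP in any case.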
