Issues in Subscriptions-PayPal.php - Failed Issues - Inspection of "Properly clears out fake $user_info in CreatePost-..." - Yoshi2889/SMF2.1 - Measure and Improve Code Quality continuously with Scrutinizer

Failed Conditions

Push — release-2.1 ( e0848c...8d1977 )

by Rick

created 2019-10-18 11:48 UTC

Sources/Subscriptions-PayPal.php (5 issues)

Labels

Severity

Major 5

<?php

/**
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines http://www.simplemachines.org
 * @copyright 2019 Simple Machines and individual contributors
 * @license http://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.1 RC2
 */

// This won't be dedicated without this - this must exist in each gateway!
// SMF Payment Gateway: paypal

if (!defined('SMF'))
	die('No direct access...');

/**
 * Class for returning available form data for this gateway
 */
class paypal_display
{
	/**
	 * @var string Name of this payment gateway
	 */
	public $title = 'PayPal';

	/**
	 * Return the admin settings for this gateway
	 *
	 * @return array An array of settings data
	 */
	public function getGatewaySettings()
	{
		global $txt;

		$setting_data = array(
			array(
				'email', 'paypal_email',
				'subtext' => $txt['paypal_email_desc'],
				'size' => 60
			),
			array(
				'email', 'paypal_additional_emails',
				'subtext' => $txt['paypal_additional_emails_desc'],
				'size' => 60
			),
			array(
				'email', 'paypal_sandbox_email',
				'subtext' => $txt['paypal_sandbox_email_desc'],
				'size' => 60
			),
		);

		return $setting_data;
	}

	/**
	 * Is this enabled for new payments?
	 *
	 * @return boolean Whether this gateway is enabled (for PayPal, whether the PayPal email is set)
	 */
	public function gatewayEnabled()
	{
		global $modSettings;

		return !empty($modSettings['paypal_email']);
	}

	/**
	 * What do we want?
	 *
	 * Called from Profile-Actions.php to return a unique set of fields for the given gateway
	 * plus all the standard ones for the subscription form
	 *
	 * @param string $unique_id The unique ID of this gateway
	 * @param array $sub_data Subscription data
	 * @param int|float $value The amount of the subscription
	 * @param string $period
	 * @param string $return_url The URL to return the user to after processing the payment
	 * @return array An array of data for the form
	 */
	public function fetchGatewayFields($unique_id, $sub_data, $value, $period, $return_url)
	{
		global $modSettings, $txt, $boardurl;

		$return_data = array(
			'form' => 'https://www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com/cgi-bin/webscr',
			'id' => 'paypal',
			'hidden' => array(),
			'title' => $txt['paypal'],
			'desc' => $txt['paid_confirm_paypal'],
			'submit' => $txt['paid_paypal_order'],
			'javascript' => '',
		);

		// All the standard bits.
		$return_data['hidden']['business'] = $modSettings['paypal_email'];
		$return_data['hidden']['item_name'] = $sub_data['name'] . ' ' . $txt['subscription'];
		$return_data['hidden']['item_number'] = $unique_id;
		$return_data['hidden']['currency_code'] = strtoupper($modSettings['paid_currency_code']);
		$return_data['hidden']['no_shipping'] = 1;
		$return_data['hidden']['no_note'] = 1;
		$return_data['hidden']['amount'] = $value;
		$return_data['hidden']['cmd'] = !$sub_data['repeatable'] ? '_xclick' : '_xclick-subscriptions';
		$return_data['hidden']['return'] = $return_url;
		$return_data['hidden']['a3'] = $value;
		$return_data['hidden']['src'] = 1;
		$return_data['hidden']['notify_url'] = $boardurl . '/subscriptions.php';

		// If possible let's use the language we know we need.
		$return_data['hidden']['lc'] = !empty($txt['lang_paypal']) ? $txt['lang_paypal'] : 'US';

		// Now stuff dependant on what we're doing.
		if ($sub_data['flexible'])
		{
			$return_data['hidden']['p3'] = 1;
			$return_data['hidden']['t3'] = strtoupper(substr($period, 0, 1));
		}
		else
		{
			preg_match('~(\d*)(\w)~', $sub_data['real_length'], $match);
			$unit = $match[1];
			$period = $match[2];

			$return_data['hidden']['p3'] = $unit;
			$return_data['hidden']['t3'] = $period;
		}

		// If it's repeatable do some javascript to respect this idea.
		if (!empty($sub_data['repeatable']))
			$return_data['javascript'] = '
				document.write(\'<label for="do_paypal_recur"><input type="checkbox" name="do_paypal_recur" id="do_paypal_recur" checked onclick="switchPaypalRecur();">' . $txt['paid_make_recurring'] . '</label><br>\');

				function switchPaypalRecur()
				{
					document.getElementById("paypal_cmd").value = document.getElementById("do_paypal_recur").checked ? "_xclick-subscriptions" : "_xclick";
				}';

		return $return_data;
	}
}

/**
 * Class of functions to validate a IPN response and provide details of the payment
 */
class paypal_payment
{
	private $return_data;

	/**
	 * This function returns true/false for whether this gateway thinks the data is intended for it.
	 *
	 * @return boolean Whether this gateway things the data is valid
	 */
	public function isValid()
	{
		global $modSettings;

		// Has the user set up an email address?
		if ((empty($modSettings['paidsubs_test']) && empty($modSettings['paypal_email'])) || (!empty($modSettings['paidsubs_test']) && empty($modSettings['paypal_sandbox_email'])))
			return false;
		// Check the correct transaction types are even here.
		if ((!isset($_POST['txn_type']) && !isset($_POST['payment_status'])) || (!isset($_POST['business']) && !isset($_POST['receiver_email'])))
			return false;
		// Correct email address?
		if (!isset($_POST['business']))
			$_POST['business'] = $_POST['receiver_email'];

		// Are we testing?
		if (!empty($modSettings['paidsubs_test']) && strtolower($modSettings['paypal_sandbox_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) || !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails'])))))
			return false;
		elseif (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) || !in_array(strtolower($_POST['business']), explode(',', $modSettings['paypal_additional_emails']))))
			return false;
		return true;
	}

	/**
	 * Post the IPN data received back to paypal for validation
	 * Sends the complete unaltered message back to PayPal. The message must contain the same fields
	 * in the same order and be encoded in the same way as the original message
	 * PayPal will respond back with a single word, which is either VERIFIED if the message originated with PayPal or INVALID
	 *
	 * If valid returns the subscription and member IDs we are going to process if it passes
	 *
	 * @return string A string containing the subscription ID and member ID, separated by a +
	 */
	public function precheck()
	{
		global $modSettings, $txt;

		// Put this to some default value.
		if (!isset($_POST['txn_type']))
			$_POST['txn_type'] = '';

		// Build the request string - starting with the minimum requirement.
		$requestString = 'cmd=_notify-validate';

		// Now my dear, add all the posted bits in the order we got them
		foreach ($_POST as $k => $v)
			$requestString .= '&' . $k . '=' . urlencode($v);

		// Can we use curl?
		if (function_exists('curl_init') && $curl = curl_init((!empty($modSettings['paidsubs_test']) ? 'https://www.sandbox.' : 'https://www.') . 'paypal.com/cgi-bin/webscr'))
		{
			// Set the post data.
			curl_setopt($curl, CURLOPT_POST, true);
			curl_setopt($curl, CURLOPT_POSTFIELDSIZE, 0);

			curl_setopt($curl, CURLOPT_POSTFIELDS, $requestString);

			// Set up the headers so paypal will accept the post
			curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
			curl_setopt($curl, CURLOPT_FORBID_REUSE, 1);
			curl_setopt($curl, CURLOPT_HTTPHEADER, array(
				'Host: www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com',
				'Connection: close'
			));

			// Fetch the data returned as a string.
			curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);

			// Fetch the data.
			$this->return_data = curl_exec($curl);

			// Close the session.
			curl_close($curl);
		}
		// Otherwise good old HTTP.
		else
		{
			// Setup the headers.
			$header = 'POST /cgi-bin/webscr HTTP/1.1' . "\r\n";
			$header .= 'content-type: application/x-www-form-urlencoded' . "\r\n";
			$header .= 'Host: www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com' . "\r\n";
			$header .= 'content-length: ' . strlen($requestString) . "\r\n";
			$header .= 'connection: close' . "\r\n\r\n";

			// Open the connection.
			if (!empty($modSettings['paidsubs_test']))
				$fp = fsockopen('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);
			else
				$fp = fsockopen('www.paypal.com', 80, $errno, $errstr, 30);

			// Did it work?
			if (!$fp)
				generateSubscriptionError($txt['paypal_could_not_connect']);

			// Put the data to the port.
			fputs($fp, $header . $requestString);

			// Get the data back...
			while (!feof($fp))
			{
				$this->return_data = fgets($fp, 1024);
				if (strcmp(trim($this->return_data), 'VERIFIED') === 0)
					break;
			}

			// Clean up.
			fclose($fp);
		}

		// If this isn't verified then give up...
		if (strcmp(trim($this->return_data), 'VERIFIED') !== 0)
			exit;


		// Check that this is intended for us.
		if (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) || !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails'])))))
			exit;


		// Is this a subscription - and if so is it a secondary payment that we need to process?
		// If so, make sure we get it in the expected format. Seems PayPal sometimes sends it without urlencoding.
		if (!empty($_POST['item_number']) && strpos($_POST['item_number'], ' ') !== false)
			$_POST['item_number'] = str_replace(' ', '+', $_POST['item_number']);
		if ($this->isSubscription() && (empty($_POST['item_number']) || strpos($_POST['item_number'], '+') === false))
			// Calculate the subscription it relates to!
			$this->_findSubscription();

		// Verify the currency!
		if (strtolower($_POST['mc_currency']) !== strtolower($modSettings['paid_currency_code']))
			exit;


		// Can't exist if it doesn't contain anything.
		if (empty($_POST['item_number']))
			exit;


		// Return the id_sub and id_member
		return explode('+', $_POST['item_number']);
	}

	/**
	 * Is this a refund?
	 *
	 * @return boolean Whether this is a refund
	 */
	public function isRefund()
	{
		if ($_POST['payment_status'] === 'Refunded' || $_POST['payment_status'] === 'Reversed' || $_POST['txn_type'] === 'Refunded' || ($_POST['txn_type'] === 'reversal' && $_POST['payment_status'] === 'Completed'))
			return true;
		else
			return false;
	}

	/**
	 * Is this a subscription?
	 *
	 * @return boolean Whether this is a subscription
	 */
	public function isSubscription()
	{
		if (substr($_POST['txn_type'], 0, 14) === 'subscr_payment' && $_POST['payment_status'] === 'Completed')
			return true;
		else
			return false;
	}

	/**
	 * Is this a normal payment?
	 *
	 * @return boolean Whether this is a normal payment
	 */
	public function isPayment()
	{
		if ($_POST['payment_status'] === 'Completed' && $_POST['txn_type'] === 'web_accept')
			return true;
		else
			return false;
	}

	/**
	 * Is this a cancellation?
	 *
	 * @return boolean Whether this is a cancellation
	 */
	public function isCancellation()
	{
		// subscr_cancel is sent when the user cancels, subscr_eot is sent when the subscription reaches final payment
		// Neither require us to *do* anything as per performCancel().
		// subscr_eot, if sent, indicates an end of payments term.
		if (substr($_POST['txn_type'], 0, 13) === 'subscr_cancel' || substr($_POST['txn_type'], 0, 10) === 'subscr_eot')
			return true;
		else
			return false;
	}

	/**
	 * Things to do in the event of a cancellation
	 *
	 * @param string $subscription_id
	 * @param int $member_id
	 * @param array $subscription_info
	 */
	public function performCancel($subscription_id, $member_id, $subscription_info)
	{
		// PayPal doesn't require SMF to notify it every time the subscription is up for renewal.
		// A cancellation should not cause the user to be immediately dropped from their subscription, but
		// let it expire normally. Some systems require taking action in the database to deal with this, but
		// PayPal does not, so we actually just do nothing. But this is a nice prototype/example just in case.
	}

	/**
	 * How much was paid?
	 *
	 * @return float The amount paid
	 */
	public function getCost()
	{
		return (isset($_POST['tax']) ? $_POST['tax'] : 0) + $_POST['mc_gross'];
	}

	/**
	 * Record the transaction reference to finish up.
	 *
	 */
	public function close()
	{
		global $smcFunc, $subscription_id;

		// If it's a subscription record the reference.
		if ($_POST['txn_type'] == 'subscr_payment' && !empty($_POST['subscr_id']))
		{
			$smcFunc['db_query']('', '
				UPDATE {db_prefix}log_subscribed
				SET vendor_ref = {string:vendor_ref}
				WHERE id_sublog = {int:current_subscription}',
				array(
					'current_subscription' => $subscription_id,
					'vendor_ref' => $_POST['subscr_id'],
				)
			);
		}
	}

	/**
	 * A private function to find out the subscription details.
	 *
	 * @access private
	 * @return boolean|void False on failure, otherwise just sets $_POST['item_number']
	 */
	private function _findSubscription()
	{
		global $smcFunc;

		// Assume we have this?
		if (empty($_POST['subscr_id']))
			return false;

		// Do we have this in the database?
		$request = $smcFunc['db_query']('', '
			SELECT id_member, id_subscribe
			FROM {db_prefix}log_subscribed
			WHERE vendor_ref = {string:vendor_ref}
			LIMIT 1',
			array(
				'vendor_ref' => $_POST['subscr_id'],
			)
		);
		// No joy?
		if ($smcFunc['db_num_rows']($request) == 0)
		{
			// Can we identify them by email?
			if (!empty($_POST['payer_email']))
			{
				$smcFunc['db_free_result']($request);
				$request = $smcFunc['db_query']('', '
					SELECT ls.id_member, ls.id_subscribe
					FROM {db_prefix}log_subscribed AS ls
						INNER JOIN {db_prefix}members AS mem ON (mem.id_member = ls.id_member)
					WHERE mem.email_address = {string:payer_email}
					LIMIT 1',
					array(
						'payer_email' => $_POST['payer_email'],
					)
				);
				if ($smcFunc['db_num_rows']($request) === 0)
					return false;
			}
			else
				return false;
		}
		list ($member_id, $subscription_id) = $smcFunc['db_fetch_row']($request);
		$_POST['item_number'] = $member_id . '+' . $subscription_id;
		$smcFunc['db_free_result']($request);
	}
}

?>

1			<?php
2
3			/**
4			* Simple Machines Forum (SMF)
5			*
6			* @package SMF
7			* @author Simple Machines http://www.simplemachines.org
8			* @copyright 2019 Simple Machines and individual contributors
9			* @license http://www.simplemachines.org/about/smf/license.php BSD
10			*
11			* @version 2.1 RC2
12			*/
13
14			// This won't be dedicated without this - this must exist in each gateway!
15			// SMF Payment Gateway: paypal
16
17			if (!defined('SMF'))
18			die('No direct access...');
19
20			/**
21			* Class for returning available form data for this gateway
22			*/
23			class paypal_display
24			{
25			/**
26			* @var string Name of this payment gateway
27			*/
28			public $title = 'PayPal';
29
30			/**
31			* Return the admin settings for this gateway
32			*
33			* @return array An array of settings data
34			*/
35			public function getGatewaySettings()
36			{
37			global $txt;
38
39			$setting_data = array(
40			array(
41			'email', 'paypal_email',
42			'subtext' => $txt['paypal_email_desc'],
43			'size' => 60
44			),
45			array(
46			'email', 'paypal_additional_emails',
47			'subtext' => $txt['paypal_additional_emails_desc'],
48			'size' => 60
49			),
50			array(
51			'email', 'paypal_sandbox_email',
52			'subtext' => $txt['paypal_sandbox_email_desc'],
53			'size' => 60
54			),
55			);
56
57			return $setting_data;
58			}
59
60			/**
61			* Is this enabled for new payments?
62			*
63			* @return boolean Whether this gateway is enabled (for PayPal, whether the PayPal email is set)
64			*/
65			public function gatewayEnabled()
66			{
67			global $modSettings;
68
69			return !empty($modSettings['paypal_email']);
70			}
71
72			/**
73			* What do we want?
74			*
75			* Called from Profile-Actions.php to return a unique set of fields for the given gateway
76			* plus all the standard ones for the subscription form
77			*
78			* @param string $unique_id The unique ID of this gateway
79			* @param array $sub_data Subscription data
80			* @param int\|float $value The amount of the subscription
81			* @param string $period
82			* @param string $return_url The URL to return the user to after processing the payment
83			* @return array An array of data for the form
84			*/
85			public function fetchGatewayFields($unique_id, $sub_data, $value, $period, $return_url)
86			{
87			global $modSettings, $txt, $boardurl;
88
89			$return_data = array(
90			'form' => 'https://www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com/cgi-bin/webscr',
91			'id' => 'paypal',
92			'hidden' => array(),
93			'title' => $txt['paypal'],
94			'desc' => $txt['paid_confirm_paypal'],
95			'submit' => $txt['paid_paypal_order'],
96			'javascript' => '',
97			);
98
99			// All the standard bits.
100			$return_data['hidden']['business'] = $modSettings['paypal_email'];
101			$return_data['hidden']['item_name'] = $sub_data['name'] . ' ' . $txt['subscription'];
102			$return_data['hidden']['item_number'] = $unique_id;
103			$return_data['hidden']['currency_code'] = strtoupper($modSettings['paid_currency_code']);
104			$return_data['hidden']['no_shipping'] = 1;
105			$return_data['hidden']['no_note'] = 1;
106			$return_data['hidden']['amount'] = $value;
107			$return_data['hidden']['cmd'] = !$sub_data['repeatable'] ? '_xclick' : '_xclick-subscriptions';
108			$return_data['hidden']['return'] = $return_url;
109			$return_data['hidden']['a3'] = $value;
110			$return_data['hidden']['src'] = 1;
111			$return_data['hidden']['notify_url'] = $boardurl . '/subscriptions.php';
112
113			// If possible let's use the language we know we need.
114			$return_data['hidden']['lc'] = !empty($txt['lang_paypal']) ? $txt['lang_paypal'] : 'US';
115
116			// Now stuff dependant on what we're doing.
117			if ($sub_data['flexible'])
118			{
119			$return_data['hidden']['p3'] = 1;
120			$return_data['hidden']['t3'] = strtoupper(substr($period, 0, 1));
121			}
122			else
123			{
124			preg_match('~(\d*)(\w)~', $sub_data['real_length'], $match);
125			$unit = $match[1];
126			$period = $match[2];
127
128			$return_data['hidden']['p3'] = $unit;
129			$return_data['hidden']['t3'] = $period;
130			}
131
132			// If it's repeatable do some javascript to respect this idea.
133			if (!empty($sub_data['repeatable']))
134			$return_data['javascript'] = '
135			document.write(\'<label for="do_paypal_recur"><input type="checkbox" name="do_paypal_recur" id="do_paypal_recur" checked onclick="switchPaypalRecur();">' . $txt['paid_make_recurring'] . '</label><br>\');
136
137			function switchPaypalRecur()
138			{
139			document.getElementById("paypal_cmd").value = document.getElementById("do_paypal_recur").checked ? "_xclick-subscriptions" : "_xclick";
140			}';
141
142			return $return_data;
143			}
144			}
145
146			/**
147			* Class of functions to validate a IPN response and provide details of the payment
148			*/
149			class paypal_payment
150			{
151			private $return_data;
152
153			/**
154			* This function returns true/false for whether this gateway thinks the data is intended for it.
155			*
156			* @return boolean Whether this gateway things the data is valid
157			*/
158			public function isValid()
159			{
160			global $modSettings;
161
162			// Has the user set up an email address?
163			if ((empty($modSettings['paidsubs_test']) && empty($modSettings['paypal_email'])) \|\| (!empty($modSettings['paidsubs_test']) && empty($modSettings['paypal_sandbox_email'])))
164			return false;
165			// Check the correct transaction types are even here.
166			if ((!isset($_POST['txn_type']) && !isset($_POST['payment_status'])) \|\| (!isset($_POST['business']) && !isset($_POST['receiver_email'])))
167			return false;
168			// Correct email address?
169			if (!isset($_POST['business']))
170			$_POST['business'] = $_POST['receiver_email'];
171
172			// Are we testing?
173			if (!empty($modSettings['paidsubs_test']) && strtolower($modSettings['paypal_sandbox_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) \|\| !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails'])))))
174			return false;
175			elseif (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) \|\| !in_array(strtolower($_POST['business']), explode(',', $modSettings['paypal_additional_emails']))))
176			return false;
177			return true;
178			}
179
180			/**
181			* Post the IPN data received back to paypal for validation
182			* Sends the complete unaltered message back to PayPal. The message must contain the same fields
183			* in the same order and be encoded in the same way as the original message
184			* PayPal will respond back with a single word, which is either VERIFIED if the message originated with PayPal or INVALID
185			*
186			* If valid returns the subscription and member IDs we are going to process if it passes
187			*
188			* @return string A string containing the subscription ID and member ID, separated by a +
189			*/
190			public function precheck()
191			{
192			global $modSettings, $txt;
193
194			// Put this to some default value.
195			if (!isset($_POST['txn_type']))
196			$_POST['txn_type'] = '';
197
198			// Build the request string - starting with the minimum requirement.
199			$requestString = 'cmd=_notify-validate';
200
201			// Now my dear, add all the posted bits in the order we got them
202			foreach ($_POST as $k => $v)
203			$requestString .= '&' . $k . '=' . urlencode($v);
204
205			// Can we use curl?
206			if (function_exists('curl_init') && $curl = curl_init((!empty($modSettings['paidsubs_test']) ? 'https://www.sandbox.' : 'https://www.') . 'paypal.com/cgi-bin/webscr'))
207			{
208			// Set the post data.
209			curl_setopt($curl, CURLOPT_POST, true);
210			curl_setopt($curl, CURLOPT_POSTFIELDSIZE, 0);
			0 ignored issues – show Bug introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this The constant `CURLOPT_POSTFIELDSIZE` was not found. Maybe you did not declare it correctly or list all dependencies? Loading history...
211			curl_setopt($curl, CURLOPT_POSTFIELDS, $requestString);
212
213			// Set up the headers so paypal will accept the post
214			curl_setopt($curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
215			curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
216			curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
217			curl_setopt($curl, CURLOPT_FORBID_REUSE, 1);
218			curl_setopt($curl, CURLOPT_HTTPHEADER, array(
219			'Host: www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com',
220			'Connection: close'
221			));
222
223			// Fetch the data returned as a string.
224			curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
225
226			// Fetch the data.
227			$this->return_data = curl_exec($curl);
228
229			// Close the session.
230			curl_close($curl);
231			}
232			// Otherwise good old HTTP.
233			else
234			{
235			// Setup the headers.
236			$header = 'POST /cgi-bin/webscr HTTP/1.1' . "\r\n";
237			$header .= 'content-type: application/x-www-form-urlencoded' . "\r\n";
238			$header .= 'Host: www.' . (!empty($modSettings['paidsubs_test']) ? 'sandbox.' : '') . 'paypal.com' . "\r\n";
239			$header .= 'content-length: ' . strlen($requestString) . "\r\n";
240			$header .= 'connection: close' . "\r\n\r\n";
241
242			// Open the connection.
243			if (!empty($modSettings['paidsubs_test']))
244			$fp = fsockopen('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);
245			else
246			$fp = fsockopen('www.paypal.com', 80, $errno, $errstr, 30);
247
248			// Did it work?
249			if (!$fp)
250			generateSubscriptionError($txt['paypal_could_not_connect']);
251
252			// Put the data to the port.
253			fputs($fp, $header . $requestString);
254
255			// Get the data back...
256			while (!feof($fp))
257			{
258			$this->return_data = fgets($fp, 1024);
259			if (strcmp(trim($this->return_data), 'VERIFIED') === 0)
260			break;
261			}
262
263			// Clean up.
264			fclose($fp);
265			}
266
267			// If this isn't verified then give up...
268			if (strcmp(trim($this->return_data), 'VERIFIED') !== 0)
269			exit;
			0 ignored issues – show Best Practice introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
270
271			// Check that this is intended for us.
272			if (strtolower($modSettings['paypal_email']) != strtolower($_POST['business']) && (empty($modSettings['paypal_additional_emails']) \|\| !in_array(strtolower($_POST['business']), explode(',', strtolower($modSettings['paypal_additional_emails'])))))
273			exit;
			0 ignored issues – show Best Practice introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
274
275			// Is this a subscription - and if so is it a secondary payment that we need to process?
276			// If so, make sure we get it in the expected format. Seems PayPal sometimes sends it without urlencoding.
277			if (!empty($_POST['item_number']) && strpos($_POST['item_number'], ' ') !== false)
278			$_POST['item_number'] = str_replace(' ', '+', $_POST['item_number']);
279			if ($this->isSubscription() && (empty($_POST['item_number']) \|\| strpos($_POST['item_number'], '+') === false))
280			// Calculate the subscription it relates to!
281			$this->_findSubscription();
282
283			// Verify the currency!
284			if (strtolower($_POST['mc_currency']) !== strtolower($modSettings['paid_currency_code']))
285			exit;
			0 ignored issues – show Best Practice introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
286
287			// Can't exist if it doesn't contain anything.
288			if (empty($_POST['item_number']))
289			exit;
			0 ignored issues – show Best Practice introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
290
291			// Return the id_sub and id_member
292			return explode('+', $_POST['item_number']);
293			}
294
295			/**
296			* Is this a refund?
297			*
298			* @return boolean Whether this is a refund
299			*/
300			public function isRefund()
301			{
302			if ($_POST['payment_status'] === 'Refunded' \|\| $_POST['payment_status'] === 'Reversed' \|\| $_POST['txn_type'] === 'Refunded' \|\| ($_POST['txn_type'] === 'reversal' && $_POST['payment_status'] === 'Completed'))
303			return true;
304			else
305			return false;
306			}
307
308			/**
309			* Is this a subscription?
310			*
311			* @return boolean Whether this is a subscription
312			*/
313			public function isSubscription()
314			{
315			if (substr($_POST['txn_type'], 0, 14) === 'subscr_payment' && $_POST['payment_status'] === 'Completed')
316			return true;
317			else
318			return false;
319			}
320
321			/**
322			* Is this a normal payment?
323			*
324			* @return boolean Whether this is a normal payment
325			*/
326			public function isPayment()
327			{
328			if ($_POST['payment_status'] === 'Completed' && $_POST['txn_type'] === 'web_accept')
329			return true;
330			else
331			return false;
332			}
333
334			/**
335			* Is this a cancellation?
336			*
337			* @return boolean Whether this is a cancellation
338			*/
339			public function isCancellation()
340			{
341			// subscr_cancel is sent when the user cancels, subscr_eot is sent when the subscription reaches final payment
342			// Neither require us to do anything as per performCancel().
343			// subscr_eot, if sent, indicates an end of payments term.
344			if (substr($_POST['txn_type'], 0, 13) === 'subscr_cancel' \|\| substr($_POST['txn_type'], 0, 10) === 'subscr_eot')
345			return true;
346			else
347			return false;
348			}
349
350			/**
351			* Things to do in the event of a cancellation
352			*
353			* @param string $subscription_id
354			* @param int $member_id
355			* @param array $subscription_info
356			*/
357			public function performCancel($subscription_id, $member_id, $subscription_info)
358			{
359			// PayPal doesn't require SMF to notify it every time the subscription is up for renewal.
360			// A cancellation should not cause the user to be immediately dropped from their subscription, but
361			// let it expire normally. Some systems require taking action in the database to deal with this, but
362			// PayPal does not, so we actually just do nothing. But this is a nice prototype/example just in case.
363			}
364
365			/**
366			* How much was paid?
367			*
368			* @return float The amount paid
369			*/
370			public function getCost()
371			{
372			return (isset($_POST['tax']) ? $_POST['tax'] : 0) + $_POST['mc_gross'];
373			}
374
375			/**
376			* Record the transaction reference to finish up.
377			*
378			*/
379			public function close()
380			{
381			global $smcFunc, $subscription_id;
382
383			// If it's a subscription record the reference.
384			if ($_POST['txn_type'] == 'subscr_payment' && !empty($_POST['subscr_id']))
385			{
386			$smcFunc['db_query']('', '
387			UPDATE {db_prefix}log_subscribed
388			SET vendor_ref = {string:vendor_ref}
389			WHERE id_sublog = {int:current_subscription}',
390			array(
391			'current_subscription' => $subscription_id,
392			'vendor_ref' => $_POST['subscr_id'],
393			)
394			);
395			}
396			}
397
398			/**
399			* A private function to find out the subscription details.
400			*
401			* @access private
402			* @return boolean\|void False on failure, otherwise just sets $_POST['item_number']
403			*/
404			private function _findSubscription()
405			{
406			global $smcFunc;
407
408			// Assume we have this?
409			if (empty($_POST['subscr_id']))
410			return false;
411
412			// Do we have this in the database?
413			$request = $smcFunc['db_query']('', '
414			SELECT id_member, id_subscribe
415			FROM {db_prefix}log_subscribed
416			WHERE vendor_ref = {string:vendor_ref}
417			LIMIT 1',
418			array(
419			'vendor_ref' => $_POST['subscr_id'],
420			)
421			);
422			// No joy?
423			if ($smcFunc['db_num_rows']($request) == 0)
424			{
425			// Can we identify them by email?
426			if (!empty($_POST['payer_email']))
427			{
428			$smcFunc['db_free_result']($request);
429			$request = $smcFunc['db_query']('', '
430			SELECT ls.id_member, ls.id_subscribe
431			FROM {db_prefix}log_subscribed AS ls
432			INNER JOIN {db_prefix}members AS mem ON (mem.id_member = ls.id_member)
433			WHERE mem.email_address = {string:payer_email}
434			LIMIT 1',
435			array(
436			'payer_email' => $_POST['payer_email'],
437			)
438			);
439			if ($smcFunc['db_num_rows']($request) === 0)
440			return false;
441			}
442			else
443			return false;
444			}
445			list ($member_id, $subscription_id) = $smcFunc['db_fetch_row']($request);
446			$_POST['item_number'] = $member_id . '+' . $subscription_id;
447			$smcFunc['db_free_result']($request);
448			}
449			}
450
451			?>

Yoshi2889 / SMF2.1

Push — release-2.1 ( e0848c...8d1977 )

Sources/Subscriptions-PayPal.php (5 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like