Php querry is stoping form post data from sending, and redirection problem

please ignore that i am still using the old mysql query, as i am working on the updated version.
my question is when i submit a payment processing form all the data is posted except the ones after a query to get the customer’s name are not posted, the form is below

<?php require_once("include/session.php");?>
<?php require_once("include/dataconnect.php");?>
<?php require_once("include/functions.php");?>
<!--php print_r($_POST);
die(); -->
<?php $orderno = mysql_real_escape_string(htmlentities(strip_tags($_POST['orderno'])));
$paynow = mysql_real_escape_string(htmlentities(strip_tags($_POST['paynow'])));


<body onload="document.submit2gtpay_form.submit()">

<form name="submit2gtpay_form" action="" target="_self" method="post">

<input type="hidden" name="gtpay_mert_id" value="" />

<input type="hidden" name="gtpay_tranx_id" value="<?php echo $orderno; ?>" />

<input type="hidden" name="gtpay_tranx_amt" value="<?php
$addprodresult = mysql_query("SELECT * FROM outstanding WHERE Uname = '{$_SESSION['username']}'") or die(mysql_error());
$row = mysql_fetch_array($addprodresult);
 echo $row{paynow}; ?>" />

<input type="hidden" name="gtpay_tranx_curr" value="566" />

<input type="hidden" name="gtpay_cust_id" value="<?php echo $_SESSION['username']; ?>" />

<input type="hidden" name="gtpay_cust_name" value="<?php  
$fullname = mysql_query("SELECT * FROM reuser WHERE Uname = '{$_SESSION['username']}'") or die(mysql_error());
$row = mysql_fetch_array($fullname);
 echo $row{fullname};
?>" />

<input type="hidden" name="gtpay_tranx_memo" value="" />

<input type="hidden" name="gtpay_no_show_gtbank" value="yes" />

<input type="hidden" name="gtpay_echo_data" value="ORDER PAYMENT" />

<input type="hidden" name="gtpay_gway_name" value="" />

<input type="hidden" name="gtpay_tranx_noti_url" value="" />

<input type="submit" value="Pay Via GTPay" name="btnSubmit"/>

<input type="hidden" name="gtpay_echo_data" value="">




also when the query for the customer name is removed it post all the parameters(which indicates thats where the problem is),

  1. when the customers name is not requested as in<input type=“hidden” name=“gtpay_cust_name” value=“” /> , the notification page url which is
    <input type=“hidden” name=“gtpay_tranx_noti_url” value=“” />
    i would have expected to redirect to was redirecting to, and i reachea2 is just my hostname.
    please any idea why the query is breaking the form and the redirection is pointing to the url.

So, you open the page above and it populates the form to be submitted on click. If you right-click and “view source” (or however you do that in your browser), what value has it put in for the customer name in the form? In fact, can you display the form and post the source as your browser shows it, before you click ‘submit’?

thanks droopsnoot,

before you click submit the page source is

<form action='gbawo.php' method='Post' class='shlistbar'>
    <input type="text" name="orderno" value="90761933" />
    <table border='1'>
    <th>SHOP NAME</th>
    <th>PRODUCT NAME</th>
    <th>PRODUCT SIZE</th>
    <th>PRODUCT COLOUR</th>
    <td>18 and East Lidia CrissCross Shirt </td>
    <td> </td>
    <input type='text' name='item[0][Pquantity]' id='Pquantity' value='1' readonly />
    <input type='hidden' name='item[0][Pidno]' id='Pidno' value='3550958 ' />
    <input type='text' name='item[0][Price]' id='Pquantity' value='35.00' readonly>
    <td><a href='deleteproduct.php?del=3550958 '>delete</a></td>
    </tr>         <tr>
                <th>Total Price</th>
    <!--Close table and form-->
    <P>The Total price includes the procurement charge exclusive of transportation cost</p>

    <th>PART PAYMENT </th>
    <th>CREDIT </th>
    <th>TO BALANCE</th>
    <th>TO PAY NOW</th>

    <input type='submit' name='submit2' value='SUBMIT' />

and this is after submiting the page it uploads(page source)

<div id="info_area">
                    <div class="content shift25">
                        <div class="shift20">
                            <div class="shift5">You're making a payment to</div>
                            <!-- MERCHANT INFO HERE -->
                            <div class="caption shift5">
    <span id="lblMertName">M COMPANY LTD.</span></div>
                            <div class="green_dot"><img src="assets/img/status_green.png" width="12" height="12" /></div>
                            <div class="float_left comment shy"> <span id="lblsite">DisplayResponse.aspx</span></div>
                            <div class="clear"></div>
                        <div class="shift20">
                            <!-- CUSTOMER INFO/PAYMENT DETAILS HERE (IF AVAILABLE) -->
                            <div class="shy"><span id="lblCustName"></span></div>
                            <div class="shy"><span id="lblCustID">reacheasy</span></div>
                        <!-- AMOUNT HERE -->
                        <div id="orange_ribbon" class="shift20"><span id="lblAmt">&#8358;97.38</span></div>
                        <div class="small shift10">
                            <span class="bold">Transaction ID:  

Sorry, that’s not the code I was hoping to see. I think it’s because the first page you posted has a ‘body onload’ instruction to force it to create the initial form (with all the hidden vars) then submit it straight away, that I didn’t notice. What I wanted to see was that form before it was submitted, because that’s the one that is having trouble.

Could you remove the "onload=“document.submit2gtpay_form.submit()” from the end of the body statement, display the form and then post the page source for that? That’s the form that’s causing trouble after the customer name query.

thanks droopsnoot for pointing me to that page source, i was able to see error from it, and i sorted it.
the second question i asked, which is the notification the page is to redirect, the page returns blank, i tried printing the post variable nothing is coming up, the page source is also blank, any idea to trouble shoot

thisi is code i am using to see all the post data that is to be redirected to the page
//echo $_SESSION[‘username’];
php print_r($_POST);

Have you used session_start() somewhere (presumably you’re using it in the file session.php) before trying to access the $_SESSION array?

yes i have but, what i dont know is since the the customer has left my site due to the processing and then been redirected, if the session will still hold or the session is broken

Add this at the start of the script, right after the initial <?php

ini_set('display_errors', 1);

Then try the script again. Are any errors reported, if so please post the text of the errors

no error is coming up

When you do:


What comes up?

it comes back with

array(1) { [“username”]=> string(9) “reacheasy” } which is the username

i tried it by going directly to the weblink, and through the payment process

//echo $_SESSION['username']; 
php print_r($_POST);

One thing I noticed in the original post’s code is you are using curly brackets when referencing the array.

[Edit] - Scratch that, that does seem to be acceptable syntax. I haven’t seen that before, but I don’t think that’s an issue

Try the select queries in turn directly against the database (via phpMyAdmin), with the value for {$_SESSION[‘username’]} substituted for what it’s meant to be just to make sure that it does return one or more rows in the result set.

One suggestion to help keep things organized and help debug these kinds of issues is to keep code that builds variables separate from where you use it.

$query = mysql_query("SELECT * FROM reuser WHERE Uname = '{$_SESSION['username']}'") or die(mysql_error());
$row = mysql_fetch_array($query);
    $fullname = $row{fullname};

<input type="hidden" name="gtpay_cust_name" value="<?php  echo $fullname; ?>" />

Also, you might want to get rid of “or die(mysql_error()”. I don’t remember why, but I do remember that I used to use that and it would cause issues, even when the query was successful.

In all honesty, I’d switch to PDO, then you can try/catch and handle errors more properly.

To add to what @SpacePhoenix ; suggested, which was a good suggestion, when I get really stuck with a complex query I’ll use a mysql client and run the queries directly, with hard values you know exist. You might get more helpful error messages, and if you don’t then you know there’s an issue with syntax or variable values.

I prefer to use phpmyadmin as I have it installed locally and on my server.

I’m sorry, I don’t mean to go over your head or get too advanced for you, but I see something that I’d like to point out which might be helpful to you in the future. The “right” way that eventually you’ll have to learn. I’d feel irresponsible and feel like I’m not doing my best to help out if I didn’t mention it though :slight_smile:

In production code you never want to store user specific data in a session or cookie, that leaves your site open to exploits like session highjacking.

You might want to have an identifier unique to the user (I use a random hashed value) stored in the session and in the user’s entry in the database. You can then query to see if the value in the session matches the value in the user’s database entry. If the values match you can then check if the password is correct. If that does not fail then you can create a user object (or array if you’d like) that will store the user specific information, like $user->userName, $user->userId, $user->userEmail and what not.

Like I said, I don’t mean to go over your head if you’re just learning, but my moto is “try to learn the right way the first way”. If not, you will find yourself in the position where you have to relearn everything later on.

If you have any questions about what I’ve said, please let me know. If so, I do think that’s a subject for another thread :-p

hello jburns i am just going thru my thread and i saw your comment please could you advice me more on the cookie and session you mentioned.


Have you considered using PHP + CURL to post the data to the payment server?

** UNTESTED and is theoretical **

function sanitize($postdata){
	// in here you put what you want to sanitize your $_POST data
	$postdata = stripslashes($postdata);
	// ... more cleaning ...
	return $postdata; // return cleaned input

// in to the empty array we insert the sanitized data
$fields = array(
					"lname"		=> "",
					"fname"		=> "",
					"title"		=> "",
					"company"	=> "",
					"age" 		=> "",
					"email"		=> "",
					"phone"		=> ""
// do some laundry...
foreach($fields as $accepted_input=>$value)
	if( isset($_POST[$accepted_input]) ){
		$fields[$accepted_input] = urlencode(sanitize($_POST[$accepted_input]));

// build a query string
$url = "";

//open connection
$ch = curl_init();

//set the url, number of POST vars, POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, count($fields));
curl_setopt($ch,CURLOPT_POSTFIELDS, http_build_query($fields));

//execute post
$result = curl_exec($ch);

//close connection

You can expand on this idea.

It is always best to treat any POST data as suspect and clean the inputs and I always use a whitelist approach to my scripts, accept inputs I designate, not what is in the POST stream. :wink:

I’ve started a new thread to discuss user authentication and secure sessions: