Welcome to WebmasterWorld Guest from

Forum Moderators: coopster & jatar k

Message Too Old, No Replies

PHP Form, XML response

9:02 pm on Sep 18, 2012 (gmt 0)

New User

5+ Year Member

joined:Sept 18, 2012
posts: 1
votes: 0

Hi there. I'm trying to integrate with a payment gateway API, and as I'm fairly new to PHP, I'm having some trouble to proceed.

Basically, I have a form that goes to a specific URL (submitting URL). From the documentation: "Request information is submitted to payment platform with HttpsClient , and submitting mode is POST."

There is the customer-registration.php file, which requires the functions.php file that contains the information to md5-encrypt a string composed of several variables from the form. There is also a notify-url.php file which is the redirection page after registering a user.

Some variables are passed to the submitting URL on the payment server, but the XML response I get from there displays empty nodes for 3 variables that I should read back in order to complete the process (dateRegister, registerId and activationURL)

XML Response from the payment server:

<response><operation>90</operation><resultCode>0</resultCode><merNo>10157</merNo><email>me@gmail.com</email><cardNumber>4111111111111111</cardNumber><dateRegister/><registerId/><activationURL/><remark>Invalid MD5Info</remark><md5Info>FC0BB07DA01C551296054FBF167824B1</md5Info></response>

The customer-registration.php file looks like this:

<title>Customer Registration</title>


$dateRequest="20120918073500";//AUTOMATE THIS!

$address="123 North Ave.";

$md5Key="44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0"; //MD5 key
$crrurl="https://paymentdomain.com/xcp/register.jsp"; //Request submitting URL



<form method="post" action="<?php echo $crrurl; ?>">

<input type=hidden name="merNo" value="<?php echo $merNo; ?>">
<input type=hidden name="dateRequest" value="<?php echo $dateRequest; ?>">
<input type=hidden name="language" value="<?php echo $language; ?>">
<input type=hidden name="notifyURL" value="<?php echo $notifyURL; ?>">
<input type=hidden name="md5Info" value="<?php echo $md5Info; ?>">

<input type=hidden name="email" value="<?php echo $email; ?>">
<input type=hidden name="cardNumber" value="<?php echo $cardNumber; ?>">
<input type=hidden name="firstName" value="<?php echo $firstName; ?>">
<input type=hidden name="lastName" value="<?php echo $lastName; ?>">
<input type=hidden name="phone" value="<?php echo $phone; ?>">
<input type=hidden name="zipCode" value="<?php echo $zipCode; ?>">
<input type=hidden name="address" value="<?php echo $address; ?>">
<input type=hidden name="city" value="<?php echo $city; ?>">
<input type=hidden name="state" value="<?php echo $state; ?>">
<input type=hidden name="country" value="<?php echo $country; ?>">

<INPUT TYPE="submit" value="submit">



Right now, I'm passing the pre-declared variables as hidden text inputs (later I'll change that so it's an actual user input form)

The functions.php file looks like this:

$merNo = $_POST["merNo"];
$email = $_POST["email"];
$cardNumber = $_POST["cardNumber"];
$dateRequest = $_POST["dateRequest"];
$md5Key="44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0"; //MD5 key

function MD5Encrypt($merNo,$email,$cardNumber,$dateRequest,$md5Key)
$str = "$merNo|$email|$cardNumber|$dateRequest|$md5Key";
$encryptedMD5 = md5($str);
return $encryptedMD5;

$completeurl = "https://paymentdomain.com/xcp/register.jsp";
$xml = simplexml_load_file($completeurl);

$operation = $xml->operation;
$resultCode = $xml->resultCode;
$merNo = $xml->merNo;
$email = $xml->email;
$cardNumber = $xml->cardNumber;
$dateRegister = $xml->dateRegister;
$registerId = $xml->registerId;
$activationURL = $xml->activationURL;
$remark = $xml->remark;
$md5Info = $xml->md5Info;

function verifyMD5($resultCode,$merNo,$email,$cardNumber,$registerId,$dateRegister,$activationURL,$md5Key, $md5Info)
$str = "$resultCode|$merNo|$email|$cardNumber|$registerId|$dateRegister|$activationURL|$md5Key";
$encryptedMD5 = md5($str);
//echo $str."<BR>";
//echo "Generated CheckSum: ".$encryptedMD5."<BR>";
//echo "Received Checksum: ".$md5Info."<BR>";
if($encryptedMD5 == $md5Info)
return "true" ;
return "false" ;

I'm not sure if I'm retrieving the XML response correctly. As per the API docs: "Response information is returned to client’s platform as XML."

And lastly, the notify-url.php file looks like this:

<title>Notify URL</title>


$md5Key = "44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0" ; //put in the 32 bit alphanumeric key in the quotes provided here

$retval = verifyMD5 ($resultCode,$merNo,$email,$cardNumber,$registerId,$dateRegister,$activationURL,$md5Key);

if($retval == "true" && $resultCode == "1")
echo "Thank you for shopping with us. Your credit card has been charged and your transaction is successful. We will be shipping your order to you soon.";

//Here you need to put in the routines for a successful
//transaction such as sending an email to customer,
//setting database status, informing logistics etc etc

else if($retval == "true" && $resultCode == "0")
echo "Thank you for shopping with us. However it seems your credit card transaction failed.";

//Here you need to put in the routines for a failed
//transaction such as sending an email to customer
//setting database status etc etc

else if($retval == "true" && $resultCode == "2")
echo "Account was registered before, only Card Information has been added";

//Here you need to put in, the routines for a HIGH RISK
//transaction such as sending an email to customer and explaining him a procedure,
//setting database status etc etc

echo "Security Error. Illegal access detected";

//Here you need to simply ignore this and dont need
//to perform any operation in this condition


So, basically I would like to see if the logic is right at this point and then figure out why does the response from the payment server is not complete. As stated there: "Invalid MD5Info"

Thank you very much for any assistance, it would be greatly appreciated!
1:21 pm on Oct 18, 2012 (gmt 0)

New User

5+ Year Member

joined:Oct 17, 2012
votes: 0

MD5 info connected to hash-function > one sided information coding method.
8:07 pm on Oct 18, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
votes: 0

md5 "encrypted". That's a new one.
md5 is a one-way hash function, a quite broken one as well.

Essentially it is a checksum:

You send some values and you calculate the hash of it concatenated with a salt (the "md5key").

The other side knows the values, the salt and can calculate the hash themselves to see if the one you provided is the same as they calculated.
Now there are tricky bits in there:
- e.g. the DATE: they can -to protect against replays not use the date you supply, but the date they know it is
- e.g. using a different order or different salt than they expect is enough to give different results in the hash and them not accepting it at all.

The response you seem to get tells you the hash was rejected.

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

Featured Threads

Free SEO Tools

Hire Expert Members