1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 12:22 am Apr 28, 2026

Forum Moderators: coopster

Message Too Old, No Replies

PHP Form, XML response

         

marianocr

9:02 pm on Sep 18, 2012 (gmt 0)

10+ Year Member



Hi there. I'm trying to integrate with a payment gateway API, and as I'm fairly new to PHP, I'm having some trouble to proceed.

Basically, I have a form that goes to a specific URL (submitting URL). From the documentation: "Request information is submitted to payment platform with HttpsClient , and submitting mode is POST."

There is the customer-registration.php file, which requires the functions.php file that contains the information to md5-encrypt a string composed of several variables from the form. There is also a notify-url.php file which is the redirection page after registering a user.

Some variables are passed to the submitting URL on the payment server, but the XML response I get from there displays empty nodes for 3 variables that I should read back in order to complete the process (dateRegister, registerId and activationURL)

XML Response from the payment server: 

<response><operation>90</operation><resultCode>0</resultCode><merNo>10157</merNo><email>me@gmail.com</email><cardNumber>4111111111111111</cardNumber><dateRegister/><registerId/><activationURL/><remark>Invalid MD5Info</remark><md5Info>FC0BB07DA01C551296054FBF167824B1</md5Info></response>


The customer-registration.php file looks like this: 


<html>
<head>
<title>Customer Registration</title>

<?
require("functions.php");

//START SET VARIABLES
$merNo="10157";
$dateRequest="20120918073500";//AUTOMATE THIS!
$language="ENG";
$notifyURL="http://www.mydomain.com/notify-url.php";
//END SET VARIABLES

//START FORM FORCED VARIABLES
$email="me@gmail.com";
$cardNumber="4111111111111111";
$firstName="John";
$lastName="Smith";
$phone="9535658659";
$zipCode="98656";
$address="123 North Ave.";
$city="Geekytown";
$state="AZ";
$country="US";
//END FORM FORCED VARIABLES

$md5Key="44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0"; //MD5 key
$md5Info=MD5Encrypt($merNo,$email,$cardNumber,$dateRequest,$md5Key);
$crrurl="https://paymentdomain.com/xcp/register.jsp"; //Request submitting URL
?>

</head>

<body>

<form method="post" action="<?php echo $crrurl; ?>">

<input type=hidden name="merNo" value="<?php echo $merNo; ?>">
<input type=hidden name="dateRequest" value="<?php echo $dateRequest; ?>">
<input type=hidden name="language" value="<?php echo $language; ?>">
<input type=hidden name="notifyURL" value="<?php echo $notifyURL; ?>">
<input type=hidden name="md5Info" value="<?php echo $md5Info; ?>">

<!--START HIDDEN FORCED VARIABLES-->
<input type=hidden name="email" value="<?php echo $email; ?>">
<input type=hidden name="cardNumber" value="<?php echo $cardNumber; ?>">
<input type=hidden name="firstName" value="<?php echo $firstName; ?>">
<input type=hidden name="lastName" value="<?php echo $lastName; ?>">
<input type=hidden name="phone" value="<?php echo $phone; ?>">
<input type=hidden name="zipCode" value="<?php echo $zipCode; ?>">
<input type=hidden name="address" value="<?php echo $address; ?>">
<input type=hidden name="city" value="<?php echo $city; ?>">
<input type=hidden name="state" value="<?php echo $state; ?>">
<input type=hidden name="country" value="<?php echo $country; ?>">
<!--END HIDDEN FORCED VARIABLES-->

<INPUT TYPE="submit" value="submit">

</form>

</body>
</html>


Right now, I'm passing the pre-declared variables as hidden text inputs (later I'll change that so it's an actual user input form)

The functions.php file looks like this: 

<?php
$merNo = $_POST["merNo"];
$email = $_POST["email"];
$cardNumber = $_POST["cardNumber"];
$dateRequest = $_POST["dateRequest"];
$md5Key="44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0"; //MD5 key

function MD5Encrypt($merNo,$email,$cardNumber,$dateRequest,$md5Key)
{
$str = "$merNo|$email|$cardNumber|$dateRequest|$md5Key";
$encryptedMD5 = md5($str);
return $encryptedMD5;
}

$completeurl = "https://paymentdomain.com/xcp/register.jsp";
$xml = simplexml_load_file($completeurl);

$operation = $xml->operation;
$resultCode = $xml->resultCode;
$merNo = $xml->merNo;
$email = $xml->email;
$cardNumber = $xml->cardNumber;
$dateRegister = $xml->dateRegister;
$registerId = $xml->registerId;
$activationURL = $xml->activationURL;
$remark = $xml->remark;
$md5Info = $xml->md5Info;

function verifyMD5($resultCode,$merNo,$email,$cardNumber,$registerId,$dateRegister,$activationURL,$md5Key, $md5Info)
{
$str = "$resultCode|$merNo|$email|$cardNumber|$registerId|$dateRegister|$activationURL|$md5Key";
 $encryptedMD5 = md5($str);
//echo $str."<BR>";
//echo "Generated CheckSum: ".$encryptedMD5."<BR>";
//echo "Received Checksum: ".$md5Info."<BR>";
 if($encryptedMD5 == $md5Info)
return "true" ;
 else
return "false" ;
}
?>


I'm not sure if I'm retrieving the XML response correctly. As per the API docs: "Response information is returned to client’s platform as XML."

And lastly, the notify-url.php file looks like this: 

<html>
<head>
<title>Notify URL</title>
</head>
<body>

<?php
require("functions.php");

$md5Key = "44q9dn7WCUrLHgi8bPsdiBIlLi6WaHI0" ; //put in the 32 bit alphanumeric key in the quotes provided here

$retval = verifyMD5 ($resultCode,$merNo,$email,$cardNumber,$registerId,$dateRegister,$activationURL,$md5Key);

if($retval == "true" && $resultCode == "1")
{
echo "Thank you for shopping with us. Your credit card has been charged and your transaction is successful. We will be shipping your order to you soon.";

//Here you need to put in the routines for a successful 
//transaction such as sending an email to customer,
//setting database status, informing logistics etc etc

}
else if($retval == "true" && $resultCode == "0")
{
echo "Thank you for shopping with us. However it seems your credit card transaction failed.";

//Here you need to put in the routines for a failed
//transaction such as sending an email to customer
//setting database status etc etc

}
else if($retval == "true" && $resultCode == "2")
{
echo "Account was registered before, only Card Information has been added";

//Here you need to put in, the routines for a HIGH RISK 
//transaction such as sending an email to customer and explaining him a procedure,
//setting database status etc etc

}
else
{
echo "Security Error. Illegal access detected";

//Here you need to simply ignore this and dont need
//to perform any operation in this condition

}
?>
</body>
</html>


So, basically I would like to see if the logic is right at this point and then figure out why does the response from the payment server is not complete. As stated there: "Invalid MD5Info"

Thank you very much for any assistance, it would be greatly appreciated!

Austin80ss

1:21 pm on Oct 18, 2012 (gmt 0)

10+ Year Member



MD5 info connected to hash-function > one sided information coding method.

swa66

8:07 pm on Oct 18, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



md5 "encrypted". That's a new one.
md5 is a one-way hash function, a quite broken one as well.

Essentially it is a checksum:

You send some values and you calculate the hash of it concatenated with a salt (the "md5key").

The other side knows the values, the salt and can calculate the hash themselves to see if the one you provided is the same as they calculated.
Now there are tricky bits in there:
- e.g. the DATE: they can -to protect against replays not use the date you supply, but the date they know it is
- e.g. using a different order or different salt than they expect is enough to give different results in the hash and them not accepting it at all.

The response you seem to get tells you the hash was rejected.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 12:22 am Apr 28, 2026