Hello community!

I have an eCommerce site that uses PayPal Advanced, meaning that a PayPal iFrame is embedded in our website. To get the iFrame to load, my code passes several fields to PayPal, then PayPal returns an appropriate result to enable to iFrame to be rendered.

PayPal was doing maintenance on Saturday, Oct. 10, 2015. Beginning quite early on this day, in lieu of the iFrame, customers were getting "User Authentication Failed" errors because the result was 1.

In talking with about 5 PayPal employees, I was told that the credentials I was passing were fine and the account was live, so everything should be working. I asked if this was a security issue and if some syntax/settings had changed during the scheduled maintenance (to all checkout systems), but the employees that helped me said no.

I made a new admin account to use for credentials, made it active, and used it instead in the code (guessing the old one perhaps was too old, as I had not updated my code since 2014). Neither use special characters; they are both alphanumeric only.

Any ideas as to different things to check or turn off/on? Anyone see flaws in my code?

<?php
class PayPalFlowProHelper
{
private static function getPayPalCheckoutURLs($url = 'checkout/')
{
$checkoutURL = "https://" . $_SERVER['HTTP_HOST'] . "/".$url;
return $checkoutURL;
}

public static function renderPayPalFlowCheckoutIFrame($totalAmount = 0)
{

$_SESSION['SECURETOKENID'] = uniqid('MySecTokenID-');
$paypalConfiguration = array(
"PARTNER" => "PayPal",
"VENDOR" => "xxxx",
"USER" => "xxxx",
"PWD" => "xxxx",
"TRXTYPE" => "S",
"AMT" => $totalAmount,
"CURRENCY" => "USD",
"CREATESECURETOKEN" => "Y",
"SECURETOKENID" => $_SESSION['SECURETOKENID'], //Should be unique, never used before
"RETURNURL" => self::getPayPalCheckoutURLs("paypal-checkout-return/"),
"CANCELURL" => self::getPayPalCheckoutURLs("paypal-canceled-checkout/"),
"ERRORURL" => self::getPayPalCheckoutURLs("paypal-error-checkout/"),
"BILLTOFIRSTNAME" => $_POST['first_name'],
"BILLTOLASTNAME" => $_POST['last_name'],
"BILLTOSTREET" => $_POST['address1'],
"BILLTOCITY" => $_POST['city'],
"BILLTOSTATE" => $_POST['state'],
"BILLTOZIP" => $_POST['zip'],
"BILLTOCOUNTRY" => $_POST['country'],

"SHIPTOFIRSTNAME" => $_POST['first_name'],
"SHIPTOLASTNAME" => $_POST['last_name'],
"SHIPTOSTREET" => $_POST['address1'],
"SHIPTOCITY" => $_POST['city'],
"SHIPTOSTATE" => $_POST['state'],
"SHIPTOZIP" => $_POST['zip'],
"SHIPTOCOUNTRY" => $_POST['country'],
);

$paypalResponse = self::runPayFlowCall($paypalConfiguration);

if ($paypalResponse == FALSE || $paypalResponse['RESULT'] != 0) {
return false;
}
$secureToken = $paypalResponse['SECURETOKEN'];
$secureTokenID = $paypalResponse['SECURETOKENID'];
self::displayPayFlowIFrame($secureToken,$secureTokenID);
}

private static function displayPayFlowIFrame($secureToken,$secureTokenID){
global $environment;
$mode = 'LIVE';
if ($environment == "sandbox" || $environment == "pilot") {
$mode = 'TEST';
};
echo '<div style="margin: 0 auto 10px;width:492px; height:auto;background:#ffffff">';
// wrap iframe in a dashed wireframe for demo purposes
echo " <input type='hidden' name='siddu' value='" . self::getPayPalCheckoutURLs("advanced.php") . "'> ";
echo " <iframe src='https://payflowlink.paypal.com?SECURETOKEN=$secureToken&SECURETOKENID=$secureTokenID&MODE=$mode' width='490' height='565' border='0' frameborder='0' scrolling='no' allowtransparency='false'>\n</iframe>";
}
private static function parsePayFlowString($str)
{
$workstr = $str;
$out = array();

while (strlen($workstr) > 0) {
$loc = strpos($workstr, '=');
if ($loc === FALSE) {
// Truncate the rest of the string, it's not valid
$workstr = "";
continue;
}

$substr = substr($workstr, 0, $loc);
$workstr = substr($workstr, $loc + 1); // "+1" because we need to get rid of the "="

if (preg_match('/^(\w+)\[(\d+)]$/', $substr, $matches)) {
// This one has a length tag with it. Read the number of characters
// specified by $matches[2].
$count = intval($matches[2]);

$out[$matches[1]] = substr($workstr, 0, $count);
$workstr = substr($workstr, $count + 1); // "+1" because we need to get rid of the "&"
} else {
// Read up to the next "&"
$count = strpos($workstr, '&');
if ($count === FALSE) { // No more "&"'s, read up to the end of the string
$out[$substr] = $workstr;
$workstr = "";
} else {
$out[$substr] = substr($workstr, 0, $count);
$workstr = substr($workstr, $count + 1); // "+1" because we need to get rid of the "&"
}
}
}

return $out;
}
// run_payflow_call: Runs a Payflow API call. $params is an associative array of
// Payflow API parameters. Returns FALSE on failure, or an associative array of response
// parameters on success.
private static function runPayFlowCall($params)
{
global $environment;

$paramList = array();
foreach ($params as $index => $value) {
$paramList[] = $index . "[" . strlen($value) . "]=" . $value;
}

$apiStr = implode("&", $paramList);

// Which endpoint will we be using?
if ($environment == "pilot" || $environment == "sandbox")
$endpoint = "https://pilot-payflowpro.paypal.com/";
else $endpoint = "https://payflowpro.paypal.com";

// Initialize our cURL handle.
$curl = curl_init($endpoint);

curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);

// If you get connection errors, it may be necessary to uncomment
// the following two lines:
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);

curl_setopt($curl, CURLOPT_POST, TRUE);
curl_setopt($curl, CURLOPT_POSTFIELDS, $apiStr);

$result = curl_exec($curl);
if ($result === FALSE) {
echo curl_error($curl);
return FALSE;
} else return self::parsePayFlowString($result);
}
}