shell bypass 403
<?php
//require('config.php');
require_once(APPPATH.'views/razorpay/config.php');
require_once(APPPATH.'views/razorpay/RazorPay/Razorpay.php');
use Razorpay\Api\Api;
$api = new Api($keyId, $keySecret);
// print_r($_POST);
$amount=$_POST['amount'];
$orderData = [
'receipt' => 'Gutlooks',
'amount' => $amount * 100, // 2000 rupees in paise
'currency' => 'INR',
'payment_capture' => 1 // auto capture
];
$razorpayOrder = $api->order->create($orderData);
$razorpayOrderId = $razorpayOrder['id'];
$_SESSION['razorpay_order_id'] = $razorpayOrderId;
$_SESSION['razorpay_amount'] = $amount;
$displayAmount = $amount = $orderData['amount'];
if ($displayCurrency !== 'INR')
{
$url = "https://api.fixer.io/latest?symbols=$displayCurrency&base=INR";
$exchange = json_decode(file_get_contents($url), true);
$displayAmount = $exchange['rates'][$displayCurrency] * $amount / 100;
}
// $checkout = 'automatic';
// if (isset($_GET['checkout']) and in_array($_GET['checkout'], ['automatic', 'manual'], true))
// {
// $checkout = $_GET['checkout'];
// }
$this->db->where('order_no', $_POST['txnid']);
$this->db->select('*');
$this->db->from('tb_order');
$query = $this->db->get();
$user_details = $query->result();
$data = array('pay_transaction_id'=>$razorpayOrderId);
$this->db->where('order_no', $_POST['txnid']);
$this->db->update('tb_order',$data);
//
// print_r($user_details);
$data_pay_p = [
"key" => $keyId,
"amount" => $orderData['amount'],
"name" => "Gutlooks",
"description" => "Gutlooks",
"image" => base_url('images/gutlooks.jpeg'),
"prefill" => [
"name" => $user_details[0]->full_name,
"email" => $user_details[0]->email,
"contact" => $user_details[0]->mobile,
],
"notes" => [
"address" => $user_details[0]->address,
"merchant_order_id" => "",
],
"theme" => [
"color" => "#f08a38"
],
"order_id" => $razorpayOrderId,
];
if ($displayCurrency !== 'INR')
{
$data_pay_p['display_currency'] = $displayCurrency;
$data_pay_p['display_amount'] = $displayAmount;
}
$json = json_encode($data_pay_p);
?>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<script>
$(document).ready(function(){
$('.razorpay-payment-button').trigger('submit');
});
</script>
<script>
$(document).ready(function(){
$('.razorpay-payment-button').hide();
$('#clickmepayment').hide();
});
</script>
<div class="pro-btn">
<div id="load">
<!--<button href="#" id="place_order" class="btn-round">Place order</button>-->
<form action="<?=base_url().'razorpay/payment';?>" method="POST" >
<script
src="https://checkout.razorpay.com/v1/checkout.js"
data-key="<?php echo $data_pay_p['key']?>"
data-amount="<?php echo $data_pay_p['amount']?>"
data-currency="INR"
data-name="<?php echo $data_pay_p['name']?>"
data-image="<?php echo $data_pay_p['image']?>"
data-description="<?php echo $data_pay_p['description']?>"
data-prefill.name="<?php echo $data_pay_p['prefill']['name']?>"
data-prefill.email="<?php echo $data_pay_p['prefill']['email']?>"
data-prefill.contact="<?php echo $data_pay_p['prefill']['contact']?>"
data-notes.shopping_order_id="<?php echo $_POST['txnid']?>"
data-order_id="<?php echo $data_pay_p['order_id']?>"
<?php if ($displayCurrency !== 'INR') { ?> data-display_amount="<?php echo $data_pay_p['display_amount']?>" <?php } ?>
<?php if ($displayCurrency !== 'INR') { ?> data-display_currency="<?php echo $data_pay_p['display_currency']?>" <?php } ?>
>
</script>
<!-- Any extra fields to be submitted with the form but not sent to Razorpay -->
<input type="hidden" name="shopping_order_id" value="<?php if(isset($data_pay_p['amount'])){ echo $data_pay_p['amount']; }?>" >
</form>
</div>
</div>