====== PHP XML Payments with 3D Secure ======

In this section, you can find sample code for the **3D Secure** redirect before the payment. 

Once you receive the response to the "MPI Receipt URL" you will have an MPIREF parameter. 
You should then process a payment and include that parameter. The sample code for the **XML payment stage** is [[developer:sample_codes:php_xml_payments|here]].

You should also use this [[developer:integration_docs:testing-guide|Testing Guide]] that also contains test card details.

**Settings file (%gatewaySampleFileName_account.inc):**

<file php %gatewaySampleFileName_account.inc>

<?php

# These values are used to identify and validate the account that you are using. They are mandatory.
$gateway = '';			# This is the %Gateway payments gateway that you should use, assigned to the site by %Gateway.
$terminalId = '';       # This is the Terminal ID assigned to the site by %Gateway.
$currency = '';			# This is the 3 digit ISO currency code for the above Terminal ID.
$secret = '';			# This shared secret is used when generating the hash validation strings. 
						# It must be set exactly as it is in the %Gateway %SelfCare system.
#$testAccount = true;   # Commented out as there is no functional test MPI page

# These are used only in the case where the response hash is incorrect, which should
# never happen in the live environment unless someone is attempting fraud.
$adminEmail = '';
$adminPhone = '';

?>

</file>
----
\\

**3D Secure redirect (%gatewaySampleFileName_payment.php):**

<file php %gatewaySampleFileName_payment.php>

<?php

# This is the file that contains the account settings for %Gateway.
require('%gatewaySampleFileName_account.inc');

# This is a helper file for intgerating to the %Gateway HPP in PHP.
require('%gatewaySampleFileName_hpp_functions.inc');

# These values are specific to the cardholder.
$cardNumber = '';		# This is the full PAN (card number) of the credit card. It must be digits only (i.e. no spaces or other characters).
$cardType = '';			# This can only be one of a set number of values (VISA,DELTA,MASTERCARD,MAESTRO,UK MAESTRO,LASER,AMEX,DINERS,JCB,SECURECARD for example). Check with %Gateway what values you can send.
$cardExpiry = '';		# The 4 digit expiry date (MMYY)
$cvv = '';			# (optional) 3 digit (4 for AMEX cards) security digit on the back of the card.

# These values are specific to the transaction.
$orderId = '';			# This should be unique per transaction.
$amount = '';			# This should include the decimal point.
$host = '';				# This is your host eg. http://localhost:8000
$dateTime = requestDateTime();

# If there's no orderId set then generate a unique time-based order ID.
if(!isset($orderId) || $orderId == '') $orderId = generateUniqueOrderId();

# Verification string

$requestHash = mpiRequestHash($orderId, $cardNumber, $cardExpiry, $cardType, $amount, $dateTime);
$requestURL = $host.'/merchant/mpi';

# Write the HTML of the submission form
echo "<html><body><form id='%gatewaySampleFileNamempiform' action='" . $requestURL . "' method='post'>\n";
writeHiddenField("TERMINALID", $terminalId);
writeHiddenField("CARDNUMBER", $cardNumber);
writeHiddenField("CARDTYPE", $cardType);
writeHiddenField("CARDEXPIRY", $cardExpiry);
writeHiddenField("AMOUNT", $amount);
writeHiddenField("CURRENCY", $currency);
writeHiddenField("ORDERID", $orderId);
if(isset($cvv) && $cvv != '') writeHiddenField("CVV", $cvv);
writeHiddenField("DATETIME", $dateTime);
writeHiddenField("HASH", $requestHash);

# Write the JavaScript that will submit the form to %Gateway.
echo '</form>Submitting order to %Gateway for Payment...<script language="JavaScript">document.getElementById("%gatewaySampleFileNamempiform").submit();</script></body></html>';

?>

</file>
----
\\

Response page (**%gatewaySampleFileName_mpi_response.php**) (URL for this page is setup as “MPI Receipt URL” through Terminal Setup in the %SelfCare):

<file php %gatewaySampleFileName_mpi_response.php>

<?php

# This is the file that contains the account settings for %Gateway.
require('%gatewaySampleFileName_account.inc');

# This is a helper file for intgerating to the %Gateway HPP in PHP.
require('%gatewaySampleFileName_hpp_functions.inc');

if(mpiResponseHashIsValid($_REQUEST["RESULT"], $_REQUEST["MPIREF"], $_REQUEST["ORDERID"], $_REQUEST["DATETIME"], $_REQUEST["HASH"])) {
	switch($_REQUEST["RESULT"]) {
		case "A" :	# 3D Secure validation successfully attempted. Proceed with transaction including the below reference in the authorisation request:
				$mpiRef = $_REQUEST["MPIREF"];
				break;
		default  :	# 3D Secure validation failed. Do not proceed with the transaction.
				echo '3D SECURE VALIDATION FAILED! Please try again with another card.';
	}
} else {
	echo '3D SECURE VALIDATION FAILED: INVALID RESPONSE HASH. Please contact <a href="mailto:' . $adminEmail . '">' . $adminEmail . '</a> or call ' . $adminPhone . ' to inform them of this error.';
	if(isset($_REQUEST["ORDERID"])) echo 'Please quote %Gateway Terminal ID: ' . $terminalId . ', and Order ID: ' . $_REQUEST["ORDERID"] . ' when mailling or calling.';
}

?>

</file>
----
\\

**Helper file (%gatewaySampleFileName_hpp_functions.inc):**

<file php %gatewaySampleFileName_hpp_functions.inc>

<?php

# This function returns the URL that should be used as the "action" for the form posting the %Gateway's servers.
function mpiURL() {
	global $gateway, $testAccount;
	$url = 'https://';
	# if($testAccount) $url .= 'test';       # Commented out as there is no functional test MPI page
	switch (strtolower($gateway)) {
		default :
		case '%gatewaySampleFileName'  : $url .= 'payments.%gatewayTestURL'; break;
		case 'cashflows' : $url .= 'cashflows.%gatewayTestURL'; break;
		case 'payius' : $url .= 'payments.payius.com'; break;
		case 'pago' : $url .= 'payments.pagotechnology.com'; break;
	}
	$url .= '/merchant/mpi';
	return $url;
}

# This simply reduces the PHP code required to build the form.
function writeHiddenField($fieldName, $fieldValue) {
	echo "<input type='hidden' name='" . $fieldName . "' value='" . $fieldValue . "' />\r";
}

# This generates a DATETIME value in the correct format expected in the request.
function requestDateTime() {
	return date('d-m-Y:H:i:s:000');
}

# If you are not using your own Order ID's and need to use unique random ones, this function will generate one for you.
function generateUniqueOrderId() {
	$seconds = date('H')*3600+date('i')*60+date('s');
	return date('zy') . $seconds;
}

# This is used to generate the Authorisation Request Hash.
function mpiRequestHash($orderId, $cardNumber, $cardExpiry, $cardType, $amount, $dateTime) {
	global $terminalId, $secret;
	return md5($terminalId . $orderId . $cardNumber . $cardExpiry . $cardType . $amount . $dateTime . $secret);
}

# This function is used to validate that the MPI Response Hash from the server is correct.
#     If mpiResponseHashIsValid(...) != $_REQUEST["HASH"] then an error should be shown and the 3D Secure should not be validated.
function mpiResponseHashIsValid($result, $mpiRef, $orderId, $dateTime, $responseHash) {
	global $secret;
	return (md5($result . $mpiRef . $orderId . $dateTime . $secret)==$responseHash);
}

?>

</file>