Verify iOS in-app purchase receipts

verifyReceipt.php

<?php
include("/var/www/vhosts/xxxxxcom/httpdocs/PHPUtils/dbConfig.php");
include("/var/www/vhosts/xxxxxcom/httpdocs/PHPUtils/DButils.php");

// verifies receipt from iOS in-app purchase
// returns:
// 0 - if params missing
// 1 - if receipt is valid
// 2 - if invalid receipt, or invalid response from verification server 
//      or bundle/in-app IDs are incorrect 
//      or if transaction ID has been used before

// get the parmas from the URL
$testing          = htmlspecialchars($_GET["testing"]);
$receiptData      = $_GET["receipt"];

if ( $testing == "" or $receiptData == "" ){

  echo "0";
  exit;
}

$testing = (bool)$testing;

// verify the receipt
try {

	// quick check
	if(strpos($receiptData,'{') !== false){
		$receiptData = base64_encode($receiptData);
	}

	$info = getReceiptData($receiptData, $testing);

  	if(checkInfo($info) == true){
		echo "1";
  	}
	else{
		echo "2";
	}
}
catch (Exception $ex) {
    // unable to verify receipt, or receipt is not valid
    echo "2";
}

exit;

/**
 * Verify a receipt and return receipt data
 *
 * @param   string  $receipt    Base-64 encoded data
 * @param   bool    $isSandbox  Optional. True if verifying a test receipt
 * @throws  Exception   If the receipt is invalid or cannot be verified
 * @return  array       Receipt info (including product ID and quantity)
 */
function getReceiptData($receipt, $isSandbox = false)
{
    // determine which endpoint to use for verifying the receipt
    if ($isSandbox) {
        $endpoint = 'https://sandbox.itunes.apple.com/verifyReceipt';
    }
    else {
        $endpoint = 'https://buy.itunes.apple.com/verifyReceipt';
    }

    // build the post data
    $postData = json_encode(
        array('receipt-data' => $receipt)
    );

    // create the cURL request
    $ch = curl_init($endpoint);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);

    // execute the cURL request and fetch response data
    $response = curl_exec($ch);
    $errno    = curl_errno($ch);
    $errmsg   = curl_error($ch);
    curl_close($ch);

    // ensure the request succeeded
    if ($errno != 0) {
        throw new Exception($errmsg, $errno);
    }

    // parse the response data
    $data = json_decode($response);

    // ensure response data was a valid JSON string
    if (!is_object($data)) {
        throw new Exception('Invalid response data');
    }

    // ensure the expected data is present
    if (!isset($data->status) || $data->status != 0) {
        throw new Exception('Invalid receipt');
    }

    // build the response array with the returned data
    return array(
        'quantity'       			=>  $data->receipt->quantity,
        'status'       				=>  $data->status,
        'product_id'     			=>  $data->receipt->product_id,
        'transaction_id' 			=>  $data->receipt->transaction_id,
        'original_transaction_id' 	=>  $data->receipt->original_transaction_id,
        'purchase_date'  			=>  $data->receipt->purchase_date,
        'bid'            			=>  $data->receipt->bid,
        'bvrs'           			=>  $data->receipt->bvrs
    );
}

/**
 * Check transactionID has not been used before
 *
 * @param   string  $transactionID    transactionId to check
 * @return  bool      true if new ID (or there is an error, for safety), false if not
 */
function checkTransactionID($transactionID)
{
    /*
    from PHPUtils/dbConfig.php
	assoc array containing db connection info
	e.g.
	$dbConfig['xxxxxx']['server']   = 'localhost';
	$dbConfig['xxxxxx']['user']     = 'username';
	$dbConfig['xxxxxx']['password'] = 'password';
	$dbConfig['xxxxxx']['database'] = 'database';
    */
	global $dbConfig;

	/*
	from PHPUtils/DButils.php
	just does a mysqli_connect with the data from $dbConfig
	with some error checking
	*/
	$link = connectToDBMYSQLI($dbConfig['xxxxxx'], __FILE__, true);

	if (!$link) {
		// for safety, return true, in case db is down
		return true;
	}
	else{

		// in the iOS app, store successful transactions to a db
		$sql = "select count(*) as `tranCount` from `ReceiptsTable` where `transactionID` = '$transactionID'";

		$res = mysqli_query($link, $sql);

		if ($res) {

			$row = mysqli_fetch_assoc($res);

			if($row[tranCount] == 0){
				// this is what we want
				return true;
			}
			else{
				// transactionID already used - a pirate!
				return false;
			}
		}
		else{
			// for safety, return true, in case db is down
			return true;
		}
		
		mysqli_close($link);
	}

	// for safety, return true, shouldn't get here
	return true;
}

/**
 * Check receipt for valid in-appProductID, appBundleID and unique transactionID
 *
 * @param   array  $infoArray    Array returned from getReceiptData()
 * @return  bool      true if all OK, false if not
 */
function checkInfo($infoArray)
{

	$inAppPurchaseID = "com.xxxx.xxxx.inappid";
	$bundleID = "com.xxxxxx.appid";

	if($infoArray[product_id] != $inAppPurchaseID){
		return false;
	}

	if($infoArray[bid] != $bundleID){
		return false;
	}

	if(checkTransactionID($infoArray[transaction_id]) == false){
		return false;
	}

	// probably won't get here - getReceiptData throws Ex on status == 0
	if($infoArray[status] != 0){
		return false;
	}

	return true;
}
?>