Signature: generated signature does not match submitted signature

Question

1.00/5 (1 vote)

See more:

Hi Team

I have an error when trying to use payfast payment integration, its complaining about 404 Bad request " [signature: Generated signature does not match submitted signature]". I have used what is on the documentation. How do i fix this in order for me test my application?

What I have tried:

<?php
session_start();
// PayFast Integration Logic

// Get the order details from the checkout process
//$orderID = $_POST['order_id'];
//$products = $_POST['products'];
//$grandTotal = $_POST['grand_total'];
$amount = $_POST['amount'] = 100;
//$signature = $_POST['signature'];
$allItems = $_SESSION['allItems'];
$grand_total = $_SESSION['grand_total'];
//$name = $_POST['name'];
//$email = $_POST['email'];
//$phone = $_POST['phone'];
//$address = $_POST['address'];

// Set your PayFast merchant details
$merchantID = '10010868'; // Replace with your actual merchant ID
$merchantKey = 'exnibu0q9zmuz'; // Replace with your actual merchant key

// Set the PayFast URL based on your environment (testing or production)
$isTestingMode = true; // Set to true for testing environment or false for production environment
$payfastURL = $isTestingMode ? 'https://sandbox.payfast.co.za/eng/process' : 'https://www.payfast.co.za/eng/process';

$merchantID = '10010868'; // Replace with your actual merchant ID
$merchantKey = 'exnibu0q9zmuz'; // Replace with your actual merchant key
$passphrase = ''; // Replace with your actual passphrase (if applicable)

$data = array(
    'merchant_id' => $merchantID,
    'merchant_key' => $merchantKey,
    'return_url' => 'http://example.com/payment_success.php',
    'cancel_url' => 'http://example.com/payment_cancel.php',
    'notify_url' => 'http://example.com/payment_notify.php',
    'amount' => $amount,
    'item_name' => 'Cell Phone',
    'item_description' => 'Electronics',
    'email_address' => 'gcira2023@outlook.com',
    'name_first' => 'John',
    'name_last' => 'Doe',
);

// Generate the signature
$passphrase = ''; // Replace with your actual passphrase, if applicable
$signature = generateSignature($data, $passphrase);

// Add the signature to the payment data
$data['signature'] = $signature;

// If in testing mode, use the sandbox URL, otherwise use the production URL
$testingMode = true;
$pfHost = $testingMode ? 'sandbox.payfast.co.za' : 'www.payfast.co.za';

// Create the HTML form
$htmlForm = '<form action="https://' . $pfHost . '/eng/process" method="post">';
foreach ($data as $name => $value) {
    $htmlForm .= '<input name="' . $name . '" type="hidden" value=\'' . $value . '\' />';
}
$htmlForm .= '<input type="submit" value="Pay Now" /></form>';

echo $htmlForm;

// Function to generate the signature
function generateSignature($data, $merchantKey)
{
    ksort($data);
    $signature = '';
    foreach ($data as $key => $value) {
        if ($key !== 'signature') {
            $signature .= $key . '=' . $value . '&';
        }
    }
    $signature .= $merchantKey;
    $signature = md5($signature);

    return $signature;
}
?>

Posted 14-Jun-23 13:38pm

Gcobani Mkontwana

Updated 15-Jun-23 1:52am

Add a Solution

Comments

Richard Deeming 15-Jun-23 3:39am

If the code they provide doesn't work, then talk to their support.

If their support can't (or won't) help, then find a better payment provider.

2 solutions

Solution 2

As per the documentation found at - Step 2: Create security signature [^] your code is incorrect. You have cleared '$passphrase' as an empty string, documentation gave it a value.
Your 'generateSignature' function also differ from theirs. Use the link above to re-code your function and HTML as per their requirements (this includes the order of the returned data array) and your error will disappear -

1. Concatenation of the name value pairs of all the non-blank variables with '&' used as a separator

Quote:
Variable order: The pairs must be listed in the order in which they appear in the attributes description. eg. name_first=John&name_last=Doe&email_address=…
* Do not use the API signature format, which uses alphabetical ordering!

2. Add your passphrase (Important part right here, an empty string will not do)
The passphrase is an extra security feature, used as a ‘salt’, and is set by the Merchant in the Settings section of their Payfast Dashboard.
Add the passphrase to the end of the below string.
E.g. name_first=John&name_last=Doe&email_address=…&passphrase=... The resultant URL encoding must be in upper case (eg. http%3A%2F%2F), and spaces encoded as ‘+’.
3. MD5 the parameter string and pass it as a hidden input named “signature”.

Security Signature holder -

<input type="hidden" name="signature" value="f103e22c0418655fb03991538c51bfd5">

Signature function generation -

/**
 * @param array $data
 * @param null $passPhrase
 * @return string
 */
function generateSignature($data, $passPhrase = null) {
    // Create parameter string
    $pfOutput = '';
    foreach( $data as $key => $val ) {
        if($val !== '') {
            $pfOutput .= $key .'='. urlencode( trim( $val ) ) .'&';
        }
    }
    // Remove last ampersand
    $getString = substr( $pfOutput, 0, -1 );
    if( $passPhrase !== null ) {
        $getString .= '&passphrase='. urlencode( trim( $passPhrase ) );
    }
    return md5( $getString );
}

Full form implementation -

/ Construct variables
$cartTotal = 10.00; // This amount needs to be sourced from your application
$passphrase = 'jt7NOE43FZPn';
$data = array(
    // Merchant details
    'merchant_id' => '10000100',
    'merchant_key' => '46f0cd694581a',
    'return_url' => 'http://www.yourdomain.co.za/return.php',
    'cancel_url' => 'http://www.yourdomain.co.za/cancel.php',
    'notify_url' => 'http://www.yourdomain.co.za/notify.php',
    // Buyer details
    'name_first' => 'First Name',
    'name_last'  => 'Last Name',
    'email_address'=> 'test@test.com',
    // Transaction details
    'm_payment_id' => '1234', //Unique payment ID to pass through to notify_url
    'amount' => number_format( sprintf( '%.2f', $cartTotal ), 2, '.', '' ),
    'item_name' => 'Order#123'
);

$signature = generateSignature($data, $passphrase);
$data['signature'] = $signature;

// If in testing mode make use of either sandbox.payfast.co.za or www.payfast.co.za
$testingMode = true;
$pfHost = $testingMode ? 'sandbox.payfast.co.za' : 'www.payfast.co.za';
$htmlForm = '<form action="https://'.$pfHost.'/eng/process" method="post">';
foreach($data as $name=> $value)
{
    $htmlForm .= '<input name="'.$name.'" type="hidden" value=\''.$value.'\' />';
}
$htmlForm .= '<input type="submit" value="Pay Now" /></form>';
echo $htmlForm;

Posted 15-Jun-23 1:52am

Andre Oosthuizen

Updated 15-Jun-23 1:54am

v2

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard MacCutchan · Accepted Answer · 2023-06-14T21:50:00

I think maybe there is an issue with your generateSignature function. If I remove the call to md5, and print the result I get ...

amount=100&cancel_url=http://example.com/payment_cancel.php&email_address=gcira2023@outlook.com&item_description=Electronics&item_name=Cell Phone&merchant_id=10010868&merchant_key=exnibu0q9zmuz&name_first=John&name_last=Doe¬ify_url=http://example.com/payment_notify.php&return_url=http://example.com/payment_success.php&

... which looks a bit strange to me.
The code that does this is the lines at:

PHP

foreach ($data as $key => $value) {
    if ($key !== 'signature') {
        $signature .= $key . '=' . $value . '&';
    }
}

Is the signature really to be constructed from every key and its value?