Mirroring the MobilPay library with Composer PSR-4 autoloading.
- PHP
>= 8.3 ext-openssl
OpenSSL 3 note. OpenSSL 3.0 removed RC4 from the default provider. The library detects this and seals payloads with
aes-256-cbcinstead, which requires an initialization vector (IV). The cipher and IV must be relayed to the gateway and back from the IPN — see the wiring below. On OpenSSL < 3 the legacyRC4cipher is used and no IV is produced (getIv()returnsnull).
composer require birkof/netopia-mobilpayuse Mobilpay\Payment\Request\Card;
use Mobilpay\Payment\Invoice;
$request = new Card();
$request->signature = 'YOUR-NETOPIA-SIGNATURE';
$request->orderId = 'ORDER-123';
$request->confirmUrl = 'https://example.com/ipn'; // IPN endpoint (server-to-server)
$request->returnUrl = 'https://example.com/return'; // browser redirect
$invoice = new Invoice();
$invoice->currency = 'RON';
$invoice->amount = '49.99';
$invoice->details = 'Order #123';
$request->invoice = $invoice;
// Seal the request with NETOPIA's public certificate.
$request->encrypt('/path/to/sandbox.YOUR-SIGNATURE.public.cer');encrypt() exposes the sealed envelope through four getters. All four must be
posted so the gateway can open the envelope:
$endpoint = 'http://sandboxsecure.mobilpay.ro'; // live: https://secure.mobilpay.ro
$fields = [
'env_key' => $request->getEnvKey(),
'data' => $request->getEncData(),
'cipher' => $request->getCipher(), // e.g. "aes-256-cbc" (or "RC4" on OpenSSL < 3)
'iv' => $request->getIv(), // base64 IV; null when the cipher is a stream cipher
];
?>
<form id="mobilpay" method="post" action="<?= htmlspecialchars($endpoint) ?>">
<?php foreach ($fields as $name => $value): ?>
<?php if ($value !== null): ?>
<input type="hidden" name="<?= $name ?>" value="<?= htmlspecialchars($value) ?>">
<?php endif; ?>
<?php endforeach; ?>
</form>
<script>document.getElementById('mobilpay').submit();</script>Skip the
ivfield whengetIv()returnsnull(legacy RC4), as shown above.
NETOPIA posts the encrypted response back to your confirmUrl. Forward the
cipher and iv it sends into factoryFromEncrypted() so block-cipher
envelopes decrypt correctly:
use Mobilpay\Payment\Request\RequestAbstract;
$request = RequestAbstract::factoryFromEncrypted(
$_POST['env_key'],
$_POST['data'],
'/path/to/sandbox.YOUR-SIGNATURE.private.key',
null, // private key password, if any
$_POST['cipher'] ?? null, // forward gateway-provided cipher
$_POST['iv'] ?? null // forward gateway-provided IV
);
$notify = $request->objPmNotify;
if ($notify->errorCode == 0) {
switch ($notify->action) {
case 'confirmed': // funds captured
case 'confirmed_pending':
case 'paid_pending':
case 'paid': // authorized, awaiting capture
case 'canceled':
case 'credit': // refund
// update your order using $notify->action / $notify->processedAmount
break;
}
$errorType = RequestAbstract::CONFIRM_ERROR_TYPE_NONE;
$errorCode = 0;
$errorMessage = $notify->action;
} else {
$errorType = RequestAbstract::CONFIRM_ERROR_TYPE_TEMPORARY;
$errorCode = $notify->errorCode;
$errorMessage = $notify->errorMessage;
}
// Acknowledge to NETOPIA.
header('Content-Type: application/xml');
echo "<?xml version=\"1.0\" encoding=\"utf-8\"?>";
echo "<crc error_type=\"{$errorType}\" error_code=\"{$errorCode}\">{$errorMessage}</crc>";Mobilpay\Payment\Request::buildAccessParameters() returns the same values by
reference, including the new cipher/IV outputs:
$cipher = null;
$iv = null;
$request->buildAccessParameters($publicKey, $envKey, $encData, $cipher, $iv);
// $envKey, $encData, $cipher, $iv are now populated (base64 where applicable)MIT