JSON Returning Null in PHP

Question

Here is the two scripts I have

Script 1:

  <?

include('config.php');
$json = $_POST['payload'];
$fine = var_dump($json);
$secret = "78f12668216b562a79d46b170dc59f695070e532";
$obj = json_decode($json, true);
$fp = fopen('data.txt', 'w');
fwrite($fp, $json);
fwrite($fp, $fine);
fclose($fp);

if(sha1($json . $secret) == $_POST['signature']) {
    $conversion_id = md5(($obj['amount']));
    echo "OK";
    echo $conversion_id;
    mysql_query("INSERT INTO completed (`id`,`uid`,`completedid`) VALUES ('','".$obj['uid']."','".$conversion_id."')");
} else {

}
?>

Script 2:

<?
$json = $_POST['payload'];
$secret = "78f12668216b562a79d46b170dc59f695070e532";
$obj = json_decode($json);

if(sha1($json+$secret) == $_POST['signature']) {
    print "OK";
} else {

}
?>

The problem here is that it is returning all NULL values. I am not an expert with JSON so I have no idea what is going on here. I really have no way of testing it because the information is coming from an outside website sending information such as this:

{
  payload: {
    uid: "900af657a65e",
    amount: 50,
    adjusted_amount: 25
  },
  signature: "4dd0f5da77ecaf88628967bbd91d9506"
}

The site allows me to test the script, but because json_decode is providing NULL values it will not get through the signature block.

According to Google Chrome's Dev Tools the response it sends when I try to test the script from their server is {"error":"The start uri returned a non-200 response."} that is all of the information it gives me it does not state what is being sent, only received

Is there a way I can test it myself? Or is there a simple error in this script that I may have just looked over?

EDIT

I set up a file to write the information being passed and this is what is being sent by their server

{"job_id":1337,"job_title":"CrowdFlower test job","amount":30,"uid":"inspire","adjusted_amount":50}

at first there was slashes so I added stripslashes() to the $json variable and that obviously got rid of the slashes, but once it hits the json_decode() it does not pull the information is there something wrong with the information being passed?

Answer 1

When I tried to validate your JSON, I get the following error:

Parse error on line 1:
{    payload: {        u
-----^
Expecting 'STRING', '}'

And are you trying to concatenate or add?

if(sha1($json+$secret) == $_POST['signature'])

If concatenation, replace the + with . as . is the concatenation operator in PHP.

if(sha1($json . $secret) == $_POST['signature'])

Answer 2

A complete edit has been made to this answer

What you are required to do is to get the JSON data sent to you via POST-request and validate the signature with the payload and the secret key. The JSON is brought to you as raw HTTP POST data ( I'm not sure if this is the correct term ) and therefore it is not accessible through PHP's $_POST - global. So here is the solution:

$myJSON = file_get_contents('php://input');

$decodedJSON = json_decode($myJSON);

if (sha1($decodedJSON['payload'] . $secret) == $decodedJSON['signature']) {
  /* 
     If you need to do some database actions or such prior to sending the 
     response 200, you can do it here. Just don't output anything to the 
     screen before.
  */
  header("HTTP/1.1 200 OK");
}
else {
  // sha1 test failed, do something else here
}

Answer 3

Looks like ($json+$secret) is messing up your data-structure. Try $json['secret'] = NUMBER or $json->secret = NUMBER

Answer 4

Depending on how the outside site send the data, but my guess is

$_POST['payload'] is already an array , and you don't need to decode it. Just use var_dump($_POST) to check it.

For example, the data is sent by the outside site like below with javascript:

var data = {
  payload: {
    uid: "900af657a65e",
    amount: 50,
    adjusted_amount: 25
  },
  signature: "4dd0f5da77ecaf88628967bbd91d9506"
};

$.ajax({
  url: ....,
  data: data,
  //....

});