您好我设置了PayPal捐赠系统,我正在使用带有隐藏值的表单来制作我的按钮。我只是想到了人们可以查看源并查看这些值的事实。如果他们能够看到类似的内容,是否存在安全威胁:
<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="myemail@myemail.com">
<input type="hidden" name="item_name" value="Coyote Pack">
<input type="hidden" name="item_number" value="200">
<input type="hidden" name="amount" value="4">
<input type="hidden" name="no_shipping" value="0">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="lc" value="AU">
<input type="hidden" name="bn" value="PP-BuyNowBF">
<table>
<tr><td>Player Unique ID</td></tr><tr><td><input type="text" name="custom" maxlength="200"></td></tr>
</table>
<input type="submit" border="0" name="submit" alt="PayPal - The safer, easier way to pay online." value="Coyote Pack - $4">
</form>
我想我的问题不是他们看到了,但他们可以用它玩具以任何方式给出PayPal假值吗?
例如,我正在运行IPN,我的数据库使用该item_number为捐赠者提供某些特权。有人可以复制我的代码,粘贴在他们自己的网站上,将“金额”更改为零并获得免费的东西吗?
答案 0 :(得分:0)
最好的解决方案就是这样。 在你的ipn说:
if(preg_match('@^[0-9a-zA-Z\s]+$@', $itemName) == 1){ // connect to database to retrieve price; }
然后说
if($priceShouldBe != $pricePaid){ // request was modified and the user did not pay the right price; exit; }
最后说
if(preg_match("@^[0-9]+$@", $customVariable) == 1){ /* Check database and then proceed to update database; THIS IS ASSUMING YOU'RE PASSING A NUMERICAL USER ID; Update whatever you need to in the database because the price is right, the name isn't an sqli attempt and the UserId is not an sqli attempt */ }