PayPal IPN is not being validated

Date: 2013-11-06 02:55:33

Tags: php paypal paypal-ipn

I have the following CakePHP 2.x code

<?php
App::uses('HttpSocket', 'Network/Http');

class PaypalUtility
{
    public static function isValidPayPalIPN( $data )
    {
        $result = false;
        $HttpSocket = new HttpSocket();
        $data[ "cmd" ] = "_notify-validate";
        $response = $HttpSocket->post( 'https://www.sandbox.paypal.com/cgi-bin/webscr', $data );

        if( trim( $response->body ) == "VERIFIED" )
        {
            $result = true;
        }

        return $result;
    }
}
?>

The following code is in my controller

debug( PaypalUtility::isValidPayPalIPN( $this->getTestIPN() ) );
debug( PaypalUtility::isValidPayPalIPN( $this->getRealIPN() ) );

public function getRealIPN()
{
    return json_decode
    (
        '{
            "mc_gross": "77.00",
            "protection_eligibility": "Eligible",
            "address_status": "confirmed",
            "payer_id": "",
            "tax": "0.00",
            "address_street": "",
            "payment_date": "16:58:02 Oct 28, 2013 PDT",
            "payment_status": "Completed",
            "charset": "windows-1252",
            "address_zip": "",
            "first_name": "",
            "mc_fee": "2.53",
            "address_country_code": "US",
            "address_name": "",
            "notify_version": "3.7",
            "custom": "5269cf50-b898-4c45-bff0-0eea48a70080",
            "payer_status": "unverified",
            "business": "",
            "address_country": "United States",
            "address_city": "",
            "quantity": "1",
            "verify_sign": "AnPnM9mwa.0sVUNKppvjyOwMkqbKAABVDC8dkcXYOK4e-cpFzVuF4YvS",
            "payer_email": "",
            "txn_id": "",
            "payment_type": "instant",
            "last_name": "",
            "address_state": "",
            "receiver_email": "",
            "payment_fee": "",
            "receiver_id": "",
            "txn_type": "web_accept",
            "item_name": "",
            "mc_currency": "USD",
            "item_number": "",
            "residence_country": "",
            "handling_amount": "0.00",
            "transaction_subject": "5269cf50-b898-4c45-bff0-0eea48a70080",
            "payment_gross": "77.00",
            "shipping": "0.00",
            "ipn_track_id": ""
        }',
        true
    );
}

public function getTestIPN()
{
    return json_decode
    (
        '{
            "residence_country": "US",
            "invoice": "abc1234",
            "address_city": "San Jose",
            "first_name": "John",
            "payer_id": "TESTBUYERID01",
            "shipping": "3.04",
            "mc_fee": "0.44",
            "txn_id": "611422392",
            "receiver_email": "seller@paypalsandbox.com",
            "quantity": "1",
            "custom": "xyz123",
            "payment_date": "22:29:21 28 Oct 2013 PDT",
            "address_country_code": "US",
            "address_zip": "95131",
            "tax": "2.02",
            "item_name": "something",
            "address_name": "John Smith",
            "last_name": "Smith",
            "receiver_id": "seller@paypalsandbox.com",
            "item_number": "AK-1234",
            "verify_sign": "AiPC9BjkCyDFQXbSkoZcgqH3hpacAaChsjNZq2jHG82F97aoFSMa6SED",
            "address_country": "United States",
            "payment_status": "Completed",
            "address_status": "confirmed",
            "business": "seller@paypalsandbox.com",
            "payer_email": "buyer@paypalsandbox.com",
            "notify_version": "2.1",
            "txn_type": "web_accept",
            "test_ipn": "1",
            "payer_status": "verified",
            "mc_currency": "USD",
            "mc_gross": "12.34",
            "address_state": "CA",
            "mc_gross1": "12.34",
            "payment_type": "echeck",
            "address_street": "123, any street"
        }',
        true
    );
}

Fields have been removed from the realIPN function to protect the buyer's privacy.

Here is the output of the code: http://i.imgur.com/9xcM7hL.png

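You will notice that the test IPN from the IPN simulator is valid, but the real data that I captured as a request is determined to be invalid. (I have also verified that PayPal is returning 'INVALID' for the validation of the real IPN.)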

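Does anyone know what is wrong with my isValidPayPalIPN function, or why the real IPN data is not being validated? I have to imagine it has something to do with the notify version.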

1 answer:

Answer 0: (score: 1)

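The function hard-codes https://www.sandbox.paypal.com as the endpoint. When you go live, you have to switch that to www.paypal.com. Otherwise, it is validating against the wrong server, so you would indeed get invalid.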

The best way to handle it is to populate that endpoint value dynamically based on a config file somewhere.
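
One way to implement the configuration-driven endpoint described in the answer, as an added example that is not part of the original post. The class name `PaypalIpnVerifier` and the config key `PayPal.mode` are assumptions; the check on `test_ipn` uses the flag visible in the simulator message above, so a sandbox message is never accepted by a handler configured for live.

```php
<?php
// Added example, not the poster's code.
// Assumption: app config sets Configure::write('PayPal.mode', 'sandbox' | 'live').
App::uses('HttpSocket', 'Network/Http');

class PaypalIpnVerifier
{
    // Verification endpoint per environment. The host is chosen from
    // configuration, never from anything inside the incoming message.
    private static $endpoints = array(
        'sandbox' => 'https://www.sandbox.paypal.com/cgi-bin/webscr',
        'live'    => 'https://www.paypal.com/cgi-bin/webscr',
    );

    public static function endpoint($mode)
    {
        if (!is_string($mode) || !isset(self::$endpoints[$mode])) {
            throw new RuntimeException('PayPal.mode must be "sandbox" or "live"');
        }
        return self::$endpoints[$mode];
    }

    public static function isValid(array $data)
    {
        $mode = Configure::read('PayPal.mode');
        $endpoint = self::endpoint($mode);

        // Simulator/sandbox messages carry test_ipn=1; the live message does not.
        // Reject a message whose flag disagrees with the configured environment
        // instead of switching hosts to suit it.
        $isTest = isset($data['test_ipn']) && $data['test_ipn'] === '1';
        if ($isTest !== ($mode === 'sandbox')) {
            return false;
        }

        // Post the message back with cmd=_notify-validate, as in the question.
        $data['cmd'] = '_notify-validate';
        $HttpSocket = new HttpSocket();
        $response = $HttpSocket->post($endpoint, $data);

        // Only an exact VERIFIED body counts; an empty or missing
        // response is treated as invalid.
        return $response && trim($response->body) === 'VERIFIED';
    }
}
```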