I just want to ask whether the code below is secure enough, for example against informal fake IPN requests. It would be great if you could point out anything that can be improved, or what is good about it, since it already works perfectly. Thank you very much for taking the time to answer my question.

Paypal_Lib.php file | validate_ipn() function
function validate_ipn()
{
    // parse the paypal URL
    $url_parsed = parse_url($this->paypal_url);

    // generate the post string from the _POST vars as well as load the
    // _POST vars into an array so we can play with them from the calling
    // script.
    $post_string = '';
    if (isset($_POST))
    {
        foreach ($_POST as $field=>$value)
        {
            // str_replace("\n", "\r\n", $value)
            // put line feeds back to CR+LF as that's how PayPal sends them out
            // otherwise multi-line data will be rejected as INVALID
            $value = str_replace("\n", "\r\n", $value);
            $this->ipn_data[$field] = $value;
            $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
        }
    }
    $post_string.="cmd=_notify-validate"; // append ipn command

    // open the connection to paypal
    $fp = fsockopen('ssl://www.sandbox.paypal.com',"443",$err_num,$err_str,30);
    if(!$fp)
    {
        // could not open the connection. If logging is on, the error message
        // will be in the log. (Variable names must match the ones passed to
        // fsockopen above; the original used $errnum/$errstr here.)
        $this->last_error = "fsockopen error no. $err_num: $err_str";
        $this->log_ipn_results(false);
        return false;
    }
    else
    {
        // Post the data back to paypal
        fputs($fp, "POST $url_parsed[path] HTTP/1.1\r\n");
        fputs($fp, "Host: $url_parsed[host]\r\n");
        fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
        fputs($fp, "Content-length: ".strlen($post_string)."\r\n");
        fputs($fp, "Connection: close\r\n\r\n");
        fputs($fp, $post_string . "\r\n\r\n");

        // loop through the response from the server and append to variable
        while(!feof($fp))
            $this->ipn_response .= fgets($fp, 1024);
        fclose($fp); // close connection
    }

    // eregi() was removed in PHP 7; stripos() gives the same case-insensitive match
    if (stripos($this->ipn_response, "VERIFIED") !== false)
    {
        // Valid IPN transaction.
        $this->log_ipn_results(true);
        return true;
    }
    else
    {
        // Invalid IPN transaction. Check the log for details.
        $this->last_error = 'IPN Validation Failed.';
        $this->log_ipn_results(false);
        return false;
    }
}
The Paypal.php controller function that handles the IPN. It checks whether the IPN is verified and whether, in this example, the amount is 197 USD.
function ipn()
{
    // Payment has been received and IPN is verified. This is where you
    // update your database to activate or process the order, or setup
    // the database with the user's order details, email an administrator,
    // etc. You can access a slew of information via the ipn_data() array.
    // Check the paypal documentation for specifics on what information
    // is available in the IPN POST variables. Basically, all the POST vars
    // which paypal sends, which we send back for validation, are now stored
    // in the ipn_data() array.
    // For this example, we'll just email ourselves ALL the data.
    // IT'S ONLY TEST DATA BELOW!
    $item = '507';
    $payment_currency = $_POST['mc_gross'];
    $payment_currency2 = '197';
    if (($payment_currency === $payment_currency2) && ($this->paypal_lib->validate_ipn())) {
        $this->db->query( 'update users set users_money=users_money+212345, users_credits=users_credits+2123 WHERE users_id=' . $item );
    }
}
Answer 0 (score: 0)

You usually want to check more than just the payment total. You will probably want to check the currency type (e.g. USD rather than JPY); I always check that the purchase came from the correct user, but basically you want to check everything you can.

Answer 1 (score: 0)
Security

In the Paypal_Lib.php file, the validate_ipn() method sends the POST data (received by the ipn method) to the PayPal server:

if (isset($_POST))
{
    foreach ($_POST as $field=>$value)
    {
        // str_replace("\n", "\r\n", $value)
        // put line feeds back to CR+LF as that's how PayPal sends them out
        // otherwise multi-line data will be rejected as INVALID
        $value = str_replace("\n", "\r\n", $value);
        $this->ipn_data[$field] = $value;
        $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
    }
}

to verify whether the POST request came from PayPal or from some other server.

Now, PayPal will respond to the validation request with VERIFIED. If it is VERIFIED, the payment was made on PayPal's server, so you can proceed to the next step.

If PayPal does not reply VERIFIED to the validation request, it is a fake request (from somewhere other than PayPal's server).
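The following is an added example, not code from the question or from either answer. It puts the two points above together in one place: Answer 1's handshake (post the message back to PayPal and accept only an exact "VERIFIED" reply) and Answer 0's advice to check everything you can, not just the amount. The expected receiver e-mail, currency and price, the verification URL path, the `$seenTxnIds` stand-in for a persistent store of already-credited transaction ids, and all function names are assumptions made for this illustration.

```php
<?php
// Added example (not from the question or answers): verify the IPN with PayPal,
// then validate the business fields before any database update.
// All expected values and names below are assumptions for illustration.

const EXPECTED_RECEIVER_EMAIL = 'seller@example.com';  // assumed shop account
const EXPECTED_CURRENCY       = 'USD';                 // assumed
const EXPECTED_GROSS          = '197.00';              // amount from the question, as PayPal formats it
// Sandbox host from the question; the /cgi-bin/webscr path is assumed here.
const PAYPAL_VERIFY_URL       = 'https://www.sandbox.paypal.com/cgi-bin/webscr';

/**
 * Post the raw IPN body back to PayPal and return true only when PayPal
 * answers exactly "VERIFIED" (not merely when that word appears somewhere
 * in the response, which is what a substring match would accept).
 */
function paypal_ipn_is_verified(string $rawPostBody): bool
{
    $ch = curl_init(PAYPAL_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawPostBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep TLS certificate checks on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: close'],
    ]);
    $response = curl_exec($ch);
    $status   = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);

    return $response !== false && $status === 200 && trim($response) === 'VERIFIED';
}

/**
 * Checks a VERIFIED message still needs. Returns a list of failure reasons;
 * an empty list means the payment may be credited. $seenTxnIds stands in for a
 * persistent store (table or cache) of transaction ids already credited, so a
 * genuine IPN cannot be replayed to credit the same payment twice.
 */
function ipn_business_checks(array $ipn, array $seenTxnIds): array
{
    $problems = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    if (($ipn['receiver_email'] ?? '') !== EXPECTED_RECEIVER_EMAIL) {
        $problems[] = 'receiver_email does not match our account';
    }
    if (($ipn['mc_currency'] ?? '') !== EXPECTED_CURRENCY) {
        $problems[] = 'unexpected currency';
    }
    // Compare amounts numerically so "197" and "197.00" agree.
    if (!isset($ipn['mc_gross']) || abs((float) $ipn['mc_gross'] - (float) EXPECTED_GROSS) > 0.005) {
        $problems[] = 'mc_gross does not match the expected price';
    }
    if (empty($ipn['txn_id']) || in_array($ipn['txn_id'], $seenTxnIds, true)) {
        $problems[] = 'missing or already-processed txn_id';
    }
    return $problems;
}

/**
 * Controller-side flow (what ipn() in the question would call): use the raw
 * body so nothing is re-encoded, verify with PayPal, then apply the checks.
 */
function handle_ipn_request(string $rawPostBody, array $seenTxnIds): bool
{
    if (!paypal_ipn_is_verified($rawPostBody)) {
        error_log('IPN rejected: PayPal did not answer VERIFIED');
        return false;
    }
    parse_str($rawPostBody, $ipn);
    $problems = ipn_business_checks($ipn, $seenTxnIds);
    if ($problems) {
        error_log('IPN rejected: ' . implode('; ', $problems));
        return false;
    }
    // Safe to credit the order here: use a prepared statement and record txn_id.
    return true;
}

// Constructed sample message, so the business checks can be exercised offline.
$sampleIpn = [
    'payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
    'mc_currency' => 'USD', 'mc_gross' => '197.00', 'txn_id' => 'TXN-SAMPLE-0001',
];
var_dump(ipn_business_checks($sampleIpn, []));                    // no problems
var_dump(ipn_business_checks($sampleIpn, ['TXN-SAMPLE-0001']));   // replay is reported
```

In a live handler, `$rawPostBody` comes from `file_get_contents('php://input')` rather than from a rebuilt `$_POST` string, which avoids the re-encoding step in the question's code, and the update that credits the user should run only after `handle_ipn_request()` returns true and the `txn_id` has been stored.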