PayPal IPN security VERIFIED
There is PayPal IPN PHP example code: https://www.x.com/developers/PayPal/documentation-tools/code-sample/216623
Could somebody please tell me how it's secured, as I don't get it?
Example: I have an internet shop. I don't have HTTPS.
Please tell me where my mistake is. I am confused because other payment systems use SecretKey and then you should verify the hash they sent.
Your mistake is on step 3; you're sending the data back to PayPal via HTTPS (to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate to be precise) and PayPal sends an HTTP response on the same (SSL secured) connection with an INVALID/VERIFIED response.
As long as you ensure you validate the SSL certificate presented to you, you can rest assured the data is genuine if you receive a 'VERIFIED' response.
Incidentally, the default IPN (PHP) sample code forces certificate and CN validation:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
Just make sure you specify a CA bundle that you trust when you use it, and you'll be good to go. See also Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)
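A fail-closed version of the postback this answer describes, as an added example that is not part of the original answer or PayPal's sample code. The function names are hypothetical and the CA bundle path is a placeholder for a bundle you trust.

```php
<?php
// Added example, not PayPal's sample code. Function names are hypothetical.
const IPN_VALIDATE_URL = 'https://www.paypal.com/cgi-bin/webscr'; // endpoint named in the answer
const CA_BUNDLE = '/path/to/trusted-ca-bundle.pem';               // placeholder: a bundle you trust

// Postback body: the notification exactly as received, prefixed with the validate command.
function build_postback(string $rawBody): string
{
    return 'cmd=_notify-validate' . ($rawBody === '' ? '' : '&' . $rawBody);
}

// Only the exact token VERIFIED is accepted; INVALID, error pages and empty bodies are not.
function is_verified(string $responseBody): bool
{
    return trim($responseBody) === 'VERIFIED';
}

// True only if PayPal answered VERIFIED over a certificate-validated TLS connection.
function verify_ipn(string $rawBody): bool
{
    $ch = curl_init(IPN_VALIDATE_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => build_postback($rawBody),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,            // chain must validate against CA_BUNDLE
        CURLOPT_SSL_VERIFYHOST => 2,               // certificate name must match the host
        CURLOPT_CAINFO         => CA_BUNDLE,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // never fall back to plain HTTP
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    $ok = $response !== false && curl_getinfo($ch, CURLINFO_HTTP_CODE) === 200;
    return $ok && is_verified($response); // any TLS or HTTP failure counts as not verified
}

if (PHP_SAPI === 'cli') {
    // Offline check of the pure helpers with a constructed notification body.
    $sample = 'txn_id=CONSTRUCTED123&payment_status=Completed';
    var_dump(build_postback($sample), is_verified("VERIFIED\n"), is_verified('INVALID'));
} else {
    // Web handler: act on the notification only after the postback is VERIFIED.
    $raw = file_get_contents('php://input');
    if (!verify_ipn($raw)) {
        http_response_code(400);
        exit;
    }
    // $raw is genuine at this point: process the payment here.
}
```

The shop's own listener can run on plain HTTP because trust comes from the outbound, certificate-validated connection to PayPal, not from the inbound request.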