PayPal IPN安全验证

Question

There is PayPal IPN PHP example code https://www.x.com/developers/PayPal/documentation-tools/code-sample/216623

Could somebody please tell me how it's secured as I don't get it?

Example: I have an internet shop. I dont have https.

1. receive a data from PayPal on our http://my-magazine.com/process_pp.php This data is not encrypted because my site is on http. Am I right? So (if it's not encrypted) some hacker can change it.
2. We send a https request to verify our payment on paypal.
3. PayPal answers INVALID with http (not https) so hacker can change it again on VERIFIED. Hacker gets profit.

Please tell me, where is my mistake. I am confused because other payment systems use SecretKey and then you should verify the hash they sent.

Answer 1

Your mistake is on step 3; you're sending the data back to PayPal via HTTPS (to https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate to be precise) and PayPal sends a HTTP response on the same (SSL secured) connection with an INVALID/VERIFIED response.
As long as you ensure you validate the SSL certificate presented to you, you can rest assured the data is genuine if you receive a 'VERIFIED' response.

Incidentally, the default IPN (PHP) sample code forces certificate and cn validation;

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);

Just make sure you specify a CA bundle that you trust when you use it, and you'll be good to go. See also Security consequences of disabling CURLOPT_SSL_VERIFYHOST (libcurl/openssl)