贝宝IPN问题

Question

I got my automated payment system to work using Paypal IPN. There is just one problem. The problem is that the stuff that happens after the paypal payment has been sent happens before that, meaning people could exploit this and not pay but get the item.

    <?php
include("../config/config.php");
include("../config/functions.php");


// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

if (!$fp) {
// HTTP ERROR
} else {
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0) {


// PAYMENT VALIDATED & VERIFIED!


}

else if (strcmp ($res, "INVALID") == 0) {

// PAYMENT INVALID & INVESTIGATE MANUALY!

}
}
fclose ($fp);
}
?>

That is the paypal ipn-listener code I am using.

Why is this happening?

Answer 1

I don't think there is a security issue in your code. Your code looks like it is based on the official PayPal samples. The sequence is this:

• PayPal contacts an address you configure
• You receive a message
• You send the message to PayPal
• They confirm that they indeed sent the message
• If PayPal doesn't confirm, you discard the message

If you want to make it even more secure, include a security token (such as a random encrypted value) as part of the custom parameters which are passed to PayPal as part of the initial transaction. These parameter(s) will be resent to the IPN handler in a query string parameter named custom . You can then validate that the request followed the lifecycle you intended.

Sample

In case I am misreading your code, I'm posting a .Net version which I ported straight from the PayPal SDK. The logic is pretty simple to follow.

byte[] inputBytes = Request.BinaryRead( HttpContext.Current.Request.ContentLength );
string incomingParams = Encoding.ASCII.GetString( inputBytes );
string outgoingParams = incomingParams + "&cmd=_notify-validate";

//
// Create request to send back to PayPal
HttpWebRequest request = (HttpWebRequest)WebRequest.Create( AppSettings.PayPalUrl );
request.Method = "POST";
request.ContentType = "application/x-www-form-urlencoded";
request.ContentLength = outgoingParams.Length;

//
// send the request back to PayPal
StreamWriter streamOut = new StreamWriter( request.GetRequestStream(), System.Text.Encoding.ASCII );
streamOut.Write( outgoingParams );
streamOut.Close();

//
// receive a response from PayPal
StreamReader streamIn = new StreamReader( request.GetResponse().GetResponseStream() );
string verificationStatus = streamIn.ReadToEnd();
streamIn.Close();

if( verificationStatus == "VERIFIED" )
{
    // if the request/response relationship is valid, we can now
    // use the initial parameters received from PayPal.

}
else if( verificationStatus == "INVALID" )
{
    //log for manual investigation
}
else
{
    //log response/ipn data for manual investigation
}