
PayPal IPN verification

I have an IPN that sends its message to my file correctly, and I have confirmed that I receive the message. First, my code:

echo "test";
// Response from Paypal

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}',$value);// IPN fix
    $req .= "&$key=$value";
}

// assign posted variables to local variables
$data['item_name']          = $_POST['item_name'];
$data['item_number']        = $_POST['item_number'];
$data['payment_status']     = $_POST['payment_status'];
$data['payment_amount']     = $_POST['mc_gross'];
$data['payment_currency']   = $_POST['mc_currency'];
$data['txn_id']             = $_POST['txn_id'];
$data['receiver_email']     = $_POST['receiver_email'];
$data['payer_email']        = $_POST['payer_email'];
$data['custom']             = $_POST['custom'];

// post back to PayPal system to validate
$header  = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Host: www.sandbox.paypal.com\r\n";
$header .= "Accept: */*\r\n";
$header .= "Connection: Close\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "\r\n";

$fp = fsockopen ('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30); 
if ($fp === FALSE) {
exit("Could not open socket");
}else{
if (!$fp) {
    echo "Error code: 200";
}else{

    fputs ($fp, $header . $req);
$res = stream_get_contents($fp, 2048);
echo "test2";
$res = trim($res);
        if (strcmp($res, "VERIFIED") == 0){
        echo "test3";
            // Used for debugging
            //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Verified Response<br />data = <pre>".print_r($post, true)."</pre>");

            // Validate payment (Check unique txnid & correct price)
            $valid_txnid = check_txnid($data['txn_id']);
            $valid_price = check_price($data['payment_amount'], $data['item_number']);
            // PAYMENT VALIDATED & VERIFIED!
            if($valid_txnid && $valid_price){
                $orderid = updatePayments($data);       
                if($orderid){       
                   echo "thanks for your payment!";
                   $lel = mysqli_query($con,"UPDATE stats SET stats.bankedgold = 10000 WHERE stats.id = $id4");
                    // Payment has been made & successfully inserted into the Database                              
                }else{                          
                    echo "Error code: 100";
                    // E-mail admin or alert user
                }
            }else{
                echo "Error code: 130";
                // Payment made but data has been changed
                // E-mail admin or alert user
            }                       

        }else if (strcmp ($res, "INVALID") == 0) {
             echo "Error code: 170";
            // PAYMENT INVALID & INVESTIGATE MANUALLY!
            // E-mail admin or alert user

            // Used for debugging
            //@mail("you@youremail.com", "PAYPAL DEBUGGING", "Invalid     Response<br />data = <pre>".print_r($post, true)."</pre>");
        }       
    echo strcmp($res,"VERIFIED" == 0);      
fclose ($fp);
}   

}
}

Now, a var_dump of $res gives:

HTTP/1.1 200 OK
Date: Mon, 02 Mar 2015 11:24:35 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Set-Cookie: <REDACTED_FOR_PRIVACY>
Set-Cookie: navcmd=_notify-validate; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: navlns=0.0; expires=Wed, 01-Mar-2017 11:24:35 GMT; domain=.paypal.com; path=/; Secure; HttpOnly
Set-Cookie: Apache=10.72.108.11.1425295475397401; path=/; expires=Wed, 22-Feb-45 11:24:35 GMT
Vary: Accept-Encoding,User-Agent
Connection: close
Set-Cookie: <REDACTED_FOR_PRIVACY>
Set-Cookie: X-PP-SILOVER=; Expires=Thu, 01 Jan 1970 00:00:01 GMT
Set-Cookie: Apache=10.72.128.11.1425295475383817; path=/; expires=Wed, 22-Feb-45 11:24:35 GMT
Strict-Transport-Security: max-age=14400
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8

8
VERIFIED
0

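But I need it to say just "VERIFIED" or "INVALID" so that I can decide what to do from there.

A simple fix for me would be to add a "strpos" and see whether it contains the word, but I wanted to check with you experts whether this would be a good solution?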

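PayPal has started sending its responses using HTTP/1.1. This means, among other things, that you are getting Transfer-Encoding: chunked in the response.

Chunked encoding needs to be parsed. It typically looks like this: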

8
VERIFIED

0

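Translated, this reads "Chunk of length 8 = VERIFIED || Chunk of length 0 = end of stream".

If you are unable to parse this response, you can try to force PayPal not to use chunked encoding by specifying HTTP/1.0 in your verification response. Alternatively, use a better library (such as cURL) to do the parsing for you - PayPal's demo IPN code is written for a very old version of PHP, or at least one with no extensions enabled. It's really sad that the programmer doesn't seem to know about the http_build_query function for properly encoding the $req verification data. You'd think PayPal could afford competent developers *ahem* but anyway... Personally I "solved" it by just reading the Content-Length header - PayPal can put all the responses with different lengths here. It's a bit of a cheat, but it works.

Hope this helps :)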
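As an added example (not part of the original answer and not PayPal's sample code), here is a minimal decoder for the chunked body described above, followed by an exact-match check on the decoded text. The function names `decode_chunked` and `ipn_verdict` and both sample responses are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
/** Decode a Transfer-Encoding: chunked body; null if malformed or truncated. */
function decode_chunked(string $body): ?string
{
    $out = '';
    $pos = 0;
    while (($eol = strpos($body, "\r\n", $pos)) !== false) {
        // Size line: hex digits, optionally followed by ";extension".
        $field = trim(explode(';', substr($body, $pos, $eol - $pos), 2)[0]);
        if (!preg_match('/^[0-9a-fA-F]{1,6}$/', $field)) {
            return null;
        }
        $size = hexdec($field);
        $pos  = $eol + 2;
        if ($size === 0) {
            return $out;                 // zero-length chunk = end of stream
        }
        // The chunk data must be present and followed by its own CRLF.
        if (substr($body, $pos + $size, 2) !== "\r\n") {
            return null;
        }
        $out .= substr($body, $pos, $size);
        $pos += $size + 2;
    }
    return null;                         // ran out of input before the last chunk
}

/** Return 'VERIFIED' or 'INVALID' only on an exact match, otherwise null. */
function ipn_verdict(string $raw): ?string
{
    $parts = explode("\r\n\r\n", $raw, 2);
    if (count($parts) !== 2 || !preg_match('#^HTTP/1\.[01] 200\b#', $parts[0])) {
        return null;
    }
    [$head, $body] = $parts;
    if (preg_match('/^Transfer-Encoding:\s*chunked\s*$/mi', $head)) {
        $body = decode_chunked($body) ?? '';
    }
    $body = trim($body);
    return in_array($body, ['VERIFIED', 'INVALID'], true) ? $body : null;
}

// Constructed sample, shaped like the response dumped in the question.
$sample = "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n"
        . "Content-Type: text/html; charset=UTF-8\r\n\r\n"
        . "8\r\nVERIFIED\r\n0\r\n\r\n";
var_dump(ipn_verdict($sample));
// Constructed: a body that merely contains the word, which strpos() would accept.
var_dump(ipn_verdict("HTTP/1.1 200 OK\r\n\r\nUNVERIFIED"));
```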

Change this line:

$value = urlencode(stripslashes($value));

to this:

$value = urlencode($value);

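You only need stripslashes here if you are running PHP with magic quotes enabled. As of PHP 5.4 that is (thankfully) no longer possible.

Paypal allows user data to contain backslashes (I have seen backslashes in the IPN data for the address_street variable). If you strip backslashes from IPN data that contains them, Paypal will return an INVALID response.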
