php - Are this Codeigniter Paypal IPN library and controller secure enough against any malicious activity?

Tags: php codeigniter paypal paypal-ipn

I just want to ask whether the code below is secure enough to prevent unauthorized fake IPN requests and the like. I would appreciate it if you could point out what could be improved, or confirm that it is fine as is, since it already works perfectly. Thank you very much for taking the time to answer my question.

Paypal_Lib.php file | Validate_IPN() function

    function validate_ipn()
    {
        // parse the paypal URL
        $url_parsed = parse_url($this->paypal_url);

        // generate the post string from the _POST vars as well as load the
        // _POST vars into an array so we can play with them from the calling
        // script.
        $post_string = '';
        if (isset($_POST))
        {
            foreach ($_POST as $field=>$value)
            {
                // put line feeds back to CR+LF as that's how PayPal sends them out
                // otherwise multi-line data will be rejected as INVALID
                $value = str_replace("\n", "\r\n", $value);
                $this->ipn_data[$field] = $value;
                $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
            }
        }

        $post_string .= "cmd=_notify-validate"; // append ipn command

        // open the connection to paypal
        $fp = fsockopen('ssl://www.sandbox.paypal.com', "443", $err_num, $err_str, 30);
        if (!$fp)
        {
            // could not open the connection.  If logging is on, the error message
            // will be in the log. (Variable names match the fsockopen() call above.)
            $this->last_error = "fsockopen error no. $err_num: $err_str";
            $this->log_ipn_results(false);
            return false;
        }
        else
        {
            // Post the data back to paypal
            fputs($fp, "POST $url_parsed[path] HTTP/1.1\r\n");
            fputs($fp, "Host: $url_parsed[host]\r\n");
            fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
            fputs($fp, "Content-length: ".strlen($post_string)."\r\n");
            fputs($fp, "Connection: close\r\n\r\n");
            fputs($fp, $post_string . "\r\n\r\n");

            // loop through the response from the server and append to variable
            while (!feof($fp))
                $this->ipn_response .= fgets($fp, 1024);

            fclose($fp); // close connection
        }

        // case-insensitive search for VERIFIED in the raw response
        // (stripos() replaces the deprecated eregi(), removed in PHP 7)
        if (stripos($this->ipn_response, "VERIFIED") !== false)
        {
            // Valid IPN transaction.
            $this->log_ipn_results(true);
            return true;
        }
        else
        {
            // Invalid IPN transaction.  Check the log for details.
            $this->last_error = 'IPN Validation Failed.';
            $this->log_ipn_results(false);
            return false;
        }
    }


Paypal.php controller function to handle the IPN. It checks whether it is validated and whether the amount is 197 USD in this example.

    function ipn()
    {
        // Payment has been received and IPN is verified.  This is where you
        // update your database to activate or process the order, or setup
        // the database with the user's order details, email an administrator,
        // etc. You can access a slew of information via the ipn_data() array.

        // Check the paypal documentation for specifics on what information
        // is available in the IPN POST variables.  Basically, all the POST vars
        // which paypal sends, which we send back for validation, are now stored
        // in the ipn_data() array.

        // For this example, we'll just email ourselves ALL the data.

        // IT'S ONLY TEST DATA BELOW!
        $item = '507';
        $payment_currency = $_POST['mc_gross'];
        $payment_currency2 = '197';
        if (($payment_currency === $payment_currency2) && ($this->paypal_lib->validate_ipn())) {
            $this->db->query( 'update users set users_money=users_money+212345, users_credits=users_credits+2123 WHERE users_id=' . $item );
        }
    }

Accepted answer

It is quite safe.

In the Paypal_Lib.php file, the validate_ipn() method sends the POST data (received via the ipn method) to the paypal server

    if (isset($_POST))
    {
        foreach ($_POST as $field=>$value)
        {
            // put line feeds back to CR+LF as that's how PayPal sends them out
            // otherwise multi-line data will be rejected as INVALID
            $value = str_replace("\n", "\r\n", $value);
            $this->ipn_data[$field] = $value;
            $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
        }
    }

to verify whether that POST request came from paypal or from some other server.

Now Paypal will respond to the verification request with VERIFIED or not. If it is verified, that means the payment has been made on the paypal server, so you can proceed with the subsequent steps.

If it does not respond VERIFIED to the verification request, that means it is a fake request (a request from somewhere other than the paypal server).
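The round-trip described in the answer only establishes that PayPal originated the message. What it does not establish is that the message describes the payment you were expecting, or that you have not already acted on it: PayPal can legitimately send the same IPN more than once, and a verified notification for a different merchant account, a smaller amount, another currency or a `Pending`/`Refunded` status will still come back `VERIFIED`. Note also that PayPal sends `mc_gross` with two decimals (`197.00`), so the strict string comparison against `'197'` in the controller above never matches. The following is an added example, not code from the question, the answer or the Paypal_Lib library: it performs the same VERIFIED check (using cURL and the raw request body instead of fsockopen and re-encoded `$_POST`), then applies the field checks PayPal's IPN documentation recommends and records `txn_id` under a unique key so a replayed notification cannot credit the account twice. The merchant e-mail, expected amount, table names, `PDO` wiring and the `IpnHandler` class itself are assumptions of this example; the verification endpoint is the current PayPal sandbox IPN endpoint.

```php
<?php
// Added example: hardened IPN processing after the VERIFIED round-trip.
// Everything below (class, constants, table names) is illustrative.

class IpnHandler
{
    // Assumed merchant configuration; replace with your own values.
    const MERCHANT_EMAIL    = 'merchant@example.com';
    const EXPECTED_GROSS    = '197.00';
    const EXPECTED_CURRENCY = 'USD';
    // Sandbox IPN verification endpoint; use ipnpb.paypal.com in production.
    const VERIFY_URL = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr';

    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
    }

    // Step 1: echo the *raw* body back to PayPal, prefixed with the validate
    // command. Using php://input keeps field order and encoding exactly as
    // sent, so no CR/LF or slash re-encoding is needed.
    public function verifyWithPaypal(string $rawBody): bool
    {
        $ch = curl_init(self::VERIFY_URL);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,   // keep certificate validation on
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_TIMEOUT        => 30,
            CURLOPT_HTTPHEADER     => ['Connection: Close'],
        ]);
        $response = curl_exec($ch);
        curl_close($ch);
        // Exact match, not a substring search: "INVALID" must never pass.
        return $response === 'VERIFIED';
    }

    // Step 2: VERIFIED proves the sender, not the content. Return a reason
    // string on rejection, or null when every check passes.
    public function validateFields(array $ipn): ?string
    {
        if (($ipn['payment_status'] ?? '') !== 'Completed') {
            return 'payment_status is not Completed';
        }
        // Make sure the money went to *your* account, not an attacker's.
        if (strcasecmp($ipn['receiver_email'] ?? '', self::MERCHANT_EMAIL) !== 0) {
            return 'receiver_email mismatch';
        }
        if (($ipn['mc_currency'] ?? '') !== self::EXPECTED_CURRENCY) {
            return 'mc_currency mismatch';
        }
        // Normalise to two decimals before comparing ("197.00" vs "197").
        $gross = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
        if ($gross !== self::EXPECTED_GROSS) {
            return 'mc_gross mismatch';
        }
        $txn = $ipn['txn_id'] ?? '';
        if ($txn === '' || strlen($txn) > 64) {
            return 'missing or malformed txn_id';
        }
        return null;
    }

    // Step 3: apply the credit exactly once. The assumed table
    // processed_ipn(txn_id VARCHAR(64) PRIMARY KEY) makes a duplicate
    // txn_id fail the INSERT, which aborts the transaction.
    public function process(array $ipn, string $rawBody, int $userId): bool
    {
        if (!$this->verifyWithPaypal($rawBody)) {
            error_log('IPN rejected: not VERIFIED by PayPal');
            return false;
        }
        if (($why = $this->validateFields($ipn)) !== null) {
            error_log('IPN rejected: ' . $why);
            return false;
        }
        $this->pdo->beginTransaction();
        try {
            $ins = $this->pdo->prepare('INSERT INTO processed_ipn (txn_id) VALUES (?)');
            $ins->execute([$ipn['txn_id']]);   // throws on replayed txn_id
            $upd = $this->pdo->prepare(
                'UPDATE users SET users_money = users_money + 212345, ' .
                'users_credits = users_credits + 2123 WHERE users_id = ?'
            );
            $upd->execute([$userId]);
            $this->pdo->commit();
            return true;
        } catch (PDOException $e) {
            $this->pdo->rollBack();
            error_log('IPN not applied: ' . $e->getMessage());
            return false;
        }
    }
}

// Assumed controller wiring, using the same user id as the question:
// $handler = new IpnHandler($pdo);
// $ok = $handler->process($_POST, file_get_contents('php://input'), 507);
```

The order of the three steps matters for detection as much as for correctness: logging the reason for every rejection (`not VERIFIED`, `receiver_email mismatch`, duplicate `txn_id`) gives you a record of forged or replayed notifications that a bare `true`/`false` from `validate_ipn()` does not, and the unique `txn_id` constraint turns a replay into a logged database error rather than a second credit.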

Regarding "php - Are this Codeigniter Paypal IPN library and controller secure enough against any malicious activity?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/25828310/
