如何验证PayPal IPN POST请求是否确实来自于PayPal发送到我指定的notifyURL?
我的意思不是将数据与之前发送的内容进行比较,而是如何验证此PayPal请求所来自的服务器/IP地址是否确实有效?
如何验证PayPal IPN POST请求是否确实来自于PayPal发送到我指定的notifyURL?
我的意思不是将数据与之前发送的内容进行比较,而是如何验证此PayPal请求所来自的服务器/IP地址是否确实有效?
这是我发现的最简单的方法,也是PayPal建议的方法。我使用http_build_query()从PayPal发送到站点的POST构造URL。PayPal文档指出,您应该将此发送回进行验证,这就是我们使用file_get_contents的原因。您会注意到我使用strstr检查是否存在“VERIFIED”一词,如果不存在,则在函数中返回false...
$verify_url = 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate&' . http_build_query( $_POST );
if( !strstr( file_get_contents( $verify_url ), 'VERIFIED' ) ) return false;
https://gist.github.com/mrded/a596b0d005e84bc27bad
function paypal_is_transaction_valid($data) {
$context = stream_context_create(array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($data),
),
));
$content = file_get_contents('https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate', false, $context);
return (bool) strstr($content, 'VERIFIED');
}
现在需要HTTP头中的User-Agent!
$vrf = file_get_contents('https://www.paypal.com/cgi-bin/webscr?cmd=_notify-validate', false, stream_context_create(array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\nUser-Agent: MyAPP 1.0\r\n",
'method' => 'POST',
'content' => http_build_query($_POST)
)
)));
if ( $vrf == 'VERIFIED' ) {
// Check that the payment_status is Completed
// Check that txn_id has not been previously processed
// Check that receiver_email is your Primary PayPal email
// Check that payment_amount/payment_currency are correct
// process payment
}
这是我使用的东西:
if (preg_match('~^(?:.+[.])?paypal[.]com$~', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
// came from paypal.com (unless your server got r00ted)
}
[.]
应该可以解决这个问题。 - aularon^
。 - Alix Axel