

Is this Codeigniter Paypal IPN Library & Controller safe enough from any malicious behaviour?

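I just want to ask whether the code below is safe enough against unauthorized fake IPN requests and the like. I would appreciate it if you could point out what can be improved, or whether it is fine as it is, since it already works perfectly. Thank you very much for taking the time to answer my question.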

Paypal_Lib.php file | Validate_IP() function

    function validate_ipn()
    {
        // parse the paypal URL
        $url_parsed = parse_url($this->paypal_url);       
        // generate the post string from the _POST vars as well as load the
        // _POST vars into an array so we can play with them from the calling
        // script.
        $post_string = '';   
        if (isset($_POST))
        {
            foreach ($_POST as $field=>$value)
            {       // str_replace("\n", "\r\n", $value)
                    // put line feeds back to CR+LF as that's how PayPal sends them out
                    // otherwise multi-line data will be rejected as INVALID
                $value = str_replace("\n", "\r\n", $value);
                $this->ipn_data[$field] = $value;
                $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
            }
        }
        $post_string.="cmd=_notify-validate"; // append ipn command
        // open the connection to paypal
        $fp = fsockopen('ssl://www.sandbox.paypal.com',"443",$err_num,$err_str,30); 
        if(!$fp)
        {
            // could not open the connection.  If logging is on, the error message
            // will be in the log.
            $this->last_error = "fsockopen error no. $err_num: $err_str";
            $this->log_ipn_results(false);       
            return false;
        } 
        else
        { 
            // Post the data back to paypal
            fputs($fp, "POST $url_parsed[path] HTTP/1.1\r\n"); 
            fputs($fp, "Host: $url_parsed[host]\r\n"); 
            fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n"); 
            fputs($fp, "Content-length: ".strlen($post_string)."\r\n"); 
            fputs($fp, "Connection: close\r\n\r\n"); 
            fputs($fp, $post_string . "\r\n\r\n"); 
            // loop through the response from the server and append to variable
            while(!feof($fp))
                $this->ipn_response .= fgets($fp, 1024); 
            fclose($fp); // close connection
        }
        if (eregi("VERIFIED",$this->ipn_response))
        {
            // Valid IPN transaction.
            $this->log_ipn_results(true);
            return true;         
        } 
        else 
        {
            // Invalid IPN transaction.  Check the log for details.
            $this->last_error = 'IPN Validation Failed.';
            $this->log_ipn_results(false);  
            return false;
        }
    }


Paypal.php controller for processing the IPN. It checks the validation and, in this example, that the amount is $197.

    function ipn()
    {
        // Payment has been received and IPN is verified.  This is where you
        // update your database to activate or process the order, or setup
        // the database with the user's order details, email an administrator,
        // etc. You can access a slew of information via the ipn_data() array.
        // Check the paypal documentation for specifics on what information
        // is available in the IPN POST variables.  Basically, all the POST vars
        // which paypal sends, which we send back for validation, are now stored
        // in the ipn_data() array.
        // For this example, we'll just email ourselves ALL the data.
        // IT'S ONLY TEST DATA BELOW!
        $item = '507';
        $payment_currency = $_POST['mc_gross'];
        $payment_currency2 = '197';
        if (($payment_currency === $payment_currency2) && ($this->paypal_lib->validate_ipn())) {
            $this->db->query( 'update users set users_money=users_money+212345, users_credits=users_credits+2123 WHERE users_id=' . $item );
        }
    }

It is safe.

In the Paypal_Lib.php file, the validate_ipn() method sends the POST data (received via the ipn method) to the PayPal server

    if (isset($_POST))
    {
        foreach ($_POST as $field=>$value)
        {       // str_replace("\n", "\r\n", $value)
                // put line feeds back to CR+LF as that's how PayPal sends them out
                // otherwise multi-line data will be rejected as INVALID
            $value = str_replace("\n", "\r\n", $value);
            $this->ipn_data[$field] = $value;
            $post_string .= $field.'='.urlencode(stripslashes($value)).'&';
        }
    }

to verify whether the POST request came from PayPal or from some other server.

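PayPal then responds to the validation request with VERIFIED. If it is verified, it means the payment was made on the PayPal server, so you can proceed to the next step.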

If it does not respond to the validation request with VERIFIED, it means this is a fake request (from outside the PayPal server).

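You typically want to check more than just the payment total. You might want to check the currency type (e.g. USD rather than yen), and I always check that the purchase came from the correct user, but basically you'll want to check everything you can.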
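The extra checks recommended in the last answer, as an added example that is not part of the original posts or of the library. `payment_status`, `receiver_email`, `mc_currency`, `mc_gross`, `custom` and `txn_id` are PayPal IPN variables; the `$expected` order record, the `$seen_txn` list and the use of `custom` to carry the user id are assumptions.

```php
<?php
// Added example, not from the original posts. Field names are PayPal IPN
// variables; $expected (the stored order) and $seen_txn (transaction ids
// already credited) are hypothetical stand-ins for database lookups.

/** Returns the reasons a VERIFIED IPN must still be rejected (empty = accept). */
function ipn_order_mismatches(array $ipn, array $expected, array $seen_txn)
{
    $problems = array();
    $get = function ($k) use ($ipn) { return isset($ipn[$k]) ? (string) $ipn[$k] : ''; };

    if ($get('payment_status') !== 'Completed') {
        $problems[] = 'payment_status is not Completed';
    }
    // The money must have gone to our account, not to someone else's.
    if (strcasecmp($get('receiver_email'), $expected['receiver_email']) !== 0) {
        $problems[] = 'receiver_email mismatch';
    }
    if ($get('mc_currency') !== $expected['currency']) {
        $problems[] = 'currency mismatch';
    }
    // Compare amounts in integer cents so "197" and "197.00" are the same price.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $get('mc_gross'))
        || (int) round($get('mc_gross') * 100) !== (int) round($expected['amount'] * 100)) {
        $problems[] = 'amount mismatch';
    }
    // Assumption: the checkout put the buyer's user id in the "custom" field.
    if ($get('custom') !== (string) $expected['user_id']) {
        $problems[] = 'user mismatch';
    }
    // The same notification can arrive more than once; credit each txn_id once.
    if ($get('txn_id') === '' || in_array($get('txn_id'), $seen_txn, true)) {
        $problems[] = 'txn_id missing or already processed';
    }
    return $problems;
}

// Constructed sample data: a yen payment sent for a dollar-priced order.
$expected = array('receiver_email' => 'seller@example.com', 'currency' => 'USD',
                  'amount' => '197.00', 'user_id' => 507);
$ipn = array('payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
             'mc_currency' => 'JPY', 'mc_gross' => '197', 'custom' => '507',
             'txn_id' => 'TXN-CONSTRUCTED-1');

print_r(ipn_order_mismatches($ipn, $expected, array()));
print_r(ipn_order_mismatches($ipn, $expected, array('TXN-CONSTRUCTED-1')));
```

In the controller, the account would be credited only when `validate_ipn()` returns true and this function returns an empty array.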