I implemented a dynamic "Buy Now" button with IPN (not saved in my PayPal account), and it works correctly (yes!).

Now I have a question about its security, because if someone changes the amount value with Firebug (for example), the transaction is still valid for PayPal even if my IPN listener says there is a problem with the amount.

My question is: "Can I encrypt the form with a PHP / CodeIgniter library?"

Because I tried checking the amount in the IPN listener, but the transaction on PayPal still went through correctly and was not blocked by the IPN.

Here you can find part of my listener code:

```php
private function isVerifiedIPN(){

    // Rebuild the received message, prefixed with cmd=_notify-validate, to echo it back to PayPal
    $req = 'cmd=_notify-validate';
    $posts = $this->input->post();
    foreach ($posts as $key => $value){
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }

    if($this->config->item('SIMULATION'))
        $url = $this->config->item('SIMULATION_URL');
    else
        $url = $this->config->item('PRODUCTION_URL');


    // Own checks: amount, receiver e-mail, and that this txn_id has not been processed before
    if(!$this->isVerifiedAmmount() ||
    !$this->isPrimaryPayPalEmail() ||
    !$this->isNotProcessed()){
        $req = '';
    }

    $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
    $header .= "Host: $url\r\n"; //443
    $header .= "Content-type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-length: " . strlen($req) . "\r\n\r\n";

    $fp = fsockopen ("ssl://$url", 443, $errno, $errstr, 30);

    if (!$fp)
    {
        $this->sendReport("Errore connessione socket");
        return FALSE;
    }
    else
    {
        fputs ($fp, $header . $req);
        while (!feof($fp))
        {
            // trim() so a trailing newline in the response line does not defeat the comparison
            $res = trim(fgets ($fp, 1024));
            if (strcmp($res, "VERIFIED") == 0)
            {
                // valid transaction
                fclose ($fp);
                return TRUE;
            }
            else if (strcmp ($res, "INVALID") == 0)
            {
                $this->sendReport('Transizione non valida');
                fclose ($fp);
                return FALSE;
            }
        }
        // Neither answer arrived before the connection closed: treat as not verified
        fclose ($fp);
        return FALSE;
    }

}
```
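The listener above tries to refuse the message before PayPal has even confirmed it, but an IPN handler cannot cancel a payment that PayPal has already completed; what it controls is whether the shop fulfils the order. The following is an added example, not the poster's code, of the usual shape: verify first, then compare the VERIFIED message against the order stored on the server and hold anything that does not match. The in-memory `$orders` array stands in for a database, the button is assumed to send the order id in the `invoice` field, and the endpoint URL and seller e-mail are placeholders.

```php
<?php
// Added example (not the original poster's code): an IPN listener that first
// asks PayPal to confirm the message, then checks the VERIFIED transaction
// against the order stored on the server. Every mismatch is reported for
// review instead of being "blocked", because IPN cannot undo the payment.
//
// Assumptions: $orders stands in for the database, keyed by the "invoice"
// value the button sent; the endpoint URL and seller e-mail are placeholders.

const PAYPAL_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr'; // live endpoint; sandbox has its own host
const MY_PAYPAL_EMAIL   = 'seller@example.com';                        // placeholder

/** Echo the message back to PayPal; returns 'VERIFIED', 'INVALID' or null on a transport error. */
function paypalVerify(array $post, string $url = PAYPAL_VERIFY_URL): ?string
{
    $body = 'cmd=_notify-validate&' . http_build_query($post);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // keep TLS verification on
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Listener'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $res = curl_exec($ch);
    curl_close($ch);
    return $res === false ? null : trim($res);
}

/**
 * Checks that run only after PayPal answered VERIFIED. Returns a list of
 * problems; an empty list means the order may be fulfilled.
 */
function ipnProblems(array $post, array $orders, array $seenTxnIds): array
{
    $order = $orders[$post['invoice'] ?? ''] ?? null;
    if ($order === null) {
        return ['unknown invoice'];
    }
    $problems = [];
    if (($post['payment_status'] ?? '') !== 'Completed') {
        $problems[] = 'payment_status is ' . ($post['payment_status'] ?? '(missing)');
    }
    // A VERIFIED message can describe a payment made to someone else's account
    if (strcasecmp($post['receiver_email'] ?? '', MY_PAYPAL_EMAIL) !== 0) {
        $problems[] = 'receiver_email is not ours';
    }
    // Compare money as fixed-point strings, never with == on floats
    $expectedAmount = number_format($order['amount'], 2, '.', '');
    $paidAmount     = number_format((float)($post['mc_gross'] ?? 0), 2, '.', '');
    if ($paidAmount !== $expectedAmount) {
        $problems[] = "mc_gross $paidAmount differs from order amount $expectedAmount";
    }
    if (($post['mc_currency'] ?? '') !== $order['currency']) {
        $problems[] = 'currency mismatch';
    }
    // A txn_id already processed means a replayed or duplicated notification
    if (in_array($post['txn_id'] ?? '', $seenTxnIds, true)) {
        $problems[] = 'duplicate txn_id';
    }
    return $problems;
}

/** Full flow for one notification; $verdict lets a caller inject PayPal's answer offline. */
function handleIpn(array $post, array $orders, array $seenTxnIds, ?string $verdict = null): string
{
    $verdict = $verdict ?? paypalVerify($post);
    if ($verdict !== 'VERIFIED') {
        return 'ignored (' . ($verdict ?? 'no answer') . ')';
    }
    $problems = ipnProblems($post, $orders, $seenTxnIds);
    return $problems ? 'hold for review: ' . implode('; ', $problems) : 'fulfil order';
}

// Constructed sample: order 1001 costs 25.00 EUR, but the form was edited to 1.00 in the browser.
// PayPal still answers VERIFIED, because the message really came from PayPal.
$orders   = ['1001' => ['amount' => 25.00, 'currency' => 'EUR']];
$tampered = [
    'txn_id' => 'TXN-SAMPLE-1', 'invoice' => '1001', 'payment_status' => 'Completed',
    'receiver_email' => 'seller@example.com', 'mc_gross' => '1.00', 'mc_currency' => 'EUR',
];
echo handleIpn($tampered, $orders, [], 'VERIFIED'), "\n";
```

The point the sample makes is that the tampered message is genuine from PayPal's side, so VERIFIED is the expected answer; the amount comparison against the server-side order is what catches the edit, and the outcome is a held order, not a cancelled payment.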
2 Answers

You can dynamically encrypt buttons so that people with Firebug (or similar software) can't edit them. The PayPal API library has an example of this you can use, but I can't find it again right now.

This PayPal help file explains how to get the various keys you need using your server command line.

I also found a tutorial and a certificate builder (which I didn't use, so I can't confirm how secure it is...)

Once you've generated your key and certificate, you need to put them on your server and set DEFAULT_EWP_PRIVATE_KEY_PATH and DEFAULT_EWP_CERT_PATH to the relevant files.

Upload the public certificate to PayPal (instructions in linked tutorials), and set DEFAULT_CERT_ID to the Cert ID it gives you for that file. It'll also give you a file you can download - add that to your server and set PAYPAL_CERT_PATH to the path for that file.

answered 2012-09-11T14:43:07.243
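As an added illustration of the key/certificate setup this answer describes (example code, not the answer's or PayPal's own), here is how an Encrypted Website Payments button is produced in PHP with the OpenSSL extension: the button variables are S/MIME-signed with the merchant key and certificate, then encrypted to PayPal's public certificate, so the browser only ever sees an opaque blob. The file paths and the cert id are placeholders standing in for the `DEFAULT_EWP_PRIVATE_KEY_PATH`, `DEFAULT_EWP_CERT_PATH`, `PAYPAL_CERT_PATH` and `DEFAULT_CERT_ID` settings named above; the usage at the bottom needs the real files to exist.

```php
<?php
// Added example, not the answer's or PayPal's own code: building an Encrypted
// Website Payments (EWP) "Buy Now" button with PHP's OpenSSL extension.
// Paths and the cert id are placeholders for the DEFAULT_EWP_PRIVATE_KEY_PATH,
// DEFAULT_EWP_CERT_PATH, PAYPAL_CERT_PATH and DEFAULT_CERT_ID settings.

/** Strip the MIME headers from an openssl_pkcs7_* output file and return its base64 body on one line. */
function smimeBody(string $file): string
{
    $parts = preg_split("/\r?\n\r?\n/", file_get_contents($file), 2);
    if (count($parts) !== 2) {
        throw new RuntimeException("unexpected S/MIME layout in $file");
    }
    return preg_replace('/\s+/', '', $parts[1]);
}

/**
 * Returns the value for the hidden "encrypted" field. Throws on any OpenSSL
 * failure rather than silently falling back to a plain button.
 */
function buildEncryptedButton(array $vars, string $privKeyPath, string $certPath,
                              string $paypalCertPath, string $certId): string
{
    $vars  = ['cert_id' => $certId] + $vars;
    $lines = [];
    foreach ($vars as $name => $value) {
        // EWP input is one "name=value" per line; a newline in a value would inject extra variables
        if (strpbrk($name . $value, "\r\n") !== false) {
            throw new InvalidArgumentException("newline in button variable '$name'");
        }
        $lines[] = "$name=$value";
    }

    $clear  = tempnam(sys_get_temp_dir(), 'ewp');
    $signed = tempnam(sys_get_temp_dir(), 'ewp');
    $der    = tempnam(sys_get_temp_dir(), 'ewp');
    $enc    = tempnam(sys_get_temp_dir(), 'ewp');
    try {
        file_put_contents($clear, implode("\n", $lines));

        // Step 1: sign with the merchant certificate and private key (binary, not detached)
        if (!openssl_pkcs7_sign($clear, $signed, 'file://' . $certPath, 'file://' . $privKeyPath, [], PKCS7_BINARY)) {
            throw new RuntimeException('sign failed: ' . openssl_error_string());
        }
        // OpenSSL writes a MIME message; the raw PKCS#7 blob is the input to the encryption step
        file_put_contents($der, base64_decode(smimeBody($signed), true));

        // Step 2: encrypt the signed blob to PayPal's public certificate
        if (!openssl_pkcs7_encrypt($der, $enc, 'file://' . $paypalCertPath, [], PKCS7_BINARY, OPENSSL_CIPHER_3DES)) {
            throw new RuntimeException('encrypt failed: ' . openssl_error_string());
        }
        return "-----BEGIN PKCS7-----\n" . smimeBody($enc) . "\n-----END PKCS7-----";
    } finally {
        foreach ([$clear, $signed, $der, $enc] as $f) {
            @unlink($f);
        }
    }
}

/** Render the form: only cmd and the opaque encrypted blob reach the browser. */
function encryptedButtonHtml(string $encrypted, string $action = 'https://www.paypal.com/cgi-bin/webscr'): string
{
    $blob = htmlspecialchars($encrypted, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="post">' . "\n"
         . '  <input type="hidden" name="cmd" value="_s-xclick">' . "\n"
         . '  <input type="hidden" name="encrypted" value="' . $blob . '">' . "\n"
         . '  <input type="submit" value="Buy Now">' . "\n"
         . "</form>\n";
}

// Usage; the key material is not included here and the paths are placeholders
$encrypted = buildEncryptedButton(
    [
        'cmd'           => '_xclick',
        'business'      => 'seller@example.com',
        'item_name'     => 'Sample item',
        'item_number'   => 'SKU-1',
        'amount'        => '25.00',
        'currency_code' => 'EUR',
        'invoice'       => '1001',
        'notify_url'    => 'https://shop.example.com/paypal/ipn',
    ],
    '/path/to/my-private-key.pem',   // DEFAULT_EWP_PRIVATE_KEY_PATH
    '/path/to/my-public-cert.pem',   // DEFAULT_EWP_CERT_PATH
    '/path/to/paypal_cert_pem.txt',  // PAYPAL_CERT_PATH
    'YOUR_CERT_ID'                   // DEFAULT_CERT_ID
);
echo encryptedButtonHtml($encrypted);
```

The private key must stay outside the web root and readable only by the PHP process; a leaked key lets anyone produce buttons that PayPal will accept under your cert id, which is why the answer's step of uploading only the public certificate matters.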
For those who find it too hard to use a library to get the encryption going, or have hosting requirement issues with getting that working, the other trick is to not encrypt, but create a hash that you pass so that you can detect tampering, and then validate this hash when the IPN comes in for processing. I explain this here:

How do I make a PayPal encrypted buy now button with custom fields?

answered 2013-01-24T16:30:38.130
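The hash approach this answer points to, written out as an added example (not the answer's own code): the server computes an HMAC over the order fields and passes it in the button's `custom` variable, which PayPal returns untouched in the IPN, and the listener recomputes it after PayPal has answered VERIFIED. The secret, the prices and the two sample IPN messages are constructed values.

```php
<?php
// Added example, not the answer's own code: tamper detection without
// encryption. An HMAC over the order fields travels in "custom"; editing the
// amount in the browser changes the HMAC input, so the stored tag no longer
// matches, and the secret never leaves the server. All values are constructed.

const ORDER_HMAC_SECRET = 'replace-with-32-random-bytes'; // placeholder; keep it out of the repository

/** Canonical signature over the fields that must not change between button and IPN. */
function orderSignature(string $invoice, string $amount, string $currency, string $itemNumber,
                        string $secret = ORDER_HMAC_SECRET): string
{
    // Fixed field order and a normalised amount, so "25" and "25.00" sign the same
    $canonical = implode('|', [$invoice, number_format((float)$amount, 2, '.', ''), $currency, $itemNumber]);
    return hash_hmac('sha256', $canonical, $secret);
}

/** Hidden fields for a Buy Now form; the price comes from the server's catalogue, not from the browser. */
function buyNowFields(string $invoice, string $itemNumber, string $amount, string $currency): array
{
    return [
        'cmd'           => '_xclick',
        'business'      => 'seller@example.com', // placeholder
        'item_number'   => $itemNumber,
        'amount'        => $amount,
        'currency_code' => $currency,
        'invoice'       => $invoice,
        'custom'        => orderSignature($invoice, $amount, $currency, $itemNumber),
    ];
}

/** Run only after PayPal has answered VERIFIED: does the IPN still match what we signed? */
function ipnMatchesSignature(array $post, string $secret = ORDER_HMAC_SECRET): bool
{
    $expected = orderSignature(
        (string)($post['invoice'] ?? ''),
        (string)($post['mc_gross'] ?? ''),
        (string)($post['mc_currency'] ?? ''),
        (string)($post['item_number'] ?? ''),
        $secret
    );
    // Constant-time comparison; the tag that came back may be anything
    return hash_equals($expected, (string)($post['custom'] ?? ''));
}

// Constructed walk-through
$fields = buyNowFields('1001', 'SKU-1', '25.00', 'EUR');

// IPN for an untouched checkout: PayPal reports the paid amount as mc_gross
$honest = ['invoice' => '1001', 'item_number' => 'SKU-1', 'mc_gross' => '25.00',
           'mc_currency' => 'EUR', 'custom' => $fields['custom']];
// IPN after the amount was edited to 1.00 in the browser; "custom" still carries the original tag
$edited = ['mc_gross' => '1.00'] + $honest;

echo 'untouched checkout matches: ', var_export(ipnMatchesSignature($honest), true), "\n";
echo 'edited amount matches:      ', var_export(ipnMatchesSignature($edited), true), "\n";
```

Two caveats when adopting this: `mc_gross` also includes shipping and tax if the button adds them, so those fields need to be part of the signature (or compared separately), and the HMAC does not replace IPN verification or `txn_id` de-duplication; it only tells you that the amount PayPal charged is the one your server priced.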