We have a PHP system in which we are using Micah Carrick's "PHP Paypal IPN Integration Class" (http://www.micahcarrick.com/php-paypal-ipn-integration-class.html).

In his sample code he suggests that we validate the POST variables before passing them on to PayPal:
    switch ($_GET['action']) {
    case 'process': // Process and order...
        ...
        // This is where you would have your form validation and all that jazz.
        // You would take your POST vars and load them into the class like below,
        // only using the POST values instead of constant string expressions.
        // For example, after ensuring all the POST variables from your custom
        // order form are valid, you might have:
        //
        // $p->add_field('first_name', $_POST['first_name']);
        // $p->add_field('last_name', $_POST['last_name']);
        ...
        $custom = $_SESSION['sess_user_id'] . "~" . $_POST['promo_code'];
        $p->add_field('user_id', $_SESSION['sess_user_id']);
        $p->add_field('custom', $custom);
        $p->add_field('amount', $_POST['amount']);
        ...
        $p->submit_paypal_post(); // submit the fields to paypal
        break;
However, we are not doing this for the variables mentioned above.

Should we validate at (a) this stage, or at (b) the stage where PayPal returns the data, or at both?

And how should we validate the data?
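The following is an added example written for this question; it is not code from the question, from Micah Carrick's class, or from PayPal. It shows server-side checks on both legs of the flow the question describes: before the fields are handed to PayPal (the server decides the amount instead of reading `$_POST['amount']`, and the promo code is whitelisted so it can never smuggle the `~` separator used in `custom`), and when the IPN comes back (postback verification, then comparing receiver, status, currency, amount and transaction id against the order the server stored). The `$catalog`, `$order`, `item_id`, `receiver_email` value and the injected `$postback` callable are assumptions for illustration; in production the callable would POST the IPN body back to PayPal with `cmd=_notify-validate` over HTTPS.

```php
<?php
// Added example (not part of the question or Micah Carrick's class).
// $catalog, $order and item_id are assumed names for illustration.

// (a) Before redirecting to PayPal: never take the price from the browser.
// The client only names what it wants to buy; the server looks up the price.
function build_paypal_fields(array $post, array $session, array $catalog): array
{
    $errors = [];
    if (empty($session['sess_user_id']) || !ctype_digit((string) $session['sess_user_id'])) {
        $errors[] = 'not logged in';
    }
    $promo = (string) ($post['promo_code'] ?? '');
    // Whitelist the promo-code alphabet. The custom field is later split on "~",
    // so the separator must never be allowed inside the code.
    if ($promo !== '' && !preg_match('/^[A-Z0-9]{1,16}$/', $promo)) {
        $errors[] = 'bad promo code';
    }
    $item = (string) ($post['item_id'] ?? '');
    if (!isset($catalog[$item])) {
        $errors[] = 'unknown item';
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    $amount = $catalog[$item]['price'];
    if ($promo !== '' && isset($catalog[$item]['promos'][$promo])) {
        $amount = $catalog[$item]['promos'][$promo];
    }
    // $post['amount'] is deliberately ignored: the server decides the price and
    // stores it with the order so the IPN can be checked against it later.
    $fields = [
        'item_number'   => $item,
        'amount'        => number_format($amount, 2, '.', ''),
        'currency_code' => 'USD',
        'custom'        => $session['sess_user_id'] . '~' . $promo,
    ];
    return ['ok' => true, 'fields' => $fields];
}

// (b) When the IPN arrives: confirm the message with PayPal, then compare every
// money-relevant field with what the server stored for the order.
// $postback sends the IPN back to PayPal (cmd=_notify-validate) and returns
// PayPal's reply, "VERIFIED" or "INVALID"; it is injected so this runs offline.
// $seen_txn records processed txn_ids so a replayed IPN is not credited twice.
function verify_ipn(array $ipn, callable $postback, array $order,
                    array &$seen_txn, string $receiver_email): array
{
    if ($postback($ipn) !== 'VERIFIED') {
        return ['ok' => false, 'reason' => 'postback not VERIFIED'];
    }
    if (($ipn['receiver_email'] ?? '') !== $receiver_email) {
        return ['ok' => false, 'reason' => 'wrong receiver'];
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        return ['ok' => false, 'reason' => 'payment not completed'];
    }
    $gross = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
    if (($ipn['mc_currency'] ?? '') !== $order['currency'] || $gross !== $order['amount']) {
        return ['ok' => false, 'reason' => 'amount or currency mismatch'];
    }
    $txn = (string) ($ipn['txn_id'] ?? '');
    if ($txn === '' || isset($seen_txn[$txn])) {
        return ['ok' => false, 'reason' => 'missing or already processed txn_id'];
    }
    $seen_txn[$txn] = true;
    return ['ok' => true, 'txn_id' => $txn];
}

// Constructed sample data for a stand-alone run.
$catalog = ['SKU1' => ['price' => 20.00, 'promos' => ['SAVE5' => 15.00]]];
$r = build_paypal_fields(
    ['item_id' => 'SKU1', 'promo_code' => 'SAVE5', 'amount' => '0.01'], // client-sent amount is ignored
    ['sess_user_id' => '42'],
    $catalog
);
var_dump($r);

$order    = ['amount' => $r['fields']['amount'], 'currency' => 'USD'];
$seen     = [];
$postback = fn(array $ipn) => 'VERIFIED'; // stand-in for the real HTTPS postback
$ipn      = ['receiver_email' => 'seller@example.com', 'payment_status' => 'Completed',
             'mc_currency' => 'USD', 'mc_gross' => '15.00', 'txn_id' => 'TXN1'];
var_dump(verify_ipn($ipn, $postback, $order, $seen, 'seller@example.com'));
var_dump(verify_ipn($ipn, $postback, $order, $seen, 'seller@example.com')); // same txn_id again: rejected
```

The design point is that both stages matter, but for different reasons: stage (a) keeps untrusted input out of the fields you sign off on (in particular the amount), while stage (b) is the only place you learn what was actually paid, so the IPN's `mc_gross`, `mc_currency`, `receiver_email`, `payment_status` and `txn_id` are checked against the server-side order record rather than against anything the browser submitted.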