使用HTTPS进行Paypal IPN验证回发 [英] Paypal IPN Verification Postback with HTTPS

问题描述

根据新的安全要求(2016年，2017年和2018年)，在"IPN"期间，服务器和Paypal之间的交换似乎需要HTTPS. 此问题与该主题相关，也与

According to new security requirements (2016, 2017 and 2018), it seems that HTTPS will be required for exchange between server and Paypal, during an "IPN". This question is linked to this subject and also this.

我们应该如何修改此PHP IPN代码?

$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com:80\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);

$req = 'cmd=_notify-validate';

...

fputs ($fp, $header . $req);

将www.paypal.com的两个出现替换为https://www.paypal.com就足够了吗?

Would replacing the two occurences of www.paypal.com by https://www.paypal.com be enough?

此外，我的商店网站不是HTTPS的问题，是否会拒绝此连接?

Also, is the fact my shop website is not HTTPS a problem, will this connection be refused?

以下是从贝宝(Paypal)收到的电子邮件的一部分:

Here is part of the email received from Paypal:

编辑(2018/06/22)，这是应用接受的答案代码后的实际IPN代码.奇怪的是，我仍然得到:"IPN验证回发到HTTPS.需要更新:是".因此，这意味着以下代码仍不是100％兼容HTTPS.为什么?

Edit (2018/06/22), here is the actual IPN code, after applying the accepted answer code. Strangely, I still get: "IPN Verification postback to HTTPS. Update needed: YES". So this means the following code is still not 100% compliant to HTTPS. Why?

<?php
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
  $value = trim(urlencode(stripslashes($value)));
  $req .= "&$key=$value";
}

$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen('tls://www.paypal.com', 443, $errno, $errstr, 30);

// variables
$item_name = $_POST['item_name'];
$business = $_POST['business'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
// and many more

if (!$fp)
{
  // HTTP ERROR
} else
{
  fputs ($fp, $header . $req);
  while (!feof($fp))
  {
    $res = fgets ($fp, 1024);
    if (strcmp ($res, "VERIFIED") == 0)
    {
        // send email to customer, etc.
    }
  }
  fclose ($fp);
}
?>

推荐答案

hostname

如果安装了OpenSSL支持，则可以为hostname加上ssl://或tls://前缀，以使用通过TCP/IP的SSL或TLS客户端连接来连接到远程主机.

If OpenSSL support is installed, you may prefix the hostname with either ssl:// or tls:// to use an SSL or TLS client connection over TCP/IP to connect to the remote host.

http://www.php.net/fsockopen

端口也需要更改为443.所以:

The port would also need to change to 443. So:

$header .= "Host: www.paypal.com\r\n";
...
$fp = fsockopen('ssl://www.paypal.com', 443, $errno, $errstr, 30);
...
fputs ($fp, $header . $req);

https://将不起作用，因为您正在打开 socket ，这是一种低级传输. HTTP是最重要的应用程序级别协议，套接字不知道或不在乎.在套接字级别，这是一个 TLS 连接.

https:// would not work because you're opening a socket, which is a low-level transport. HTTP is an application level protocol on top of that, which the socket doesn't know or care about. At the socket level it's a TLS connection.

此外，我的商店网站不是HTTPS的问题，是否会拒绝此连接?

Also, is the fact my shop website is not HTTPS a problem, will this connection be refused?

浏览器与服务器的连接类型无关紧要，没人知道.您正在打开从PHP程序到Paypal的套接字，也可以直接在命令行中完全不涉及任何"HTTP"连接来完成此操作.

What kind of connection a browser has to your server is irrelevant and nobody knows that. You're opening a socket from a PHP program to Paypal, you may as well be doing that directly from the command line without any "HTTP" connection involved at all.

这篇关于使用HTTPS进行Paypal IPN验证回发的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！