贝宝安全漏洞? [英] Paypal Security Flaw?
问题描述
在预订过程结束时(简化),我有以下表格:
I have a the following form at the end of a booking process (simplified):
<form action="https://www.paypal.com/cgi-bin/webscr" name="paypalForm" method="post">
<input type="hidden" name="amount" value="<?=$price;?>">
<input type="hidden" name="business" value="business@email.co.uk">
<input type="hidden" name="notify_url" value="http://website.co.uk/ipn">
</form>
我只保留了地址名称之类的东西.因此,当他们通过Paypal付款时,我正在使用Paypal IPN在数据库中将其标记为已付款. 但是 ..
I have only left out things like address name etc. So when they pay via Paypal, I am using paypal IPN to mark them in the database as paid. However..
我已经结束预订系统,查看了网页的来源,修改了公司的电子邮件地址和金额.我还没有尝试进行完整的交易,但是可以肯定的是,那里有Paypal的"notify_url"可以向我的服务器发送IPN消息,并将此人标记为已付款吗?这不是很糟糕的安全性吗?当然,这不是所有贝宝付款方式的工作方式,我一定会错过一些东西.
I have gone to the end of my booking system and viewed source of the webpage, modified the business email address and amount. I haven't tried a full transaction yet, but surely with the 'notify_url' in there Paypal with send an IPN message to my server and will mark the person off as paid? Isn't this terrible security? Surely this not how all paypal payments work, I must be missing something.
我想到的两件事可能会阻止这种情况:
There are two things I can think of that might prevent this:
- 如果我删除"notify_url",我在贝宝(Paypal)中设置的IPN URL可以代替吗?贝宝在隐藏的var
notify_url上放置什么值,它会覆盖贝宝后端的设置吗? - 在我的IPN代码中,我可以检查业务和金额.我目前不在,因为我没有在文档中的任何地方阅读.但是现在,我认为也许这将是一个非常好的主意.
- If I remove the "notify_url", will the IPN URL that I have set in paypal work instead? What value does paypal place on the hidden var
notify_url, does it override the settings in the back end of paypal? - In my IPN code I could check for business and Amount. I don't currently, as I didn't read any where in the documentation that I should. But now, I am thinking that maybe it would be a terribly good idea.
推荐答案
贝宝(PayPal)无法进行任何检查,以了解应使用的正确金额或电子邮件地址或IPN URL只能与特定的PayPal帐户一起使用.您的选项将像您已经提到的那样写在其他检查中.除了您已经提到的两种解决方法外,第三个选择是使用PayPal的
There isn't any check that can be done by PayPal to know what the correct amount, or email address should be that was used, or that the IPN URL should only be used with a particular PayPal account. Your options would to be write in the additional checks like you have already mentioned. In additional to what you already stated about your 2 workarounds, a 3rd option would be to create a hosted or encrypted button on the fly using PayPal's BMCreateButton API. Then the buyer would only see the encrypted button code, they would not be able to view your HTML button code. Therefore they would not be able to modify any of the variables, or see what they are currently set to.
这篇关于贝宝安全漏洞?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
