How safe is a curl function from being sniffed?

Views: 48

Problem description

Hi instead of using the Paypal API I designed a webpage using php and curl to check whether a certain email is verified on Paypal or not. In order to do so I have to allow the script to login for me on Paypal's website. Now I am using a fake paypal account just to check if an email is verified or not, but my question is how secure is that username and password that is being entered onto paypal's website. If it is unsecure and can be easily sniffed out by someone monitoring the server communications, how can I protect against that?

Please note I am not using Paypal's API because it requires way too much work to incorporate onto your website, and it requires extra fields to return if an email is verified (first name, last name, etc).

The code is as follows:

<?php
// Email address to check
$verifyEmail = 'randomemail@blah.com';

// PayPal login info (placeholders; never commit real credentials to source)
$loginEmail = '###';
$password = '###';

if (!isLogin($loginEmail, $password)) {
    echo 'Login failed';
} else if (isVerified($verifyEmail)) {
    echo 'Verified';
} else {
    echo 'Not verified';
}


#########################################
function isVerified($verifyEmail) {
    $url = 'https://www.paypal.com/us/verified/pal=' . $verifyEmail;
    $response = curl_get($url);
    // strpos() can legitimately return 0, so compare against false explicitly
    return strpos($response, '<td class="emphasis">Verified</td>') !== false;
}

function isLogin($email, $password) {
    // Get login page
    $response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run');
    $postFields = getHiddenFormInputs($response, 'login_form');
    if (!$postFields) {
        return false;
    }
    // Post login
    $postFields['login_email'] = $email;
    $postFields['login_password'] = $password;
    $postFields = serializePostFields($postFields);
    $response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit', $postFields);
    // Response headers are included (CURLOPT_HEADER), so the redirect target is visible here
    return strpos($response, 'login_cmd=_login-done') !== false;
}

function curl_get($url, $postfields = false) {
    static $curl;
    if (empty($curl)) {
        $cookiejar = 'curl_cookiejar.txt';
        @unlink($cookiejar);
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_COOKIEJAR,  $cookiejar);
        curl_setopt($curl, CURLOPT_COOKIEFILE, $cookiejar);
        // HTTP_USER_AGENT is not set when the script runs from the CLI
        $userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : 'Mozilla/5.0';
        curl_setopt($curl, CURLOPT_USERAGENT, $userAgent);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_MAXREDIRS, 5);
    }
    curl_setopt($curl, CURLOPT_URL, $url);
    if (stripos($url, 'https') !== false) {
        // Certificate verification must stay enabled: with it switched off,
        // https no longer protects the credentials from interception.
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 1);
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 2);
    }
    if ($postfields) {
        curl_setopt($curl, CURLOPT_POST, 1);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $postfields);
    } else {
        // The handle is reused across calls, so reset to GET after an earlier POST
        curl_setopt($curl, CURLOPT_HTTPGET, 1);
    }
    $response = curl_exec($curl);
    return $response;
}

function getHiddenFormInputs($html, $formName) {
    // Locate the named <form> and collect its hidden inputs as name => value
    $formName = preg_quote($formName, '|');
    if (!preg_match('|<form[^>]+' . $formName . '[^>]+>.*</form>|Usi', $html, $form)) {
        return '';
    }
    if (!preg_match_all('/<input[^>]+hidden[^>]*>/i', $form[0], $inputs)) {
        return '';
    }
    $hiddenInputs = array();
    foreach ($inputs[0] as $input) {
        if (preg_match('|name\s*=\s*[\'"]([^\'"]+)[\'"]|i', $input, $name)) {
            $hiddenInputs[$name[1]] = '';
            if (preg_match('|value\s*=\s*[\'"]([^\'"]*)[\'"]|i', $input, $value)) {
                $hiddenInputs[$name[1]] = $value[1];
            }
        }
    }
    return $hiddenInputs;
}

function serializePostFields($postFields) {
    foreach ($postFields as $key => $value) {
        $value = urlencode($value);
        $postFields[$key] = "$key=$value";
    }
    // implode(array, glue) argument order is deprecated in 7.4 and removed in PHP 8
    $postFields = implode('&', $postFields);
    return $postFields;
}


?>

Recommended answer

Ignoring the method being used (the API is more robust, and the current method could break if they change the login), CURL is as secure as any standard request from a browser. From the script I can see you are using https for the request, so you should be fine.
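The answer's reassurance rests on curl actually verifying the server's certificate (CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST); with verification off, the https URL is no protection, because the client accepts whatever certificate an interceptor presents. The following is an added example, not code from the question or the answer: a hardened counterpart of the poster's curl_get() that keeps verification on, refuses plain-http transfers and redirects, fails closed on TLS errors, and reads the credentials from environment variables (PAYPAL_LOGIN_EMAIL and PAYPAL_LOGIN_PASSWORD are assumed names).

```php
<?php
// Added example: hardened counterpart of the question's curl_get(). Not the
// poster's code; the environment variable names below are assumptions.

function secure_curl_init($cookieJar) {
    $curl = curl_init();
    curl_setopt_array($curl, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_HEADER          => true,
        CURLOPT_COOKIEJAR       => $cookieJar,
        CURLOPT_COOKIEFILE      => $cookieJar,
        // The weak setting is VERIFYPEER=0 / VERIFYHOST=0, which accepts
        // any certificate at all; these two lines are the corrected form.
        CURLOPT_SSL_VERIFYPEER  => true, // certificate must chain to a trusted CA
        CURLOPT_SSL_VERIFYHOST  => 2,    // and must match the requested host name
        CURLOPT_SSLVERSION      => CURL_SSLVERSION_TLSv1_2,
        // Never speak plain http, not even when a 3xx redirect asks for it,
        // so the session cookie and form data cannot be sent in the clear.
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_TIMEOUT         => 30,
    ]);
    return $curl;
}

// Fail closed: a TLS or transport error raises instead of returning ''.
function secure_curl_get($curl, $url, $postFields = null) {
    curl_setopt($curl, CURLOPT_URL, $url);
    if ($postFields !== null) {
        curl_setopt($curl, CURLOPT_POST, true);
        curl_setopt($curl, CURLOPT_POSTFIELDS, $postFields);
    } else {
        // The handle is reused, so reset to GET after an earlier POST
        curl_setopt($curl, CURLOPT_HTTPGET, true);
    }
    $response = curl_exec($curl);
    if ($response === false) {
        // e.g. curl error 35 = handshake failed, 60 = peer certificate not verified
        throw new RuntimeException('TLS/transport failure (' . curl_errno($curl) . '): ' . curl_error($curl));
    }
    return $response;
}

// Assumed variable names; set them in the deployment, not in the source tree.
$loginEmail = getenv('PAYPAL_LOGIN_EMAIL');
$password   = getenv('PAYPAL_LOGIN_PASSWORD');
if ($loginEmail === false || $password === false) {
    throw new RuntimeException('PAYPAL_LOGIN_EMAIL / PAYPAL_LOGIN_PASSWORD not set');
}
```

Drop this in place of the original curl_get() and call secure_curl_get() from isLogin() and isVerified(); a forged or mismatched certificate then aborts the login instead of silently sending the password to whoever answered.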
