如何传递paypal API凭证SECURELY in与php（为什么这被认为是安全的） [英] How to pass paypal API credentials SECURELY in with php (and why is this not considered secure)

问题描述

显然，paypal API代码不是很容易阅读或理解，也不是提供的文档。 这个家伙同意我的意见。

如果您在PayPal文档中花费了超过几分钟的时间，就会知道手动解密1024位RSA私钥比使用Express Checkout API更容易理解PayPal数字商品。

所以我终于想出了如何通过这个示例代码让PHP与paypal API通信：

https://ppmts.custhelp.com/app/answers/ detail / a_id / 945 / kw / php

然而，PayPal完全远离他们提供的样本，他们必须对开发人员有兴趣花费几个小时找出系统，而不是给他们的代码，很容易实现，并开始得到报酬。我不知道他们是如何成功...

事实上，示例代码甚至说它不安全，不应该用于生产：

  //设置API凭证和版本大于65.1，还设置端点和重定向url 
 
 // ********************************************* ***** // 
 //这是您设置您的API凭据的位置// 
 //请注意这不是SECURE这个// 
 //是示例。不推荐使用// 
 //这种方法在生产中........................ // 
 // **************************************************** // 
 
 $ APIUSERNAME =xxxx; 
 $ APIPASSWORD =xxxx; 
 $ APISIGNATURE =xxxx; 
 $ ENDPOINT =https://api-3t.sandbox.paypal.com/nvp; 
  

基本上会发生什么是这些变量用于创建一个字符串，其中包含所有的购买信息以及API凭证。该字符串由每个索引和值对组成，并用&符号 $ req_str =USER = xxxx& PWD = xxxx; 等连接。这个字符串被传递给一个函数 PPHttpPost（$ ENDPOINT，$ req_str）; 。此函数使用 curl_init（）; 和相关函数以某种方式与paypal服务器通信，并返回唯一键来标识事务及其值。

我不知道这个函数是如何工作的，但它在我上面在functions.php下提供的链接上。

两个问题：

1。）为什么认为这不安全？

2。）如果通过将它们写入变量来告知应用程序有关您的API凭据不安全，那么

解决方案

1。）为什么这不算安全？

因为这些值是以文档根目录中的普通.php文件编写的。如果由于一些配置错误，你的.php文件最终被作为正常文本，或者你允许一个包含有问题的行的堆栈跟踪写入，然后你只是泄露你的秘密给所有和各种。这种情况比你想象的更频繁。

2。）如果通过将它们写入变量，那么是什么？

你可以把它们放在变量中，但是一般都接受， - 它们是数据库凭证，API密钥还是其他秘密值 - 是从位于文档根目录之外的配置文件中读取的，它们不会被意外地提供。

p PS。他们的示例代码也有不正确的处理URL编码和HTML编码，导致可能的XSS。如果我是他们，我也会离开它！

So obviously the paypal API code is not very easy to read or understand, neither is the documentation which is provided. This guy agrees with me.

If you’ve spent more than a few minutes in the PayPal documentation, you will know it’s easier to manually decrypt a 1024 bit RSA private key than to understand the PayPal Digital Goods with Express Checkout API.

So I finally figured out how to get PHP to communicate with the paypal API through this sample code:

https://ppmts.custhelp.com/app/answers/detail/a_id/945/kw/php

However PayPal completely distances themselves from the samples they provide, they must have an interest in developers spending hours and hours to figure out the system, rather than to just give them code that's easy to implement and start getting paid. I wonder how they got so successful...

As a matter of fact the sample code even says that it's not secure and should not be used for production:

// Set API creds and version greater than 65.1, also set endpoint and redirect url

//**************************************************// 
// This is where you would set your API Credentials // 
// Please note this is not considered "SECURE" this // 
// is an example only. It is NOT Recommended to use // 
// this method in production........................// 
//**************************************************//   

$APIUSERNAME  = "xxxx";   
$APIPASSWORD  = "xxxx";   
$APISIGNATURE = "xxxx";   
$ENDPOINT     = "https://api-3t.sandbox.paypal.com/nvp";  

Essentially what happens is these variables are used to create a string which contains all the information about the purchase as well as the API credentials. The string is made up of each index and value pair and connected with ampersands $req_str = "USER=xxxx&PWD=xxxx"; and so on. This string gets passed to a function PPHttpPost($ENDPOINT, $req_str);. This function uses curl_init(); and related functions to somehow communicates with the paypal server and returns a unique key to identify the transaction and it's values.

I am not exactly sure how this function works but it is listed on the link I provided above under "functions.php".

Two questions:

1.) Why is this not considered secure?

2.) If it's not secure to tell the application about your API credentials by writing them into variables, then what is ?

解决方案

1.) Why is this not considered secure?

Because the values are written in a plain .php file inside the document root. If due to some misconfiguration your .php file ends up getting served as regular text, or you allowed a stacktrace containing the lines in question to get written, then you just leaked your secrets to all and sundry. This happens more often than you would think.

2.) If it's not secure to tell the application about your API credentials by writing them into variables, then what is ?

You can certainly put them in variables, but it's generally accepted that the way to get the values in there—whether they're database credentials, API keys or other secret values—is to read them in from configuration files which are located outside the document root, where they will never be accidentally served.

PS. their example code also has improper handling of URL-encoding and HTML-encoding, leading to possible XSS. If I were them I'd distance myself from it too!

这篇关于如何传递paypal API凭证SECURELY in与php（为什么这被认为是安全的）的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！