根据新的安全要求(2016 年、2017 年和 2018 年),在“IPN”期间,服务器和 Paypal 之间的交换似乎需要 HTTPS。这个问题与这个主题相关 https://civicrm.stackexchange.com/a/6374并且this https://stackoverflow.com/questions/35759480/paypal-ipn-https-changes-2016.
我们应该如何修改这个 PHP IPN 代码?
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com:80\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
$req = 'cmd=_notify-validate';
...
fputs ($fp, $header . $req);
将替换两次出现的www.paypal.com
by https://www.paypal.com
足够?
另外,我的商店网站不是HTTPS有问题吗,这个连接会被拒绝吗?
以下是从 Paypal 收到的电子邮件的部分内容:
编辑 (2018/06/22),这是应用接受的答案代码后的实际 IPN 代码。奇怪的是,我仍然得到:“IPN 验证回发到 HTTPS。需要更新:是”。所以这意味着下面的代码仍然不是100%符合HTTPS。为什么?
<?php
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = trim(urlencode(stripslashes($value)));
$req .= "&$key=$value";
}
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen('tls://www.paypal.com', 443, $errno, $errstr, 30);
// variables
$item_name = $_POST['item_name'];
$business = $_POST['business'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
// and many more
if (!$fp)
{
// HTTP ERROR
} else
{
fputs ($fp, $header . $req);
while (!feof($fp))
{
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0)
{
// send email to customer, etc.
}
}
fclose ($fp);
}
?>