We have a PHP system on which we're using Micah Carrick's "PHP Paypal IPN Integration Class" (http://www.micahcarrick.com/php-paypal-ipn-integration-class.html).
In his sample code, he recommends that we verify POST variables before passing them onto PayPal
switch ($_GET['action']) {
case 'process': // Process and order...
...
// This is where you would have your form validation and all that jazz.
// You would take your POST vars and load them into the class like below,
// only using the POST values instead of constant string expressions.
// For example, after ensureing all the POST variables from your custom
// order form are valid, you might have:
//
// $p->add_field('first_name', $_POST['first_name']);
// $p->add_field('last_name', $_POST['last_name'])开发者_Python百科;
...
$custom=$_SESSION['sess_user_id']."~".$_POST['promo_code'];
$p->add_field('user_id', $_SESSION['sess_user_id']);
$p->add_field('custom', $custom);
$p->add_field('amount', $_POST['amount']);
...
$p->submit_paypal_post(); // submit the fields to paypal
break;
However, we're not doing that for the variables mentioned above.
Should we verify at (a) this stage or at the stage that PayPal (b) returns the data or both?
How should we be verifying the data as well?
You should Validate and Verify your data at both ends - before you send the user off to PayPal, and when you recieve the PayPal IPN Message confirming the payment.
Validation Before ensures that the user is paying the correct amount, that they are being sent to the correct PayPal Account, and you have an identifier against the transation (in the "custom" variable) to allow you to marry the payment against the correct user/purchase when it is confirmed by PayPal.
Validation After ensures that, again, the correct amount has been paid, the transaction identifier is present, valid and correct, and the user/purchase is updated to reflect the transation result.
You should verify them before they are sent to PayPal. You should check for things like empty variables, the type is correct (amount shouldn't contain letters for example), the amount of characters (if applicable) is correct. Basically the fields should reflect what you would expect to find in there.
My guess is in both cases.
Validation before sending the data is mandatory.
On response, I think it is a good thing to do.
精彩评论