Protecting a PHP script that receives PayPal IPN notifications

Time: 2022-10-14 16:46:58

In my website, I've integrated a php script that receives an IPN notification and sends a license key to the customer. This script is in a folder with 2 other php files required by the php script... How can I protect this folder? If I place in it an .htaccess with:

order allow,deny
deny from all

I block the paypal notifications too.

How can I protect it? Do I need to?

7 solutions

#1


You can safely limit access to your IPN script only to the following list of IP addresses:

216.113.188.202
216.113.188.203
216.113.188.204
66.211.170.66

This can be done in the following way:

// Answer only if the caller is one of PayPal's IPN addresses; everyone else gets a 404.
if (!in_array($_SERVER['REMOTE_ADDR'], array('216.113.188.202', '216.113.188.203', '216.113.188.204', '66.211.170.66'))) {
    header("HTTP/1.0 404 Not Found");
    exit();
}

In this way ONLY Paypal will be able to access the IPN script.

This list of IP addresses has been rather stable for years. In case Paypal adds a new address, you can add reporting to email and review such cases manually.

#2


There are many things you can do:

  1. Give your script an obscure name so that it is not easily guessable.
  2. Disable directory listings in the folder.
  3. Check if the calling site is paypal.com (or related IP address etc.).

#3


Why are you trying to do this?

In the IPN system, you first just bounce the variables that are passed to your ipn script back to paypal using cURL or fsockopen or whatever... looking into the response you can tell if it's a valid transaction or not... someone cannot fake a transaction variable that does not exist in paypal itself... all they can do is reuse older transaction info again to fool your script... since it exists on paypal your script will be assuming that it's a successful payment...

So you can prevent this just by comparing txn_id against your database, and if it already exists in your database this means someone is trying to fool you using already recorded transaction info...

Since you do those checks, who cares about the ones that call this ipn script... it won't be working for them since you check the variables against paypal and your database...

In any exceptions print out a nice sentence to tell them "This script is robust! Don't try to fool us!"

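The postback-and-replay check that this answer describes, written out as an added example (not code from the answer). It assumes `$db` is a PDO connection in `ERRMODE_EXCEPTION` and a table `ipn_seen(txn_id VARCHAR(32) PRIMARY KEY)`; both names are assumptions.

```php
<?php
// Added example: verify an IPN by posting it back to PayPal, then refuse
// replays by recording txn_id. $db and the ipn_seen table are assumed.

function verify_ipn_with_paypal(string $raw_post, string $endpoint): bool
{
    // Send the body back byte-for-byte, prefixed with the validation
    // command; PayPal answers with the text VERIFIED or INVALID.
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_post,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never disable this for a payment callback
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    return $response === 'VERIFIED';
}

function handle_ipn(PDO $db, array $post, string $raw_post, string $endpoint): string
{
    if (!verify_ipn_with_paypal($raw_post, $endpoint)) {
        return 'invalid';         // PayPal does not recognise this payload
    }
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return 'not-completed';   // Pending, Refunded, Reversed, ...: no licence yet
    }
    // Replay defence: a genuine Completed txn_id arrives once, so a second
    // INSERT of the same value fails on the primary key.
    try {
        $db->prepare('INSERT INTO ipn_seen (txn_id) VALUES (?)')
           ->execute([$post['txn_id'] ?? '']);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {  // SQLSTATE integrity violation
            return 'replay';
        }
        throw $e;
    }
    return 'ok';                  // safe to issue the licence key now
}

// Usage at the head of the IPN script; ipnpb.paypal.com is PayPal's live
// postback host (ipnpb.sandbox.paypal.com for the sandbox).
$result = handle_ipn($db, $_POST, file_get_contents('php://input'),
                     'https://ipnpb.paypal.com/cgi-bin/webscr');
```
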
#4


If you know the IP from which PayPal will use the script try:

Order deny,allow
Deny from all
Allow from [Paypal-IP]

#5


I wouldn't recommend shutting out all IPs, since you can't be sure that Paypal will keep the requests coming from the same IP all the time. If they ever decide to change their IP range, your setup will break, probably without notification to you.

I think the script that processes the Paypal request is the place to handle this - in that script you need to make sure that the request is actually coming from Paypal. You can do this by using some obscure URL that isn't easily guessed as has been suggested.

If at all possible, look into the shared secret setup for IPN - this way you have a better way of checking that the request is actually coming from Paypal, although it is a bit harder to set up.

Hope this helps!

#6


Check out the go live checklist:

https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_golivechecklist

(Developer Home > How to > API > Go Live Checklist)

for a list of IP addresses to allow.

#7


Now I've done this:

In the folder where the php script and the 2 configuration files are stored, I've created another folder, moved the 2 config files into it, and placed there a .htaccess with the following code:

order allow,deny
deny from all

Now the 2 config files have good protection! ... but not the script that receives the notifications! If I try to block the directory listing (for the folder that contains the php script and the config folder) with:

IndexIgnore *

The paypal sandbox gives me an error 500!

So the only thing that I can do to protect the script is to place, at the head of it, a condition that verifies the notifications come from paypal.com?

Finally I've added at the head of the php script an if statement based on the remote host name:

$remote_host = gethostbyaddr($_SERVER['REMOTE_ADDR']); // reverse DNS name of the caller
if (!preg_match('/\.paypal\.com$/i', $remote_host)) { exit(); } // stop unless the name is under paypal.com

If someone is interested, it's also possible to query $_SERVER['REMOTE_HOST'], but the httpd.conf file on the server must be configured for it.

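The hostname check above relies on the PTR record alone, which is set by whoever controls the caller's IP block, so a reverse lookup by itself is not proof of origin. The following is an added example (not the asker's code) that goes one step further: forward-confirmed reverse DNS, where the name from gethostbyaddr must resolve back to the calling address. It assumes PayPal's IPN hosts resolve to IPv4 addresses (gethostbynamel returns A records only) and reports rejects to the error log for manual review, as answer #1 suggests.

```php
<?php
// Added example: forward-confirmed reverse DNS check for the IPN caller.
// Assumption: PayPal's IPN senders have PTR and A records under paypal.com.

function caller_is_paypal(string $ip, string $suffix = '.paypal.com'): bool
{
    $host = gethostbyaddr($ip);
    if ($host === false || $host === $ip) {
        return false;                        // no PTR record at all
    }
    $host = strtolower(rtrim($host, '.'));
    // Leading dot in $suffix prevents a lookalike such as "notpaypal.com".
    if (substr($host, -strlen($suffix)) !== $suffix) {
        return false;                        // PTR does not end in paypal.com
    }
    $forward = gethostbynamel($host);        // all A records for that name
    return $forward !== false && in_array($ip, $forward, true);
}

// Placed at the head of the IPN script.
$caller = $_SERVER['REMOTE_ADDR'];
if (!caller_is_paypal($caller)) {
    error_log('IPN rejected: caller ' . $caller . ' failed forward-confirmed rDNS');
    header('HTTP/1.0 404 Not Found');
    exit();
}
```

This check still depends on DNS, so it complements rather than replaces the postback validation and txn_id bookkeeping described in answer #3.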