Not validating POST variables before sending to PayPal - when to check?
We have a PHP system on which we're using Micah Carrick's "PHP Paypal IPN Integration Class" (http://www.micahcarrick.com/php-paypal-ipn-integration-class.html).
In his sample code, he recommends that we verify POST variables before passing them on to PayPal:
switch ($_GET['action']) {
case 'process': // Process and order...
...
// This is where you would have your form validation and all that jazz.
// You would take your POST vars and load them into the class like below,
// only using the POST values instead of constant string expressions.
// For example, after ensuring all the POST variables from your custom
// order form are valid, you might have:
//
// $p->add_field('first_name', $_POST['first_name']);
// $p->add_field('last_name', $_POST['last_name']);
...
$custom=$_SESSION['sess_user_id']."~".$_POST['promo_code'];
$p->add_field('user_id', $_SESSION['sess_user_id']);
$p->add_field('custom', $custom);
$p->add_field('amount', $_POST['amount']);
...
$p->submit_paypal_post(); // submit the fields to paypal
break;
However, we're not doing that for the variables mentioned above.
Should we verify at (a) this stage, (b) the stage at which PayPal returns the data, or both?
How should we be verifying the data as well?
You should validate and verify your data at both ends - before you send the user off to PayPal, and when you receive the PayPal IPN message confirming the payment.
Validation before ensures that the user is paying the correct amount, that they are being sent to the correct PayPal account, and that you have an identifier against the transaction (in the "custom" variable) to allow you to marry the payment against the correct user/purchase when it is confirmed by PayPal.
Validation after ensures that, again, the correct amount has been paid, the transaction identifier is present, valid and correct, and the user/purchase is updated to reflect the transaction result.
You should verify them before they are sent to PayPal. You should check for things like empty variables, that the type is correct (amount shouldn't contain letters, for example), and that the number of characters (if applicable) is correct. Basically, the fields should reflect what you would expect to find in there.
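The two answers above describe checks at both ends: shape and type checks on the form input before `submit_paypal_post()`, and a comparison of what PayPal reports against the stored order when the IPN arrives. The following is an added example of both, written for this page; it is not code from the question or from Micah Carrick's class. It assumes a server-side price list (`CATALOGUE`), a stored order array, and the `sess_user_id` / `promo_code` / `custom` names used in the question's snippet; the sample POST, session and IPN arrays at the bottom are constructed for the demo. The IPN checks are the business-level ones that run after the message has already been echoed back to PayPal and answered with VERIFIED (the class on the page performs that postback; this code does not).

```php
<?php
// Added example for this Q&A page; not the class's own code.
// CATALOGUE stands in for a database price table: the amount sent to PayPal
// is taken from here, never from $_POST['amount'] as in the question's snippet.
const CATALOGUE = ['basic' => '10.00', 'pro' => '25.00'];

// --- (a) before the user is sent to PayPal ---------------------------------
function validate_checkout(array $post, array $session): array
{
    $errors = [];
    $item = $post['item'] ?? '';
    $expected = CATALOGUE[$item] ?? null;          // server-side price, if the item exists
    if ($expected === null) {
        $errors[] = 'unknown item';
    }
    // promo_code is embedded in "custom" with "~" as separator, so restrict
    // its alphabet (no "~") and its length.
    $promo = $post['promo_code'] ?? '';
    if ($promo !== '' && !preg_match('/^[A-Z0-9]{4,12}$/', $promo)) {
        $errors[] = 'promo_code must be 4-12 uppercase letters or digits';
    }
    // The posted amount is checked for shape only, then compared with the
    // server-side price; any mismatch is rejected rather than trusted.
    $amount = $post['amount'] ?? '';
    if (!preg_match('/^\d{1,6}\.\d{2}$/', $amount)) {
        $errors[] = 'amount must look like 12.34';
    } elseif ($expected !== null && $amount !== $expected) {
        $errors[] = 'amount does not match the catalogue price';
    }
    $userId = $session['sess_user_id'] ?? null;
    if (!is_int($userId) || $userId <= 0) {
        $errors[] = 'no logged-in user';
    }
    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }
    // These are the values to hand to $p->add_field(...) before submit_paypal_post().
    return ['ok' => true, 'fields' => [
        'amount'      => $expected,
        'custom'      => $userId . '~' . $promo,
        'item_number' => $item,
    ]];
}

// --- (b) after PayPal posts the IPN (message already VERIFIED) --------------
function verify_ipn(array $ipn, array $order, string $myPaypalEmail, array &$seenTxnIds): array
{
    $errors = [];
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxnIds[$txn])) {      // IPNs can be redelivered
        $errors[] = 'missing or already-processed txn_id';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $myPaypalEmail) !== 0) {
        $errors[] = 'receiver_email is not our account';
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {  // not Pending/Reversed/Refunded
        $errors[] = 'payment_status is not Completed';
    }
    $paid = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    if ($paid !== $order['amount'] || ($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $errors[] = 'amount/currency mismatch';
    }
    // "custom" must map back to the same user and promo the order was created for
    $parts = explode('~', $ipn['custom'] ?? '', 2);
    if (count($parts) !== 2 || (int)$parts[0] !== $order['user_id'] || $parts[1] !== $order['promo_code']) {
        $errors[] = 'custom does not match the order';
    }
    if ($errors === []) {
        $seenTxnIds[$txn] = true;   // mark processed only once every check passed
    }
    return ['ok' => $errors === [], 'errors' => $errors];
}

// --- constructed sample data (not real PayPal traffic) ----------------------
$session = ['sess_user_id' => 42];
$post    = ['item' => 'pro', 'promo_code' => 'SPRING24', 'amount' => '25.00'];
print_r(validate_checkout($post, $session));
print_r(validate_checkout(['item' => 'pro', 'amount' => '1.00'] + $post, $session));

$order = ['user_id' => 42, 'promo_code' => 'SPRING24', 'amount' => '25.00', 'currency' => 'USD'];
$ipn   = ['txn_id' => 'TXN-EXAMPLE-1', 'receiver_email' => 'merchant@example.com',
          'payment_status' => 'Completed', 'mc_gross' => '25.00', 'mc_currency' => 'USD',
          'custom' => '42~SPRING24'];
$seen = [];
print_r(verify_ipn($ipn, $order, 'merchant@example.com', $seen));
print_r(verify_ipn($ipn, $order, 'merchant@example.com', $seen)); // second delivery is rejected
```

The split matters: the pre-send step decides what the order *should* cost and records it, and the IPN step only confirms that PayPal saw exactly that amount, in that currency, into that account, for that `custom` identifier, once. Nothing from the client-side form is trusted on its own at either end.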
My guess is in both cases.
Validation before sending the data is mandatory.
On response, I think it is a good thing to do.