Question
I'm using PayPal Payments Advanced with TEMPLATE=TEMPLATEC. I already figured out how to create an IFRAME and receive confirm/cancel/silent_post responses from PayPal. But I've found no way to validate parameters my confirm/cancel/silent_post pages receive. Is there a way to ensure that these parameters are from PayPal and not just sent by an arbitrary user?
Answer 1:
About the best option you have is to run an inquiry transaction (TRXTYPE=I) against the secure token and secure token ID you received from PayPal before displaying the iframe. If a transaction was run, that call will give you the transaction ID (PNREF) from the transaction. (And depending on your situation, the PNREF may be all you need.) If that matches the PNREF sent back to you by the buyer, then there's a good chance that the rest of the data is genuine.
For example:
Request:
USER=****&VENDOR=****&PARTNER=****&PWD=****&TRXTYPE=I&SECURETOKEN=7tGDq6ILZeEmATCwTXrSRkwjz&SECURETOKENID=76ac5819ee01475daf15b2af038da977&VERBOSITY=HIGH
Response:
RESULT=0&PNREF=E79P4ABEC9DE&TRANSSTATE=8&ORIGRESULT=0&ORIGPNREF=E19P4BFB14B2&RESPMSG=Approved&AUTHCODE=111111&AVSADDR=Y&AVSZIP=Y&CVV2MATCH=Y&ORIGPPREF=1XR06058R58346646&CORRELATIONID=bdd79cb3c7fb6&PROCAVS=X&PROCCVV2=M&SETTLE_DATE=2013-04-23 07:22:06&TRANSTIME=2013-04-23 07:22:06&LASTNAME=NotProvided&AMT=24.99&ACCT=3698&EXPDATE=1214&CARDTYPE=0&IAVS=N
ORIGRESULT is the result of the original transaction (0 is a success; anything else is a failure.)
ORIGPNREF is the PNREF from the original transaction.
Answer 2:
You can also put a long, unique "token" parameter in your silent post URL. Something like
"http://www.my-web-site.com/confirm-payment?token=2348349u21034ms39n899"
and match it up with the same token a server side script is expecting. Since the silent post URL is stored in your PayPal manager account, the token is confidential, and even the URL as a whole is confidential. Plus the transaction info is also passed to this silent post URL, allowing you to match up info with the transaction you saved in your database at checkout. This is a good secure method to confirm payment was correctly made. The silent post will work for both "pay with paypal" and "direct credit card payment" methods on the payments advanced iframe (a.k.a. hosted checkout page). Additionally, you can also throw in one more check, to see if PayPal is the $_SERVER['HTTP_REFERER'] (which of course can't be trusted purely on its own).
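The two answers combined into one server-side check, as an added example that is not code from either answer or from PayPal: the secret token in the silent post URL is compared in constant time (answer 2), the posted SECURETOKENID is looked up against the order saved at checkout, and a TRXTYPE=I inquiry (answer 1) is parsed so that ORIGRESULT, ORIGPNREF and AMT come from PayPal rather than from the POST. The credentials, the stored order, the posted parameters and the fake transport are constructed; the transport returns the inquiry response quoted in answer 1 so the script runs offline, and in a real deployment it would be the HTTPS call to the Payflow endpoint.

```python
import hmac

# Hypothetical secret embedded in the silent post URL configured in PayPal Manager
# (answer 2). Load it from configuration in a real deployment.
SILENT_POST_TOKEN = "2348349u21034ms39n899"

# Placeholder Payflow credentials (constructed; the real values are account secrets).
CREDS = {"USER": "****", "VENDOR": "****", "PARTNER": "****", "PWD": "****"}

# Constructed: the order recorded in our database at checkout, keyed by the
# SECURETOKENID we generated before rendering the iframe.
ORDERS = {
    "76ac5819ee01475daf15b2af038da977": {
        "securetoken": "7tGDq6ILZeEmATCwTXrSRkwjz",
        "amt": "24.99",
    },
}

# Constructed: the inquiry response from answer 1, served by a fake transport
# so the example runs offline.
INQUIRY_RESPONSE = (
    "RESULT=0&PNREF=E79P4ABEC9DE&TRANSSTATE=8&ORIGRESULT=0&ORIGPNREF=E19P4BFB14B2"
    "&RESPMSG=Approved&AMT=24.99&SETTLE_DATE=2013-04-23 07:22:06"
)


def parse_nvp(body):
    """Split a Payflow name-value-pair string into a dict.

    Values are not URL-encoded (note the literal space in SETTLE_DATE), so split
    on '&' and on the first '=' only. Payflow's NAME[len]=value form for values
    that themselves contain '&' or '=' is not handled by this small parser.
    """
    fields = {}
    for pair in body.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key] = value
    return fields


def build_inquiry(creds, securetoken, securetokenid):
    """Build the TRXTYPE=I request string shown in answer 1."""
    params = dict(creds, TRXTYPE="I", SECURETOKEN=securetoken,
                  SECURETOKENID=securetokenid, VERBOSITY="HIGH")
    return "&".join(f"{k}={v}" for k, v in params.items())


def fake_transport(request_nvp):
    """Stand-in for the HTTPS call to the Payflow endpoint (constructed)."""
    return INQUIRY_RESPONSE


def verify_payment(posted, url_token, creds, transport=fake_transport, orders=ORDERS):
    """Return (ok, reason) for the parameters a confirm/silent post page received."""
    # 1. Secret token from the silent post URL (answer 2), compared in constant time.
    if not hmac.compare_digest(url_token or "", SILENT_POST_TOKEN):
        return False, "bad url token"
    # 2. The posted SECURETOKENID must map to an order we created ourselves.
    order = orders.get(posted.get("SECURETOKENID", ""))
    if order is None:
        return False, "unknown SECURETOKENID"
    # 3. Ask PayPal what happened for that secure token (answer 1) instead of
    #    trusting the POST body.
    request = build_inquiry(creds, order["securetoken"], posted["SECURETOKENID"])
    resp = parse_nvp(transport(request))
    if resp.get("RESULT") != "0":
        return False, "inquiry failed: " + resp.get("RESPMSG", "")
    if resp.get("ORIGRESULT") != "0":
        return False, "original transaction not approved"
    # 4. PNREF in the inquiry response is the inquiry's own id; ORIGPNREF is the
    #    original sale, which is what the buyer's browser should have reported.
    if resp.get("ORIGPNREF") != posted.get("PNREF"):
        return False, "PNREF mismatch"
    # 5. The amount PayPal reports must equal what we stored at checkout, so a
    #    tampered AMT in the POST is irrelevant.
    if resp.get("AMT") != order["amt"]:
        return False, "amount mismatch"
    return True, resp["ORIGPNREF"]


if __name__ == "__main__":
    posted = {"SECURETOKENID": "76ac5819ee01475daf15b2af038da977",
              "PNREF": "E19P4BFB14B2", "AMT": "24.99"}
    print(verify_payment(posted, SILENT_POST_TOKEN, CREDS))
    print(verify_payment(dict(posted, PNREF="E19P4BFB0000"), SILENT_POST_TOKEN, CREDS))
```

The order of checks matters: the cheap token comparison runs first so forged requests never trigger an inquiry call, and the amount is taken from the inquiry response rather than the POST, which is the only field the answers say you can trust once the PNREF matches.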
Source: https://stackoverflow.com/questions/16122293/paypal-payments-advanced-validate-parameters-sent-to-confirm-and-cancel-pages