IPN Verification Postback to HTTPS - php

My PHP code currently uses the following to Postback to PayPal. How do I update this to meet the new payment security standards coming into effect?
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value)
{
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
if (!$fp)
{
//an error occurred...
}
else
{
fputs ($fp, $header . $req);
while (!feof($fp))
{
$res = fgets ($fp, 1024);
if(strcmp ($res, "VERIFIED") == 0)
{
//all is well...
}
}
}

To enable IPN Verification Postback to HTTPS, change your code as follows,
$fp = fsockopen( 'tls://ipnpb.paypal.com', 443, $errno, $errstr, 30);
PayPal recommends to use ipnpb.paypal.com endpoint in production environment.
Also, you need to change HTTP/1.0 to HTTP/1.1 to comply with PayPal upgrades.
The Header you need to submit,
$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen( $req ) . "\r\n";
$header .= "Connection: close\r\n\r\n";
For the sandbox change,
$header .= "Host: www.paypal.com\r\n";
to
$header .= "Host: www.sandbox.paypal.com\r\n";

The new code suggested above has now had a chance to be tested.
This did NOT work:
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value)
{
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen( 'tls://ipnpb.paypal.com', 443, $errno, $errstr, 30);
This is what works:
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value)
{
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
What to do about using HTTP/1.0 and posting to www.paypal.com rather than using HTTP/1.1 and posting to tls://ipnpb.paypal.com?

There's a couple of things that need to be done:
You're still on HTTP/1.0; you need to switch to HTTP/1.1.
You need to switch to using TLS.
Most PHP setups nowadays should have cURL installed, so the easiest thing to do would be to use cURL. To do this, the last four lines of your code would change to the following:
$curl = curl_init( 'https://ipnpb.paypal.com/cgi-bin/webscr' );
curl_setopt( $curl, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $curl, CURLOPT_POST, true );
curl_setopt( $curl, CURLOPT_POSTFIELDS, $req );
$response = curl_exec( $curl );
if( 'VERIFIED' == trim( $response ) ) {
// IPN verified by PayPal
}

I have a similiar issue with Paypal IPN verification and using this code
// post back to PayPal system to validate
// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
If I understand the solution correctly, the new code should look like
// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Host: ipnpb.paypal.com\r\n";
$header .= "Connection: close\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen( 'tls://ipnpb.paypal.com', 443, $errno, $errstr, 30);

Related

two HTTP requests in PHP using fsockopen

I have a problem which I couldn't solve almost a week. I searched everything but couldn't find an answer.
I need to do 3 x HTTP requests to the server and then receive answers.
First is GET request to get cookie. Second is POST with cookie and the third is redirect.
$host = "www.xx.com";
$user_agent = "User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0\r\n";
$sock = fsockopen("ssl://$host", 443, $errno, $errstr, 30);
if (!$sock) die("$errstr ($errno)\n");
#########################################
# GET
#########################################
$request .= "GET $path HTTP/1.1\r\n";
$request .= "Accept: */*\r\n";
$request .= "Host: $host\r\n";
$request .= $user_agent;
$request .= "Connection: close\r\n";
$request .= "\r\n";
fwrite($sock, $request);
$http_response = stream_get_contents($sock);
list($headers, $body) = explode("\r\n\r\n", $http_response, 2);
// get cookie
preg_match_all('/Set-Cookie:\s*(.*)\b/', $headers, $cookie_res);
foreach($cookie_res[1] as &$val){
$cookie .= "Cookie: ".$val."\r\n";
}
echo "<pre><p>$headers<br />cookie: $cookie</p></pre>";
$data = preg_replace('/^\s+|\n|\r|\s+$/m', '', $data);
#########################################
# POST with cookie
#########################################
$request2 .= "POST $path"."filter/ HTTP/1.1\r\n";
$request2 .= "Host: $host\r\n";
$request2 .= $user_agent;
$request2 .= "Accept: text/html,application/xhtml+xml,application/xml;\r\n";
$request2 .= "Connection: keep-alive\r\n";
$request2 .= $cookie;
$request2 .= "Referer: $path\r\n";
$request2 .= "Content-type: application/x-www-form-urlencoded; charset=UTF-8\r\n";
$request2 .= "Content-length: " . strlen($data) . "\r\n";
$request2 .= "\r\n";
$request2 .= "$data\r\n";
$request2 .= "\r\n";
fwrite($sock, $request2);
$http_response2 = stream_get_contents($sock);
list($headers2, $body2) = explode("\r\n\r\n", $http_response2, 2);
echo "<pre><p>$headers2</p></pre>";
So I get response after the first GET request, but I don't get response after POST request.
If I close connection after first request and reopen it again before second then it works. But I want to do it in one connection. I don't understand why it doesn't work without reconnecting.
Please help! :)
P.S. don't recommend to use CURL because I don't have it installed on this server.

(PHP) curl_request_async does not work

I grabbed the function curl_request_async from How do I make an asynchronous GET request in PHP?
// $type must equal 'GET' or 'POST'
function curl_request_async($url, $params, $type='POST')
{
foreach ($params as $key => &$val) {
if (is_array($val)) $val = implode(',', $val);
$post_params[] = $key.'='.urlencode($val);
}
$post_string = implode('&', $post_params);
$parts=parse_url($url);
$fp = fsockopen($parts['host'],
isset($parts['port'])?$parts['port']:80,
$errno, $errstr, 30);
// Data goes in the path for a GET request
if('GET' == $type) $parts['path'] .= '?'.$post_string;
$out = "$type ".$parts['path']." HTTP/1.1\r\n";
$out.= "Host: ".$parts['host']."\r\n";
$out.= "Content-Type: application/x-www-form-urlencoded\r\n";
$out.= "Content-Length: ".strlen($post_string)."\r\n";
$out.= "Connection: Close\r\n\r\n";
// Data goes in the request body for a POST request
if ('POST' == $type && isset($post_string)) $out.= $post_string;
fwrite($fp, $out);
fclose($fp);
}
It worked perfectly with my previous host but after I moved to a new host, it just does not work. I already installed php-curl but it's like the function just does not call the url.
There was no error given too. Please help I have been stuck with this for days.
One thing you could verify is if you can call fsockopen on your server, the code you posted does not use curl, but try to directly open a socket

Paypal ipn anything wrong with this section

I got my Paypal ipn to work. But I changed some things and now I can not remember what I changed. I used a series of INSERTS to monitor where the process of the ipn fails. It looks like it does not pass this part of my ipn. Here is the code:
fputs ($fp, $header . $req);
while (!feof($fp)) {
$res = fgets ($fp, 1024);
if (strcmp($res, "VERIFIED") == 0) {
Why is my Paypal ipn not working?
I had also struggled a lot with paypal ipn last week,below is my working code you can refer
header('HTTP/1.1 200 OK');
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
}
$fp = fsockopen('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);
fputs($fp, "POST /cgi-bin/webscr HTTP/1.1\r\n");
fputs($fp, "Host: www.sandbox.paypal.com\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: ".strlen($req)."\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $req. "\r\n\r\n");
$ipn_response = '';
while (!feof($fp)) {
$ipn_response .= fgets($fp, 1024);
}
fclose($fp);
if ( eregi("VERIFIED",$ipn_response) ) {}

New HTTP/1.1 php headers do not work?

I have been using a php script as IPN listener for years and it works fine.
A few days ago, Paypal set a message warning that October 7, 2013 code must be using HTTP/1.1. So I copied the sample code provided in lieu of my current headers :
-- new code---
// post back to PayPal system to validate
$header="POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .="Content-Type: application/x-www-form-urlencoded\r\n";
$header .="Host: www.paypal.com\r\n";
$header .="Connection: close\r\n\r\n";
-- Existing code ---
$fp = fsockopen ('www.paypal.com', 80, $errno, $errstr, 30);
Now the script no longer works. I get a 401 error :(
What's wrong ? I am growing extremely concerned, if new code does not work, that it will no work on time. Looked everywhere and could not find a definitive answer. I would like to get this working.
Help !
Try this code:
$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Host: www.paypal.com\r\n";
$header .= "Connection: close\r\n";
$fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

Changing Remote Addr using PHP

<?php
$host = 'www.yourtargeturl.com';
$service_uri = '/detect_referal.php';
$vars ='additional_option1=yes&additional_option2=un';
$header = "Host: $host\r\n";
$header .= "User-Agent: PHP Script\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Referer: http://www.google.com/search?hl=en&q=jigh&btnG=Google+Search \r\n";
$header .= "Content-Length: ".strlen($vars)."\r\n";
$header .= "Connection: close\r\n\r\n";
$fp = fsockopen("".$host,80, $errno, $errstr);
if (!$fp) {
echo "$errstr ($errno)<br/>\n";
echo $fp;
} else {
fputs($fp, "POST $service_uri HTTP/1.1\r\n");
fputs($fp, $header.$vars);
fwrite($fp, $out);
while (!feof($fp)) {
echo fgets($fp, 128);
}
fclose($fp);
}
?>
This is changing the $_SERVER['HTTP_REFERER']. How can I change $_SERVER['REMOTE_ADDR']. What code should I append in $header?
You can't do that. The IP address is determined at the beginning of the TCP connection, not in the HTTP headers. (It is possible to spoof [though not remotely like that], but then you won't get the response back.)
You can't. The IP address you connect out from isn't some header... it comes from the underlying TCP connection made from your server to the other server.

Categories