Question

I'm trying to set up Paypal so that when a customer buys a subscription to our site, their account gets approved. Unfortunately when testing my IPN listener I believe I accidentally managed to make Paypal launch a Denial of Service attack on our website. Does anyone know what might have caused this? Here's the IPN listener:

<?php
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';

foreach ($_POST as $key => $value) {
    $value = urlencode(stripslashes($value));
    $req .= "&$key=$value";
}

// post back to PayPal system to validate
$header  = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
$fp = fsockopen('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);

// assign posted variables to local variables
$item_name        = $_POST['item_name'];
$item_number      = $_POST['item_number'];
$payment_status   = $_POST['payment_status'];
$payment_amount   = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id           = $_POST['txn_id'];
$receiver_email   = $_POST['receiver_email'];
$payer_email      = $_POST['payer_email'];

if (!$fp) {
    // HTTP ERROR
} else {
    fputs($fp, $header . $req);
    while (!feof($fp)) {
        $res = fgets($fp, 1024);
        if (strcmp($res, "VERIFIED") == 0) {
            // check the payment_status is Completed
            // check that receiver_email is your Primary PayPal email
            if (($payment_status == 'Completed') && ($receiver_email == $paypalemail)) {
                // check that txn_id has not been previously processed

                // check that payment_amount/payment_currency are correct
                // process payment
                if ($clientstatus == PENDING) {
                    $query = "UPDATE clients SET clientStatus = 'APPROVED', substatus = '1'
                              WHERE clientID=$item_number";
                    $db2->query($query);
                }
            } else if (strcmp($res, "INVALID") == 0) {
                // log for manual investigation
            }
        }
        fclose($fp);
    }
}

?>

Also, I got an email from my host with the last 100 lines of our error log - it was basically this 10 times, all within 1 second.

[Fri May 17 13:07:16 2013] [error] [client 173.0.82.126] PHP Warning: fgets(): 2 is not a valid stream resource in /var/www/vhosts/site.com/subdomains/development.site.com/httpdocs/hiddenadmin/ipn/index.php on line 33
[Fri May 17 13:07:16 2013] [error] [client 173.0.82.126] PHP Warning: fclose(): 2 is not a valid stream resource in /var/www/vhosts/site.com/subdomains/development.site.com/httpdocs/hiddenadmin/ipn/index.php on line 53
[Fri May 17 13:07:16 2013] [error] [client 173.0.82.126] PHP Warning: feof(): 2 is not a valid stream resource in /var/www/vhosts/site.com/subdomains/development.site.com/httpdocs/hiddenadmin/ipn/index.php on line 32

Solution

PayPal uses HTTP 1.1 for IPN now. The sample scripts on X.com have been updated to reflect the changes. I would recommend trying to use one of the updated scripts.

The code you provided also responds to the Sandbox environment. If you aren't using the Sandbox that would cause the validation of the posts to fail.
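A listener rewritten along the lines the answer recommends, added here as an example; it is neither the asker's code nor PayPal's sample script. The postback goes through curl, which speaks HTTP/1.1 for you (Host header, chunked replies) and lets the handle be closed exactly once after the whole response has been read, so a closed stream can never be fed back into feof()/fgets(); the verdict is the response body, not a header line. The acceptance checks PayPal asks for (VERIFIED, payment_status, receiver_email, amount and currency, unused txn_id) are a pure function that runs offline, and the approval uses bound parameters instead of interpolating item_number into SQL. The three constants, the `processed_ipn` table, the `config.php` include that provides the PDO handle `$db2`, and the sample notification are assumptions for illustration; PHP 7.4 or later is assumed for the arrow functions.

```php
<?php
// Added example: neither the question's listener nor PayPal's sample script.
// Assumed for illustration: the constants below, a config.php that creates the
// PDO handle $db2, and a processed_ipn table with a UNIQUE index on txn_id.
const PAYPAL_ACCOUNT_EMAIL = 'seller@example.com'; // assumption
const EXPECTED_PRICE       = '9.99';               // assumption
const EXPECTED_CURRENCY    = 'USD';                // assumption

// Post the raw notification back and return the verdict body. curl handles
// HTTP/1.1 (Host header, chunked replies); the handle is closed once, after the
// whole response has been read, so the closed-stream loop cannot happen.
function paypal_postback(string $raw_post, bool $sandbox): string
{
    $host = $sandbox ? 'www.sandbox.paypal.com' : 'www.paypal.com';
    $ch = curl_init("https://$host/cgi-bin/webscr");
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $raw_post,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // the verdict is only as trustworthy as the TLS check
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_CONNECTTIMEOUT => 30,
        CURLOPT_TIMEOUT        => 60,
        CURLOPT_FORBID_REUSE   => true,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("IPN postback failed: $err");
    }
    return trim($body); // "VERIFIED" or "INVALID"
}

// The checks PayPal asks for before a notification is trusted, as a pure
// function returning the reasons to reject (an empty array means accept).
// $txn_seen reports whether txn_id was processed before (replay or retry).
function ipn_rejections(string $verdict, array $ipn, callable $txn_seen): array
{
    $why = [];
    if ($verdict !== 'VERIFIED') {
        $why[] = "postback answered '$verdict'";
    }
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $why[] = 'payment_status is not Completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', PAYPAL_ACCOUNT_EMAIL) !== 0) {
        $why[] = 'receiver_email is not our PayPal account';
    }
    $gross = number_format((float) ($ipn['mc_gross'] ?? 0), 2, '.', '');
    if ($gross !== EXPECTED_PRICE || ($ipn['mc_currency'] ?? '') !== EXPECTED_CURRENCY) {
        $why[] = "amount $gross " . ($ipn['mc_currency'] ?? '?') . ' is not the subscription price';
    }
    if (!ctype_digit((string) ($ipn['item_number'] ?? ''))) {
        $why[] = 'item_number is not a numeric client id';
    }
    $txn = (string) ($ipn['txn_id'] ?? '');
    if ($txn === '' || $txn_seen($txn)) {
        $why[] = 'txn_id missing or already processed';
    }
    return $why;
}

// Record txn_id and approve the client in one transaction with bound parameters
// (the question interpolates $item_number into SQL). The UNIQUE index on txn_id
// turns a replayed notification into a failed INSERT, not a second approval.
function approve_client(PDO $db2, string $txn_id, int $client_id): void
{
    $db2->beginTransaction();
    $db2->prepare('INSERT INTO processed_ipn (txn_id) VALUES (?)')->execute([$txn_id]);
    $db2->prepare("UPDATE clients SET clientStatus = 'APPROVED', substatus = '1'
                   WHERE clientID = ? AND clientStatus = 'PENDING'")->execute([$client_id]);
    $db2->commit();
}

if (PHP_SAPI === 'cli') {
    // Offline exercise with a constructed notification: no network, no database.
    $sample = ['payment_status' => 'Completed', 'receiver_email' => 'Seller@Example.com',
               'mc_gross' => '9.99', 'mc_currency' => 'USD',
               'txn_id' => '3VK12345AB678901C', 'item_number' => '42'];
    $seen = ['3VK12345AB678901C' => true];
    var_dump(ipn_rejections('VERIFIED', $sample, fn ($t) => false));
    var_dump(ipn_rejections('VERIFIED', $sample, fn ($t) => isset($seen[$t])));
    var_dump(ipn_rejections('INVALID', ['mc_gross' => '0.01'] + $sample, fn ($t) => false));
} else {
    // Web entry point: the raw body goes back untouched (no urlencode/stripslashes
    // round trip) and PayPal always gets a plain 200 so it stops retrying.
    require __DIR__ . '/config.php'; // assumption: defines $db2 (PDO)
    $raw = file_get_contents('php://input');
    parse_str($raw, $ipn);
    $seen = fn (string $t): bool => (bool) $db2->query(
        'SELECT 1 FROM processed_ipn WHERE txn_id = ' . $db2->quote($t))->fetchColumn();
    $why = ipn_rejections(paypal_postback($raw, true), $ipn, $seen);
    if ($why === []) {
        approve_client($db2, $ipn['txn_id'], (int) $ipn['item_number']);
    } else {
        error_log('IPN rejected: ' . implode('; ', $why)); // log for manual investigation
    }
}
```

Run from the command line the three calls exercise the checks without touching PayPal: the first notification is accepted, the second is rejected because its txn_id has been seen before, the third for both the INVALID verdict and the wrong amount. Switch the `$sandbox` argument to `false` only when the notifications really come from the live environment, since a sandbox notification posted back to the live host (or the reverse) comes back INVALID.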

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow