ansaurus

Question

Protect php script that receive paypal IPN notifications! [Solved]

Answer 1

+3 A:

There are many things you can do:

Give your script an obscure name so that it is not easily guessable.
Disable directory listings in the folder
Check if the calling site is paypal.com (or related IP address etc.)

Alec Smart 2009-07-14 07:27:13

I'ev never do this ... to disable directory listing for all file in a folder I need to place an .htaccess in this folder with ... IndexIgnore * ... it's right?

BitDrink 2009-07-14 07:45:53

I've tryed with this but I receive an error 500 if I try to browse the php script!

BitDrink 2009-07-14 08:08:50

Answer 2

+2 A:

If you know the IP from which PayPal will use the script try:

order deny, allow
deny from all
allow from [Paypal-IP]

gernberg 2009-07-14 07:28:01

there isn't a way to filter the domain instead of the ip address?

BitDrink 2009-07-14 10:39:41

I've found! .. order deny, allow - deny from all - allow from .*paypal\.com.*

BitDrink 2009-07-14 10:52:36

Answer 3

+2 A:

I wouldn't recommend shutting out all IPs, since you can't be sure that Paypal will keep the requests coming from the same IP all the time. If they ever decide to change their IP range, your setup will break, probably without notification to you.

I think the script that processes the Paypal request is the place to handle this - in that script you need to make sure that the request is actually coming from Paypal. You can do this by using some obscure URL that isn't easily guessed as has been suggested.

If at all possible, look into the shared secret setup for IPN - this way you have a better way of checking that the request is actually coming from Paypal, although it is a bit harder to set up.

Hope this helps!

ylebre 2009-07-14 07:37:32

I've not setup the shared secret too ... now I check if the currency, the ammount and the business e-mail are right ... and then I would like check if the transaction ID is unique ... but to do this! I must setup a database where store the infos for all the transacions ... but I've never used database and I don't know how to!

BitDrink 2009-07-14 07:49:03

Please "unknown (google)", don't be cross with me but don't you think that it wouldn't hurt to gain some experience with PHP, web and database programming before releasing things to public where real money is involved???

Stefan Gehrig 2009-07-14 07:57:05

You are right! In fact i've not release and published nothing! My website is off-line!

BitDrink 2009-07-14 08:07:41

Answer 4

A:

Now I've do this:

in the folder where is stored the php script and the 2 configuration files I've created an other folder where I moved the 2 config files and where I've placed a .htaccess with the following code:

order allow,deny
deny from all

Now the 2 config files have a good protection! ... but not the script that receive the notifications! If I try to block the directory listing( for the folder that contains the php script and the config folder) with:

IndexIgnore *

The paypal sandbox gives me an error 500!

So the only thing that I can do to protect the script is to place, on the head of it, a condition that verify the notifications come from paypal.com ?

BitDrink 2009-07-14 08:17:19

Answer 5

+3 A:

You can safely limit access to your IPN script only to the following list of IP addresses:

216.113.188.202
216.113.188.203
216.113.188.204
66.211.170.66

This can be done in the following way:

if (!in_array($_SERVER['REMOTE_ADDR'],array('216.113.188.202','216.113.188.203','216.113.188.204','66.211.170.66')) {
header("HTTP/1.0 404 Not Found");
exit();
}

In this way ONLY Paypal will be able to access the IPN script.

This list of IP address has been rather stable for years. In case if Paypal adds a new address, you can add reporting to email and review such cases manually.

Andriy Bohdan 2009-07-14 12:53:25

Thanks!!!! There is any way to do the same thing but with the domain? In other words ... $_SERVER['REMOTE_ADDR'] return the ip address of the sender server ... and to get the remote domain?

BitDrink 2009-07-14 13:01:57

gethostbyaddr shlould work for youhttp://ua2.php.net/gethostbyaddr

Andriy Bohdan 2009-07-15 21:56:39

Answer 6

A:

why you are trying to do this?

in IPN system, you first just bounce the variables that are passed to your ipn script back to paypal using cURL or fshock or what ever... looking into the response you can tell if it's a valid transaction or not... someone can not fake a transaction variable that does not exists in paypal itself... all they can do is to reuse an older transaction info again to fool your script.. since it exists on paypal your script will be assuming that it's a successfull payment...

so you can prevent this just by comparing txn_id against your database and if already exists in your database this means someone is trying to fool you using an already recorded transaction info...

since you do those checks who cares about the ones that call this ipn script... it wont be working for them since you check the variables against paypal and your database...

in any exceptions print out a nice sentence to tell them "This script is robust! Dont Try to fool us!"

Yasin Ergul 2010-03-25 15:27:18

ansaurus

tags:

views:

answers:

Protect php script that receive paypal IPN notifications! [Solved]

related questions