PayPal IPN sends a POST request with a variable number of fields to the notify URL. In order to confirm that the POST request is legit, we need to resubmit the same request along with an additional cmd=_notify-validate field to PayPal, which then replies VERIFIED or INVALID.
My question is, why do we need to resend the request to PayPal? Wouldn't something like this suffice?
if (preg_match('~^(?:.+[.])?paypal[.]com$~i', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
    // request came from PayPal, it's legit.
}
Iff we can trust the server to correctly resolve IPs, I assume we can trust all requests from PayPal, no?
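
The postback described in the question, as an added example that is not part of the original post: the handler echoes the raw notification body back with cmd=_notify-validate and accepts it only on an exact VERIFIED reply, failing closed otherwise. The function names, the `$endpoint` parameter, the sample body and the stub transport are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. All names are hypothetical.

// Echo the notification back unchanged with cmd=_notify-validate in front.
// In a handler, take $rawBody from file_get_contents('php://input') so the
// fields are not re-encoded or reordered on the way back.
function ipn_validation_body(string $rawBody): string
{
    return 'cmd=_notify-validate&' . $rawBody;
}

// $send is any callable(string $body): string that returns the reply body.
function ipn_is_verified(string $rawBody, callable $send): bool
{
    if ($rawBody === '') {
        return false;                      // nothing to validate
    }
    try {
        $reply = trim($send(ipn_validation_body($rawBody)));
    } catch (Throwable $e) {
        return false;                      // transport failure: fail closed
    }
    return $reply === 'VERIFIED';          // INVALID or anything else is rejected
}

// Real transport. Assumption: $endpoint is the PayPal validation URL you configure.
function curl_transport(string $endpoint): callable
{
    return function (string $body) use ($endpoint): string {
        $ch = curl_init($endpoint);
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => $body,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true, // authenticate the server certificate
            CURLOPT_SSL_VERIFYHOST => 2,
            CURLOPT_TIMEOUT        => 30,
        ]);
        $reply = curl_exec($ch);
        curl_close($ch);
        if ($reply === false) {
            throw new RuntimeException('IPN postback failed');
        }
        return $reply;
    };
}

// Constructed sample body and stub transport so the example runs offline.
$raw  = 'txn_id=CONSTRUCTED123&payment_status=Completed&mc_gross=10.00';
$stub = fn (string $body): string =>
    $body === 'cmd=_notify-validate&' . $raw ? 'VERIFIED' : 'INVALID';
var_dump(ipn_is_verified($raw, $stub));
var_dump(ipn_is_verified($raw . '&mc_gross=0.01', $stub));
```

In production, pass `curl_transport($endpoint)` instead of the stub; the decision then rests on a reply received over a TLS connection the handler opened itself, not on the address the request arrived from.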