PayPal IPN Bad Request 400 Error

Question

Using the PayPal IPN, I keep getting an error 400.

I have been making the script send me emails of $res to see what the response is, inside of the while (!feof($fp)) {} loop. I always end up getting the error: HTTP/1.0 400 Bad Request

In total I get back:

HTTP/1.0 400 Bad Request
​Connection: close
Server: BigIP
Content-Length: 19
​Invalid Host Header

​The last line after this is just blank. Here is my code, I have tried changing loads of things but nothing works.

$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$value = preg_replace('/(.*[^%^0^D])(%0A)(.*)/i','${1}%0D%0A${3}', $value);// IPN fix
$req .= "&$key=$value";
}

// post back to PayPal system to validate
$header = "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";

$fp = fsockopen('ssl://www.sandbox.paypal.com', 443, $errno, $errstr, 30);

if (!$fp) {
// HTTP ERROR
} else {
   fputs($fp, $header . $req);
   while (!feof($fp)) {
       $res = fgets ($fp, 1024);
       if (strcmp ($res, "VERIFIED") == 0) {
           //ADD TO DB
       } else if (strcmp ($res, "INVALID") == 0) {
           // PAYMENT INVALID & INVESTIGATE MANUALY!
           // E-mail admin or alert user
       }
   }
   fclose ($fp);
}

I have added a line, this is the header before it is sent:

 Host: www.sandbox.paypal.com
 POST /cgi-bin/webscr HTTP/1.0
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 1096

Answer 1

Since you're opening the socket yourself, rather than using an HTTP library such as curl, you need to set the proper HTTP Protocol version and add the HTTP Host header yourself just below the POST line.

$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Host: www.sandbox.paypal.com\r\n";

Answer 2

I was having the same issues and these are the required changes. Some of the answers above dont fix all the problems.

New format for header:

$header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Host: www.sandbox.paypal.com\r\n";  // www.paypal.com for a live site
$header .= "Content-Length: " . strlen($req) . "\r\n";
$header .= "Connection: close\r\n\r\n";

Note the extra set of \r\n on the last line only. Also, the string compare no longer works because a newline is being inserted in the response from the server so change this:

if (strcmp ($res, "VERIFIED") == 0) 

to this:

if (stripos($res, "VERIFIED") !== false)  // do the same for the check for INVALID