Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Validate that IPN call is from PayPal?

How can I validate that a PayPal IPN POST request to my specified notifyURL is indeed coming from PayPal?

I don't mean comparing the data to what I sent earlier, but how can I verify that the server / IP address this PayPal request is coming from is indeed a valid one?

like image 548
siliconpi Avatar asked Jan 31 '11 06:01

siliconpi


2 Answers

The IPN protocol consists of three steps:

  1. PayPal sends your IPN listener a message that notifies you of the event
  2. Your listener sends the complete unaltered message back to PayPal; the message must contain the same fields in the same order and be encoded in the same way as the original message
  3. PayPal sends a single word back, which is either VERIFIED if the message originated with PayPal or INVALID if there is any discrepancy with what was originally sent

https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/e_howto_admin_IPNIntro

like image 138
Amber Avatar answered Oct 01 '22 09:10

Amber


This is the easiest way I have found to do it, also as per PayPal suggests. I uses http_build_query() to construct the url from the post that was sent to the site from paypal. Paypal docs states that you should send this back for verification and that is what we do with file_get_contents. you will note that I use strstr to check if the word 'VERIFIED' is present and so we continue in the function, if not we return false...

$verify_url = 'https://www.sandbox.paypal.com/cgi-bin/webscr?cmd=_notify-validate&' . http_build_query( $_POST );   

if( !strstr( file_get_contents( $verify_url ), 'VERIFIED' ) ) return false;
like image 20
Lobos Avatar answered Oct 01 '22 07:10

Lobos