Paypal IPN 安全
我正在开发一个网站,允许用户通过 Paypal 付款。
Paypal IPN 似乎很容易集成,并且可以在我的本地主机上运行。
现在的问题是,金额和公司名称使用 POST 数据传递到 paypal。
我知道这样说是非常危险的,但我不确定还有什么选择。
如何确保 Paypal IPN 安全?
I am developing a website which will allow users to pay via Paypal.
Paypal IPN seems to be easy to integrate and it works on my localhost.
Now the problem is that, the amount and the business name are passed to paypal using POST Data.
I know it's very dangerous to put it that way, but I am not sure what are the alternatives.
How can I make Paypal IPN secure?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
POST 数据通过安全的 HTTPS 连接发送,该连接对发送者和接收者之间的数据进行加密。这就是所有敏感数据通过互联网发送的方式。如果它真的很危险,那么 Paypal 以及每个处理敏感信息的信誉良好的网站都不会使用它。
The POST data is sent over a secure HTTPS connection which encrypts the data between sender and receiver. It's how all sensitive data is sent over the Internet. If it really was dangerous then Paypal, and every reputable website handling sensitive information, wouldn't be using it.
Paypal 在其网站上有示例 IPN 代码。基本上,你应该做的是检查 Paypal 是否向你发送了通知(通过发回你得到的信息,使用 cmd=notify_validate 或类似的东西......自从我使用 IPN 以来已经有一段时间了),然后检查您的数据库,以确保他们发回给您的信息与您最初打算传递给它的信息相同。特别是收款人姓名和付款金额。
如果您进行了这些检查,那么无论您是否使用 HTTPS,都应该没问题。但是,如果您担心某些邪恶的网络管理员知道有人为某个项目付款,您应该能够将 IPN 设置为使用 HTTPS。
Paypal has sample IPN code on their web site. Basically, what you're supposed to do is check that Paypal sent you the notification (by sending back the info you get, with a cmd=notify_validate or something like that...it's been a while since i used IPN), and check your database to make sure the info they sent you back is the same info you intended to have passed to it in the first place. Especially the payee name and payment amount.
If you do those checks, you should be fine whether you use HTTPS or not. But if you're worried about some evil network admin knowing someone paid for an item, you should be able to set IPN up to use HTTPS.