PayPal IPN 的处理:有必要吗?我可以使用其他方法吗?
阅读 PayPal 开发人员文档(这是很多文档),我不确定 IPN 是否是强制性的,或者我可以简单地忽略它。
当然,我必须实现一些其他机制才能知道付款是否正确。我想做这样的事情:
在 returnUrl 和 cancelUrl 中使用不同的代码创建一个新的付款(通过网络服务)。该代码是为每次付款随机生成的,并存储在数据库中。
当用户完成付款(OK 或 KO)时,PayPal 会将其页面重定向到我的网站,我将能够知道代码是否正确。
如果出现问题(用户关闭窗口、响应未到达、代码不匹配...),将通过 PayPal 网站上的交易手动处理。
你觉得这样可以吗?
谢谢。
Reading PayPal developer documentation (and this is a lot of documentation) I'm not sure if IPN is mandatory or I can simply ignore it.
Of course, I must implement some other mecanism in order to know if the payment was correct. I thought doing something like this:
Create a new payment (via web service) with a different code in both returnUrl and cancelUrl. This codes are generated randomly for every payment and stored in DB.
When the user finishes the payment (OK or KO), PayPal will redirect its page to my site and I will be able to know if the code is correct.
If there is a problem (user closes window, response doesn't arrive, codes don't match...) will be handled manually looking the transactions on PayPal site.
Do you think is this ok?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
不,我觉得这听起来很糟糕。
用户可以跳过付款步骤,只需编辑所需的 URL,然后将其粘贴到浏览器地址栏中。这将为他们提供免费产品。
收到 URL 后,您可以使用 PayPal SOAP API 来验证交易。您只是不能在收到该 URL 后就盲目相信它。
您需要小心,不要允许用户向您发送其他人付款的 URL,并两次收到该付款的产品。 (一次给真正的收款人,一次给欺诈者......)
请务必确认您收到的付款金额正确。 (假设您关心您收到的金额是否正确。)
一般来说,当您与 PayPal 交互时,无论您使用什么方法,了解软件安全和威胁建模都很重要。否则,您免受欺诈的机会实际上很小。
No, I think that sounds awful.
The user could skip the payment step and simply edit together your required URL, then paste it into the browser address bar. That would give them free product.
You can use the PayPal SOAP APIs to verify the transaction once you receive the URL. You merely can't trust that URL blindly the second you receive it.
You'll need to be careful not to allow users to send you the URL of some other person's payment, and receive the product twice for that payment. (Once to real payee, once to fraudster...)
It's important that you verify that you were paid the correct amount. (Assuming you care that you were paid the correct amount.)
In general, when you interface with PayPal, whatever method you use, it is important that you understand software security and threat modelling. Otherwise, there is really only a small chance you will be secure from fraud.
Paypal 将他们的系统设计得尽可能具有逻辑上的安全性。我不会开始重新设计他们花了很长时间开发和思考的系统。您只是忽略了这么多对您有利的安全功能。
其一,如果这两个密钥在任何时候都可以在客户端以原始格式访问,那么您就拥有了一个易于破解的系统。只需点击到 Paypal 付款页面,然后在浏览器中输入退货地址而无需实际付款,您的系统会将其视为有效交易,除非您在发货前手动检查(对于电子商品来说为时已晚)尽管)。
或者黑客可以猜测返回键。它必须很长,并且高度随机,如果它是一个递增的密钥,那么您将再次拥有一个超级容易破解的系统。
对于验证付款 IPN 至关重要。不要走捷径,涉及到钱的时候就做正确的事。
Paypal have designed their system to be as logically secure as they think it can. I would not start redesigning a system they have spent a long time developing and thinking about. Your just ignoring so many security features that are there for your benefit.
For one if those two keys are ever accessbile in raw format client side at any point, you have an easily hackable system. Simply click through the to Paypal payment page, then type the return address in your browser without actually paying, your system is going to treat it as a valid transaction unless you manually check for yourself before dispatching the goods (for egoods it would be too late though).
Or the hacker can guess the return key. It's going to have to be long, and highly randomised, if it's an incrementing key you again have a super easily hackable system.
For verifying a payment IPN is essential. Don't take shortcuts, do it right when there is money involved.