Not verifying POST variables before sending them to PayPal - when should we check?
We have a PHP system on which we're using Micah Carrick's "PHP Paypal IPN Integration Class" (http://www.micahcarrick.com/php-paypal-ipn-integration-class.html).
In his sample code, he recommends that we verify POST variables before passing them on to PayPal.
switch ($_GET['action']) {
case 'process': // Process an order...
...
// This is where you would have your form validation and all that jazz.
// You would take your POST vars and load them into the class like below,
// only using the POST values instead of constant string expressions.
// For example, after ensuring all the POST variables from your custom
// order form are valid, you might have:
//
// $p->add_field('first_name', $_POST['first_name']);
// $p->add_field('last_name', $_POST['last_name']);
...
$custom=$_SESSION['sess_user_id']."~".$_POST['promo_code'];
$p->add_field('user_id', $_SESSION['sess_user_id']);
$p->add_field('custom', $custom);
$p->add_field('amount', $_POST['amount']);
...
$p->submit_paypal_post(); // submit the fields to paypal
break;
However, we're not doing that for the variables mentioned above.
Should we verify at (a) this stage, or (b) at the stage where PayPal returns the data, or both?
How should we be verifying the data as well?
Comments (3)
You should Validate and Verify your data at both ends - before you send the user off to PayPal, and when you receive the PayPal IPN Message confirming the payment.
Validation Before ensures that the user is paying the correct amount, that they are being sent to the correct PayPal Account, and you have an identifier against the transaction (in the "custom" variable) to allow you to marry the payment against the correct user/purchase when it is confirmed by PayPal.
Validation After ensures that, again, the correct amount has been paid, the transaction identifier is present, valid and correct, and the user/purchase is updated to reflect the transaction result.
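The two checks this answer describes, as an added example (not code from the question or from Micah Carrick's class); the receiver address, price table and order record are constructed stand-ins for your own configuration and database lookups, and the IPN array is assumed to have already been echoed back to PayPal as VERIFIED (which the class's validate_ipn() step handles).

```php
<?php
// Added example: validation before redirecting to PayPal and verification of the
// IPN callback against the order stored at checkout time. All values are constructed.

const PAYPAL_RECEIVER = 'sales@example.com';          // your PayPal account (assumed)
$catalogue = ['BASIC' => '9.99', 'PRO' => '49.00'];    // server-side prices (constructed)

// (a) Before sending: do not trust $_POST['amount']. Derive the amount from the
// product the user picked and mint an order id to carry in the "custom" field.
function build_checkout_fields(array $post, array $catalogue): array {
    $sku = $post['sku'] ?? '';
    if (!isset($catalogue[$sku])) {
        throw new InvalidArgumentException('unknown product');
    }
    $promo = $post['promo_code'] ?? '';
    if ($promo !== '' && !preg_match('/^[A-Z0-9]{4,12}$/', $promo)) {
        throw new InvalidArgumentException('promo code has an unexpected format');
    }
    $orderId = bin2hex(random_bytes(8));               // unique per checkout
    // Persist $orderId together with the user id, sku, amount and currency here,
    // so the IPN handler has something authoritative to compare against.
    return [
        'business'      => PAYPAL_RECEIVER,
        'item_name'     => $sku,
        'amount'        => $catalogue[$sku],           // server price, never the POSTed one
        'currency_code' => 'USD',
        'custom'        => $orderId,
    ];
}

// (b) After the IPN arrives and PayPal has confirmed it as VERIFIED: compare the
// message to the stored order. $order is the record saved in step (a);
// $seenTxnIds are txn_id values already credited (constructed here).
function ipn_matches_order(array $ipn, array $order, array $seenTxnIds): bool {
    $paid = number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '');
    $due  = number_format((float)$order['amount'], 2, '.', '');
    return ($ipn['payment_status'] ?? '') === 'Completed'
        && ($ipn['receiver_email'] ?? '') === PAYPAL_RECEIVER   // paid into your account, not another
        && ($ipn['mc_currency'] ?? '') === $order['currency']  // same currency, not just same number
        && $paid === $due                                      // exact amount, compared as fixed decimals
        && ($ipn['custom'] ?? '') === $order['id']             // ties the payment to a known order
        && !in_array($ipn['txn_id'] ?? '', $seenTxnIds, true); // each txn_id is credited only once
}
```

Only when ipn_matches_order() returns true should the purchase be marked paid; a mismatch should be logged with the full IPN payload for investigation rather than silently ignored.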
You should verify them before they are sent to PayPal. You should check for things like empty variables, the type is correct (amount shouldn't contain letters for example), the amount of characters (if applicable) is correct. Basically the fields should reflect what you would expect to find in there.
My guess is in both cases.
Validation before sending the data is mandatory.
On response, I think it is a good thing to do.