Does PayPal's Payment Data Transfer (PDT) not require an identity token?

Posted 2024-10-18 04:36:11 · 2135 characters · 7 views · 0 comments


I've set up a PayPal site which uses IPN and I was having trouble getting PayPal to send the GET variables to the return URL that I had specified. It was sending the user's browser to the return URL, but nothing was being passed via GET or POST.

I changed one setting in the PayPal business account, "Payment Data Transfer (optional)", to On, which generated an "Identity Token" on the PayPal website.

I also got an automated email from PayPal saying:

---------- Forwarded message ----------
From: [email protected] <[email protected]>
Subject: Payment Data Transfer (PDT) Has Been Enabled

This email is to inform you that you have successfully enabled Payment Data Transfer.

PDT's primary function is to display payment transaction details to buyers when they are redirected back to your site upon payment completion. However, there are cases, such as with pending transactions, where you won't receive notification of all transactions. For this reason, PayPal strongly recommends that you also enable Instant Payment Notification (IPN).

To learn more about enabling and setting up IPN:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/ipn-intro-outside

To learn more about Payment Data Transfer, including setup instructions and a complete list of variables:
https://www.paypal.com/us/cgi-bin/?cmd=p/xcl/rec/pdt-intro-outside

Sincerely,
PayPal

Clicking on the second link and clicking on "Technical Overview" (https://www.paypal.com/us/cgi-bin/webscr?cmd=p/xcl/rec/pdt-techview-outside) shows:

Your POST should be sent to
https://www.paypal.com/cgi-bin/webscr.
You must post the transaction token
using the variable "tx" and the value
of the transaction token previously
received (e.g.
"tx=transaction_token"), and the
special identity token using the
variable at and the value of your PDT
identity token (e.g.
"at=identity_token"). You will also
need to append a variable named "cmd"
with the value "_notify-synch", for
example "cmd=_notify-synch", to the
POST string.

However, I am NOT passing the Identity Token at all, yet everything is working fine!

(a) Is this a problem?
(b) Why is it working if the documentation implies that it shouldn't?
(c) Is this a consequence of specifying an outdated API version (58.0)? What is the value I should be using?

Comments (2)

著墨染雨君画夕 2024-10-25 04:36:11


In my opinion the identity token should be a required param since it is the only way Paypal can verify that the request you're making is valid. Otherwise, other people can simply guess a transaction id (even though it is not intended for their accounts) and get details for that transaction from Paypal.

I'm guessing this is a bug you're experiencing. Are you testing in the Paypal sandbox or in a live environment?

倾城月光淡如水﹏ 2024-10-25 04:36:11


Realizing that the OP probably no longer needs an answer after 9 years, but others still might:

The POST of the transaction ID and identity token is purely for the purpose of verifying that the original transaction notification (relayed via the GET method to the merchant's Return URL) actually came from PayPal.

It is as if to say to PayPal, "My website just got this supposed confirmation that a customer paid. Here is the transaction ID and my seller ID again. Is this a legitimate match?"

In fact, at https://developer.paypal.com/docs/api-basics/notifications/payment-data-transfer/, when talking about setting up for testing, it only talks about getting your script ready to receive, parse and display the GET data. It doesn't mention the POSTing back to PayPal (though that is mentioned elsewhere). So, yes, the PDT function should work without doing the POST back to PayPal afterward and waiting for that response of SUCCESS or FAIL, but...

Anyone who knew what they were doing could go to a seller's URL and append a query string with the right combination of variables to fake the same kind of GET request that the PayPal PDT system would initially send, whether or not the transaction ID were a real one.
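The second answer describes the two halves of PDT: the GET that PayPal relays to the Return URL (which anyone can fabricate) and the server-side POST back to PayPal with `tx`, `at` and `cmd=_notify-synch` that proves the notification is genuine. The handler below is an added example, not code from the question or either answer. It assumes the response format PayPal documents for that POST (a first line of `SUCCESS` or `FAIL`, followed on success by URL-encoded `key=value` lines) and the standard IPN/PDT field names `txn_id`, `payment_status`, `mc_gross`, `mc_currency` and `receiver_email`. The HTTP call is injected as a function so the example runs offline against a constructed stand-in for PayPal; the token and transaction values are made up for the demonstration.

```python
"""PDT Return-URL handler that trusts only PayPal's answer to the POST back.

Added example (not from the question or the answers). Assumptions: PayPal
answers the cmd=_notify-synch POST with SUCCESS/FAIL on the first line and
URL-encoded key=value lines after SUCCESS; field names are the standard
IPN/PDT ones. The HTTP POST is injected so this runs offline.
"""
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

PAYPAL_PDT_URL = "https://www.paypal.com/cgi-bin/webscr"  # from the PDT overview quoted above


def build_pdt_post_body(tx: str, identity_token: str) -> str:
    """The POST string the technical overview describes: cmd, tx and at."""
    return urlencode({"cmd": "_notify-synch", "tx": tx, "at": identity_token})


def parse_pdt_response(body: str) -> Optional[Dict[str, str]]:
    """Return the transaction fields on SUCCESS; None on FAIL or a malformed body."""
    lines = body.strip().splitlines()
    if not lines or lines[0].strip() != "SUCCESS":
        return None
    fields: Dict[str, str] = {}
    for line in lines[1:]:
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def verify_pdt_return(query: Dict[str, str], identity_token: str,
                      expected: Dict[str, str],
                      post: Callable[[str, str], str]) -> Optional[Dict[str, str]]:
    """Handle the browser's GET to the Return URL.

    Only `tx` is read from the query string. Every field that decides whether the
    order is paid comes from PayPal's reply to the POST, so a fabricated GET with
    payment_status=Completed or an inflated amount changes nothing.
    """
    tx = query.get("tx")
    if not tx:
        return None
    fields = parse_pdt_response(post(PAYPAL_PDT_URL, build_pdt_post_body(tx, identity_token)))
    if fields is None:
        return None
    # Cross-check PayPal's record against what the merchant expected for this order.
    if fields.get("txn_id") != tx or fields.get("payment_status") != "Completed":
        return None
    for key in ("mc_gross", "mc_currency", "receiver_email"):
        if fields.get(key) != expected.get(key):
            return None
    return fields


# Constructed stand-in for PayPal: one identity token and one known transaction.
FAKE_IDENTITY_TOKEN = "EXAMPLE-IDENTITY-TOKEN"
FAKE_LEDGER = {
    "TX123EXAMPLE": {
        "txn_id": "TX123EXAMPLE",
        "payment_status": "Completed",
        "mc_gross": "19.99",
        "mc_currency": "USD",
        "receiver_email": "seller@example.com",
    }
}


def fake_paypal_post(url: str, body: str) -> str:
    """Behaves like the _notify-synch endpoint for the constructed ledger above."""
    params = {k: v[0] for k, v in parse_qs(body).items()}
    if params.get("cmd") != "_notify-synch" or params.get("at") != FAKE_IDENTITY_TOKEN:
        return "FAIL"
    record = FAKE_LEDGER.get(params.get("tx", ""))
    if record is None:
        return "FAIL"
    return "SUCCESS\n" + "\n".join(f"{k}={quote_plus(v)}" for k, v in record.items())


EXPECTED_ORDER = {"mc_gross": "19.99", "mc_currency": "USD", "receiver_email": "seller@example.com"}


def demo_genuine() -> Optional[Dict[str, str]]:
    """The GET PayPal would relay: only tx matters, and PayPal confirms it."""
    return verify_pdt_return({"tx": "TX123EXAMPLE"}, FAKE_IDENTITY_TOKEN, EXPECTED_ORDER, fake_paypal_post)


def demo_spoofed_get() -> Optional[Dict[str, str]]:
    """A hand-built GET with a made-up tx and a 'Completed' status: PayPal says FAIL."""
    spoof = {"tx": "NOT-A-REAL-TX", "payment_status": "Completed", "mc_gross": "19.99"}
    return verify_pdt_return(spoof, FAKE_IDENTITY_TOKEN, EXPECTED_ORDER, fake_paypal_post)


def demo_wrong_token() -> Optional[Dict[str, str]]:
    """Same genuine tx, but the merchant POSTs the wrong identity token."""
    return verify_pdt_return({"tx": "TX123EXAMPLE"}, "WRONG-TOKEN", EXPECTED_ORDER, fake_paypal_post)


if __name__ == "__main__":
    print("genuine:", demo_genuine())
    print("spoofed GET:", demo_spoofed_get())
    print("wrong token:", demo_wrong_token())
```

The design point is the one the answer makes: the Return-URL GET is only a hint that a transaction may exist. The handler forwards nothing from it except `tx`, and marks the order paid only when PayPal's own reply to the POST says `SUCCESS` and its amount, currency and receiver match the order on file.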
