PayPal IPN 问题,但在沙盒中工作正常

Posted

技术标签:

【中文标题】PayPal IPN 问题,但在沙盒中工作正常【英文标题】:PayPal IPN Issue, but works in Sandbox fine 【发布时间】:2013-07-04 03:12:23 【问题描述】:

使用 GitHub 上的代码:https://github.com/Quixotix/php-PayPal-IPN

好的,所以,我有一个这样的 php 页面,我将其用作我的 ipnlistener,用于变量中 url 的 sa=paypal_verify 部分,在按钮创建的第 3 步中,如下所示:

notify_url=http://mydomain.com/index.php?page=paypaltest;sa=paypal_verify
return=http://mydomain.com/index.php?page=paypaltest;sa=thankyou
rm=2

这是链接到http://mydomain.com/index.php?page=paypaltest的代码

if (!empty($_REQUEST['sa']) && $_REQUEST['sa'] != 'thankyou')

        // Require file for loading up global variables, etc.  Might not be needed, but just in here in case.
    require_once('/public_html/Settings.php');

    global $smcFunc, $context, $scripturl, $boarddir, $modSettings, $txt;

    if ($_REQUEST['sa'] == 'paypal_verify')
    
        ini_set('log_errors', true);
        ini_set('error_log', '/ipn_errors.log');

        // Here is where the actual IpnListener Class is defined
        // and uses cURL or fSocket to post back to paypal.
        require_once($boarddir . '/ipn/ipnlistener.php');
        $listener = new IpnListener();

        try 
            $listener->requirePostMethod();
            $verified = $listener->processIpn();
         catch (Exception $e) 
            error_log($e->getMessage());
            exit(0);
        


        /*
        The processIpn() method returned true if the IPN was "VERIFIED" and false if it
        was "INVALID".
        */
        if ($verified) 
            $errmsg = '';   // stores errors from fraud checks

            // 1. Make sure the payment status is "Completed" 
            if ($_POST['payment_status'] != 'Completed')  
                // simply ignore any IPN that is not completed
                exit(0); 
            

            // Database Query in here (excluded) that selects sellers_email, product_name, and price from within the database for the actual purchase, based on the $_POST['item_name'] from paypal.

            // If return results are 0 from database table than do following:
                $errmsg .= "Product Not Found in the database: ";
                $errmsg .= $_POST['item_name']."\n";
                // manually investigate errors from the fraud checking
                $body = "IPN failed fraud checks: \n$errmsg\n\n";
                $body .= $listener->getTextReport();
                mail('myemail@address.com', 'IPN Fraud Warning', $body);
                exit(0);

            // Set $sellers_email, $item_name, and $price variables from the database table.  And than free the mysql result.


            // 2. Make sure seller email matches your primary account email.
            if ($_POST['receiver_email'] != $sellers_email) 
                $errmsg .= "'receiver_email' does not match: ";
                $errmsg .= $_POST['receiver_email']."\n";
            

            // 3. Make sure the amount(s) paid match
            if ($_POST['mc_gross'] != $price) 
                $errmsg .= "'mc_gross' does not match: ";
                $errmsg .= $_POST['mc_gross']."\n";
            

            // 4. Make sure the currency code matches
            if ($_POST['mc_currency'] != 'USD') 
                $errmsg .= "'mc_currency' does not match: ";
                $errmsg .= $_POST['mc_currency']."\n";
            

            // 5. Ensure the transaction is not a duplicate.
            // Attempt to grab a transaction id from the table where it goes.  The column is id_txn, if it exists
                $errmsg .= "'txn_id' has already been processed: ".$_POST['txn_id']."\n";

            // free database result.

            // Set $txn_id from paypal to the $txn_id variable.
            $txn_id = (string) $_POST['txn_id'];

            if (!empty($errmsg)) 

                // manually investigate errors from the fraud checking
                $body = "IPN failed fraud checks: \n$errmsg\n\n";
                $body .= $listener->getTextReport();
                mail('myemail@address.com', 'IPN Fraud Warning', $body);

             else 

                // send email to buyer.
                // and just to be sure, send them to the sa=thankyou page!
            
         else 
            // send email to self with the errors listed
        
    


if (!empty($_REQUEST['sa']) && $_REQUEST['sa'] == 'thankyou')
    echo '
    <div class="information">Thank you for purchasing this product.  We sent you an email with your details and link to download this software.<br />';

echo '
<div class="cat_bar boardframe">
    <h3 class="catbg">
        PayPal Test Sale
    </h3>
</div>
<div class="roundframe blockframe">
This is just a Test Selling Page to be sure that the PayPal electronic downloads actually work!
</div>
<span class="lowerframe"><span><!-- // --></span></span>
<br />
<div class="cat_bar boardframe">
    <h3 class="catbg">
        Purchase at 0.01 USD
    </h3>
</div>
<div class="roundframe blockframe">
    <form action="https://www.paypal.com/cgi-bin/webscr" method="post" target="_top">
        <input type="hidden" name="cmd" value="_s-xclick">
        <input type="hidden" name="hosted_button_id" value="FJAGXAC7GCFSY">
        <input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_paynow_SM.gif" border="0" name="submit"  style="border: none; background: none;">
        <img  border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif"  >
    </form>
</div>
<span class="lowerframe"><span><!-- // --></span></span>
<br class="clear" />';

ipnlistener.php 文件中包含以下代码:

class IpnListener 

    /**
     *  If true, the recommended cURL PHP library is used to send the post back 
     *  to PayPal. If flase then fsockopen() is used. Default true.
     *
     *  @var boolean
     */
    public $use_curl = true;

    /**
     *  If true, explicitly sets cURL to use SSL version 3. Use this if cURL
     *  is compiled with GnuTLS SSL.
     *
     *  @var boolean
     */
    public $force_ssl_v3 = true;     

    /**
     *  If true, cURL will use the CURLOPT_FOLLOWLOCATION to follow any 
     *  "Location: ..." headers in the response.
     *
     *  @var boolean
     */
    public $follow_location = false;     

    /**
     *  If true, an SSL secure connection (port 443) is used for the post back 
     *  as recommended by PayPal. If false, a standard HTTP (port 80) connection
     *  is used. Default true.
     *
     *  @var boolean
     */
    public $use_ssl = true;

    /**
     *  If true, the paypal sandbox URI www.sandbox.paypal.com is used for the
     *  post back. If false, the live URI www.paypal.com is used. Default false.
     *
     *  @var boolean
     */
    public $use_sandbox = false; 

    /**
     *  The amount of time, in seconds, to wait for the PayPal server to respond
     *  before timing out. Default 30 seconds.
     *
     *  @var int
     */
    public $timeout = 30;       

    private $post_data = array();
    private $post_uri = '';     
    private $response_status = '';
    private $response = '';

    const PAYPAL_HOST = 'www.paypal.com';
    const SANDBOX_HOST = 'www.sandbox.paypal.com';

    /**
     *  Post Back Using cURL
     *
     *  Sends the post back to PayPal using the cURL library. Called by
     *  the processIpn() method if the use_curl property is true. Throws an
     *  exception if the post fails. Populates the response, response_status,
     *  and post_uri properties on success.
     *
     *  @param  string  The post data as a URL encoded string
     */
    protected function curlPost($encoded_data) 

        if ($this->use_ssl) 
            $uri = 'https://'.$this->getPaypalHost().'/cgi-bin/webscr';
            $this->post_uri = $uri;
         else 
            $uri = 'http://'.$this->getPaypalHost().'/cgi-bin/webscr';
            $this->post_uri = $uri;
        

        $ch = curl_init();

        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
        curl_setopt($ch, CURLOPT_CAINFO, 
                    dirname(__FILE__)."/cert/api_cert_chain.crt");
        curl_setopt($ch, CURLOPT_URL, $uri);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $encoded_data);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, $this->follow_location);
        curl_setopt($ch, CURLOPT_TIMEOUT, $this->timeout);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, true);

        if ($this->force_ssl_v3) 
            curl_setopt($ch, CURLOPT_SSLVERSION, 3);
        

        $this->response = curl_exec($ch);
        $this->response_status = strval(curl_getinfo($ch, CURLINFO_HTTP_CODE));

        if ($this->response === false || $this->response_status == '0') 
            $errno = curl_errno($ch);
            $errstr = curl_error($ch);
            throw new Exception("cURL error: [$errno] $errstr");
        
    

    /**
     *  Post Back Using fsockopen()
     */
    protected function fsockPost($encoded_data) 

        if ($this->use_ssl) 
            $uri = 'ssl://'.$this->getPaypalHost();
            $port = '443';
            $this->post_uri = $uri.'/cgi-bin/webscr';
         else 
            $uri = $this->getPaypalHost(); // no "http://" in call to fsockopen()
            $port = '80';
            $this->post_uri = 'http://'.$uri.'/cgi-bin/webscr';
        

        $fp = fsockopen($uri, $port, $errno, $errstr, $this->timeout);

        if (!$fp)  
            // fsockopen error
            throw new Exception("fsockopen error: [$errno] $errstr");
         

        $header = "POST /cgi-bin/webscr HTTP/1.1\r\n";
        $header .= "Host: ".$this->getPaypalHost()."\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "Content-Length: ".strlen($encoded_data)."\r\n";
        $header .= "Connection: Close\r\n\r\n";

        fputs($fp, $header.$encoded_data."\r\n\r\n");

        while(!feof($fp))  
            if (empty($this->response)) 
                // extract HTTP status from first line
                $this->response .= $status = fgets($fp, 1024); 
                $this->response_status = trim(substr($status, 9, 4));
             else 
                $this->response .= fgets($fp, 1024); 
            
         

        fclose($fp);
    

    private function getPaypalHost() 
        if ($this->use_sandbox) return self::SANDBOX_HOST;
        else return self::PAYPAL_HOST;
    

    /**
     *  Get POST URI
     */
    public function getPostUri() 
        return $this->post_uri;
    

    /**
     *  Get Response
     *
     *  Returns the entire response from PayPal as a string including all the
     *  HTTP headers.
     *
     *  @return string
     */
    public function getResponse() 
        return $this->response;
    

    /**
     *  Get Response Status 200 if Successful
     */
    public function getResponseStatus() 
        return $this->response_status;
    

    /**
     *  Get Text Report
     */
    public function getTextReport() 

        $r = '';

        // date and POST url
        for ($i=0; $i<80; $i++)  $r .= '-'; 
        $r .= "\n[".date('m/d/Y g:i A').'] - '.$this->getPostUri();
        if ($this->use_curl) $r .= " (curl)\n";
        else $r .= " (fsockopen)\n";

        // HTTP Response
        for ($i=0; $i<80; $i++)  $r .= '-'; 
        $r .= "\n$this->getResponse()\n";

        // POST vars
        for ($i=0; $i<80; $i++)  $r .= '-'; 
        $r .= "\n";

        foreach ($this->post_data as $key => $value) 
            $r .= str_pad($key, 25)."$value\n";
        
        $r .= "\n\n";

        return $r;
    

    /**
     *  Process IPN
     *
     *  Handles the IPN post back to PayPal and parsing the response. Call this
     *  method from your IPN listener script. Returns true if the response came
     *  back as "VERIFIED", false if the response came back "INVALID", and 
     *  throws an exception if there is an error.
     *
     *  @param array
     *
     *  @return boolean
     */    
    public function processIpn($post_data=null) 

        $encoded_data = 'cmd=_notify-validate';

        if ($post_data === null) 
            if (!empty($_POST)) 
                $this->post_data = $_POST;
                $encoded_data .= '&'.file_get_contents('php://input');
             else 
                throw new Exception("No POST data found.");
            
         else 
            $this->post_data = $post_data;

            foreach ($this->post_data as $key => $value) 
                $encoded_data .= "&$key=".urlencode($value);
            
        

        if ($this->use_curl) $this->curlPost($encoded_data); 
        else $this->fsockPost($encoded_data);

        if (strpos($this->response_status, '200') === false) 
            throw new Exception("Invalid response status: ".$this->response_status);
        

        if (strpos($this->response, "VERIFIED") !== false) 
            return true;
         elseif (strpos($this->response, "INVALID") !== false) 
            return false;
         else 
            throw new Exception("Unexpected response from PayPal.");
        
    

    public function requirePostMethod() 
        // require POST requests
        if ($_SERVER['REQUEST_METHOD'] && $_SERVER['REQUEST_METHOD'] != 'POST') 
            header('Allow: POST', true, 405);
            throw new Exception("Invalid HTTP request method.");
        
    

error_log 中没有记录任何错误(这个文件实际上是在发生错误时创建的,所以它甚至不存在)。而且它从不向数据库中添加任何内容。我知道item_name 在 PayPal 服务器上是正确的,并且在数据库表中也应该匹配。

似乎 ipnlistener 或它如何链接到它有问题?或者从中返回什么?

有没有一种方法可以完全从 ipnlistener.php 文件中测试返回值?这样我才能真正看到它?也许我什至可以看到发送到以​​下网址(来自 Paypal)的内容:http://mydomain.com/index.php?page=paypaltest;sa=paypal_verify

我正在努力跟踪这个问题,以便准确找出问题出在哪里......有什么想法吗?

也许和cURL中的这一行有关:

curl_setopt($ch, CURLOPT_CAINFO, 
                    dirname(__FILE__)."/cert/api_cert_chain.crt");

我从未听说过在服务器的实际文件结构中附加 SSL 证书。

另外,也有可能,因为它在notify_url 中有index.php,它正在添加额外的标头。如果是这样,我是否可以在从 PayPal 获取编码数据并将其返回到 paypal 进行验证之前以某种方式将所有内容从文件中清除?这样,它肯定和 PayPal 发送到 notify_url 时完全相同。

我不明白为什么这必须如此复杂!我已经连续 7 天在这上面拔头发了,几乎没有睡觉!

这我知道:我的服务器上启用了 cURL。如果我浏览到实际的notify_url 页面,它是空白的(就像一个完全空白的页面),我认为这是正确的。查看 Notification History 时,它说,Sent, and HTTP Response code is 200.

这我不知道:它在哪里失败了?贝宝通知到底在哪里失败?为什么它没有触及我的数据库?我在任何地方都没有错误...

【问题讨论】:

另外,在我的个人资料中启用了 IPN,自动返回也是如此。但是,我的个人资料中的 IPN 转到了不同的 URL,但这无关紧要,因为我在按钮创建的第 3 步中设置了 notify_url 变量。 当我使用 IPN 模拟器时,它会将值添加到数据库中并很好地发送电子邮件,当然我在使用时将 ipnlistener.php 中$use_sandbox 的变量更改为 false这个! 在沙盒模式下也可以正常工作,但在实时时根本不工作!我的意思是它可以很好地重定向到返回 url,但它不会将用户信息添加到数据库中,并且它永远不会向用户发送电子邮件,这在沙盒模式下做得非常好! 另外,不确定,但我认为这里的 SSL 证书:/cert/api_cert_chain.crt 已过期,不确定这是否重要,但这是软件包下载的一部分,并认为它一定很重要。跨度> 【参考方案1】:

我发现问题了,天哪,它在认​​证文件中:

刚刚更改了以下内容:

curl_setopt($ch, CURLOPT_CAINFO, 
    dirname(__FILE__)."/cert/api_cert_chain.crt");

到我的服务器上从 /home/ 开始的实际文件路径

curl_setopt($ch, CURLOPT_CAINFO, "完整文件路径/cert/api_cert_chain.crt");

天哪,我太傻了!现在完美运行!耶耶!

【讨论】:

恭喜!可能对其他人有帮助。 感谢您的 +1,在设置赏金 5 分钟后回答了我自己的问题,有点希望一旦设置赏金有 10 分钟取消。丢了 200 分,很高兴 +1 能在这件事上有所回报…… 您可以标记您的问题并要求版主退还赏金。【参考方案2】:

你应该使用https://ipnpb.paypal.com/cgi-bin/webscr而不是https://www.paypal.com/cgi-bin/webscr作为直播网址。

【讨论】:

所以我将const PAYPAL_HOST 更改为:const PAYPAL_HOST = 'ipnpb.paypal.com'; 并重新发送IPN,但它不起作用。还有什么建议吗? 不使用ipnpb.paypal.com 也能正常工作。我使用www.paypal.com 作为PAYPAL_HOST 并且工作得非常好!不知道你从哪里得到那个网址。 ipnpb.paypal.com 是 IPN 验证的备用选项,如果您必须将一组特定的 IP 地址列入防火墙白名单; www.paypal.com 没有这样的列表(它是根据地理位置/通过我们的 CDN 负载动态分配的)。 我现在很困惑...为什么要将 IP 列入白名单?不是所有 IP 都与 www.paypal.com 合作吗?那么使用ipnpb.paypal.com会更好吗?还是www.paypal.com?两者都安全吗?它们都适用于所有情况吗?我仍然对确切的区别感到困惑......【参考方案3】:

我为此苦苦挣扎了一段时间,结果发现它是我的防火墙。

在测试期间,我添加了两条规则以允许 HTTPS 出站到 www.paypal.com 和 www.sandbox.paypal.com,它似乎工作正常。事后看来,这只是因为沙盒只有一个 IP 地址!

所以当我在 iptables 中将 www.paypal.com 添加到防火墙时,它解析了 IP,但当然后来我从 DNS 获得的 IP 不同,所以防火墙开始阻塞。

正如@Latha 所说,您应该使用 ipnpb.paypal.com 而不是 www.paypal.com。这是因为它们列出了该域的 IP 地址,因此您可以将它们添加到您的防火墙规范中。他们目前...

173.0.84.8
173.0.84.40
173.0.88.8
173.0.88.40

他们很快(2014 年 3 月 25 日)将添加更多内容,您可以在此处找到完整列表...

https://ppmts.custhelp.com/app/answers/detail/a_id/92

【讨论】:

以上是关于PayPal IPN 问题,但在沙盒中工作正常的主要内容,如果未能解决你的问题,请参考以下文章

Braintree Paypal 在沙盒中工作,但不是生产

Paypal IPN 在沙盒 ipn sinulator 中有效,但在交易中无效

为啥 setLandingPageType("billing") 在沙盒中工作,但在 PAYPAL PHP REST API SDK WebProfile 中的实时版本中不工作

Paypal IPN 未发送定期付款信息

Paypal IPN 未在沙盒上发送/接收

Paypal IPN 在沙盒中有效 直播时无效