All geek questions in one place

Is recipient email comparison an important part of the Paypal script IP address?

In the standard Paypal PHP script IP server, this line evaluates the success of the payment:

if ($_POST["payment_status"] == "Completed" && $_POST["receiver_email"] == $email)

The purpose of assessing the status of the payment is obvious. But the second part of the comparison does not seem to add much importance, as far as I can tell.

The value of $email , as I understand it, is simply the place where you want to receive errors and successful emails with confirmation of payment. receiver_email is just the email address attached to your Paypal trading account.

It seems to me that this is not the same thing. This was especially true for me during testing using the Paypal sandbox, because the sellerโ€™s email address was partially generated automatically when I set up my account, and therefore this is not a place where I can receive emails anyway.

So, since both email addresses may be different, my initial thought is that this comparison is not so important. But perhaps there is an important security consideration that I am missing.

Is this comparison critical?

+4
source share
1 answer

Yes, this is a critical check in most situations, because an attacker can make a payment to his own PayPal address if you send an IPN in a mail request (button).

Since you have 2 PayPal accounts, itโ€™s easier to replace

 $_POST["receiver_email"] == $email

from

 in_array($_POST["receiver_email"], array("myemail1", "myemail2"))

Personally, I would not skip checking the receiver, even if your IPN URL is well hidden and configured in your account. My simple approach will protect you from malicious requests.

+2
source

Source: https://habr.com/ru/post/1412322/

More articles:


All Articles