Tags: php, paypal, paypal-ipn

Do I need HTTPS on my domain for using PayPal Standard Payment now?


I am really confused about this, and have contacted PayPal, but have not got any clear answer at all. I have also searched, but only found old answers (from before the last PayPal roadmap).

Sorry if this is basic. I still haven't found any clear info to keep me up to date. It might just be some confusion about words and their meanings (English is not my mother tongue).

Regarding PayPal's update: https://www.paypal-knowledge.com/infocenter/index?page=content&widgetview=true&id=FAQ1916&viewlocale=en_US

1) Do I now need to have HTTPS on my domain, or not? (PayPal Standard Payment)

2) Any changes I need to do elsewhere?


So, I use a hidden form to post the buying info to PayPal, like this:

<form name='form' action='https://www.paypal.com/cgi-bin/webscr' method='post' target='_top'>

    <input type='hidden' name='cmd' value='_xclick'>
    <input type='hidden' name='business' value='$MerchantId'>
    <input type='hidden' name='item_name' value='$Descripton'>
    <input type='hidden' name='return' value='$BackUrl&show=back'>
    <input type='hidden' name='cancel_return' value='$CancelUrl'>
    <input type='hidden' name='no_note' value='1'>
    <input type='hidden' name='currency_code' value='$Currency'>
    <input type='hidden' name='lc' value='US'>
    <input type='hidden' name='bn' value='PP-BuyNowBF'>
    <input type='hidden' name='amount' value='$GrandTotal'>
    <input type='hidden' name='notify_url' value='$BackUrl&payment=ipn&i=1'>

    <div align='center'>
        <div id='payNow1'>
            <div id='payNowLogo'><img src='$ImgPath/paypal_logo.gif'></div>
            <div id='payNowContent'>$IPNdesc</div>
            <div id='payNowButton'><input type='submit' value='$IPNpay' id='payNowSubmit'></div>
        </div>
    </div>
</form>

This site is HTTP only, thus the notify_url is only HTTP.

Here is the code of my IPN receiver and handler:

else {

    // read the post from PayPal system and add 'cmd'
    $req = 'cmd=_notify-validate';

    foreach ($_POST as $key => $value) {
        $value = urlencode(stripslashes($value));
        $req .= "&$key=$value";
    }

    // post back to PayPal system to validate
    // ($header is initialised here; it was appended to while still undefined)
    $header = "POST /cgi-bin/webscr HTTP/1.0\r\n";

Note: must the above now be HTTP/1.1?

    $header .= "Host: www.paypal.com\r\n";
    $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
    $fp = fsockopen('www.paypal.com', 80, $errno, $errstr, 30);

    // assign posted variables to local variables
    // ($_POST is already URL-decoded by PHP, so no urldecode() is needed)
    $item_name        = $_POST['item_name'];
    $item_number      = $_POST['item_number'];
    $payment_status   = $_POST['payment_status'];
    $payment_amount   = $_POST['mc_gross'];
    $payment_currency = $_POST['mc_currency'];
    $txn_id           = $_POST['txn_id'];
    $receiver_email   = $_POST['receiver_email'];
    $payer_email      = $_POST['payer_email'];

    // mc_currency = CAD
    // payment_status = Completed

    if (!$fp) {
        // HTTP ERROR
    } else {
        fputs($fp, $header . $req);
        while (!feof($fp)) {
            // trim(): fgets() keeps the trailing newline, so an untrimmed
            // line never compares equal to "VERIFIED"
            $res = trim(fgets($fp, 1024));
            if (strcmp($res, "VERIFIED") == 0) {
                // check the payment_status is Completed
                // check that txn_id has not been previously processed
                // check that receiver_email is your Primary PayPal email
                // check that payment_amount/payment_currency are correct
                // process payment

                // item_name carries the order id after a '#'
                // (note: 'Pending' means the money has not arrived yet)
                if (stristr($item_name, "#") && ($payment_status == 'Completed' || $payment_status == 'Pending')) {
                    $orderId = explode("#", $item_name);

                    // check if payment's amount is correct.
                    if (checkPayment($orderId[1], $payment_amount, $payment_currency)) {
                        // if result is TRUE, apply payment and finish.

                        // applyPayment function will do everything to finish this order
                        // it will send e-mails to admin/customer, if items were downloadable
                        // links will be attached to mail and will be shown in customer's status area
                        // also, order will be signed as "paid" in database.

                        // applyPayment('paid',Order ID,Order Amount,Currency - may be null,Transaction Id - from payment gate,IPN ID to assign how order was paid)
                        applyPayment('paid', $orderId[1], $payment_amount, $payment_currency, $txn_id, 1);
                        //echo "OK"; // only this message is valid for DotPay.
                    }
                } // end of if stristr #
            } else if (strcmp($res, "INVALID") == 0) {
                // log for manual investigation
                // mail_($adminEmail,"FAILED!","1");
            }
        }
        fclose($fp);
    }
} // end of else (the dispatch on ?payment=ipn precedes this block in the full file)

Thank you for clarifying this for me. I have tried to my best ability to get the correct answer by searching, but it has only made me more confused.


Solution

  • Subject to correction from official Paypal folk:

    This is in the link you provided:

    For increased security going forward, only HTTPS will be allowed for postbacks to PayPal.

    At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal to the merchant’s IPN listener.

    Note: I separated the sentences to show the different context...

    • The "first" sentence says any/all calls you make to Paypal must use HTTPS (TLS 1.2) - though it seems the TLS 1.2 requirement has moved from June 2016 originally to June 2017.

      So when you POST (back) to Paypal in the validate step, you'll need to connect (POST) to Paypal using HTTPS.

    • The "second sentence" says it's still ok for your notify_url to be HTTP. Your url/s that receive data from Paypal can still be HTTP.

    Hth...
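An added example (not code from the question or the answer above) of what the answer describes in practice: the validation postback goes to PayPal over HTTPS with TLS 1.2 and certificate verification, while the listener itself can still sit behind the plain-HTTP notify_url from the question. It also performs the checks the question's handler only lists as comments (Completed status, receiver_email, txn_id replay, amount and currency). The endpoint is the https://www.paypal.com/cgi-bin/webscr address from the question's form; the merchant address merchant@example.com, the "Order #<id>" item_name convention, the sample IPN message and the two database callables are assumptions for illustration, not anything the page states.

```php
<?php
// Added example, not the question's or the answer's own code. Assumed for
// illustration: merchant@example.com, item_name of the form "Order #<id>",
// and two callables standing in for your own database code.
declare(strict_types=1);

// 'cmd=_notify-validate' first, then every field PayPal sent, re-encoded one by
// one (the same approach as the question's fsockopen handler).
function build_postback_body(array $post): string
{
    $body = 'cmd=_notify-validate';
    foreach ($post as $key => $value) {
        $body .= '&' . $key . '=' . urlencode((string) $value);
    }
    return $body;
}

// HTTPS postback: TLS 1.2 only, certificate and host name verified, HTTP/1.1.
// Returns PayPal's trimmed reply, "VERIFIED" or "INVALID".
function paypal_postback(string $body): string
{
    $ch = curl_init('https://www.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
        CURLOPT_HTTPHEADER     => ['Connection: Close'],
    ]);
    $res = curl_exec($ch);
    $err = curl_error($ch);
    curl_close($ch);
    if ($res === false) {
        throw new RuntimeException("postback failed: $err");
    }
    return trim((string) $res);
}

// The checks the question's handler lists as comments but never performs.
// $postback(body) -> "VERIFIED"/"INVALID"; $orderLookup(id) -> ['amount','currency']
// or null; $txnSeen(txn_id) -> true if already processed (replay protection).
function evaluate_ipn(array $post, string $merchantEmail, callable $postback,
                      callable $orderLookup, callable $txnSeen): array
{
    $fail = fn(string $why) => ['ok' => false, 'reason' => $why, 'order_id' => null];
    if ($postback(build_postback_body($post)) !== 'VERIFIED') {
        return $fail('not verified by PayPal');
    }
    // "Pending" is not money in the account; only Completed may release goods.
    if (($post['payment_status'] ?? '') !== 'Completed') {
        return $fail('payment_status is not Completed');
    }
    // A forged IPN can name the attacker's own account as receiver.
    if (strcasecmp($post['receiver_email'] ?? '', $merchantEmail) !== 0) {
        return $fail('receiver_email mismatch');
    }
    $txnId = (string) ($post['txn_id'] ?? '');
    if ($txnId === '' || $txnSeen($txnId)) {
        return $fail('missing or already processed txn_id');
    }
    $parts = explode('#', (string) ($post['item_name'] ?? ''), 2);
    if (count($parts) < 2 || trim($parts[1]) === '') {
        return $fail('no order id in item_name');
    }
    $orderId = trim($parts[1]);
    $order = $orderLookup($orderId);
    if ($order === null) {
        return $fail("unknown order $orderId");
    }
    // Compare amount as a fixed two-decimal string: the buyer controls mc_gross.
    $paid = number_format((float) ($post['mc_gross'] ?? 0), 2, '.', '');
    $due  = number_format((float) $order['amount'], 2, '.', '');
    if ($paid !== $due || ($post['mc_currency'] ?? '') !== $order['currency']) {
        return $fail("amount/currency mismatch: paid $paid, due $due");
    }
    return ['ok' => true, 'reason' => 'verified', 'order_id' => $orderId];
}

// Offline run with a constructed IPN message and a stand-in postback. In the
// live listener pass 'paypal_postback' and closures over your database instead.
if (PHP_SAPI === 'cli') {
    $orders = ['42' => ['amount' => '19.90', 'currency' => 'CAD']];
    $sample = [  // constructed sample, not a real IPN
        'txn_id' => '3AB12345CD678901E', 'payment_status' => 'Completed',
        'receiver_email' => 'merchant@example.com', 'item_name' => 'Order #42',
        'mc_gross' => '19.90', 'mc_currency' => 'CAD',
    ];
    $verdict = evaluate_ipn($sample, 'merchant@example.com',
        fn(string $body): string => 'VERIFIED',
        fn(string $id): ?array => $orders[$id] ?? null,
        fn(string $txn): bool => false);
    echo json_encode($verdict), PHP_EOL;
}
```

The decision logic is kept apart from the network call so it can be exercised from the command line with a fake postback; on the live site only the HTTPS postback needs PayPal, and the notify_url itself may remain HTTP exactly as the answer says. Reply to PayPal with a 200 status whatever the verdict, and log the "not verified" cases for manual investigation rather than retrying the order.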