InApp Billing Verifying Order on Web Server PHP

Question

I'm using a simple PHP script to verify Android order to parse download for the customer.

$receipt = $_GET['purchaseData'];
$billInfo = json_decode($receipt,true);
$signature = $_GET['dataSignature'];
$public_key_base64 = "xxxxxxxxxxxxxxxx";
$key =  "-----BEGIN PUBLIC KEY-----\n".
        chunk_split($public_key_base64, 64,"\n").
       '-----END PUBLIC KEY-----';   

$key = openssl_get_publickey($key);

$signature = base64_decode($signature);

//$result = openssl_verify($billInfo, $signature, $key);
$result = openssl_verify($receipt, $signature, $key);
if (0 === $result) {
        echo "0";
    } else if (1 !== $result) {
        echo "1";
    } else {
        echo "Hello World!";
    }

//added the var_dump($result); as asked by A-2-A
var_dump($result);

result is 0int(0)

I made a real order through the App after I published it and when trying to validate the order I get "0" as result.

I tried direct HTTP access

https://domain.com/thankyou.php?purchaseData={"packageName":"com.example.app","orderId":"GPA.1234-5678-1234-98608","productId":"product","developerPayload":"mypurchasetoken","purchaseTime":1455346586453,"purchaseState":0,"developerPayload":"mypurchasetoken","purchaseToken":"ggedobflmccnemedgplmodhp...."}&dataSignature=gwmBf...

I'm keeping the first of the question because my result is still a guess. After further investigation I think it's the signature not being read in a nice clean way as sent by google.

The signature=gwmBfgGudpG5iPp3L0OnepNlx while the browser is reading it as ƒ ~®v‘¹ˆúw

How is it possible to let it be read in the right way?

just check what `var_dump($result);` is showing. show us also — Alive to die - Anant, Feb 13 '16 at 08:03
int(0) refers to unknown as far as I know but what part it's considering it as unknown? — WiTon Nope, Feb 13 '16 at 08:40

score 1 · Answer 1 · edited May 23 '17 at 11:59

1

To verify the signature you want to make sure of the following:

INAPP_PURCHASE_DATA is not mutated in any way. Any encoding or escaping changes will result in a invalid verification. The best way to ensure it gets to your server intact is to base64 encoded it.
INAPP_DATA_SIGNATURE also must remain intact, it should already base64 encoded so sending that to your server should not be a problem.
openssl_verify expects both data and signature arguments to be in their raw state, so base64 decode before verifying.
It also takes signature_alg as the last argument, in this case sha1WithRSAEncryption should work as should the default, but if in doubt try a few other sha1 algorithms to see which ones work.

My best guess why it's not working for you right now is that you're not receiving the INAPP_PURCHASE_DATA on your server in the same condition that it was received on the app. This Stackoverflow question had the same problem.

edited May 23 '17 at 11:59

Community

1
1

answered Feb 15 '16 at 09:54

Marc Greenstock

11,278
4
30
54

thanks for the answer and excuse can you please elaborate your answer and provide me with an example as I'm a newbie with Java. Thank you! – WiTon Nope Feb 15 '16 at 19:34
@WiTonNope I'm not great with Java either, but if what you're looking for is examples on how to get the `INAPP_PURCHASE_DATA` and `INAPP_DATA_SIGNATURE` then refer to the official docs: http://developer.android.com/google/play/billing/billing_reference.html. Also http://stackoverflow.com/questions/7360403/base-64-encode-and-decode-example-code#answer-7360440 will help you to base64 encode the `INAPP_PURCHASE_DATA` – Marc Greenstock Feb 15 '16 at 21:16
thanks for the reply I'll check and see what I can do hopefully it will work. Thank you again. – WiTon Nope Feb 15 '16 at 22:22

InApp Billing Verifying Order on Web Server PHP

1 Answers1

Linked