
I have a PHP file that can be accessed directly in a browser, and it also receives notifications from the Stripe payment gateway. The file starts with:

```php
<?php

error_reporting(E_ERROR | E_PARSE);

require_once('../stripe/init.php');

\Stripe\Stripe::setApiKey("XXXXXXXXXXXXXXXXXXX");

$body = @file_get_contents('php://input');
$event_json = json_decode($body);

if(empty($event_json))
    exit();

$event_id = $event_json->id;
$event = \Stripe\Event::retrieve($event_id);

//So on......

?>
```

How do I check if execution is from a browser or from Stripe?

Like, should I check for an empty $event_json or $event_id?

I want to write code as:

```
if(check_if_executed_from_Stripe)
   do_this
else
   do_that
```
Computer User
  • You can try checking the user agent: https://stackoverflow.com/questions/10243841/how-to-get-user-agent-in-php Stripe probably accesses it with some user agent identifying it – Elias Soares Aug 11 '19 at 12:33
  • 3 years ago, Stripe accessed with this user agent: `Stripe/1.0 (+https://stripe.com/docs/webhooks)`, probably similar to the current user agent. – Elias Soares Aug 11 '19 at 12:35
  • @EliasSoares thanks, but can I check $body or $event_json or $event_id? Which is the best variable that will definitely be set by Stripe and definitely not by the browser? – Computer User Aug 11 '19 at 12:35
  • @ComputerUser You can't know if the request originates from the browser or from Stripe because both components can send the same request the other one is sending. What do you want to do in case it is called from the browser and in case it is called from Stripe? What is the problem if the request is coming from the browser or coming from Stripe? – Progman Aug 11 '19 at 12:39
  • @EliasSoares note that hackers can easily fake the user-agent, so don't rely on user-agent detection if it's important that hackers should not be able to imitate Stripe here... bet you can give Stripe a unique token somewhere – hanshenrik Aug 11 '19 at 12:42
  • You have to check the request's signature: `$sig_header = $_SERVER['HTTP_STRIPE_SIGNATURE'];` manual: https://stripe.com/docs/webhooks/signatures#verify-official-libraries – num8er Aug 11 '19 at 12:45
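
The signature check from the last comment, written out by hand as an added example (not code from the thread or from Stripe's library): it follows Stripe's documented `Stripe-Signature` format, `t=<timestamp>,v1=<HMAC-SHA256 of "timestamp.body">`. The function name, the `whsec_PLACEHOLDER` secret and the sample event are constructed for illustration.

```php
<?php
// Added example: manual check of "Stripe-Signature: t=<unix time>,v1=<hex HMAC>".
// is_signed_by_stripe() is a hypothetical helper name, not a Stripe API.
function is_signed_by_stripe(string $payload, string $sigHeader, string $secret,
                             int $tolerance = 300, ?int $now = null): bool
{
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $sigHeader) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;                       // malformed element, ignore it
        }
        if ($kv[0] === 't' && ctype_digit($kv[1])) {
            $timestamp = (int) $kv[1];
        } elseif ($kv[0] === 'v1') {
            $candidates[] = $kv[1];         // header may carry more than one v1 value
        }                                   // other schemes are ignored on purpose
    }
    if ($timestamp === null || $candidates === []) {
        return false;                       // no usable header: not a signed request
    }
    // Reject stale timestamps to limit replay of a captured request.
    if (abs(($now ?? time()) - $timestamp) > $tolerance) {
        return false;
    }
    // The signed string is "<timestamp>.<raw body>", keyed with the endpoint secret.
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $sig) {
        if (hash_equals($expected, $sig)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample data: placeholder secret and body, header built locally.
$secret = 'whsec_PLACEHOLDER';
$body   = '{"id":"evt_PLACEHOLDER","type":"charge.succeeded"}';
$t      = 1565526000;
$header = "t=$t,v1=" . hash_hmac('sha256', "$t.$body", $secret);

var_dump(is_signed_by_stripe($body, $header, $secret, 300, $t + 10));       // untouched request
var_dump(is_signed_by_stripe($body . ' ', $header, $secret, 300, $t + 10)); // body altered
var_dump(is_signed_by_stripe($body, '', $secret, 300, $t + 10));            // browser visit, no header
var_dump(is_signed_by_stripe($body, $header, $secret, 300, $t + 3600));     // replayed after tolerance
```

In the webhook file, pass the raw `php://input` body (before `json_decode`) and `$_SERVER['HTTP_STRIPE_SIGNATURE'] ?? ''`; a browser visit carries no such header and falls into the `else` branch.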

0 Answers