Ensure paypal return page coming from Paypal

Question

Further to my question and awesome answers from the previous thread, Redirection / Return Check in PHP

I would also love to know, if a payment confirmation page is returned to my website from PayPal, how can I 100% sure that it is coming from paypal and the payment is made?

Regards, Andy

score 1 · Accepted Answer · edited May 23 '17 at 10:00

1

To make sure the request is coming from PayPal you can try resolving the IP address:

if (preg_match('~^(?:.+[.])?paypal[.]com$~', gethostbyaddr($_SERVER['REMOTE_ADDR'])) > 0)
{
    // came from PayPal
}

You can (and should) also request https://www[.sandbox].paypal.com/cgi-bin/webscr/ with the same data your received in POST and append the cmd => _notify-validate key-value pair to the request, if the response is VERIFIED the data is valid.

See also this question: PayPal IPN Security

edited May 23 '17 at 10:00

Community

1
1

answered Jun 07 '11 at 14:31

Alix Axel

151,645
95
393
500

This doesn't work for me, the remote_addr show the machine IP address instead, any help? – drhanlau Jun 08 '11 at 04:04
@cherhan: Which machine? Yours? If so, that's because you're the one requesting the page, and not PayPal. – Alix Axel Jun 08 '11 at 05:52
@Dugi: Yeah, it does. Cheers! – Alix Axel Sep 07 '12 at 09:00

Ensure paypal return page coming from Paypal

1 Answers1

Linked