Hi instead of using the Paypal API I designed a webpage using php and curl to check whether a certain email is verified on Paypal or not. In order to do so I have to allow the script to login for me on Paypal’s website. Now I am using a fake paypal account just to check if an email is verified or not, but my question is how secure is that username and password that is being entered onto paypal’s website. If it is unsecure and can be easily sniffed out by someone monitoring the server communications, how can I protect against that?
Please note I am not using Paypal’s API because it requires way too much work to incorporate onto your website, and it requires extra fields to return if an email is verified (first name, last name, etc).
Here’s the code:
<?php
//email address to check
$verifyEmail = 'randomemail@blah.com';
//paypal login info
$loginEmail = '###';
$password = '###';
if (!isLogin($loginEmail, $password)) {
echo 'Login failed';
} else if (isVerified($verifyEmail)) {
echo 'Verified';
} else {
echo 'Not verified';
}
#########################################
function isVerified($verifyEmail) {
$url = 'https://www.paypal.com/us/verified/pal='.$verifyEmail;
$response = curl_get($url);
if(strpos($response, '<td class="emphasis">Verified</td>')) {
return true;
} else {
return false;
}
}
function isLogin($email, $password) {
// Get login page
$response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run');
$postFields = getHiddenFormInputs($response, 'login_form');
if (!$postFields) {
return false;
}
// Post login
$postFields['login_email'] = $email;
$postFields['login_password'] = $password;
$postFields = serializePostFields($postFields);
$response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit', $postFields);
if(!strpos($response, 'login_cmd=_login-done')) {
return false;
} else {
return true;
}
}
function curl_get($url, $postfields=false) {
static $curl;
if(empty($curl)) {
$cookiejar = 'curl_cookiejar.txt';
@unlink($cookiejar);
$curl = curl_init();
curl_setopt($curl, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($curl, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HEADER, 1);
curl_setopt($curl, CURLOPT_MAXREDIRS, 5);
}
curl_setopt($curl, CURLOPT_URL, $url);
if(stripos($url, 'https')!==false) {
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
}
if ($postfields) {
curl_setopt($curl, CURLOPT_POST, 1);
curl_setopt($curl, CURLOPT_POSTFIELDS, $postfields);
}
$response = curl_exec($curl);
return $response;
}
function getHiddenFormInputs($html) {
if(!preg_match('|<form[^>]+login_form[^>]+>.*</form>|Usi', $html, $form)) {
return '';
}
if(!preg_match_all('/<input[^>]+hidden[^>]*>/i', $form[0], $inputs)) {
return '';
}
$hiddenInputs = array();
foreach($inputs[0] as $input){
if (preg_match('|name\s*=\s*[\'"]([^\'"]+)[\'"]|i', $input, $name)) {
$hiddenInputs[$name[1]] = '';
if (preg_match('|value\s*=\s*[\'"]([^\'"]*)[\'"]|i', $input, $value)) {
$hiddenInputs[$name[1]] = $value[1];
}
}
}
return $hiddenInputs;
}
function serializePostFields($postFields) {
foreach($postFields as $key => $value) {
$value = urlencode($value);
$postFields[$key] = "$key=$value";
}
$postFields = implode($postFields, '&');
return $postFields;
}
?>
Ignoring the method being used (the API is more robust, and current method could break if they change the login), CURL is as secure as any standard request from a browser. From the script I can see you are using https for the request, so you should be fine.