I am implementing a PayPal IPN page and would like to check to ensure that requests are truly coming from PayPal and not being spoofed.
I would assume that HTTP_REFERRER would not be a good way of checking?
I’ve tried this approach and the variable just comes up empty.
Is there a way to check where a post is coming from? Maybe in the HTTP request header?
And a related side note: from a security standpoint, how reliable would this method be?
That would be completely unreliable, as someone could spoof the Referer field as easily as they could spoof the request.
What you need to do is use PayPal’s documented IPN validation protocol, which involves posting the IPN notification back to PayPal with cmd=_notify-validate. See the PayPal IPN documentation for details.
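The postback described in the answer above, sketched in Python as an added example; it is not code from the thread or from PayPal. The endpoint URL, the function names and the sample notification body are assumptions for illustration; take the endpoint from PayPal's IPN documentation.

```python
import urllib.request

# Assumption: PayPal's live IPN postback endpoint; confirm it in the IPN documentation.
PAYPAL_IPN_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"

# Constructed sample of a raw IPN POST body, not a real notification.
SAMPLE_IPN = (b"txn_id=TEST123&payment_status=Completed"
              b"&receiver_email=merchant%40example.com&mc_gross=10.00")


def build_validation_body(raw_body: bytes) -> bytes:
    """Prefix the untouched IPN body with cmd=_notify-validate.

    The original bytes go back exactly as received: re-encoding or
    reordering the fields makes the postback differ from what PayPal sent.
    """
    return b"cmd=_notify-validate&" + raw_body


def https_post(url: str, body: bytes) -> str:
    """Default transport: HTTPS POST, certificate checks left at urllib defaults."""
    req = urllib.request.Request(
        url,
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("ascii", "replace")


def ipn_is_genuine(raw_body: bytes, post=https_post) -> bool:
    """Return True only if PayPal answers the postback with VERIFIED.

    INVALID, an error page or a transport failure all count as not
    genuine, so the handler fails closed.
    """
    if not raw_body:
        return False
    try:
        reply = post(PAYPAL_IPN_URL, build_validation_body(raw_body))
    except OSError:  # covers URLError, HTTPError and socket timeouts
        return False
    return reply.strip() == "VERIFIED"
```

The `post` parameter exists so the check can be exercised offline with a stand-in transport; in the IPN handler, pass the request's raw body bytes rather than a parsed form.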