
How do I edit notify.php to update the Paypal valid IP addresses?

Started by shoconnor, March 11, 2010, 09:12:57 AM

amorino

Hello gripped,
I do confirm it works now after the modifications given by gripped!
I just received 2 orders now and all is OK ;)
Thanks a lot

Amorino
www.modules.idealconception.com
Web site creation Tunisia
http://www.idealconception.com

stinga

G'day,

I am working on a change to notify.php.
It would be better to take the IP address and turn it into a host name using gethostbyaddr(), then compare the output with notify and www; this will then always work, since PP don't seem to know what is wrong or are not going to fix it.
Stinga.
614869 products in 747 categories with 15749 products in 1 category.
                                             Document Complete   Fully Loaded
                Load Time First Byte Start Render   Time      Requests      Time      Requests
First View     2.470s     0.635s     1.276s          2.470s       31            2.470s      31
Repeat View  1.064s     0.561s     1.100s          1.064s       4             1.221s       4

matteo

Please verify: for me, without making changes, today's orders started to work fine again with automatic change of status.

stinga

G'day all,

I just changed my code to...

   if( PAYPAL_DEBUG != "1" ) {
   /*stinga*/
       // Reverse-resolve the caller's IP to a hostname instead of checking an IP list
       $paypal_sandbox_hostname = 'ipn.sandbox.paypal.com';
       $remote_hostname = gethostbyaddr( $_SERVER['REMOTE_ADDR'] );

       $valid_ip = false;

       if( $paypal_sandbox_hostname == $remote_hostname )
       {
           $valid_ip = true;
           $hostname = 'www.sandbox.paypal.com';
       }
       else
       {
           // Live IPN traffic is accepted from either PayPal hostname
           if ($remote_hostname == 'www.paypal.com' or $remote_hostname == 'notify.paypal.com')
           {
               $valid_ip = true;
           }
           $hostname = 'www.paypal.com';
       }

       if( !$valid_ip ) {

In other words, turn the client IP address (PayPal's) into an FQDN and compare it against notify.paypal.com and www.paypal.com; if it matches, set valid_ip to true.
This saves having to maintain the list of IP addresses.
Stinga.

amorino

Hello,
Could you please tell me where exactly to put this code, Stinga?
Best regards

stinga

notify.php

Look for the line
if( PAYPAL_DEBUG != "1" ) {
and replace everything up to
if( !$valid_ip ) {

And you should be OK. Test well: if you make an error your order will not change status, but everything else will be OK.
Stinga.

amorino

Thanks a lot
I'll test it today :)

Best regards
amorino

stinga

G'day all,

Got an email today from PP saying they had fixed their DNS, so things should work again...

; <<>> DiG 9.3.1 <<>> notify.paypal.com A
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51117
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;notify.paypal.com. IN A

;; ANSWER SECTION:
notify.paypal.com. 600 IN A 66.211.170.66

;; AUTHORITY SECTION:
paypal.com. 40 IN NS ppns1.phx.paypal.com.
paypal.com. 40 IN NS ppns2.den.paypal.com.
paypal.com. 40 IN NS ppns2.phx.paypal.com.
paypal.com. 40 IN NS ppns1.den.paypal.com.

;; ADDITIONAL SECTION:
ppns1.phx.paypal.com. 1311 IN A 66.211.168.226
ppns1.den.paypal.com. 1311 IN A 216.113.188.121
ppns2.phx.paypal.com. 1311 IN A 66.211.168.227
ppns2.den.paypal.com. 114 IN A 216.113.188.122

;; Query time: 143 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Mar 17 22:23:29 2010
;; MSG SIZE  rcvd: 203


Other than that they don't have the .202 address in there, but maybe they are not going to use that one now!
Stinga.

mwf

Stinga / all,

PayPal lists their IP addresses here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/howto_api_golivechecklist

Using gethostbyaddr() is not safe because a DNS server can be set to reply with an incorrect hostname.

Here is the code I use to validate the PayPal IP:

if( PAYPAL_DEBUG != "1" ) {
    // List of valid PayPal IP addresses
    $paypal_iplist = array('64.4.241.16', '64.4.241.32', '64.4.241.33', '64.4.241.34', '64.4.241.35', '64.4.241.36',
        '64.4.241.37', '64.4.241.38', '64.4.241.39', '216.113.188.32', '216.113.188.33', '216.113.188.34', '216.113.188.35',
        '216.113.188.64', '216.113.188.65', '216.113.188.66', '216.113.188.67', '66.211.169.2', '66.211.169.65' );

    // Addresses used by notify.paypal.com
    $notify_iplist = array('216.113.188.202', '216.113.188.203', '216.113.188.204', '66.211.170.66');

    $paypal_iplist = array_merge( $paypal_iplist, $notify_iplist );

    // Sandbox traffic is still matched by its reverse DNS name
    $paypal_sandbox_hostname = 'ipn.sandbox.paypal.com';
    $remote_hostname = gethostbyaddr( $_SERVER['REMOTE_ADDR'] );

    $valid_ip = false;

    if( $paypal_sandbox_hostname == $remote_hostname ) {
        $valid_ip = true;
        $hostname = 'www.sandbox.paypal.com';
    } elseif( in_array($_SERVER['REMOTE_ADDR'], $paypal_iplist) ) {
        // Live traffic must come from one of the listed addresses
        $valid_ip = true;
        $hostname = 'www.paypal.com';
    } else {
        // $ips is used in the mail body below but was never set; build it from the list.
        // debug_msg(), vmMail(), $mosConfig_* and $invoice are provided by notify.php / VirtueMart.
        $ips = implode( ', ', $paypal_iplist );
        debug_msg( "Error code 506. Possible fraud. Error with REMOTE IP ADDRESS = ".$_SERVER['REMOTE_ADDR'].".
                    The remote address of the script posting to this notify script does not match a valid PayPal ip address\n" );

        $mailsubject = "PayPal IPN Transaction on your site: Possible fraud";
        $mailbody = "Error code 506. Possible fraud. Error with REMOTE IP ADDRESS = ".$_SERVER['REMOTE_ADDR'].".
                    The remote address of the script posting to this notify script does not match a valid PayPal ip address\n
                    These are the valid IP Addresses: $ips

                    The Order ID received was: $invoice";
        vmMail( $mosConfig_mailfrom, $mosConfig_fromname, $debug_email_address, $mailsubject, $mailbody );

        exit();
    }
}

Micah
Professional Joomla Development and Support
http://www.exps.ca

stinga

If someone has managed to poison your DNS, then you have bigger problems. If someone can circumvent the DNS then they can spoof the IP address as well.

They list the IP addresses and they also said, don't use IP addresses since they might change.
Stinga.
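Added example (not code from this thread or from VirtueMart): a forward-confirmed reverse DNS check that keeps Stinga's "no IP list to maintain" idea while addressing mwf's objection. It goes beyond the snippets above by resolving the PTR name forward again and requiring the caller's IP to appear in that answer, so a PTR record set on an unrelated netblock is not enough by itself. The offline resolver tables are constructed for the demo; 203.0.113.9 is a documentation-range address, and the PayPal IPs are the ones quoted in the thread.

```php
<?php
// Forward-confirmed reverse DNS (FCrDNS) for an IPN caller. A PTR record alone
// is set by whoever controls the IP block, so a reverse lookup answering
// "www.paypal.com" proves nothing by itself. Resolving that name forward and
// requiring the original IP to be in the answer ties the claim to DNS that
// PayPal controls (still subject to the integrity of your own resolver).
function ipn_caller_is_valid($ip, array $allowedHosts, $reverse = null, $forward = null)
{
    // Default to the real PHP resolver functions; a test can inject fakes.
    $reverse = $reverse ?: 'gethostbyaddr';   // IP -> hostname
    $forward = $forward ?: 'gethostbynamel';  // hostname -> array of IPs

    $host = $reverse($ip);
    // gethostbyaddr() returns the IP unchanged when no PTR exists: reject that too.
    if ($host === false || $host === $ip) {
        return false;
    }
    if (!in_array(strtolower($host), $allowedHosts, true)) {
        return false;
    }
    // Forward confirmation: the claimed name must resolve back to the caller.
    $ips = $forward($host);
    return is_array($ips) && in_array($ip, $ips, true);
}

// Constructed offline stand-ins for DNS (hypothetical data for the demo).
$fakePtr = array(
    '66.211.170.66' => 'notify.paypal.com', // genuine caller: PTR and A records agree
    '203.0.113.9'   => 'www.paypal.com',    // PTR on an unrelated address claiming to be PayPal
);
$fakeA = array(
    'notify.paypal.com' => array('66.211.170.66'),
    'www.paypal.com'    => array('66.211.169.2', '66.211.169.65'), // does not include 203.0.113.9
);
$reverse = function ($ip) use ($fakePtr) { return isset($fakePtr[$ip]) ? $fakePtr[$ip] : $ip; };
$forward = function ($h) use ($fakeA) { return isset($fakeA[$h]) ? $fakeA[$h] : false; };

$allowed = array('notify.paypal.com', 'www.paypal.com', 'ipn.sandbox.paypal.com');
var_dump(ipn_caller_is_valid('66.211.170.66', $allowed, $reverse, $forward));
var_dump(ipn_caller_is_valid('203.0.113.9', $allowed, $reverse, $forward));
```

Forward confirmation defeats a lying PTR on someone else's netblock, but it still trusts the resolver's answers for paypal.com, which is the residual risk Stinga points to. It also depends on PayPal maintaining a PTR for every sending address, which the dig output earlier in the thread shows was not reliable at the time.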