PayPal just told customers to incorrectly update their IPN scripts

2 points by GigabyteCoin ↗ HN
So I got a message from paypal@paypal.com today with the subject line: "ACTION REQUIRED: UPDATE YOUR IPN/PDT SCRIPTS"<p>Sounds pretty important, huh?<p>I obviously read through it immediately and was about to update my IPN script when I noticed multiple typos (on one line) of their PHP example code.<p>First off, they failed to embolden the top line of the PHP header script (to indicate you need to change it to http 1.1) and then they told me to add this to my header script:<p>$header .="Host: 'www.paypal.com\r\n';;<p>Anybody who knows PHP can tell that that line will make the page spit out errors galore.<p>I have had it with this company. Can they do absolutely nothing right?<p>Comments welcome...

15 comments

[ 0.23 ms ] story [ 42.8 ms ] thread
You have not presented sufficient evidence that that email came from PayPal. You have only said that the email address claimed to be from paypal@paypal.com. Forging an email address is not hard.

Searching for "UPDATE YOUR IPN/PDT SCRIPTS" finds a few pages containing the email, and various parts of that email corroborate the belief that the email does actually come from PayPal.

The email I found uses this example:

    // post back to PayPal system to validate
    $header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
    $header .="Content-Type: application/x-www-form-urlencoded\r\n";
    $header .="Host: www.paypal.com\r\n";
Please note that this is in the post back request sent to PayPal, and not your site header. I believe you believe it's the latter, since that's the only way to cause "errors galore." Note that the Host header has always been required in HTTP/1.1.

That email also says that you should have received the first notice about this change almost a year ago, that you have until Feb. 2013 to do this, and that they have a sandbox server for testing.

It seems that they are doing everything right, and it is you who are unsure of the technologies involved.

Well this is the exact script I was sent just 1 hour ago from PayPal themselves:

    PHP
    // post back to PayPal system to validate
    $header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
    $header .="Content-Type: application/x-www-form-urlencoded\r\n";
    $header .="Host: 'www.paypal.com\r\n';;
That error in the last line is evident in Gmail's "show original" text as well.

How is it that I could be getting an incorrect script when other people are getting the correct one?

Because it's the correct script, but it doesn't refer to what you think it does. It's in the HTTP request that your code is supposed to send to PayPal. You need to make that be HTTP/1.1 compliant. It's not supposed to be in the user-facing code.
There are two semicolons on the last line, and single-quotes that shouldn't be there.
Indeed. And those are not in the version which I found elsewhere. My apologies for not seeing it the first time and for implying that the original poster did not understand things correctly.

The email I was going on was posted to http://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID... . This does not have the quotes nor the double semicolon, and is correct. So is the one at http://www.webassist.com/forums/showthread.php?t=27871 .

However, the email posted to http://www.tipsandtricks-hq.com/forum/topic/paypal-updates-a... does have that error. In that case, the Java is also malformed, saying uc.setRequestProperty("Host",;'www.paypal.com';);

If this is a form of email corruption, it is not one I recognize.

I got that email too. What a bunch of garbage. I had to google that crap line just to see what the real fix was:

$header .="Host: www.paypal.com\r\n";

Same here, they screwed up bad there. You'd expect better from a professional company really.
I mean honestly... You're a multi-billion dollar company... This one email is pertinent to probably 85% of your income... WTF PayPal?!
Agreed as well! Just went to update my client's IPN file, and found the PHP errors as well. Insane to not make sure that's absolutely right before sending to all their clients.
I also got the email and noticed the same errors that were mentioned here. I tried to fix it to how it 'should' be, but it still doesn't seem to be working. Has anyone else gotten theirs to work? Here is what I have:

// post back to PayPal system to validate $header .= "POST /cgi-bin/webscr HTTP/1.1\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Host: www.paypal.com\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

If you add $header .= "Connection: close\r\n";

it will work.

Thank you! I added this, as well as checking for VERIFIED\r\n and it worked. Thanks guys!
I got that too and noticed the typo in their sample PHP code for the Host: header.

Even after correcting the typo for the new HTTP 1.1 request, I'm finding my postback verification is being hung up for a long time before I get a VERIFIED response, during which time Paypal sends me duplicate IPN notifications. I'm switching back to HTTP/1.0 requests for now since it worked just fine before and I don't have time to debug this right now.... thanks Paypal...

That's EXACTLY what I did as well. I had to double check to make sure this wasn't posted by me. lol