PayPal just told customers to incorrectly update their IPN scripts
So I got a message from paypal@paypal.com today with the subject line: "ACTION REQUIRED: UPDATE YOUR IPN/PDT SCRIPTS"<p>Sounds pretty important, huh?<p>I obviously read through it immediately and was about to update my IPN script when I noticed multiple typos (on one line) of their PHP example code.<p>First off, they failed to embolden the top line of the PHP header script (to indicate you need to change it to http 1.1) and then they told me to add this to my header script:<p>$header .="Host: 'www.paypal.com\r\n';;<p>Anybody who knows PHP can tell that that line will make the page spit out errors galore.<p>I have had it with this company. Can they do absolutely nothing right?<p>Comments welcome...
15 comments
[ 0.23 ms ] story [ 42.8 ms ] threadSearching for "UPDATE YOUR IPN/PDT SCRIPTS" finds a few pages containing the email, and various parts of that email corroborate the belief that the email does actually come from PayPal.
The email I found uses this example:
Please note that this is in the post back request sent to PayPal, and not your site header. I believe you believe it's the latter, since that's the only way to cause "errors galore." Note that the Host header has always been required in HTTP/1.1.That email also says that you should have received the first notice about this change almost a year ago, that you have until Feb. 2013 to do this, and that they have a sandbox server for testing.
It seems that they are doing everything right, and it is you who are unsure of the technologies involved.
How is it that I could be getting an incorrect script when other people are getting the correct one?
The email I was going on was posted to http://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID... . This does not have the quotes nor the double semicolon, and is correct. So is the one at http://www.webassist.com/forums/showthread.php?t=27871 .
However, the email posted to http://www.tipsandtricks-hq.com/forum/topic/paypal-updates-a... does have that error. In that case, the Java is also malformed, saying uc.setRequestProperty("Host",;'www.paypal.com';);
If this is a form of email corruption, it is not one I recognize.
$header .="Host: www.paypal.com\r\n";
// post back to PayPal system to validate $header .= "POST /cgi-bin/webscr HTTP/1.1\r\n"; $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; $header .= "Host: www.paypal.com\r\n"; $header .= "Content-Length: " . strlen($req) . "\r\n\r\n"; $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);
it will work.
A longer explanation, http://jimlowrey.blogspot.com/2012/09/subject-action-require...
Even after correcting the typo for the new HTTP 1.1 request, I'm finding my postback verification is being hung up for a long time before I get a VERIFIED response, during which time Paypal sends me duplicate IPN notifications. I'm switching back to HTTP/1.0 requests for now since it worked just fine before and I don't have time to debug this right now.... thanks Paypal...