

PayPal just told customers to incorrectly update their IPN scripts - GigabyteCoin

So I got a message from paypal@paypal.com today with the subject line: "ACTION REQUIRED: UPDATE YOUR IPN/PDT SCRIPTS"

Sounds pretty important, huh?

I obviously read through it immediately and was about to update my IPN script when I noticed multiple typos (on one line) of their PHP example code.

First off, they failed to embolden the top line of the PHP header script (to indicate you need to change it to http 1.1) and then they told me to add this to my header script:

$header .="Host: 'www.paypal.com\r\n';;

Anybody who knows PHP can tell that that line will make the page spit out errors galore.

I have had it with this company. Can they do absolutely nothing right?

Comments welcome...
======
dalke
You have not presented sufficient evidence that that email came from PayPal.
You have only said that the email address claimed to be from
paypal@paypal.com. Forging an email address is not hard.

Searching for "UPDATE YOUR IPN/PDT SCRIPTS" finds a few pages containing the
email, and various parts of that email corroborate the belief that the email
does actually come from PayPal.

The email I found uses this example:

    
    
        // post back to PayPal system to validate
        $header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
        $header .="Content-Type: application/x-www-form-urlencoded\r\n";
        $header .="Host: www.paypal.com\r\n";
    

Please note that this is in the post back request sent to PayPal, and not your
site header. I believe you believe it's the latter, since that's the only way
to cause "errors galore." Note that the Host header has always been required
in HTTP/1.1.

That email also says that you should have received the first notice about this
change almost a year ago, that you have until Feb. 2013 to do this, and that
they have a sandbox server for testing.

It seems that they are doing everything right, and it is you who are unsure of
the technologies involved.

~~~
GigabyteCoin
Well this is the exact script I was sent just 1 hour ago from PayPal
themselves:

    
    
        PHP
        // post back to PayPal system to validate
        $header .="POST /cgi-bin/webscr HTTP/1.1\r\n";
        $header .="Content-Type: application/x-www-form-urlencoded\r\n";
        $header .="Host: 'www.paypal.com\r\n';;
    

That error in the last line is evident in Gmail's "show original" text as
well.

How is it that I could be getting an incorrect script when other people are
getting the correct one?

~~~
dalke
Because it's the correct script, but it doesn't refer to what you think it
does. It's in the HTTP request that your code is supposed to send to PayPal.
You need to make that be HTTP/1.1 compliant. It's not supposed to be in the
user-facing code.

~~~
eurleif
There are two semicolons on the last line, and single-quotes that shouldn't be
there.

~~~
dalke
Indeed. And those are not in the version which I found elsewhere. My apologies
for not seeing it the first time and for implying that the original poster did
not understand things correctly.

The email I was going on was posted to
[http://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID...](http://www.ecommercetemplates.com/support/topic.asp?TOPIC_ID=90677)
. This does not have the quotes nor the double semicolon, and is correct. So
is the one at <http://www.webassist.com/forums/showthread.php?t=27871> .

However, the email posted to
[http://www.tipsandtricks-hq.com/forum/topic/paypal-updates-a...](http://www.tipsandtricks-hq.com/forum/topic/paypal-updates-affecting-ipn-and-pdt-scripts)
does have that error. In that case, the Java is also malformed, saying
uc.setRequestProperty("Host",;'www.paypal.com';);

If this is a form of email corruption, it is not one I recognize.

------
jeffprom
I also got the email and noticed the same errors that were mentioned here. I
tried to fix it to how it 'should' be, but it still doesn't seem to be
working. Has anyone else gotten theirs to work? Here is what I have:

        // post back to PayPal system to validate
        $header .= "POST /cgi-bin/webscr HTTP/1.1\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "Host: www.paypal.com\r\n";
        $header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
        $fp = fsockopen ('ssl://www.paypal.com', 443, $errno, $errstr, 30);

~~~
ugniss
If you add $header .= "Connection: close\r\n";

it will work.

~~~
jeffprom
Thank you! I added this, as well as checking for VERIFIED\r\n and it worked.
Thanks guys!
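
As an added example (not part of the thread and not PayPal's sample code): a PHP version of the HTTP/1.1 postback discussed above, with the `Host` and `Connection: close` headers, plus a verdict check that tolerates the trailing `\r\n` and fails closed on anything other than an exact `VERIFIED` line. The function names, the `cmd=_notify-validate` sample body and the sample responses are constructed for illustration.

```php
<?php
// Added example; function names are hypothetical, not PayPal's sample code.
// HTTP/1.1 requires Host. "Connection: close" asks the server to close the
// socket after replying, so a read-until-EOF loop ends instead of waiting.
function build_ipn_postback(string $req, string $host = 'www.paypal.com'): string
{
    return "POST /cgi-bin/webscr HTTP/1.1\r\n"
         . "Host: $host\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . "Content-Length: " . strlen($req) . "\r\n"
         . "Connection: close\r\n\r\n"
         . $req;
}

// Not called below, so the example runs offline.
function send_postback(string $request, string $host = 'www.paypal.com'): ?string
{
    $fp = fsockopen("ssl://$host", 443, $errno, $errstr, 30);
    if (!$fp) return null;
    fwrite($fp, $request);
    $raw = stream_get_contents($fp); // returns once the server closes
    fclose($fp);
    return $raw === false ? null : $raw;
}

// Returns 'VERIFIED', 'INVALID', or null. Body lines are trimmed and compared
// exactly, which tolerates trailing "\r\n" and chunk-size lines.
function ipn_verdict(?string $raw): ?string
{
    $parts = explode("\r\n\r\n", (string) $raw, 2);
    if (count($parts) < 2 || !preg_match('#^HTTP/\d\.\d 200\b#', $parts[0])) return null;
    foreach (preg_split('/\r?\n/', $parts[1]) as $line) {
        $line = trim($line);
        if ($line === 'VERIFIED' || $line === 'INVALID') return $line;
    }
    return null;
}

// Constructed sample data, not a real notification or captured response.
$req = 'cmd=_notify-validate&txn_id=EXAMPLE123&payment_status=Completed';
echo build_ipn_postback($req), "\n\n";
$samples = [
    "HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n8\r\nVERIFIED\r\n0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Length: 7\r\n\r\nINVALID",
    "HTTP/1.1 503 Service Unavailable\r\n\r\n<html>error</html>",
];
foreach ($samples as $raw) {
    var_dump(ipn_verdict($raw)); // only 'VERIFIED' should mark an order as paid
}
```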

------
skyepn
I got that too and noticed the typo in their sample PHP code for the Host:
header.

Even after correcting the typo for the new HTTP 1.1 request, I'm finding my
postback verification is being hung up for a long time before I get a VERIFIED
response, during which time Paypal sends me duplicate IPN notifications. I'm
switching back to HTTP/1.0 requests for now since it worked just fine before
and I don't have time to debug this right now.... thanks Paypal...

~~~
jeffprom
That's EXACTLY what I did as well. I had to double check to make sure this
wasn't posted by me. lol

------
benbilly
I got that email too. What a bunch of garbage. I had to google that crap line
just to see what the real fix was:

$header .="Host: www.paypal.com\r\n";

~~~
fireplayer
Same here, they screwed up bad there. You'd expect better from a professional
company really.

~~~
GigabyteCoin
I mean honestly... You're a multi-billion dollar company... This one email is
pertinent to probably 85% of your income... WTF PayPal?!

~~~
nickelmusic
Agreed as well! Just went to update my client's IPN file, and found the PHP
errors as well. Insane to not make sure that's absolutely right before sending
to all their clients.

