Verification does not validate receiver_email / business
There is a slight problem with the isValid() method. There is no check to see that the receiver_email or business field matches the intended receiver.
The reason this is important is I can configure a paypal account with an IPN post back that points to your process method. The IPN will verify but the funds will be deposited into my account.
I guess this logic could be implemented in the method that you put in the app_controller. This may be confusing as the transaction will be recorded in the database although it is an invalid transaction.
This is by design. isValid() is a postback to paypal to verify the IPN indeed came from paypal and not someone trying to send bogus IPN data to your application. That's all it does.
It is then up to you, as the developer, to do with that data what you want: verify the right amount, the right product_id, the correct emails, etc...
While you may consider it an "invalid" transaction based on various conditions, it is not an invalid transaction according to paypal, and as such shouldn't be ignored by the plugin -- you should instead deal with these transactions in a customer friendly way (i.e. email a decline notice, or start a support ticket, etc.)
That makes sense. Thanks for clarifying.
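The checks the maintainer's reply leaves to the application, as an added example that is not the plugin's code: it takes an IPN that has already passed the isValid() postback and confirms it names the shop's own merchant account (receiver_email/business), the expected amount, currency and item, and an unseen txn_id. All merchant values and sample IPNs are constructed placeholders.

```python
from decimal import Decimal, InvalidOperation

# Constructed placeholders: the shop's own PayPal account email(s). If a button
# uses a merchant account ID in the "business" field, add that ID here too.
ALLOWED_RECEIVERS = {"merchant@example.com"}


def check_verified_ipn(ipn, expected_amount, expected_currency, expected_item, seen_txn_ids):
    """Return (accepted, reasons) for an IPN PayPal has already marked VERIFIED.

    The postback only proves PayPal sent the message; these checks prove the
    payment is the one this shop expected. Every failed check is listed so the
    caller can still record the transaction and handle it (decline notice,
    support ticket) instead of silently dropping it.
    """
    reasons = []
    # receiver_email / business name the account that was actually credited. An
    # IPN for a payment into a different account passes the postback just as well.
    receivers = {ipn.get(k, "").strip().lower() for k in ("receiver_email", "business")}
    receivers.discard("")
    if not receivers or not receivers <= {r.lower() for r in ALLOWED_RECEIVERS}:
        reasons.append("receiver is not our merchant account: %s" % sorted(receivers))
    if ipn.get("payment_status") != "Completed":
        reasons.append("payment_status is %r, not Completed" % ipn.get("payment_status"))
    try:
        paid = Decimal(ipn.get("mc_gross", ""))
    except InvalidOperation:
        paid = None
    if paid is None or paid != Decimal(expected_amount):
        reasons.append("mc_gross %r != expected %s" % (ipn.get("mc_gross"), expected_amount))
    if ipn.get("mc_currency") != expected_currency:
        reasons.append("mc_currency mismatch")
    if ipn.get("item_number") != expected_item:
        reasons.append("item_number mismatch")
    txn_id = ipn.get("txn_id")
    if not txn_id or txn_id in seen_txn_ids:  # a replayed IPN also verifies
        reasons.append("missing or replayed txn_id")
    return (not reasons, reasons)


# Constructed sample IPNs: PayPal's field names, made-up values.
GOOD_IPN = {"receiver_email": "Merchant@example.com", "business": "merchant@example.com",
            "payment_status": "Completed", "mc_gross": "19.99", "mc_currency": "USD",
            "item_number": "SKU-42", "txn_id": "TXN-CONSTRUCTED-1"}
# Same payment shape, but the funds went to a different PayPal account.
REDIRECTED_IPN = dict(GOOD_IPN, receiver_email="someone-else@example.net",
                      business="someone-else@example.net", txn_id="TXN-CONSTRUCTED-2")

if __name__ == "__main__":
    for label, ipn in (("good", GOOD_IPN), ("redirected", REDIRECTED_IPN)):
        print(label, check_verified_ipn(ipn, "19.99", "USD", "SKU-42", set()))
```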