Do I need SSL on my Web Server for use with PayPal IPN?

PayPal upgrades:

1) Changes to PayPal security for HTTP/1.1 and TLS 1.2
2) IPN Verification Postback to HTTPS

PayPal say their target for both of these is June 2018.

You may have seen an article from PayPal which talks about HTTP/1.1 and TLS 1.2. This is a server issue
which is the responsibility of your web host. Essentially PayPal is upgrading all of its servers to meet
the latest standards, so every connection your web server makes to PayPal must also use HTTP/1.1 and
TLS 1.2; in practice that means a reasonably recent OpenSSL and cURL build. You should contact your host
about this if you are unsure, although most servers will already meet these standards.

The second update is using HTTPS for IPN verification.

PayPal says:

“If you are using PayPal’s instant Payment Notification (IPN) service, you will need to ensure
that HTTPS is used when posting the message back to PayPal for verification. HTTP PostBacks
will no longer be supported.”

“Merchants and partners use Instant Payment Notification (IPN) to receive notifications of
events related to PayPal transactions. The IPN message service requires that you acknowledge
receipt of these messages and validate them. This process includes posting the messages back
to PayPal for verification. In the past, PayPal has allowed the use of HTTP for these
PostBacks. For increased security going forward, only HTTPS will be allowed for PostBacks to
PayPal. At this time, there is no requirement for HTTPS on the outbound IPN call from PayPal
to the merchant’s IPN listener.”

In practice this means that your web server must be able to open outgoing HTTPS connections to PayPal
(TLS 1.2, with a CA bundle that lets it validate PayPal's certificate), so that the verification PostBack
is sent over https, and that you then change the set-up of your PHP-KeyCodes, PHP-eSeller or
PHP-SecureArea application to identify the URL of the site as https rather than http.

Note: if the PostBack cannot be made, a customer's purchase would still succeed at PayPal, but your store
would not be notified of that fact and your records would not reflect the sale. Nor would the PHP
application automatically send the download or login information to the customer by email.

Refer to PayPal documentation:

https://www.paypal.com/au/webapps/mpp/ipn-verification-https

So do I need SSL on my Web Server when using PayPal IPN? Yes. Without HTTPS the PostBack to PayPal will
be refused and your sales will go unrecorded, and serving your own site over HTTPS also gives better
security: the IPN message PayPal sends to your listener, and your customers' pages, are then protected in transit.

New version of PHP Subscription Manager

The PHP Subscription Manager PHP-SecureArea has been updated to give administration pages that are more responsive and easier to use.

PHP-SecureArea enables you to set up a subscription manager in PHP and a demo version of the new administration pages can be seen at:

https://www.withinweb.com/phpsecureareademos/admin/index.php

The PHP membership script uses the facilities of PayPal to automatically allow customers access to secure areas of your web site after a valid payment has been received.

For full information go to:

https://www.withinweb.com/phpsecurearea/

Setting up email for use with PHP applications

If your web application needs to send emails from your web server, for such things as download information or login details, then you will need to set up an email account on your hosting system. This is particularly true for an application such as PHP-eSeller, where it is important for the emails to be sent out correctly and reach their destination without ending up in the spam folder. Sending from a real mailbox on your own domain, rather than an invented From address, and having SPF and DKIM records published for that domain (most hosts offer this in the same control panel) is what keeps such mail out of spam folders.

Log into your hosting account, where you set up your databases and administer your web hosting. Normally this will be cPanel.

You should see a section identified as “Mail”.

You need to set up an email account, so click on the link for “Email accounts” which will take you to a display where you create an account with a user name and password for your domain.

Enter an email account name. For my applications I normally create an admin account, so this will become admin@myservername.com. You also need to enter a password, which you should keep a record of.

Now that you have created your account, your hosting will provide you with a link to a web mail client where you can login and then see your emails. You may want to send a test email to your account from hotmail or yahoo just to see how it works.

Now that you have an email account set up, you can use this in your PHP applications.

There is one other step that you may want to do, and that is to redirect this email to one of your other accounts. This will mean that when someone emails admin@yourservername.com, it will appear in your hotmail or yahoo account.

To do this, in cPanel under the "Mail" section, click on the link called "Forwarders", then click the "Add Forwarder" button, which takes you to a page where you enter the address to forward and the address it should be delivered to.

Update to PayPal IPN

In September 2016 PayPal is changing its requirement for posting IPN messages back to PayPal for verification.

They are making the post URL https. My current versions of the scripts already post to https, so there should not be any change required; however, they also suggest that https://ipnpb.paypal.com/cgi-bin/webscr should be used in the future rather than https://www.paypal.com/cgi-bin/webscr.

Change:

https://www.paypal.com/cgi-bin/webscr

to

https://ipnpb.paypal.com/cgi-bin/webscr
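Putting the two PayPal posts together (the HTTPS PostBack requirement in "Do I need SSL on my Web Server for use with PayPal IPN?" above, and the ipnpb endpoint change in this one), here is an added example of an IPN listener written for this page. It is not code from PHP-eSeller, PHP-SecureArea or PHP-KeyCodes. The receiver address, currency and price, and the two persistence helpers, are assumptions to replace with your own; everything else follows PayPal's documented _notify-validate exchange.

```php
<?php
// Added example, not code from PHP-eSeller, PHP-SecureArea or PHP-KeyCodes.
// A minimal IPN listener that posts the notification back to PayPal over
// HTTPS at the ipnpb endpoint and acts only on a VERIFIED reply.
// Assumptions (not from the page): the $expected* values describe your own
// PayPal account and product price; txn_already_seen()/record_sale() stand
// in for your order table and are file-based placeholders here.

const IPN_VERIFY_URL = 'https://ipnpb.paypal.com/cgi-bin/webscr';
// For sandbox testing use https://ipnpb.sandbox.paypal.com/cgi-bin/webscr

/**
 * Post the raw IPN body back to PayPal over TLS 1.2 and return its answer
 * ("VERIFIED" or "INVALID"), or null when the HTTPS request itself failed.
 * Nothing here needs a certificate on your own server: it needs a cURL/OpenSSL
 * build that can speak TLS 1.2 and validate PayPal's certificate chain.
 */
function paypal_ipn_postback(string $rawBody, string $verifyUrl = IPN_VERIFY_URL): ?string
{
    $ch = curl_init($verifyUrl);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        // PayPal wants the original fields, unchanged and in order, prefixed with the validate command
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,   // never set this to false to "make it work"
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_SSLVERSION     => CURL_SSLVERSION_TLSv1_2,
        CURLOPT_HTTP_VERSION   => CURL_HTTP_VERSION_1_1,
        CURLOPT_HTTPHEADER     => ['Connection: Close', 'User-Agent: PHP-IPN-Verification'],
        CURLOPT_TIMEOUT        => 30,
    ]);
    $response = curl_exec($ch);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $error    = curl_error($ch);
    curl_close($ch);
    if ($response === false || $httpCode !== 200) {
        error_log("IPN postback failed: HTTP $httpCode $error");
        return null;
    }
    return trim($response);
}

/**
 * Decide what a VERIFIED notification means for your store. VERIFIED only
 * proves PayPal sent it; it does not prove the money reached *your* account
 * or that the right amount was paid, so those are checked here.
 */
function paypal_ipn_assess(array $ipn, string $expectedReceiver, string $expectedCurrency, string $expectedGross): string
{
    $status = $ipn['payment_status'] ?? '';
    if ($status === 'Pending') {
        // e.g. pending_reason=multi_currency: a foreign-currency payment is
        // waiting for you to accept it in your PayPal account
        return 'pending: ' . ($ipn['pending_reason'] ?? 'unknown');
    }
    if ($status !== 'Completed') {
        return 'ignored: payment_status=' . $status;
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $expectedReceiver) !== 0) {
        return 'rejected: receiver_email is not your account';
    }
    if (($ipn['mc_currency'] ?? '') !== $expectedCurrency
        || number_format((float)($ipn['mc_gross'] ?? 0), 2, '.', '') !== $expectedGross) {
        return 'rejected: amount or currency mismatch';
    }
    return 'completed';
}

// Placeholder persistence (assumption): replace with your order table.
function txn_already_seen(string $txnId): bool
{
    return is_file(sys_get_temp_dir() . '/ipn_seen_' . md5($txnId));
}
function record_sale(array $ipn): void
{
    touch(sys_get_temp_dir() . '/ipn_seen_' . md5($ipn['txn_id']));
    // ...mark the order paid and e-mail the download/login details here
}

// ---- entry point: PayPal POSTs the notification to this script ----
$raw = file_get_contents('php://input');
$ipn = [];
parse_str($raw, $ipn);

$verdict = paypal_ipn_postback($raw);
if ($verdict !== 'VERIFIED') {
    // INVALID, or the HTTPS postback could not be made (old OpenSSL, no TLS 1.2,
    // or the script still pointing at http://). Log it and change nothing.
    error_log('IPN not verified: ' . var_export($verdict, true));
    exit;
}

$result = paypal_ipn_assess($ipn, 'sales@example.com', 'GBP', '9.99');   // assumed account details
if ($result === 'completed' && isset($ipn['txn_id']) && !txn_already_seen($ipn['txn_id'])) {
    record_sale($ipn);   // a replayed copy of an old VERIFIED message is stopped by the txn_id check
}
error_log('IPN ' . ($ipn['txn_id'] ?? '?') . ': ' . $result);
```

Install it at the URL you give PayPal as your IPN listener. If the postback keeps returning null, the fix is on the server (a cURL/OpenSSL that supports TLS 1.2 and has a current CA bundle), not a certificate for your own domain; if PayPal answers INVALID, check that the body was posted back byte-for-byte unmodified. The receiver, currency, amount and txn_id checks are what stop a forged or replayed notification from marking an order paid, and a Pending status with pending_reason multi_currency is exactly the situation described under "Using different currencies in PayPal" below.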

PayPal upgrade to Certificate which may affect IPN based programs and scripts

There has been quite a bit of chat about the changes PayPal are making to their system during September 2015 to move to SHA-256 signed certificates. This is to do with improving the security of SSL (Secure Sockets Layer, today TLS), the layer underneath https.

A part of their message is:

“PayPal is upgrading the certificate for www.paypal.com to SHA-256. This endpoint is also used by merchants using the Instant Payment Notification (IPN) product.”

PayPal IPN can be used without SSL, that is over plain http. That is why many developers like it: it does not need an SSL certificate on their web server, which can be expensive, especially if you are a small trader selling a small number of items.

So the kind of systems that are affected are those that make https connections from your server to the PayPal server, for example through the PayPal API or an https verification PostBack.

IPN over plain http will be supported as it currently is, so you will still be able to supply a plain http link to your IPN listener script. However, if your IPN listener script or your server connects to PayPal over SSL/TLS, the server's SSL/TLS library must be able to validate SHA-256 signed certificates; any reasonably current OpenSSL can.

So do the changes affect the scripts on www.Withinweb.com that use IPN? The answer is no, it does not affect the scripts at all.

PHP-eSeller, PHP-SecureArea and PHP-KeyCodes use a simple handshake with PayPal to verify that the transaction has taken place, and hence no modifications are needed to the applications.

About htpasswd – The file to store passwords

The htpasswd file is used when password protecting a website or a directory using HTTP Authentication and Apache’s htaccess files.

The htpasswd file contains the username in plain text and a hashed password. A hash is not encryption: it cannot be reversed, only compared against a guess, which is why the file must still be kept out of reach.

Each line contains a username and a password hash separated by a colon ":". The default hash algorithm has varied by platform and Apache version: older Unix builds used the system crypt() function, Windows builds used Apache's MD5 variant ($apr1$), and current htpasswd uses that MD5 variant everywhere unless told otherwise. Prefer bcrypt (htpasswd -B), which is deliberately slow and so far more resistant to offline guessing than crypt() or MD5.

Normally the htpasswd file is named .htpasswd, but you can name your password file whatever you like. You could call it "passwords.txt"; however, Apache is usually configured to deny access to files starting with ".ht", and a file named "passwords.txt" inside the web root could be downloaded by anyone, giving them every valid username and the hashes to crack offline. Better still, keep the file outside the document root altogether, where no name-based rule is needed.

It is therefore recommended to name a password file .htpasswd and to store it outside the web root.

Hashed passwords can be generated with the command-line tool htpasswd (htpasswd.exe on Windows) which is part of a normal Apache installation. You can also create them yourself using PHP.
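As an added example of creating the entries from PHP (not code from the page's applications), the following writes and checks .htpasswd lines using bcrypt, the same $2y$ format that htpasswd -B produces and Apache 2.4 accepts. The temporary file path in the demonstration is an assumption; a real file belongs outside the document root.

```php
<?php
// Added example, not code from the page's applications: create and check
// .htpasswd entries from PHP using bcrypt, the same "$2y$" format that
// "htpasswd -B" writes and that Apache 2.4 verifies. The file path used in
// the demonstration at the bottom is an assumption; a real file belongs
// outside the document root.

/**
 * Build one "user:hash" line. The username may not contain ':' or a line
 * break, otherwise it would corrupt the one-entry-per-line format.
 */
function htpasswd_line(string $user, string $password, int $cost = 12): string
{
    if ($user === '' || preg_match('/[:\r\n]/', $user)) {
        throw new InvalidArgumentException('username must be non-empty and contain no ":" or newline');
    }
    // bcrypt: salted and deliberately slow, so a stolen file is costly to crack
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    return $user . ':' . $hash;
}

/**
 * Add or replace the entry for $user, rewriting the file under an exclusive
 * lock so two administrative requests cannot interleave their writes.
 */
function htpasswd_set(string $file, string $user, string $password): void
{
    $lines = is_file($file) ? file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : [];
    $kept  = [];
    foreach ($lines as $line) {
        if (explode(':', $line, 2)[0] !== $user) {
            $kept[] = $line;
        }
    }
    $kept[] = htpasswd_line($user, $password);
    file_put_contents($file, implode("\n", $kept) . "\n", LOCK_EX);
}

/**
 * Check a username/password pair against the file. password_verify() goes
 * through crypt(), so bcrypt and traditional crypt() entries both work;
 * Apache's "{SHA}" and "$apr1$" MD5 entries are not covered and should be
 * regenerated with bcrypt. Unknown users simply fail.
 */
function htpasswd_verify(string $file, string $user, string $password): bool
{
    if (!is_file($file)) {
        return false;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        list($name, $hash) = array_pad(explode(':', $line, 2), 2, '');
        if ($name === $user) {
            return $hash !== '' && password_verify($password, $hash);
        }
    }
    return false;
}

// Demonstration on a throwaway file (constructed here, not a real site's file).
$file = sys_get_temp_dir() . '/demo.htpasswd';
htpasswd_set($file, 'admin', 'correct horse battery staple');
htpasswd_set($file, 'editor', 'another long passphrase');
var_dump(htpasswd_verify($file, 'admin', 'correct horse battery staple'));
var_dump(htpasswd_verify($file, 'admin', 'wrong password'));
var_dump(htpasswd_verify($file, 'nobody', 'anything'));
unlink($file);
```

Point Apache at the file from the protected directory's .htaccess with `AuthType Basic`, `AuthName "Admin"`, `AuthUserFile /home/account/private/.htpasswd` (a path outside the web root) and `Require valid-user`, and serve that directory over HTTPS only: Basic authentication sends the password base64-encoded, not encrypted, with every request.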

Using different currencies in PayPal

What currency should you sell your products in ? 

PayPal is able to handle quite a wide range of currencies and you have to decide which currency you should sell your products in.

I guess the question really is “are you selling to the world or are you expecting payments from customers who are based in your locality ?”  This will depend on the type of products you are selling.  Digital products have the advantage that you have no shipping to worry about so you can choose whatever currency you want. 

The only issue that I have discovered with selling in different currencies is to do with the set-up of your associated PayPal account. If your 'native' PayPal currency is GBP and you want to sell in Euros, you have to tell PayPal to automatically accept 'foreign' currency transactions (the default is to ask). If you do not do this and you receive a purchase through your shopping cart, you will receive an email saying something like "PayPal purchase verified and order is waiting to be processed" with body text of: "Unknown pending reason was received." In IPN terms the notification arrives with payment_status set to Pending and pending_reason set to multi_currency, so the store cannot treat the sale as complete.

Telling PayPal to accept all currencies and convert them to GBP resolves the issue.

Configuring the fckeditor HTML editor

The fckeditor is described on the web site http://www.fckeditor.net and is a configurable html text editor with many add ons and plugins.

The configuration file fckconfig.js is set to use the English language 'en' with a toolbar set called 'pg_toolbar'. The FCKeditor web site provides a full description of its options and configuration.

The fckeditor has the ability to upload images and files with a file manager system. This is disabled by default.

To set up the upload facility in fckeditor.

(A)

In the file \fckeditor\editor\filemanager\browser\default\connectors\php\config.php

change 'false' to 'true' to allow uploads. Because this connector accepts files from anyone who can reach its URL, only enable it where the editor sits behind an administrator login, and leave it disabled on any public-facing page.

The relevant line in config.php file :
// SECURITY: You must explicitly enable this "connector". (Set it to "true").
$Config['Enabled'] = false ;

(B)

Create a folder on the server where you want the files to be located and identify
the folder in \fckeditor\editor\filemanager\browser\default\connectors\php\config.php

Then make that folder writable by the web server user. Many guides say to set its permissions to 777, but that makes it writable by every account on the server; 755 with the folder owned by the web server user (or 775 with the server in the folder's group) is enough, and the folder should not be allowed to execute scripts.

The relevant line in config.php file :
// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/UserFiles/';

the document root being the root of the web server.
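As an added example (not FCKeditor's shipped config.php and not code from the page's applications), here is a hardened version of the connector settings from steps (A) and (B), written for FCKeditor 2.x. The session variable is an assumption about how your application records an administrator login; the extension lists are a deliberately tight allow-list you can widen as needed.

```php
<?php
// Added example for the upload connector discussed above: a hardened version
// of the settings in FCKeditor 2.x
// \fckeditor\editor\filemanager\browser\default\connectors\php\config.php,
// not the file as shipped. $_SESSION['admin_logged_in'] is an assumption about
// how your application marks a logged-in administrator; ForceSingleExtension
// and SecureImageUploads exist in later 2.x releases and are simply ignored
// by older connectors.
session_start();

// Enable the connector only for an authenticated administrator. For anyone
// else it stays disabled, exactly as it ships, so the upload URL is useless
// to an anonymous visitor who discovers it.
$Config['Enabled'] = !empty($_SESSION['admin_logged_in']);

// Upload folder, relative to the document root. Make it writable by the web
// server user only (not 777) and deny script execution inside it.
$Config['UserFilesPath'] = '/UserFiles/';

// "shell.php.jpg" is stored as "shell_php.jpg": only the last extension
// survives, so a double-extension trick cannot produce an executable file.
$Config['ForceSingleExtension'] = true;

// Verify that uploaded "images" really decode as images (FCKeditor 2.6+).
$Config['SecureImageUploads'] = true;

// Allow-list what each upload type may contain. An empty AllowedExtensions
// list means "anything not explicitly denied", which is what to avoid.
$Config['AllowedExtensions']['File']  = array('pdf', 'zip', 'txt');
$Config['DeniedExtensions']['File']   = array('php', 'php3', 'php4', 'php5', 'phtml', 'phar',
                                              'htaccess', 'html', 'htm', 'js', 'exe', 'svg');
$Config['AllowedExtensions']['Image'] = array('jpg', 'jpeg', 'gif', 'png');
$Config['DeniedExtensions']['Image']  = array();
```

Pair this with an .htaccess inside /UserFiles/ that stops the web server from running anything that does slip through: with mod_php, `php_flag engine off` and `RemoveHandler .php .phtml .php3`; with PHP-FPM, a `<FilesMatch "\.ph(p[0-9]?|tml|ar)$">` block containing `Require all denied`. The allow-list then controls what can be stored, and the .htaccess controls what can execute, so a mistake in one is caught by the other.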

Another area of customisation that you may want to implement is defining the toolbar that appears above the text box which is used to enter product descriptions. The toolbar has been trimmed to make it more manageable and to remove tools that are not required all that often. However, you may want to add back in some buttons which is very easy to do.

Open up the file /fckeditor/fckconfig.js (where the toolbar sets are defined) with a suitable text editor.

The toolbar that we use is called FCKConfig.ToolbarSets[“pg_toolbar”].

The default toolbar is FCKConfig.ToolbarSets[“Default”].

If you want to add a button from the default toolbar, just copy it and place it into FCKConfig.ToolbarSets[“pg_toolbar”].

Or if you want all the buttons, rename FCKConfig.ToolbarSets[“Default”] to FCKConfig.ToolbarSets[“pg_toolbar”] and remove the old FCKConfig.ToolbarSets[“pg_toolbar”].

Note that the very last button on the toolbar is used to maximise the editor window which can help if you are doing more detailed work with the html.

Restoring Your mySQL Database From Backup using phpMyAdmin

phpMyAdmin is a program used to manipulate databases remotely through a web interface. A good hosting package will have this included.

  1. Login to phpMyAdmin.
  2. Create a new blank database first.
  3. Click databases, and select the database that you will be importing your data into.
  4. Across the top of the screen will be a row of tabs. Click the Import tab.
  5. On the next screen will be a Location of Text File box, and next to that a button named Browse.
  6. Click Browse. Locate the backup file stored on your computer.
  7. Make sure the SQL radio button is checked.
  8. Click the Go button.

Eventually you will see a success screen.

Backing up a database using phpMyAdmin

This description applies to all the applications: PHP-eSeller, PHP-SecureArea and PHP-KeyCodes.

You should backup your database at regular intervals. You will then be able to restore the database if something goes wrong.

phpMyAdmin is the name of the program that you can use to manipulate databases. It is usually provided as part of your control panel from your hosting company.

1.  Log into your web server control panel to access phpMyAdmin

2. Select ‘Databases’


3. Now click the name of your database.


4. The next screen will show you all the tables inside your database.  Click the ‘Export’ tab on the top set of tabs.


5. Look at the left box at the top of the Export section. All the tables in the database you selected are in that box.


* If you have other programs that use the database, then choose only those tables that correspond to your install. In the case of PHP-eSeller they are the ones that start with "ipn_", with PHP-SecureArea they start with "sec_", and with PHP-KeyCodes they start with "key_".
* If the database is being used only by the one program, then, leave it as is (or click ‘Select All’ if you changed the selection)
* Ensure that SQL is checked.

6. In the SQL section, tick the following boxes:

* ‘Structure’
* ‘Add DROP TABLE’
* ‘Add AUTO_INCREMENT’ and
* ‘Enclose table and field names with backquotes’

7. In the DATA section, leave the boxes inside this section unticked, but make sure to keep the checkbox next to the “DATA” heading checked.


8.  Tick the ‘Save as file’ option, and leave the template name as is.


9. Now click ‘Go’ and you should be prompted for a file to download. Save the file to your computer.  Depending on the database size, this may take a few moments.

10. You have now backed up your database. If you want, you can download a backup in each of the compression formats, for example "None" and "zipped".

Remember: you have not backed up your files or images, only the database itself. The export contains your customer records, so keep the downloaded file as well protected as the live server.