PayPal Sandbox testing continuously provides the following error:
http 400 – Bad Request Your browser sent a request that this server could not understand.
I am using the git provided sample code from PayPal and am unable to get around this error.
Code [PayPalIPN.php]
<?php class PaypalIPN { /** @var bool Indicates if the sandbox endpoint is used. */ private $use_sandbox = false; /** @var bool Indicates if the local certificates are used. */ private $use_local_certs = true; /** Production Postback URL */ const VERIFY_URI = 'https://ipnpb.paypal.com/cgi-bin/webscr'; /** Sandbox Postback URL */ const SANDBOX_VERIFY_URI = 'https://ipnpb.sandbox.paypal.com/cgi-bin/webscr'; /** Response from PayPal indicating validation was successful */ const VALID = 'VERIFIED'; /** Response from PayPal indicating validation failed */ const INVALID = 'INVALID'; /** * Sets the IPN verification to sandbox mode (for use when testing, * should not be enabled in production). * @return void */ public function useSandbox() { $this->use_sandbox = true; } /** * Sets curl to use php curl's built in certs (may be required in some * environments). * @return void */ public function usePHPCerts() { $this->use_local_certs = false; } /** * Determine endpoint to post the verification data to. * * @return string */ public function getPaypalUri() { if ($this->use_sandbox) { return self::SANDBOX_VERIFY_URI; } else { return self::VERIFY_URI; } } /** * Verification Function * Sends the incoming post data back to PayPal using the cURL library. * * @return bool * @throws Exception */ public function verifyIPN() { if ( ! count($_POST)) { throw new Exception("Missing POST Data"); } $raw_post_data = file_get_contents('php://input'); $raw_post_array = explode('&', $raw_post_data); $myPost = array(); foreach ($raw_post_array as $keyval) { $keyval = explode('=', $keyval); if (count($keyval) == 2) { // Since we do not want the plus in the datetime string to be encoded to a space, we manually encode it. if ($keyval[0] === 'payment_date') { if (substr_count($keyval[1], '+') === 1) { $keyval[1] = str_replace('+', '%2B', $keyval[1]); } } $myPost[$keyval[0]] = urldecode($keyval[1]); } } // Build the body of the verification post request, adding the _notify-validate command. $req = 'cmd=_notify-validate'; $get_magic_quotes_exists = false; if (function_exists('get_magic_quotes_gpc')) { $get_magic_quotes_exists = true; } foreach ($myPost as $key => $value) { if ($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) { $value = urlencode(stripslashes($value)); } else { $value = urlencode($value); } $req .= "&$key=$value"; } // Post the data back to PayPal, using curl. Throw exceptions if errors occur. $ch = curl_init($this->getPaypalUri()); curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1); curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $req); curl_setopt($ch, CURLOPT_SSLVERSION, 6); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1); curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2); // This is often required if the server is missing a global cert bundle, or is using an outdated one. if ($this->use_local_certs) { curl_setopt($ch, CURLOPT_CAINFO, __DIR__ . "/cert/cacert.pem"); } curl_setopt($ch, CURLOPT_FORBID_REUSE, 1); curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'User-Agent: PHP-IPN-Verification-Script', 'Connection: Close', )); $res = curl_exec($ch); if ( ! ($res)) { $errno = curl_errno($ch); $errstr = curl_error($ch); curl_close($ch); throw new Exception("cURL error: [$errno] $errstr"); } $info = curl_getinfo($ch); $http_code = $info['http_code']; if ($http_code != 200) { throw new Exception("PayPal responded with http code $http_code"); } curl_close($ch); // Check if PayPal verifies the IPN data, and if so, return true. if ($res == self::VALID) { return true; } else { return false; } } } ?>
Code [PaypalListener.php]
<?php namespace Listener; require('PaypalIPN.php'); use PaypalIPN; $ipn = new PaypalIPN(); // Use the sandbox endpoint during testing. $ipn->useSandbox(); $verified = $ipn->verifyIPN(); if ($verified) { /* * Process IPN * A list of variables is available here: * https://developer.paypal.com/webapps/developer/docs/classic/ipn/integration-guide/IPNandPDTVariables/ */ } // Reply with an empty 200 response to indicate to paypal the IPN was received correctly. header("HTTP/1.1 200 OK"); ?>
When using PayPals IPN Simulator, the following data gets posted to the PayPalIPN page:
payment_type=instant&payment_date=14%3A37%3A40%20Aug%2004%2C%202021%20PDT&payment_status=Completed&address_status=confirmed&payer_status=verified&first_name=John&last_name=Smith&payer_email=buyer@paypalsandbox.com&payer_id=TESTBUYERID01&address_name=John%20Smith&address_country=United%20States&address_country_code=US&address_zip=95131&address_state=CA&address_city=San%20Jose&address_street=123%20any%20street&business=seller@paypalsandbox.com&receiver_email=seller@paypalsandbox.com&receiver_id=seller@paypalsandbox.com&residence_country=US&item_name1=something&item_number1=AK-1234&tax=2.02&mc_currency=USD&mc_fee=0.44&mc_gross=12.34&mc_gross_1=12.34&mc_handling=2.06&mc_handling1=1.67&mc_shipping=3.02&mc_shipping1=1.02&txn_type=cart&txn_id=746114854¬ify_version=2.1&custom=xyz123&invoice=abc1234&test_ipn=1&verify_sign=AqXxBxXlRxzzzTc3OqYNzyZnI8SaAdBMjOvZCSXfOj1cWp11HHkIrMRX
And the $req returned data (that should be being sent back to PayPal) turns out as:
cmd=_notify-validate&payment_type=instant&payment_date=14%3A37%3A40+Aug+04%2C+2021+PDT&payment_status=Completed&address_status=confirmed&payer_status=verified&first_name=John&last_name=Smith&payer_email=buyer%40paypalsandbox.com&payer_id=TESTBUYERID01&address_name=John+Smith&address_country=United+States&address_country_code=US&address_zip=95131&address_state=CA&address_city=San+Jose&address_street=123+any+street&business=seller%40paypalsandbox.com&receiver_email=seller%40paypalsandbox.com&receiver_id=seller%40paypalsandbox.com&residence_country=US&item_name1=something&item_number1=AK-1234&tax=2.02&mc_currency=USD&mc_fee=0.44&mc_gross=12.34&mc_gross_1=12.34&mc_handling=2.06&mc_handling1=1.67&mc_shipping=3.02&mc_shipping1=1.02&txn_type=cart&txn_id=746114854¬ify_version=2.1&custom=xyz123&invoice=abc1234&test_ipn=1&verify_sign=AqXxBxXlRxzzzTc3OqYNzyZnI8SaAdBMjOvZCSXfOj1cWp11HHkIrMRX
I noticed in the return encode, the “+” symbols were originally %20 and the “@” symbols have been replaced with %40, I have replaced these to match the original code received but with no luck in any change of error.
I am unable to find a solution to this problem on PayPal forums nor otherwise. What am I missing? Please help!
Advertisement
Answer
This issue is related to PayPal’s recent sandbox migration to the cloud. For now, change the verification postback hostname from ipnpb
to www
:
const SANDBOX_VERIFY_URI = 'https://www.sandbox.paypal.com/cgi-bin/webscr';