Consider updating IPN validation to support Adaptive Payments

Created on 16 December 2015, almost 10 years ago
Updated 18 August 2025, about 2 months ago

When processing an IPN message for an Adaptive Payments, the IPN validation procedure that is implemented in the module is correct, however, it fails to properly validate an Adaptive Payments IPN due to a strange POST variable encoding issue. PayPal sends data in a very strange way that PHP's POST variable parser fails to handle. For example:

transaction%5B0%5D.is_primary_receiver=true&
transaction%5B0%5D.id_for_sender_txn=3BN58289VJ345364K&
transaction%5B1%5D.paymentType=SERVICE&
transaction%5B0%5D.amount=USD+18.95&
charset=windows-1252&
transaction_type=Adaptive+Payment+PAY&
transaction%5B1%5D.id_for_sender_txn=5XS94988DT196883F&
transaction%5B1%5D.is_primary_receiver=false

Is sent as the post body. I've snipped the data and added some newlines for clarity. But you can see that PayPal is passing in urlencoded() variable names that are strange to PHP transaction[0].is_primary_receiver=true (unencoded) would normally be transaction[0][is_primary_receiver]=true. This causes a problem as PHP parses them like this:

$ipn = array(
    "transaction" => array(
      "0" => 'NONE',
      "1" => 'Completed',
    ),
   // ... snip ...
);

Instead of treating the entire first part of the key-value-pair as a string and coming out like this:

array (
  'transaction%5B0%5D.is_primary_receiver' => 'true',
  'transaction%5B0%5D.id_for_sender_txn' => '3BN58289VJ345364K',
  'transaction%5B0%5D.receiver' => 'omitted@omitted.com',
  'transaction%5B1%5D.paymentType' => 'SERVICE',
  'transaction%5B0%5D.amount' => 'USD 18.95',
  'charset' => 'windows-1252',
  'transaction_type' => 'Adaptive Payment PAY',
  'transaction%5B1%5D.id_for_sender_txn' => '5XS94988DT196883F',
  // ... snip ...
);

Data coming through in this format will pass validation. PayPal's docs make note that PHP has a problem with this although, arguably PayPal's format for sending array data over POST is odd as well.

This issue appears to only impact Adaptive Payments and obviously the IPN for EC, WPS, WPP, etc. are working just fine.

πŸ“Œ Task
Status

Closed: outdated

Version

2.0

Component

PayPal / IPN

Created by

πŸ‡ΊπŸ‡ΈUnited States nvahalik

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024