doumaji6215 2012-10-11 13:27
浏览 45
已采纳

卷曲功能被嗅到的安全性如何?

Hi instead of using the Paypal API I designed a webpage using php and curl to check whether a certain email is verified on Paypal or not. In order to do so I have to allow the script to login for me on Paypal's website. Now I am using a fake paypal account just to check if an email is verified or not, but my question is how secure is that username and password that is being entered onto paypal's website. If it is unsecure and can be easily sniffed out by someone monitoring the server communications, how can I protect against that?

Please note I am not using Paypal's API because it requires way too much work to incorporate onto your website, and it requires extra fields to return if an email is verified (first name, last name, etc).

Here's the code:

<?php
//email address to check
$verifyEmail = 'randomemail@blah.com';

//paypal login info
$loginEmail = '###';
$password = '###';

if (!isLogin($loginEmail, $password)) {
    echo 'Login failed';
} else if (isVerified($verifyEmail)) {
    echo 'Verified';
} else {
    echo 'Not verified';
}


#########################################
function isVerified($verifyEmail) {
    $url = 'https://www.paypal.com/us/verified/pal='.$verifyEmail;
    $response = curl_get($url);
    if(strpos($response, '<td class="emphasis">Verified</td>')) {
        return true;
    } else {
        return false;
    }
}

function isLogin($email, $password) {
    // Get login page 
    $response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run');
    $postFields = getHiddenFormInputs($response, 'login_form');
    if (!$postFields) {
        return false;
    }
    // Post login
    $postFields['login_email'] = $email;
    $postFields['login_password'] = $password;
    $postFields = serializePostFields($postFields);
    $response = curl_get('https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-submit', $postFields);
    if(!strpos($response, 'login_cmd=_login-done')) {
        return false;
    } else {
        return true;
    }
}

function curl_get($url, $postfields=false) {
    static $curl;
    if(empty($curl)) {
        $cookiejar = 'curl_cookiejar.txt';
        @unlink($cookiejar);
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_COOKIEJAR,  $cookiejar);
        curl_setopt($curl, CURLOPT_COOKIEFILE, $cookiejar);
        curl_setopt($curl, CURLOPT_USERAGENT, $_SERVER['HTTP_USER_AGENT']);
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($curl, CURLOPT_HEADER, 1);
        curl_setopt($curl, CURLOPT_MAXREDIRS, 5);

    }
    curl_setopt($curl, CURLOPT_URL, $url);
    if(stripos($url, 'https')!==false) {
        curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, 0);
        curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0); 
    }
    if ($postfields) {
        curl_setopt($curl, CURLOPT_POST, 1);    
        curl_setopt($curl, CURLOPT_POSTFIELDS, $postfields);
    }
    $response = curl_exec($curl);
    return $response;
}

function getHiddenFormInputs($html) {
    if(!preg_match('|<form[^>]+login_form[^>]+>.*</form>|Usi', $html, $form)) {
        return '';
    }
    if(!preg_match_all('/<input[^>]+hidden[^>]*>/i', $form[0], $inputs)) {
        return '';
    }
    $hiddenInputs = array();
    foreach($inputs[0] as $input){
        if (preg_match('|name\s*=\s*[\'"]([^\'"]+)[\'"]|i', $input, $name)) {
            $hiddenInputs[$name[1]] = '';
            if (preg_match('|value\s*=\s*[\'"]([^\'"]*)[\'"]|i', $input, $value)) {
                $hiddenInputs[$name[1]] = $value[1];
            }
        }
    }
    return $hiddenInputs;
}

function serializePostFields($postFields) {
    foreach($postFields as $key => $value) {
        $value = urlencode($value);
        $postFields[$key] = "$key=$value";
    }
    $postFields = implode($postFields, '&');
    return $postFields;
}


?>
  • 写回答

3条回答 默认 最新

  • douchangmian0305 2012-10-11 13:32
    关注

    Ignoring the method being used (the API is more robust, and current method could break if they change the login), CURL is as secure as any standard request from a browser. From the script I can see you are using https for the request, so you should be fine.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(2条)

报告相同问题?

  • 卷曲功能嗅到安全性如何? php
    2012-10-11 13:27
    回答 3 已采纳 Ignoring the method being used (the API is more robust, and current method could break if they cha
  • PHP卷曲 - 发送证书的正确方法? php
    2018-08-31 14:42
    回答 1 已采纳 I was using "HTTP", and to send the certificate on the request, i need to use "HTTPS". Don't need
  • PHP卷曲的性能相关问题是什么? php
    2013-07-26 02:50
    回答 1 已采纳 I'd use wget instead for a quick and dirty solution (on linux) wget -r Please don't mention pe
  • streams:PHP包装器用于多卷曲
    2021-05-10 14:12
    “ streams”是用于多卷曲PHP包装器 安装 安装 : curl -sS https://getcomposer.org/installer | php 添加流依赖项: php composer.phar require 'pulyavin/streams:0.*' 用法 use pulyavin\streams\ Stream ; ...
  • 卷曲与邮件不工作Php php
    2011-10-09 22:19
    回答 4 已采纳 When a function of cURL is undefined, then it is most likely that cURL is not available. However,
  • 如何卷曲json postfields? json php
    2018-08-12 18:08
    回答 1 已采纳 Since you are sending a POST request, the API believes you are attempting to create a billing plan
  • 卷曲与远程数据库对本地文件? mysql php
    2011-09-08 12:07
    回答 2 已采纳 I had a website using cURL to get the country code text from maxmind as well for about 1.5 years w
  • curl:一个友好PHP卷曲包装器
    2021-05-14 01:22
    适用于PHP的curl包装类一个PHP包装器类,用于简化。如何使用以下代码显示了如何使用此类 $ http = new dcai\curl;// enable cache$ http = new dcai\curl( array ( 'cache' => true ));// enable cookie$ ...
  • 卷曲不起作用没有结果? php
    2015-02-06 16:30
    回答 1 已采纳 https isn't that simple with curl. You need to configure it to accept the certificate. Read more
  • 如何在Google API PHP客户端版本2.2.2中设置卷曲超时 php
    2019-03-05 08:43
    回答 1 已采纳 Try this: $client->setConfig('CURLOPT_CONNECTTIMEOUT', 100); $client->setConfig('CURLOPT_TI
  • 卷曲php没有加载网站样式 php
    2017-08-09 12:58
    回答 1 已采纳 Because curl only gets html (source code) of specified url and i think styles are addressed relati
  • composer-curl-plugin:作曲家卷曲插件
    2021-05-31 01:06
    作曲家卷曲插件安装安装插件 $ composer global require ngyuki/composer-curl-plugin:dev-master 例子安装 symfony $ composer require symfony/symfony: \* 无插件更新$ rm -fr ~ /.composer/cache/repo/$ ...
  • 卷曲PHP代码 php
    2011-12-16 11:33
    回答 1 已采纳 $ch = curl_init(); // echo $url; die; curl_setopt($ch, CURLOPT_URL,$url); curl_set
  • php pem,如何通过PHP发送带有pem证书的卷曲请求?
    2021-04-12 13:27
    MS.TIME的博客 我的Apache服务器中有一个PHP脚本,必须向合作伙伴的服务器发送卷曲请求。合作伙伴给我一个.pem文件,我必须附加到我的api的每一个电话。我的php脚本如下:$ch = curl_init();curl_setopt($ch, CURLOPT_URL, $url);...
  • curlcurl:卷曲cURL
    2021-05-24 16:05
    卷曲cURL 这是一个帮助程序类,它通过将cURL卷曲成一行来使代码更清晰。 使用Curl cUrl,您不必像单独进行连接那样初始化或关闭连接。 只需包装选项和kaboom! 在2.0版中,所有选项都可以链式加载。 ##用法需要...
  • easycurl:易卷曲
    2021-06-24 23:36
    卷曲 EasyCurl 一个非常简单的 cURL 类。 设置 推荐人和用户代理选项。 包括默认值。 require "easycurl.class.php" ; $ curl = new EasyCurl ; $ curl -> referer = "http://google.com" ; $ curl -> user_...
  • swurl:通过AWS IAM身份验证和SOCKS支持提供基本卷曲功能的工具
    2021-03-11 04:11
    注意:还有其他工具已经提供curl的功能,这些功能可能会得到更好的管理和支持。 处理此问题后的一些想法: 如果服务名称和服务端点之间保持一致,那将很酷。 这将使我们能够轻松地从端点本身获取region和service ...
  • quickdl:100%的Rust客户端下载数据。 竞争对手卷曲
    2021-04-02 00:09
    竞争对手卷曲? 目的 qdl的唯一目的是成为一个快速便捷的终端下载客户端。 用法 qdl [URI]将URI的内容打印到终端上。 这对于流水线很有用。 示例: $ qdl https://sh.rustup.rs | sh $ qdl https://sh.rustup.rs |...
  • userinfo:卷曲http
    2021-06-18 06:49
    用户信息 - curl -X GET http://byoung@bigbluehat.com/十多年来,我一直在浏览器地址栏中输入电子邮件地址。 现在,我想要回一些东西。用户 URI 方案mailto和(最近的) acct提供了通过电子邮件地址识别实体(人、...
  • 卷曲
    2021-02-13 00:39
    卷曲
  • 没有解决我的问题, 去提问

悬赏问题

  • ¥15 无线电能传输系统MATLAB仿真问题
  • ¥50 如何用脚本实现输入法的热键设置
  • ¥20 我想使用一些网络协议或者部分协议也行,主要想实现类似于traceroute的一定步长内的路由拓扑功能
  • ¥30 深度学习,前后端连接
  • ¥15 孟德尔随机化结果不一致
  • ¥15 apm2.8飞控罗盘bad health,加速度计校准失败
  • ¥15 求解O-S方程的特征值问题给出边界层布拉休斯平行流的中性曲线
  • ¥15 谁有desed数据集呀
  • ¥20 手写数字识别运行c仿真时,程序报错错误代码sim211-100
  • ¥15 关于#hadoop#的问题