PHP implements asynchronous notification

In Internet business, scenarios involving fund transactions such as payment, recharge, refund, and cash withdrawal are essential. This requires the system to be able to perform asynchronous notifications to inform both parties of the transaction results. In these scenarios, PHP, as a very popular back-end development language, is widely used. In this article we will explain how to use PHP to implement asynchronous notifications.

1. What is asynchronous notification?

After the user conducts a transaction, the paying or receiving party will receive a notification of a successful transaction so that both parties can understand the transaction results in a timely manner. In this scenario, if synchronous notification is used, the transaction time may be longer, the user experience may be poor, the transaction may fail, and the reliability of the transaction may be affected. Therefore, we use asynchronous notification, that is, using callback functions to notify transaction results.

2. Steps to implement asynchronous notification in PHP

We take the payment scenario as an example to introduce how to use PHP to implement asynchronous notification.

1. Initiate a payment request:

When the user initiates a payment request in the application, the backend will send the payment request to the payment platform and receive the response from the payment platform. And get the payment URL from the response.

PHP sample code:

$data = [
    'amount' => '10.00',
    'body' => '测试订单',
    'channel' => 'alipay_wap',
    'currency' => 'cny',
    'return_url' => 'http://example.com/return',
    'notify_url' => 'http://example.com/notify',
];

$result = curl_post('https://api.payment.com/payments', $data);
$payment_url = isset($result['payment_url']) ? $result['payment_url'] : '';

2. Call the payment platform interface:

Send a POST request through cURL, call the payment platform interface, and send the payment platform Send a payment request and obtain the response result returned by the payment platform.

PHP sample code:

function curl_post($url, $data = [], $header = [])
{
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/json',
        'Accept: application/json',
    ) + $header);
    $response = curl_exec($ch);
    curl_close($ch);
    return json_decode($response, true);
}

3. Set the return URL in the interface:

Set the return URL in the interface for successful or failed payment When , the background payment results are notified to the application, and it can also be used to query the transaction status.

PHP sample code:

$data = [
    'amount' => '10.00',
    'body' => '测试订单',
    'channel' => 'alipay_wap',
    'currency' => 'cny',
    'return_url' => 'http://example.com/return',
    'notify_url' => 'http://example.com/notify',
];

notify_url parameter is used to pass the address for receiving payment results and the address for sending asynchronous notifications by the payment platform.

4. Callback function for receiving asynchronous notification

When the payment platform receives the user's payment request and completes the transaction, it will send an asynchronous notification to the specified notify_url to notify the payment result. Therefore, we need to verify signatures and process business logic in the callback function, and return confirmation information at the end.

PHP sample code:

function notify()
{
    $data = $_POST;
    $time_now = time();

    // 验证签名
    if (!openssl_verify(json_encode($data), base64_decode($data['signature']), $public_key)) {
        return 'false';
    }
    // 更新订单状态
    update_order($data['order_id']);
    return 'success';
}

5. Verify signature

Since the results sent by the payment platform need to ensure their reliability, we need to verify the results returned by the payment platform Data is verified. During the signature verification process, we need to use the public key provided by the payment platform to verify the signature to ensure that it is a legitimate result issued by the payment platform.

PHP sample code:

if (!openssl_verify(json_encode($data), base64_decode($data['signature']), $public_key)) {
    return 'false';
}

6. Update order status

After the payment is successful, the status information of the order needs to be updated so that the application can understand the actual situation of the order . In this step we can call business logic to update.

PHP sample code:

function update_order($order_id)
{
    // 调用业务逻辑处理订单状态更新
}

7. Return confirmation information

After the processing is completed, confirmation information needs to be returned to the payment platform to show that we have done everything we can. Confirm that the payment result has been processed, and the return code (such as 200) indicates that the processing was successful.

PHP sample code:

return 'success';

3. Avoid the vulnerabilities of asynchronous notifications

In the process of using asynchronous notifications, in order to ensure security, we need to avoid the following vulnerabilities:

1. Only process the asynchronous notification once, otherwise it will cause multiple requests and bring unnecessary security risks.
2. Ensure that the results are signed and verified when processing asynchronous notifications to avoid request tampering by a third party.
3. Ensure that the functional logic of asynchronous notification result processing does not fail and cause data inconsistency.
4. Ensure that the asynchronous notification URL is not tampered with when provided to a third party to prevent attackers from maliciously tampering with the address and conducting CSRF attacks.

4. Summary

This article introduces the process of using PHP to implement asynchronous notification, and proposes security precautions. I hope it will be helpful to everyone. Asynchronous notifications are particularly important in financial transaction scenarios, and special attention needs to be paid to security. Issues such as signatures, repeated processing, and security risks need to be carefully considered during design to avoid loopholes and errors.

The above is the detailed content of PHP implements asynchronous notification. For more information, please follow other related articles on the PHP Chinese website!