Find the answer to your question
Advanced Search
Published: January 14 2008, 12:15:00 PMUpdated: August 04 2022, 9:27:36 PM
Product
Notification signatures sent with a notification should be verified. Here's how to do it in PHP.
When eBay sends you a notification, it also sends you a "signature" field in the SOAP header. This signature field is derived from four items :
- Your DevID
- Your AppID
- Your CertID
- Timestamp of the notification
The first three items constitute your keyset (sandbox or production).
You know your keyset (and should be kept confidential), and the timestamp is in the SOAP body. Here's how to verify with PHP code that the notification signature is valid :
CODE
<?php
// Sample keyset values. Use sandbox or production values
$devid = 'YOUR-VALUE-9a66-3f359d933e5d';
$appid = 'YOUR-VALUE-abf3-92bdc3bcd29d';
$certid = 'YOUR-VALUE-43b2-b306-c537a0c83e7f';
// These two values are pulled from the notification SOAP payload
// You need to parse these values from the returned XML
// This comes from SOAP Header NotificationSignature field
$sigNote = 'boVG+scoxB694oFeCgUHGw==';
// This comes from SOAP Body Timestamp field
$ebayTimestamp = '2022-01-14T18:35:50.478Z';
//The code to calculate the signature looks like this:
$md5_Str = $ebayTimestamp . $devid . $appid . $certid;
$sigCalc = base64_encode(pack("H*", md5($md5_Str))); // 'H*' means hex string, to end of data
// These two values should be equal
print "sigNote = $sigNote \n"; // signature from notification (parsed XML)
print "sigCalc = $sigCalc \n\n"; // signature calculated from your keyset & timestamp
if ($sigNote == $sigCalc) {
print "Two signatures are equivalent -- valid notification. \n";
} else {
print "Payload and calculated signatures differ - invalid notification \n";
}
?>