@menny
Last active February 15, 2024 14:45
How to verify in-app purchases from AppStore and Market in PHP code (server-side)
function verify_app_store_in_app($receipt, $is_sandbox)
{
    // $is_sandbox should be TRUE if you want to test against the iTunes sandbox servers
    if ($is_sandbox)
        $verify_host = "ssl://sandbox.itunes.apple.com";
    else
        $verify_host = "ssl://buy.itunes.apple.com";
    // json_encode() escapes the receipt properly instead of splicing it into a JSON string by hand
    $json = json_encode(array("receipt-data" => $receipt));
    // opening socket to iTunes
    $fp = fsockopen($verify_host, 443, $errno, $errstr, 30);
    if (!$fp)
    {
        // HTTP ERROR
        return false;
    }
    else
    {
        // iTunes' request url is /verifyReceipt
        $header = "POST /verifyReceipt HTTP/1.0\r\n";
        $header .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $header .= "Content-Length: " . strlen($json) . "\r\n\r\n";
        fputs($fp, $header . $json);
        $res = '';
        while (!feof($fp))
        {
            $step_res = fgets($fp, 1024);
            $res = $res . $step_res;
        }
        fclose($fp);
        // taking the JSON response: the body starts after the blank line that ends the HTTP headers
        $body_start = stripos($res, "\r\n\r\n{");
        if ($body_start === false)
        {
            // no JSON body in the response
            return false;
        }
        $json_source = substr($res, $body_start + 4);
        // decoding; bail out if the body is not the JSON object we expect
        $app_store_response_map = json_decode($json_source);
        if (!is_object($app_store_response_map) || !isset($app_store_response_map->{'status'}))
        {
            return false;
        }
        $app_store_response_status = $app_store_response_map->{'status'};
        if ($app_store_response_status == 0) // either OK, or expired and needs to sync
        {
            // here are some fields from the json, btw.
            $json_receipt = $app_store_response_map->{'receipt'};
            $transaction_id = $json_receipt->{'transaction_id'};
            $original_transaction_id = $json_receipt->{'original_transaction_id'};
            $json_latest_receipt = $app_store_response_map->{'latest_receipt_info'};
            return true;
        }
        else
        {
            return false;
        }
    }
}
function verify_market_in_app($signed_data, $signature, $public_key_base64)
{
    // wrap the app's Base64 public (license) key from the developer console in PEM armour
    $key = "-----BEGIN PUBLIC KEY-----\n" .
        chunk_split($public_key_base64, 64, "\n") .
        '-----END PUBLIC KEY-----';
    // using PHP to create an RSA key
    $key = openssl_get_publickey($key);
    if ($key === false)
    {
        // the key could not be parsed
        return false;
    }
    // $signature should be in binary format, but it comes as BASE64.
    // So, I'll convert it (strict mode rejects malformed Base64).
    $signature = base64_decode($signature, true);
    if ($signature === false)
    {
        return false;
    }
    // using PHP's native support to verify the signature
    $result = openssl_verify(
        $signed_data,
        $signature,
        $key,
        OPENSSL_ALGO_SHA1);
    // openssl_verify() returns 1 for a valid signature, 0 for an invalid one and -1 on error;
    // only 1 counts as verified
    return 1 === $result;
}
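An added end-to-end example, not part of the gist, showing the server side around verify_market_in_app(): $signed_data is the purchase JSON the app gets from purchase.getOriginalJson() and $signature is its Base64 signature. A valid signature only proves Google signed the payload, so the handler also binds it to the expected package name and product and refuses a reused orderId before replying with JSON. The package name, product list, license key, the verify_market_in_app.php file name and the database stub are placeholders.

```php
<?php
// Added example (not the gist author's code). Assumes the gist's
// verify_market_in_app() is saved as verify_market_in_app.php (assumed name).
require_once 'verify_market_in_app.php';

const EXPECTED_PACKAGE = 'com.example.app';    // placeholder: your app's package name
const KNOWN_PRODUCTS   = ['premium_upgrade'];  // placeholder: SKUs you actually sell
const LICENSE_KEY_B64  = 'MIIBIjANBgkq...';     // placeholder: Base64 key from the developer console

// $signed_data = purchase.getOriginalJson(); $signature = purchase.getSignature()
function check_play_purchase(string $signed_data, string $signature, array $seen_order_ids): array
{
    // 1. Cryptographic check: the JSON is byte-for-byte what Google signed.
    if (!verify_market_in_app($signed_data, $signature, LICENSE_KEY_B64)) {
        return ['ok' => false, 'reason' => 'bad_signature'];
    }
    $p = json_decode($signed_data, true);
    if (!is_array($p)) {
        return ['ok' => false, 'reason' => 'bad_json'];
    }
    // 2. Binding: a genuine signature from another app or product is still not yours.
    if (($p['packageName'] ?? '') !== EXPECTED_PACKAGE) {
        return ['ok' => false, 'reason' => 'wrong_package'];
    }
    if (!in_array($p['productId'] ?? '', KNOWN_PRODUCTS, true)) {
        return ['ok' => false, 'reason' => 'unknown_product'];
    }
    // 3. Replay: each orderId may be redeemed once.
    $order_id = $p['orderId'] ?? '';
    if ($order_id === '' || in_array($order_id, $seen_order_ids, true)) {
        return ['ok' => false, 'reason' => 'replayed_order'];
    }
    return ['ok' => true, 'orderId' => $order_id, 'productId' => $p['productId']];
}

// HTTP handler: the app POSTs the two strings; the server answers with a JSON verdict.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $signed_data = $_POST['signed_data'] ?? '';
    $signature   = $_POST['signature'] ?? '';
    $seen = [];  // placeholder: load already-redeemed orderIds from your database
    $verdict = check_play_purchase($signed_data, $signature, $seen);
    header('Content-Type: application/json');
    http_response_code($verdict['ok'] ? 200 : 400);
    echo json_encode($verdict);
}
```

On success the server should record the orderId before granting the entitlement, so a second submission of the same purchase is rejected.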
@Drjacky
Drjacky commented Feb 7, 2015

Hi.
I'm not good at the PHP language. Is it possible to give me a full sample and a short description of how to get the sent parameters on the server side?

Thanks.

@pierrocknroll
For Google, what exactly is in $signed_data please? Example?

@amiruldinqureshi
Please help, what does "$signed_data" mean? Please explain; it would be better if you shared a working copy of the code with all param values.

@almorak
almorak commented Nov 23, 2015

$signed_data = originalJson

@locsim
locsim commented Dec 30, 2015

Thank you for the job! This is very likely to be a stupid question, but: what is the script supposed to echo to the app?

@mahamadali
Sorry for this basic and maybe stupid question, but what is $signature here? Can anyone give dummy values for all 3 parameters so I can test directly... (verify_market_in_app.php)

@motameni
I tried the Android code, but this is not working... can anybody help?

@bikcrum
bikcrum commented Mar 19, 2018

@amiruldinqureshi It is the original JSON, or receipt, that you obtain from the "purchase" object in the Android app via purchase.getOriginalJson();

@meetshah15
I implemented this code, however, the response is always false. Are there any new changes to the receipt or signature fields from expected values?

@SiddheshShah
Please help, what does "$signature" mean? Please explain; it would be better if you shared a working copy of the code with all param values.

@joefaron
joefaron commented Mar 3, 2022

signature is the attached signature of the order.. a really long base64 string.. and signed_data is the order's 'receipt' field JSON, which looks like:
{"orderId":"GPA.3340-1993-0359-####","packageName":"com.###.###","productId":"## ....... }