Last active
February 15, 2024 14:45
-
-
Save menny/1985010 to your computer and use it in GitHub Desktop.
How to verify in-app purchases from AppStore and Market in PHP code (server-side)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function verify_app_store_in_app($receipt, $is_sandbox) | |
| { | |
| //$sandbox should be TRUE if you want to test against itunes sandbox servers | |
| if ($is_sandbox) | |
| $verify_host = "ssl://sandbox.itunes.apple.com"; | |
| else | |
| $verify_host = "ssl://buy.itunes.apple.com"; | |
| $json='{"receipt-data" : "'.$receipt.'" }'; | |
| //opening socket to itunes | |
| $fp = fsockopen ($verify_host, 443, $errno, $errstr, 30); | |
| if (!$fp) | |
| { | |
| // HTTP ERROR | |
| return false; | |
| } | |
| else | |
| { | |
| //iTune's request url is /verifyReceipt | |
| $header = "POST /verifyReceipt HTTP/1.0\r\n"; | |
| $header .= "Content-Type: application/x-www-form-urlencoded\r\n"; | |
| $header .= "Content-Length: " . strlen($json) . "\r\n\r\n"; | |
| fputs ($fp, $header . $json); | |
| $res = ''; | |
| while (!feof($fp)) | |
| { | |
| $step_res = fgets ($fp, 1024); | |
| $res = $res . $step_res; | |
| } | |
| fclose ($fp); | |
| //taking the JSON response | |
| $json_source = substr($res, stripos($res, "\r\n\r\n{") + 4); | |
| //decoding | |
| $app_store_response_map = json_decode($json_source); | |
| $app_store_response_status = $app_store_response_map->{'status'}; | |
| if ($app_store_response_status == 0)//eithr OK or expired and needs to synch | |
| { | |
| //here are some fields from the json, btw. | |
| $json_receipt = $app_store_response_map->{'receipt'}; | |
| $transaction_id = $json_receipt->{'transaction_id'}; | |
| $original_transaction_id = $json_receipt->{'original_transaction_id'}; | |
| $json_latest_receipt = $app_store_response_map->{'latest_receipt_info'}; | |
| return true; | |
| } | |
| else | |
| { | |
| return false; | |
| } | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function verify_market_in_app($signed_data, $signature, $public_key_base64) | |
| { | |
| $key = "-----BEGIN PUBLIC KEY-----\n". | |
| chunk_split($public_key_base64, 64,"\n"). | |
| '-----END PUBLIC KEY-----'; | |
| //using PHP to create an RSA key | |
| $key = openssl_get_publickey($key); | |
| //$signature should be in binary format, but it comes as BASE64. | |
| //So, I'll convert it. | |
| $signature = base64_decode($signature); | |
| //using PHP's native support to verify the signature | |
| $result = openssl_verify( | |
| $signed_data, | |
| $signature, | |
| $key, | |
| OPENSSL_ALGO_SHA1); | |
| if (0 === $result) | |
| { | |
| return false; | |
| } | |
| else if (1 !== $result) | |
| { | |
| return false; | |
| } | |
| else | |
| { | |
| return true; | |
| } | |
| } |
signature is the attached signature of the order.. really long base64 string.. and signed_data is the orders 'receipt' field JSON looks like:
{"orderId":"GPA.3340-1993-0359-####","packageName":"com.###.###","productId":"## ....... }
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
please help, what does "$signature" mean? Please explain, it would be better if you share a working copy of code with all param values.