Alipay APP's php background signature and signature verification implementation method

Signing and signature verification can also be completed on the APP side. Considering security issues, signing and signature verification are best completed on the server side. This is also the official recommendation of Alipay, so the PHP side needs to pass the signed parameters to the APP. end. See the text for detailed steps:
1. Download php Alipay sdk
https://doc.open.alipay.com/docs/doc.htm?spm=a219a.7629140.0.0.eCtVsf&treeId=54&articleId=103419&docType=1 (old)
https://docs.open.alipay.com/54/103419/ (new)
2. View the Alipay App payment request parameter document, splice the request parameters, and sign
App payment request parameters Description
https://doc.open.alipay.com/docs/doc.htm?spm=a219a.7629140.0.0.wM4mV1&treeId=204&articleId=105465&docType=1 (old)
https://docs.open .alipay.com/204/105465/ (New)
First, the parameters are spliced ​​to generate a signature, and then the previous parameters and signature are assembled. The core code is as follows:

    require_once '/Alipay/aop/AopClient.php';    $private_path =  "/Alipay/key/rsa_private_key.pem";//私钥路径
    //构造业务请求参数的集合(订单信息)
    $content = array();    $content['subject'] = "商品的标题/交易标题/订单标题/订单关键字等";    
    $content['out_trade_no'] = "商户网站唯一订单号";    
    $content['timeout_express'] = "该笔订单允许的最晚付款时间";   
     $content['total_amount'] = "订单总金额(必须定义成浮点型)";    
     $content['product_code'] = "QUICK_MSECURITY_PAY";/销售产品码,固定值   
      $con = json_encode($content);//$content是biz_content的值,将之转化成json字符串

    //公共参数
    $Client = new \AopClient();//实例化支付宝sdk里面的AopClient类,下单时需要的操作,都在这个类里面
    $param['app_id'] = '支付宝分配给开发者的应用ID';    $param['method'] = 'alipay.trade.app.pay';//接口名称，固定值
    $param['charset'] = 'utf-8';//请求使用的编码格式
    $param['sign_type'] = 'RSA2';//商户生成签名字符串所使用的签名算法类型
    $param['timestamp'] = date("Y-m-d Hi:i:s");//发送请求的时间
    $param['version'] = '1.0';//调用的接口版本，固定为：1.0
    $param['notify_url'] = '支付宝服务器异步回调地址';    $param['biz_content'] = $con;//业务请求参数的集合,长度不限,json格式，即前面一步得到的
    $paramStr = $Client->getSignContent($param);//组装请求签名参数
    $sign = $Client->alonersaSign($paramStr, $private_path, 'RSA2', true);//生成签名
    $param['sign'] = $sign;    $str = $Client->getSignContentUrlencode($param);//最终请求参数

As for the requested instructions, Alipay made it very clear. Here is a screenshot again:

3. Signature Verification
App will return a string after the payment is successful, and the customer service side also needs to make a judgment. I won’t be wordy here, as shown below:

The next step is to The PHP server performs signature verification, and Alipay will asynchronously return data to the asynchronous callback address in post mode:

function notify()
    {
        require_once('/alipay/aop/AopClient.php');        $aop = new \AopClient;        //$public_path = "key/rsa_public_key.pem";//公钥路径
        $aop->alipayrsaPublicKey = "支付宝公钥";        //此处验签方式必须与下单时的签名方式一致
        $flag = $aop->rsaCheckV1($_POST, NULL, "RSA2");        //验签通过后再实现业务逻辑，比如修改订单表中的支付状态。
        /**
         *  ①验签通过后核实如下参数out_trade_no、total_amount、seller_id
         *  ②修改订单表
        **/
        //打印success，应答支付宝。必须保证本界面无错误。只打印了success，否则支付宝将重复请求回调地址。
        echo 'success';
    }

Postscript:
The signature verification has always failed before. After looking for it for a long time, it was finally solved. The document says that the Alipay public key is used for signature verification, not the RSA2 public key. Special attention needs to be paid here to avoid using the wrong one.

Please see the screenshot:

Copyright Statement: This article is an original article by the blogger and may not be reproduced without the blogger's permission.

Signature and signature verification can also be completed on the APP side. Considering security issues, it is best to complete signature and signature verification on the server side. This is also the official recommendation of Alipay. Therefore, the PHP side needs to pass the signed parameters to the APP side. See the text for detailed steps:
1. Download php Alipay sdk
https://doc.open.alipay.com/docs/doc.htm?spm=a219a.7629140.0.0.eCtVsf&treeId=54&articleId=103419&docType=1 (old)
https://docs.open.alipay.com/54/103419/ (new)
2. View the Alipay App payment request parameter document, splice the request parameters, and sign
App payment request parameters Description
https://doc.open.alipay.com/docs/doc.htm?spm=a219a.7629140.0.0.wM4mV1&treeId=204&articleId=105465&docType=1 (old)
https://docs.open .alipay.com/204/105465/ (New)
First, the parameters are spliced ​​to generate a signature, and then the previous parameters and signature are assembled. The core code is as follows:

    require_once '/Alipay/aop/AopClient.php';    $private_path =  "/Alipay/key/rsa_private_key.pem";//私钥路径
    //构造业务请求参数的集合(订单信息)
    $content = array();    $content['subject'] = "商品的标题/交易标题/订单标题/订单关键字等";    $content['out_trade_no'] = "商户网站唯一订单号";    $content['timeout_express'] = "该笔订单允许的最晚付款时间";    $content['total_amount'] = "订单总金额(必须定义成浮点型)";    $content['product_code'] = "QUICK_MSECURITY_PAY";/销售产品码,固定值    $con = json_encode($content);//$content是biz_content的值,将之转化成json字符串

• 
  

##

    //公共参数
    $Client = new \AopClient();//实例化支付宝sdk里面的AopClient类,下单时需要的操作,都在这个类里面
    $param['app_id'] = '支付宝分配给开发者的应用ID';    $param['method'] = 'alipay.trade.app.pay';//接口名称，固定值
    $param['charset'] = 'utf-8';//请求使用的编码格式
    $param['sign_type'] = 'RSA2';//商户生成签名字符串所使用的签名算法类型
    $param['timestamp'] = date("Y-m-d Hi:i:s");//发送请求的时间
    $param['version'] = '1.0';//调用的接口版本，固定为：1.0
    $param['notify_url'] = '支付宝服务器异步回调地址';    $param['biz_content'] = $con;//业务请求参数的集合,长度不限,json格式，即前面一步得到的

    $paramStr = $Client->getSignContent($param);//组装请求签名参数
    $sign = $Client->alonersaSign($paramStr, $private_path, 'RSA2', true);//生成签名
    $param['sign'] = $sign;    $str = $Client->getSignContentUrlencode($param);//最终请求参数

Alipay made it very clear for the requested description, and here is a screenshot again:

三、验签
App 支付成功后会有返回字符串，客服端也需要判断，这里不罗嗦，如下图：

下一步就是在php服务端进行验签，支付宝异步会以post方式返回数据到异步回调地址：

function notify()
    {
        require_once('/alipay/aop/AopClient.php');        $aop = new \AopClient;        //$public_path = "key/rsa_public_key.pem";//公钥路径
        $aop->alipayrsaPublicKey = "支付宝公钥";        //此处验签方式必须与下单时的签名方式一致
        $flag = $aop->rsaCheckV1($_POST, NULL, "RSA2");        //验签通过后再实现业务逻辑，比如修改订单表中的支付状态。
        /**
         *  ①验签通过后核实如下参数out_trade_no、total_amount、seller_id
         *  ②修改订单表
        **/
        //打印success，应答支付宝。必须保证本界面无错误。只打印了success，否则支付宝将重复请求回调地址。
        echo 'success';
    }

后记： 
之前一直验签失败，找了好久，终于解决了。文档中说，验签用的是支付宝公钥，并不是RSA2公钥，这里需要特别注意，不要用错了 

请看截图： 

相关推荐：

支付宝支付之php后台签名实现方法

The above is the detailed content of Alipay APP's php background signature and signature verification implementation method. For more information, please follow other related articles on the PHP Chinese website!