Using PayPal's IPN notification I am trying to pass a serialized custom array. I don't know why, but I get an SQL violation error. So this is my query:
// checkout page: build the PayPal request and redirect
$test = array(
    'cmd'           => '_xclick',
    'business'      => 'email@email.com',
    'notify_url'    => 'url/to/ipn.php',
    'item_name'     => 'Pixel',
    'amount'        => '1.00',
    'currency_code' => 'USD',
    'lc'            => 'US',
    'custom'        => serialize(array(
        "variable1" => $variable1,
        "variable2" => $variable2,
        "variable3" => $variable3,
        "variable4" => $variable4,
        "variable5" => $variable5,
    )),
);
$url = "https://www.sandbox.paypal.com/cgi-bin/webscr?" . http_build_query($test);
header("Location:" . $url);
exit();

// later in ipn.php:
$custom    = unserialize($_POST["custom"]);
$variable1 = $_POST['variable1'];
$variable2 = $_POST['variable2'];
$variable3 = $_POST['variable3'];
$variable4 = $_POST['variable4'];
$variable5 = $_POST['variable5'];

try {
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $dbh->prepare("INSERT INTO firsttable(variable1, variable2, variable3, variable4, variable5)
                           VALUES (?,?,?,?,?)");
    // bindParam binds by reference, so the $valueN assignments below are picked up at execute()
    $stmt->bindParam(1, $value1);
    $stmt->bindParam(2, $value2);
    $stmt->bindParam(3, $value3);
    $stmt->bindParam(4, $value4);
    $stmt->bindParam(5, $value5);
    $value1 = $variable1;
    $value2 = $variable2;
    $value3 = $variable3;
    $value4 = $variable4;
    $value5 = $variable5;
    $stmt->execute();
} catch (PDOException $exception) {
    $variable .= "Failure: " . $exception->getMessage() . "\n";
}
It only returns this error:
Failure: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an
error in your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near 'NULL,'.',NULL)'
Is it because "custom" exceeds 200 characters? Or am I doing something wrong?
Regards!!
Answer 0 (score: 0)
The snippet you posted does not store the contents of $custom; you should use single quotes instead of double quotes in the prepared statement to avoid injection. Your problem looks like it depends on the contents of $value1..n, if you want to save the values of $variable1..n rather than $value1..n.
Anyway, the contents of the deserialized custom field, i.e. $_POST['variable1']; .. $_POST['variablen'];, are inside $custom; you can use $custom[n] to get the values.
Note that the PayPal custom field is at most 255 characters long.
Also note that you should urlencode when serializing, to avoid disallowed characters.