Question

我最近刚收到内部服务器错误消息，但我不知道错误是什么。你能告诉我这个有什么问题吗？为安全起见，我为$ client_id和$ client_secret编写了CODE。

<?php   
if (isset($_POST['donation']) && isset($_POST['owner']) && isset($_POST['title'])) {
$owner = $_POST['owner'];
$donation = $_POST['donation'];
$title = $_POST['title'];
if ($donation == "") {
    echo "fail";
} else if ($donation >= 1 && $donation != "" && is_numeric($donation)) {
    $sql = 'SELECT * FROM users WHERE username="$owner" AND activated="1" LIMIT 1';
    $query = mysqli_query($db_conx, $sql);
      while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
        $access_token = $row["access"];
        $account_id = $row["account_id"];
      }

     require 'wepay.php';
    // application settings
    $client_id = CODE;
    $client_secret = "CODE";    
    // change to useProduction for live environments
    Wepay::useStaging($client_id, $client_secret);

    $wepay = new WePay($access_token);

    // create the checkout
    $response = $wepay->request('checkout/create', array(
        'account_id'        => $account_id,
        'amount'            => ''.$donation.'',
        'short_description' => ''.$title.'',
        'type'              => 'DONATION'
    ));
    echo "all_good";
    // display the response
    print_r($response);
} else {
    echo "unknown";
}
}

?>

Answer 1

你出于安全目的写了吗？然后阅读mysqli和参数：这对sql注入很敏感：

$sql = 'SELECT * FROM users WHERE username="$owner" AND activated="1" LIMIT 1';

应该是： $ sql ='SELECT * FROM users WHERE username =？ AND activated =“1”LIMIT 1'; $ query = mysqli_prepare（$ sql）; $查询 - ＆GT; bind_param（ “I”，$所有者）;

（有关更多示例，请参阅http://php.net/manual/en/mysqli.quickstart.prepared-statements.php。）

if ($donation == "") {
    echo "fail";
} else if ($donation >= 1 && $donation != "" && is_numeric($donation))

可能只是：

if (!is_numeric($donation)) {
    echo "fail";
} else if ($donation >= 1) { etc

这个PHP-API代码有什么问题吗？

1 个答案: