diff --git a/FlyCube/MpApi/Controller/PlaneController.class.php b/FlyCube/MpApi/Controller/PlaneController.class.php
index 2f47aeb..91c1a3f 100644
--- a/FlyCube/MpApi/Controller/PlaneController.class.php
+++ b/FlyCube/MpApi/Controller/PlaneController.class.php
@@ -523,30 +523,43 @@ class PlaneController extends PublicController
 */
 public function setNoflyData()
 {
- if ($this->tokenShop_id != C('powerId')) { // 非总管理员
- $where['shop_id'] = $this->tokenShop_id;
+ // 判断 shop_id 参数是否存在且合法
+ if ($this->tokenShop_id != C('powerId')) { // 非总管理员,shop_id只能用token的
+ $shopId = $this->tokenShop_id;
 } else {
- $where['shop_id'] = I('post.shop_id'); // 总管理员可指定 shop_id,使用I函数更安全
+ $shopId = I('post.shop_id');
+ if (empty($shopId) || !is_numeric($shopId)) {
+ $this->ajaxReturn(['status' => 0, 'msg' => '缺少或非法的shop_id参数']);
+ exit;
+ }
 }
- // 接收前端传来的禁飞区数据和限制飞区数据,预期是json字符串
- $noflyData = I('post.nofly_data', '[]'); // 默认空数组json字符串
+ // 接收禁飞区和限制飞区数据,默认空数组json字符串
+ $noflyData = I('post.nofly_data', '[]');
 $restrictFlyData = I('post.restrictfly_data', '[]');
- // 验证数据是否是合法JSON字符串,这里简单判断,也可以更严谨
- if (!is_string($noflyData) || !is_string($restrictFlyData)) {
- $this->ajaxReturn(['status' => 0, 'msg' => '传入数据格式错误']);
- return;
+ // 校验传入数据是否为合法的JSON字符串
+ if (!is_string($noflyData) || json_decode($noflyData) === null) {
+ $this->ajaxReturn(['status' => 0, 'msg' => 'nofly_data参数不是合法的JSON字符串']);
+ exit;
+ }
+ if (!is_string($restrictFlyData) || json_decode($restrictFlyData) === null) {
+ $this->ajaxReturn(['status' => 0, 'msg' => 'restrictfly_data参数不是合法的JSON字符串']);
+ exit;
 }
 $noflyDb = D('nofly');
+ $where = ['shop_id' => $shopId];
+
+ $data = [
+ 'nofly_data' => $noflyData,
+ 'restrictfly_data' => $restrictFlyData,
+ ];
+
 // 查询是否已有禁飞区数据
 $exist = $noflyDb->where($where)->find();
- $data['nofly_data'] = $noflyData;
- $data['restrictfly_data'] = $restrictFlyData;
-
 if ($exist) { // 更新
 $result = $noflyDb->where($where)->save($data);
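Review bot: The JSON checks on the two added `if` lines only reject syntax errors and the literal `null`, so a bare number, a quoted string or `{}` passes and is then persisted raw as zone data; since both defaults are `'[]'` the intended shape is a list, so validate that instead, e.g. `if (!is_string($noflyData) || !is_array(json_decode($noflyData, true))) {` and the same for `$restrictFlyData`. In the admin branch `is_numeric` also accepts floats, exponent notation and leading whitespace; `if (!ctype_digit((string) $shopId)) {` followed by `$shopId = (int) $shopId;` pins the value to an integer id before it reaches `$where` and the later insert. The role check `$this->tokenShop_id != C('powerId')` is a loose comparison; if either side can be a non-numeric string on pre-8 PHP, a strict `!==` on explicitly cast values would be safer — this depends on how tokenShop_id is populated, which is outside the hunk. setNoflyData's body continues past the end of this hunk; the second hunk only substitutes `$shopId` and needs no change.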
@@ -557,7 +570,7 @@ class PlaneController extends PublicController
 }
 } else { // 插入
- $data['shop_id'] = $where['shop_id'];
+ $data['shop_id'] = $shopId;
 $insertId = $noflyDb->add($data);
 if ($insertId) {
 $this->ajaxReturn(['status' => 1, 'msg' => '禁飞区数据保存成功']);