From da4e020ad43c616814735fbb890c0efb2dc570a0 Mon Sep 17 00:00:00 2001
From: sszdot
Date: Wed, 8 Jan 2025 16:22:41 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90=E7=B1=BB=20=20=E5=9E=8B=E3=80=91?=
 =?UTF-8?q?=EF=BC=9Arefactor=20=E3=80=90=E5=8E=9F=20=20=E5=9B=A0=E3=80=91?=
 =?UTF-8?q?=EF=BC=9A=E5=88=9B=E5=BB=BA=E8=AE=A2=E5=8D=95=E6=8E=A5=E5=8F=A3?=
 =?UTF-8?q?=20=E6=B7=BB=E5=8A=A0=20=E7=94=A8=E6=88=B7=E4=B8=8B=E5=8D=95?=
 =?UTF-8?q?=E5=A4=87=E6=B3=A8=E5=AD=97=E6=AE=B5=20=E7=9A=84=E5=BD=95?=
 =?UTF-8?q?=E5=85=A5=20=E3=80=90=E8=BF=87=20=20=E7=A8=8B=E3=80=91=EF=BC=9A?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E7=94=A8=E6=88=B7=E5=A4=87=E6=B3=A8=E5=AD=97?=
 =?UTF-8?q?=E6=AE=B5=E7=9A=84=E5=BD=95=E5=85=A5=20=E5=B9=B6=E5=9C=A8?=
 =?UTF-8?q?=E6=AD=A4=E4=B9=8B=E5=89=8D=20=E8=BF=9B=E8=A1=8C=E6=8F=90?=
 =?UTF-8?q?=E4=BA=A4=E6=95=B0=E6=8D=AE=E7=9A=84=E6=A0=A1=E9=AA=8C=E5=90=88?=
 =?UTF-8?q?=E6=B3=95=E6=80=A7=E9=98=B2=E6=AD=A2=E6=81=B6=E6=84=8F=E6=94=BB?=
 =?UTF-8?q?=E5=87=BB=20=E3=80=90=E5=BD=B1=20=20=E5=93=8D=E3=80=91=EF=BC=9A?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 FlyCube/Api/Controller/CheckController.class.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/FlyCube/Api/Controller/CheckController.class.php b/FlyCube/Api/Controller/CheckController.class.php
index 3365a8f..1d36954 100644
--- a/FlyCube/Api/Controller/CheckController.class.php
+++ b/FlyCube/Api/Controller/CheckController.class.php
@@ -117,6 +117,14 @@ class CheckController extends PublicController
 exit(); //有问题跳出
 }
 
+ // 校验备注字段
+ $remark = isset($_REQUEST['remark']) ? $_REQUEST['remark'] : '';
+ if (mb_strlen($remark, 'UTF-8') > 35) { // 限制最多 35 个字
+ echo json_encode(array('status' => 0, 'msg' => '备注内容不能超过35个字'));
+ exit(); // 备注超长,终止执行
+ }
+ $remark = htmlspecialchars($remark, ENT_QUOTES, 'UTF-8'); // 进一步防止注入,处理非法字符(XSS 防护)
+
 // 创建订单
 $data['shop_id'] = $_REQUEST['shop_id'];
 $data['order_sn'] = date('y') . date('mdHi') . str_pad(mt_rand(1, 999), 3, '0', STR_PAD_LEFT);
@@ -124,6 +132,7 @@ class CheckController extends PublicController
 $data['total_price'] = $total_price;
 $data['transport_price'] = $_REQUEST['transport_price'];
 $data['pack_price'] = $_REQUEST['pack_price'];
+ $data['remark'] = $remark;
 $data['total_num'] = $total_num;
 $data['openid'] = $this->openid;
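Review bot: The `$remark = isset($_REQUEST['remark']) ? ... : ''` line accepts any request value, so a `remark[]=...` array parameter reaches `mb_strlen()`, which throws a TypeError on PHP 8 (and warns and yields null on PHP 7), turning the intended 400-style rejection into an uncontrolled error; guard the type as well, `$remark = isset($_REQUEST['remark']) && is_string($_REQUEST['remark']) ? $_REQUEST['remark'] : '';`. The `htmlspecialchars()` call on the following line is HTML-output escaping, not the injection protection its `进一步防止注入` comment implies: it does nothing for the later persistence of `$data` (whose query handling is not visible here and is what decides SQL safety), the stored value can exceed the 35 characters just checked and be double-escaped if the view escapes again, and without `ENT_SUBSTITUTE` an invalid-UTF-8 remark is silently replaced by `''` rather than rejected — prefer storing the raw validated string and escaping at output, or at least use `ENT_QUOTES | ENT_SUBSTITUTE` and reword the comment to say XSS-escaping only. The enclosing method begins before this hunk and continues past it; the second hunk only wires `$data['remark']` through and needs no change of its own.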