From e561fae86013cbd6de9db8dfffdbe8b7b03b5a00 Mon Sep 17 00:00:00 2001
From: tk
Date: Thu, 20 Jun 2024 19:23:40 +0800
Subject: [PATCH] =?UTF-8?q?=E3=80=90=E7=B1=BB=09=E5=9E=8B=E3=80=91?= =?UTF-8?q?=EF=BC=9Afix=20=E3=80=90=E4=B8=BB=09=E9=A2=98=E3=80=91=EF=BC=9A?= =?UTF-8?q?=E6=94=AF=E4=BB=98=E6=8E=A5=E5=8F=A3=20=E6=A3=80=E6=9F=A5?= =?UTF-8?q?=E5=89=8D=E7=AB=AF=E6=8F=90=E4=BA=A4=E6=95=B0=E6=8D=AE=20?= =?UTF-8?q?=E3=80=90=E6=8F=8F=09=E8=BF=B0=E3=80=91=EF=BC=9A=20=09[?= =?UTF-8?q?=E5=8E=9F=E5=9B=A0]=EF=BC=9A=E6=94=AF=E4=BB=98=E5=89=8D=20?= =?UTF-8?q?=E4=BB=8E=E5=90=8E=E7=AB=AF=E5=8F=96=E6=95=B0=E6=8D=AE=E6=A3=80?= =?UTF-8?q?=E6=B5=8B=20=E6=8F=90=E9=AB=98=E5=AE=89=E5=85=A8=E6=80=A7=20=09?= =?UTF-8?q?[=E8=BF=87=E7=A8=8B]=EF=BC=9A=20=09[=E5=BD=B1=E5=93=8D]?= =?UTF-8?q?=EF=BC=9A=20=E3=80=90=E7=BB=93=09=E6=9D=9F=E3=80=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
# 类型 包含: # feat:新功能(feature) # fix:修补bug # docs:文档(documentation) # style: 格式(不影响代码运行的变动) # refactor:重构(即不是新增功能,也不是修改bug的代码变动) # test:增加测试 # chore:构建过程或辅助工具的变动
---
 .../Api/Controller/PayController.class.php | 20 ++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/FlyCube/Api/Controller/PayController.class.php b/FlyCube/Api/Controller/PayController.class.php
index f7a7b7d..f44a5a3 100644
--- a/FlyCube/Api/Controller/PayController.class.php
+++ b/FlyCube/Api/Controller/PayController.class.php
@@ -53,8 +53,26 @@ class PayController extends PublicController //获取订单信息 $where['order_sn'] = $_REQUEST['order_sn']; + $field = array('order_sn,shop_id,total_price,total_weight,openid'); + $orderDb = D('order'); + if ($order = $orderDb->where($where)->field($field)->find()) { + echo json_encode(array('status' => 0, 'msg' => '订单不存在')); + exit(); + } + //订单检查 + $whereShop['shop_id'] = $order['shop_id']; + $fieldShop = array('price_min', 'weight_max'); + $shopDb = D('shop'); + if ($shop = $shopDb->where($whereShop)->field($fieldShop)->find()) { + echo json_encode(array('status' => 0, 'msg' => '商铺不存在')); + exit(); + } + if ($order['openid'] != $this->openid || (float)$order['total_price'] < (float)$shop['price_min'] || $order['total_weight'] > $shop['weight_max']) { + echo json_encode(array('status' => 0, 'msg' => '提交信息异常')); + exit(); + } + $orderDb = D('order'); - $order = $orderDb->where($where)->find(); //设置获取签名的订单参数 $orderParameter = [ 'out_trade_no' => $order['order_sn'],
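Review bot: Both existence guards are inverted: `if ($order = $orderDb->where($where)->field($field)->find())` and the matching `if ($shop = ...->find())` send the "not found" response when the row is found, so every valid order is rejected, while a missing order or shop falls through to the comparison with `$order`/`$shop` empty. Negate them, e.g. `if (!($order = $orderDb->where($where)->field($field)->find())) {` and the same for `$shop`. On that fall-through path the ownership test uses loose `!=`, so if `$this->openid` is ever empty, an empty `$order['openid']` compares equal, the price and weight tests are false as well, and the request continues to the signing code. Comparing with `(string)$order['openid'] !== (string)$this->openid` and rejecting an empty `$this->openid` explicitly would make the guard fail closed. The enclosing method starts and ends outside the hunk, so how `$order` is used after `$orderParameter` is not visible here.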