【类型】：fix

【主题】：支付接口检查前端提交数据【描述】： [原因]：支付前从后端取数据检测提高安全性 [过程]： [影响]：【结束】 # 类型包含: # feat：新功能（feature） # fix：修补bug # docs：文档（documentation） # style：格式（不影响代码运行的变动） # refactor：重构（即不是新增功能，也不是修改bug的代码变动） # test：增加测试 # chore：构建过程或辅助工具的变动
2024-06-20 19:23:40 +08:00 · 2024-06-20 19:23:40 +08:00 · e561fae860
commit e561fae860
parent c6e2c03617
1 changed files with 19 additions and 1 deletions
--- a/FlyCube/Api/Controller/PayController.class.php
+++ b/FlyCube/Api/Controller/PayController.class.php
@ -53,8 +53,26 @@ class PayController extends PublicController

        //获取订单信息
        $where['order_sn'] = $_REQUEST['order_sn'];
+        $field = array('order_sn,shop_id,total_price,total_weight,openid');
+        $orderDb = D('order');
+        if ($order = $orderDb->where($where)->field($field)->find()) {
+            echo json_encode(array('status' => 0, 'msg' => '订单不存在'));
+            exit();
+        }
+        //订单检查
+        $whereShop['shop_id'] = $order['shop_id'];
+        $fieldShop = array('price_min', 'weight_max');
+        $shopDb = D('shop');
+        if ($shop = $shopDb->where($whereShop)->field($fieldShop)->find()) {
+            echo json_encode(array('status' => 0, 'msg' => '商铺不存在'));
+            exit();
+        }
+        if ($order['openid'] != $this->openid || (float)$order['total_price'] < (float)$shop['price_min'] || $order['total_weight'] > $shop['weight_max']) {
+            echo json_encode(array('status' => 0, 'msg' => '提交信息异常'));
+            exit();
+        }
+
        $orderDb = D('order');
-        $order = $orderDb->where($where)->find();
        //设置获取签名的订单参数
        $orderParameter = [
            'out_trade_no' => $order['order_sn'],