This is the fourth part of my ipn-security-check. I need you to check whether it is secure:
// Check number4 ---------------------------------------------------------
$product_id_string = $_POST['custom'];
$product_id_string = rtrim($product_id_string, ","); // remove last comma
// Explode string, make it an array; check payment !
$id_values = array();
$id_str_array = explode(",", $product_id_string);
$fullAmount = 0;
foreach ($id_str_array as $key => $value) {
    $id_quantity_pair = explode("-", $value);
    $product_id = $id_quantity_pair[0]; // Get the product ID
    // Get the quantity (0 if the "id-qty" pair has no dash, so the check below fails)
    $product_quantity = isset($id_quantity_pair[1]) ? $id_quantity_pair[1] : 0;
    if (1 != intval($product_quantity)) {
        // Somebody is manipulating the item's quantity
        $message = "Somebody is manipulating the item´s quantity";
        mail("me@myemail.de", "Quantity Hack", $message, "From: me@myemail.de");
        exit(); // semicolon was missing
    }
    // remember item's ID
    $id_values[$key] = intval($product_id);
}
$sql = 'SELECT price FROM products WHERE id IN (' . implode(',', $id_values) . ')';
$result = mysql_query($sql); // run the query first: mysql_fetch_array() needs a result resource, not the SQL string
while ($row = mysql_fetch_array($result)) {
    $fullAmount += $row["price"];
}
// no thousands separator, otherwise "1,000.00" * 100 below would not be 100000
$fullAmount = number_format($fullAmount, 2, '.', '');
if (isset($_POST['mc_gross'])) {
    $grossAmount = $_POST['mc_gross'];
} else {
    // braces added: without them only the assignment belonged to the else,
    // and the mail() and exit() below ran on every request
    $grossAmount = 0;
    $message = "grossAmount wurde = 0 gesetzt";
    mail("me@myemail.de", "grossAmout Hack", $message, "From: my@myemail.de");
    exit();
}
if (intval($fullAmount * 100) != intval($grossAmount * 100)) {
    // report the value that was actually compared (mc_gross), not payment_gross
    $message = "Possible Price Jack: " . $grossAmount . " != $fullAmount \n\n\n$req";
    mail("me@myemail.de", "Price Jack or Bad Programming", $message, "From: me@myemail.de");
    exit(); // exit script
}
Is this a good script for defeating price jacking? Should I change anything? If so, what? Regards and thanks.
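A hardened form of the same check, added here as an example and not the asker's code: it parses the `custom` field strictly, prices each listed item with a prepared statement (so a duplicated id is charged twice and an unknown id fails closed instead of silently lowering the total), and compares in integer cents. It assumes a hypothetical PDO connection in `$pdo` and that earlier parts of the script have already verified the IPN message with PayPal.

```php
<?php
// Added example, not the asker's code: a hardened form of "check number 4".
// Assumes $pdo is an open PDO connection (hypothetical) and that earlier parts
// of the script have already verified this IPN message with PayPal.

function expectedTotalCents(PDO $pdo, string $custom): ?int
{
    // Accept only "id-qty" pairs; anything else is rejected rather than guessed.
    $custom = rtrim($custom, ',');
    if (!preg_match('/^\d+-\d+(,\d+-\d+)*$/', $custom)) {
        return null;
    }
    $stmt  = $pdo->prepare('SELECT price FROM products WHERE id = ?');
    $total = 0;
    foreach (explode(',', $custom) as $pair) {
        [$id, $qty] = array_map('intval', explode('-', $pair, 2));
        if ($qty !== 1) {            // the shop only sells one unit per line item
            return null;
        }
        $stmt->execute([$id]);
        $price = $stmt->fetchColumn();
        $stmt->closeCursor();
        if ($price === false) {      // unknown product id: fail closed
            return null;
        }
        // Sum in integer cents so 19.99 does not suffer float rounding;
        // a duplicated id is priced twice, matching what the buyer listed.
        $total += (int) round((float) $price * 100);
    }
    return $total;
}

function alertAndStop(string $subject, string $body): void
{
    mail('me@myemail.de', $subject, $body, 'From: me@myemail.de');
    exit();
}

$gross = $_POST['mc_gross'] ?? null;
if ($gross === null || !is_numeric($gross)) {
    alertAndStop('grossAmount missing', "mc_gross missing or not numeric:\n" . print_r($_POST, true));
}
$expected = expectedTotalCents($pdo, $_POST['custom'] ?? '');
if ($expected === null) {
    alertAndStop('Quantity Hack', 'Rejected custom field: ' . ($_POST['custom'] ?? ''));
}
$paid = (int) round((float) $gross * 100);
if ($paid !== $expected) {
    alertAndStop('Price Jack or Bad Programming', "Possible price jack: paid $paid cents, expected $expected cents");
}
```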