Is anything wrong with this PHP-API code?


I've been getting an internal server error message, and I don't know what's wrong. Can you please tell me what's wrong with this? I wrote `code` for $client_id and $client_secret for security purposes.

<?php
// Assumed: $db_conx is the mysqli connection opened by an include that is not shown in the post.
if (isset($_POST['donation']) && isset($_POST['owner']) && isset($_POST['title'])) {
    $owner    = $_POST['owner'];
    $donation = $_POST['donation'];
    $title    = $_POST['title'];

    if ($donation == "") {
        echo "fail";
    } else if ($donation >= 1 && $donation != "" && is_numeric($donation)) {
        // User-controlled $owner is interpolated straight into the SQL (not parameterised)
        $sql = "SELECT * FROM users WHERE username='$owner' AND activated='1' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
            $access_token = $row["access"];
            $account_id   = $row["account_id"];
        }

        require 'wepay.php';

        // Application settings (real values replaced with the placeholder "code" in the post)
        $client_id     = "code";
        $client_secret = "code";

        // Change to useProduction for live environments
        WePay::useStaging($client_id, $client_secret);

        $wepay = new WePay($access_token);

        // Create checkout
        $response = $wepay->request('checkout/create', array(
            'account_id'        => $account_id,
            'amount'            => ''.$donation.'',
            'short_description' => ''.$title.'',
            'type'              => 'donation'
        ));
        echo "all_good";

        // Display response
        print_r($response);
    } else {
        echo "unknown";
    }
}
?>

You wrote "security purposes"? Read up on mysqli and parameters: this is sensitive to SQL injection:

$sql = "SELECT * FROM users WHERE username='$owner' AND activated='1' LIMIT 1";

should be:

$sql = "SELECT * FROM users WHERE username=? AND activated='1' LIMIT 1";
$query = mysqli_prepare($db_conx, $sql);
$query->bind_param("s", $owner);
$query->execute();

(see http://php.net/manual/en/mysqli.quickstart.prepared-statements.php for more examples).

if ($donation == "") {     echo "fail"; } else if ($donation >= 1 && $donation != "" && is_numeric($donation)) 

could be:

if (!is_numeric($donation)) {
    echo "fail";
} else if ($donation >= 1) {
    etc
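Putting the answer's two points together, here is an added example of the whole handler rewritten; it is not code from the question or the answer. It assumes $db_conx is an open mysqli connection (as in the post), a `users` table with the columns the post reads (username, activated, access, account_id), and the WePay SDK classes the question already uses. The lookup binds $owner as a string ("s", not "i", since a username is text), the amount check rejects anything that is not a plain decimal of at least 1, and mysqli is switched to throwing errors so a failed prepare or execute is written to the server log with a real message instead of surfacing only as a blank 500.

```php
<?php
// Added example (not from the question or the answer). Assumes $db_conx is an
// open mysqli connection and a `users` table with columns username, activated,
// access and account_id, as read by the original post.
declare(strict_types=1);

// Make mysqli throw on errors: a failed prepare/execute then reaches the catch
// block below and is logged, instead of appearing only as a bare 500.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Validate the donation amount: a plain decimal with at most two fractional
 * digits and a value of at least 1. Returns the normalised amount, or null.
 */
function validate_donation($raw): ?string
{
    if (!is_string($raw) || !preg_match('/^\d+(\.\d{1,2})?$/', $raw)) {
        return null;
    }
    if ((float) $raw < 1) {
        return null;
    }
    return number_format((float) $raw, 2, '.', '');
}

/**
 * Look up an activated user's WePay credentials with a prepared statement.
 * $owner is bound as a string, so its contents can never alter the SQL text.
 * Returns ['access' => ..., 'account_id' => ...] or null when no row matches.
 */
function find_activated_user(mysqli $db, string $owner): ?array
{
    $stmt = $db->prepare(
        "SELECT access, account_id FROM users WHERE username = ? AND activated = '1' LIMIT 1"
    );
    $stmt->bind_param('s', $owner);
    $stmt->execute();
    $stmt->bind_result($access, $accountId);   // bind_result keeps this free of mysqlnd
    $row = $stmt->fetch() ? ['access' => $access, 'account_id' => $accountId] : null;
    $stmt->close();
    return $row;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['donation'], $_POST['owner'], $_POST['title'])) {
    http_response_code(400);
    echo "unknown";
    exit;
}

$donation = validate_donation($_POST['donation']);
if ($donation === null) {
    echo "fail";
    exit;
}

try {
    $user = find_activated_user($db_conx, (string) $_POST['owner']);
} catch (mysqli_sql_exception $e) {
    error_log('user lookup failed: ' . $e->getMessage()); // details to the log, not the client
    http_response_code(500);
    echo "unknown";
    exit;
}
if ($user === null) {
    echo "unknown";
    exit;
}

require 'wepay.php';
WePay::useStaging("code", "code");   // placeholders, as in the question; useProduction for live
$wepay = new WePay($user['access']);
$response = $wepay->request('checkout/create', array(
    'account_id'        => $user['account_id'],
    'amount'            => $donation,
    'short_description' => (string) $_POST['title'],
    'type'              => 'donation',
));
echo "all_good";
print_r($response);
```

The validation is deliberately stricter than is_numeric(), which also accepts values such as "1e3" or " 5" that you would not want forwarded as a payment amount; if the checkout API expects a different amount format, adjust the regular expression rather than loosening the check.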
