Is anything wrong with this PHP-API code? -
i've been getting internal server error message , don't know what's wrong. can please tell me what's wrong this? wrote code $client_id , $client_secret security purposes.
<?php if (isset($_post['donation']) && isset($_post['owner']) && isset($_post['title'])) { $owner = $_post['owner']; $donation = $_post['donation']; $title = $_post['title']; if ($donation == "") { echo "fail"; } else if ($donation >= 1 && $donation != "" && is_numeric($donation)) { $sql = 'select * users username="$owner" , activated="1" limit 1'; $query = mysqli_query($db_conx, $sql); while ($row = mysqli_fetch_array($query, mysqli_assoc)) { $access_token = $row["access"]; $account_id = $row["account_id"]; } require 'wepay.php'; // application settings $client_id = code; $client_secret = "code"; // change useproduction live environments wepay::usestaging($client_id, $client_secret); $wepay = new wepay($access_token); // create checkout $response = $wepay->request('checkout/create', array( 'account_id' => $account_id, 'amount' => ''.$donation.'', 'short_description' => ''.$title.'', 'type' => 'donation' )); echo "all_good"; // display response print_r($response); } else { echo "unknown"; } } ?>
you wrote security purposes? read on mysqli , parameters: is sensitive sql injection:
$sql = 'select * users username="$owner" , activated="1" limit 1';
should be: $sql = 'select * users username=? , activated="1" limit 1'; $query = mysqli_prepare($sql); $query->bind_param("i",$owner);
(see http://php.net/manual/en/mysqli.quickstart.prepared-statements.php more examples).
if ($donation == "") { echo "fail"; } else if ($donation >= 1 && $donation != "" && is_numeric($donation))
could be:
if (!is_numeric($donation)) { echo "fail"; } else if ($donation >= 1) { etc
Comments
Post a Comment