Ref. https://phppot.com/php/one-page-checkout-script-free-with-example-template-in-php/#about-this-example
Review
The code is overly complex
There are too many files
There are many vulnerabilities
Vulnerabilities
John
March 27, 2020 at 6:04 am
You really need to sanitize the incoming POST variables.
Your code is too vulnerable now; one could easily add a ' and get out of the variable.
Use filter_var to sanitize them.
https://www.php.net/manual/en/function.filter-var.php
The code owner's reply
Vincy
March 28, 2020 at 11:05 pm
Yes John, I agree with you. All the POST input variables should be sanitized. These were written in a hurry to showcase the checkout flow alone. I have not invested time in the security side as it is not meant for production directly. But I agree with you that the input should be sanitized. I may have to add CSRF tokens and then XSS sanitization and a lot more. But it will amount to building a full-fledged application. Hope you get the point.
Code of interest
<?php
session_start();
// The order number is created only when the checkout button was posted.
// There is no CSRF token, so any cross-site form post reaches this branch.
// rand(100, 999) is a non-cryptographic PRNG with only 900 possible values:
// order numbers are guessable and will collide after a few hundred orders.
if (isset($_POST["checkout-btn"])) {
    $order_number = rand(100, 999);
}
?>
<!-- action="" posts back to this same page; checkout() is a client-side JS validator not shown in the excerpt -->
<form name="one-page-checkout-form" id="one-page-checkout-form" action="" method="post" onsubmit="return checkout()">
<?php if (!empty($order_number)) { ?>
Your order number is <?php echo $order_number; ?>.
<span class="btn-message-close" onclick="this.parentElement.style.display='none';" title="Close">×</span>
<?php } ?>
<!-- the remaining form fields are not part of the excerpt -->
</form>
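A hardened rewrite of the handler above, added here as an example; it is not code from the phppot script or from Vincy. It applies the three points raised in the comments: every POST field goes through filter_var (or an explicit length/character check) before use, a per-session CSRF token is required and compared with hash_equals, and everything echoed back into HTML is escaped. It also replaces rand(100, 999) with random_bytes. The field names (email, name, quantity), the in-memory SQLite table and the PDO insert are assumptions for the demonstration: the original page shows no database code, and the prepared statement is there to show how a quote in user input stays inside a bound value instead of ending the SQL string, which is the break-out John describes. The client-side checkout() function is left out because the page does not show it. Requires PHP 7.1+ with pdo_sqlite.

```php
<?php
// Added example, not from the original checkout script. Assumptions: PHP 7.1+,
// session cookies enabled, pdo_sqlite available. The in-memory database is
// recreated on every request and exists only to make the block self-contained.
declare(strict_types=1);
session_start();

// CSRF token: generated once per session, checked with a constant-time compare.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Validate each POST field with filter_var; nothing from $_POST is used raw.
// Returns [clean values, list of failed field names].
function validate_checkout(array $post): array {
    $errors = [];
    $clean  = [];

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors[] = 'email'; } else { $clean['email'] = $email; }

    $qty = filter_var($post['quantity'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) { $errors[] = 'quantity'; } else { $clean['quantity'] = $qty; }

    // Free text (hypothetical "name" field): trim, cap the length, reject control
    // characters. Quotes are allowed; they are neutralised by binding and escaping.
    $name = trim((string)($post['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100 || preg_match('/[\x00-\x1F\x7F]/u', $name)) {
        $errors[] = 'name';
    } else {
        $clean['name'] = $name;
    }
    return [$clean, $errors];
}

// Order number from the CSPRNG instead of rand(100, 999): unguessable and
// effectively collision-free (64 random bits).
function new_order_number(): string {
    return bin2hex(random_bytes(8));
}

// Escape everything that is written back into HTML.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$order_number = null;
$errors = [];
if (isset($_POST['checkout-btn'])) {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    [$clean, $errors] = validate_checkout($_POST);
    if (!$errors) {
        $order_number = new_order_number();
        // Constructed in-memory store; a real script would use its own database.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE orders (number TEXT PRIMARY KEY, email TEXT, name TEXT, qty INTEGER)');
        // Prepared statement: a ' in $clean['name'] is data in a bound parameter,
        // not part of the SQL, so it cannot "get out of the variable".
        $stmt = $pdo->prepare('INSERT INTO orders (number, email, name, qty) VALUES (?, ?, ?, ?)');
        $stmt->execute([$order_number, $clean['email'], $clean['name'], $clean['quantity']]);
    }
}
?>
<form name="one-page-checkout-form" id="one-page-checkout-form" action="" method="post">
<input type="hidden" name="csrf" value="<?php echo e(csrf_token()); ?>">
<?php if ($order_number !== null) { ?>
Your order number is <?php echo e($order_number); ?>.
<?php } elseif ($errors) { ?>
Please check: <?php echo e(implode(', ', $errors)); ?>.
<?php } ?>
<input type="email" name="email"> <input type="text" name="name"> <input type="number" name="quantity">
<button type="submit" name="checkout-btn">Checkout</button>
</form>
```

Two design notes. filter_var is used in its validating form (FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_INT) so bad input is rejected rather than silently rewritten; stripping characters out of a string is not what protects the database or the page, binding parameters and escaping on output is. The CSRF check runs before validation so a forged cross-site post is rejected at the cheapest point, and the token comparison uses hash_equals to avoid a timing side channel.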