From 0dd89a0e7ff2e897bb3a97d6da2c05eb9b9abdbf Mon Sep 17 00:00:00 2001
From: Rene Vergara <rene@vergara.network>
Date: Fri, 23 Jun 2023 09:09:25 -0500
Subject: [PATCH] Harden plugin against SQL injection

---
 zgopmtgwy.php | 94 +++++++++++++++++++++++++++------------------------
 1 file changed, 49 insertions(+), 45 deletions(-)

diff --git a/zgopmtgwy.php b/zgopmtgwy.php
index d1d5d75..6a6326e 100644
--- a/zgopmtgwy.php
+++ b/zgopmtgwy.php
@@ -238,31 +238,33 @@ function zgopmt_init() {
 			        // 
 			        // Save ZGo Order ID and Cart order 
 			        //
-					$sql = "replace into zgo_payments (" .
-					      "pmt_orderid," .
-					      "pmt_wc_order," .
-					      "pmt_wc_custname," .
-					      "pmt_accepted," .
-					      "pmt_confirmed," .
-					      "pmt_amount," .
-					      "pmt_rate," .
-					      "pmt_zec," .
-					      "pmt_wc_paid) values ('" .
-                    	  $zgoOrderid . "','" .
-                    	  $order_id . "','" .
-                    	  $order->get_billing_first_name() . " " . 
-                    	  $order->get_billing_last_name() . "','" .
-                       	  date('Y-m-d H:i:s') . "','',".
-                     	  $order->get_total() . 
-                     	  ",0,0,0)";
-                    $wpdb->query($sql);
+					$sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);',
+						               $zgoOrderid, $order_id, $order-<get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total())
+					//$sql = "replace into zgo_payments (" .
+					      //"pmt_orderid," .
+					      //"pmt_wc_order," .
+					      //"pmt_wc_custname," .
+					      //"pmt_accepted," .
+					      //"pmt_confirmed," .
+					      //"pmt_amount," .
+					      //"pmt_rate," .
+					      //"pmt_zec," .
+					      //"pmt_wc_paid) values ('" .
+                              //$zgoOrderid . "','" .
+                              //$order_id . "','" .
+                              //$order->get_billing_first_name() . " " . 
+                              //$order->get_billing_last_name() . "','" .
+                                 //date('Y-m-d H:i:s') . "','',".
+                               //$order->get_total() . 
+                               //",0,0,0)";
+                                        $wpdb->query($sql3);
 
 					// Remove cart.
 					WC()->cart->empty_cart();
 
 					return array(
-					 	'result' => 'success',
-					    'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
+						'result' => 'success',
+						'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
 					);
 					break;
 				case 202:
@@ -290,40 +292,42 @@ function zgopmt_init() {
 			$rate = $_GET['rate'];
 			$order = wc_get_order( $orderid );
 
-			$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
+			$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s;', $orderid);
+			//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
 			$result = $wpdb->get_row($sql,OBJECT);
 			if ( ! is_null($result) ) {
 
-				if ( ( $token == $this->zgotoken )
-				     && ( $result->pmt_orderid == $zgoOrderid )
-				     && ( $result->pmt_wc_paid == '0' ) ) {      
+				if ( ( hash('sha256', $token) == hash('sha256', $this->zgotoken) )
+					&& ( $result->pmt_orderid == $zgoOrderid )
+					&& ( $result->pmt_wc_paid == '0' ) ) {      
 					switch ( $order->get_status() ) {
-						case 'pending':
-						case 'failed':
-							$order->payment_complete();
-							$order->reduce_order_stock();
-					      	// 
-					     	//  Mark order as completed in ZGo DB
-					      	//
-							$sql = "update zgo_payments set " .
-							   	"pmt_confirmed='" . date('Y-m-d H:i:s') . 
- 					      		"', pmt_rate=" . $rate . 
- 					      		", pmt_zec=" . $totalzec .
-							   	", pmt_wc_paid=1 " .
-							   	" where pmt_wc_order='" . $orderid . "';";
-		               		$wpdb->query($sql);	
+					case 'pending':
+					case 'failed':
+						$order->payment_complete();
+						$order->reduce_order_stock();
+						// 
+						//  Mark order as completed in ZGo DB
+						//
+						//$sql = "update zgo_payments set " .
+							//"pmt_confirmed='" . date('Y-m-d H:i:s') . 
+							//"', pmt_rate=" . $rate . 
+                                                        //", pmt_zec=" . $totalzec .
+                                                        //", pmt_wc_paid=1 " .
+							//" where pmt_wc_order='" . $orderid . "';";
+						$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
+						$wpdb->query($sql2);	
 
-							update_option('webhook_debug', $_GET);
-							break;
-						default:
-//						   $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
-						   break;
+						update_option('webhook_debug', $_GET);
+						break;
+					default:
+						//						   $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
+						break;
 					} 
 				} else {
-//					$this->console_log('Invalid parameters...');
+					//					$this->console_log('Invalid parameters...');
 				}
 			} else {
-//				$this->console_log('Database error...');
+				//				$this->console_log('Database error...');
 			}	
 		}