Vergara_Tech/ZGoPmtGwy
2
0
Fork 0
Code Issues Pull requests Projects Releases 6 Packages Wiki Activity

Harden plugin against SQL injection

Browse source
This commit is contained in:
Rene Vergara 2023-06-23 09:09:25 -05:00
parent c9b077f225
commit 0dd89a0e7f
Signed by: pitmutt
GPG key ID: 65122AD495A7F5B2
1 changed files with 49 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
zgopmtgwy.php
View file

@ -238,24 +238,26 @@ function zgopmt_init() {
// //
// Save ZGo Order ID and Cart order // Save ZGo Order ID and Cart order
// //
$sql = "replace into zgo_payments (" . $sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);',
"pmt_orderid," . $zgoOrderid, $order_id, $order-<get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total())
"pmt_wc_order," . //$sql = "replace into zgo_payments (" .
"pmt_wc_custname," . //"pmt_orderid," .
"pmt_accepted," . //"pmt_wc_order," .
"pmt_confirmed," . //"pmt_wc_custname," .
"pmt_amount," . //"pmt_accepted," .
"pmt_rate," . //"pmt_confirmed," .
"pmt_zec," . //"pmt_amount," .
"pmt_wc_paid) values ('" . //"pmt_rate," .
$zgoOrderid . "','" . //"pmt_zec," .
$order_id . "','" . //"pmt_wc_paid) values ('" .
$order->get_billing_first_name() . " " . //$zgoOrderid . "','" .
$order->get_billing_last_name() . "','" . //$order_id . "','" .
date('Y-m-d H:i:s') . "','',". //$order->get_billing_first_name() . " " .
$order->get_total() . //$order->get_billing_last_name() . "','" .
",0,0,0)"; //date('Y-m-d H:i:s') . "','',".
$wpdb->query($sql); //$order->get_total() .
//",0,0,0)";
$wpdb->query($sql3);
// Remove cart. // Remove cart.
WC()->cart->empty_cart(); WC()->cart->empty_cart();
@ -290,11 +292,12 @@ function zgopmt_init() {
$rate = $_GET['rate']; $rate = $_GET['rate'];
$order = wc_get_order( $orderid ); $order = wc_get_order( $orderid );
$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s;', $orderid);
//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
$result = $wpdb->get_row($sql,OBJECT); $result = $wpdb->get_row($sql,OBJECT);
if ( ! is_null($result) ) { if ( ! is_null($result) ) {
if ( ( $token == $this->zgotoken ) if ( ( hash('sha256', $token) == hash('sha256', $this->zgotoken) )
&& ( $result->pmt_orderid == $zgoOrderid ) && ( $result->pmt_orderid == $zgoOrderid )
&& ( $result->pmt_wc_paid == '0' ) ) { && ( $result->pmt_wc_paid == '0' ) ) {
switch ( $order->get_status() ) { switch ( $order->get_status() ) {
@ -305,25 +308,26 @@ function zgopmt_init() {
// //
// Mark order as completed in ZGo DB // Mark order as completed in ZGo DB
// //
$sql = "update zgo_payments set " . //$sql = "update zgo_payments set " .
"pmt_confirmed='" . date('Y-m-d H:i:s') . //"pmt_confirmed='" . date('Y-m-d H:i:s') .
"', pmt_rate=" . $rate . //"', pmt_rate=" . $rate .
", pmt_zec=" . $totalzec . //", pmt_zec=" . $totalzec .
", pmt_wc_paid=1 " . //", pmt_wc_paid=1 " .
" where pmt_wc_order='" . $orderid . "';"; //" where pmt_wc_order='" . $orderid . "';";
$wpdb->query($sql); $sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
$wpdb->query($sql2);
update_option('webhook_debug', $_GET); update_option('webhook_debug', $_GET);
break; break;
default: default:
// $this->console_log('Order ' . $orderid . ' already paid or cancelled...'); // $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
break; break;
} }
} else { } else {
// $this->console_log('Invalid parameters...'); // $this->console_log('Invalid parameters...');
} }
} else { } else {
// $this->console_log('Database error...'); // $this->console_log('Database error...');
} }
} }