Harden plugin against SQL injection
This commit is contained in:
parent
c9b077f225
commit
0dd89a0e7f
1 changed files with 49 additions and 45 deletions
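--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -238,31 +238,33 @@ function zgopmt_init() {
 //
 // Save ZGo Order ID and Cart order
 //
-$sql = "replace into zgo_payments (" .
-"pmt_orderid," .
-"pmt_wc_order," .
-"pmt_wc_custname," .
-"pmt_accepted," .
-"pmt_confirmed," .
-"pmt_amount," .
-"pmt_rate," .
-"pmt_zec," .
-"pmt_wc_paid) values ('" .
-$zgoOrderid . "','" .
-$order_id . "','" .
-$order->get_billing_first_name() . " " .
-$order->get_billing_last_name() . "','" .
-date('Y-m-d H:i:s') . "','',".
-$order->get_total() .
-",0,0,0)";
-$wpdb->query($sql);
+$sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);',
+$zgoOrderid, $order_id, $order-<get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total())
+//$sql = "replace into zgo_payments (" .
+//"pmt_orderid," .
+//"pmt_wc_order," .
+//"pmt_wc_custname," .
+//"pmt_accepted," .
+//"pmt_confirmed," .
+//"pmt_amount," .
+//"pmt_rate," .
+//"pmt_zec," .
+//"pmt_wc_paid) values ('" .
+//$zgoOrderid . "','" .
+//$order_id . "','" .
+//$order->get_billing_first_name() . " " .
+//$order->get_billing_last_name() . "','" .
+//date('Y-m-d H:i:s') . "','',".
+//$order->get_total() .
+//",0,0,0)";
+$wpdb->query($sql3);
 
 // Remove cart.
 WC()->cart->empty_cart();
 
 return array(
 'result' => 'success',
 'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
 );
 break;
 case 202:
@@ -290,40 +292,42 @@ function zgopmt_init() {
 $rate = $_GET['rate'];
 $order = wc_get_order( $orderid );
 
-$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
+$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s;', $orderid);
+//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
 $result = $wpdb->get_row($sql,OBJECT);
 if ( ! is_null($result) ) {
 
-if ( ( $token == $this->zgotoken )
+if ( ( hash('sha256', $token) == hash('sha256', $this->zgotoken) )
 && ( $result->pmt_orderid == $zgoOrderid )
 && ( $result->pmt_wc_paid == '0' ) ) {
 switch ( $order->get_status() ) {
 case 'pending':
 case 'failed':
 $order->payment_complete();
 $order->reduce_order_stock();
 //
 // Mark order as completed in ZGo DB
 //
-$sql = "update zgo_payments set " .
-"pmt_confirmed='" . date('Y-m-d H:i:s') .
-"', pmt_rate=" . $rate .
-", pmt_zec=" . $totalzec .
-", pmt_wc_paid=1 " .
-" where pmt_wc_order='" . $orderid . "';";
-$wpdb->query($sql);
+//$sql = "update zgo_payments set " .
+//"pmt_confirmed='" . date('Y-m-d H:i:s') .
+//"', pmt_rate=" . $rate .
+//", pmt_zec=" . $totalzec .
+//", pmt_wc_paid=1 " .
+//" where pmt_wc_order='" . $orderid . "';";
+$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
+$wpdb->query($sql2);
 
 update_option('webhook_debug', $_GET);
 break;
 default:
 // $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
 break;
 }
 } else {
 // $this->console_log('Invalid parameters...');
 }
 } else {
 // $this->console_log('Database error...');
 }
 }
 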
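Review bot: The new `$sql3` statement in the first hunk does not parse as rendered: its argument line reads `$order-<get_billing_first_name()` where `->` is intended, and that line ends with `$order->get_total())` with no terminating `;` before the commented-out block, so the plugin would fail at load until the line becomes `$zgoOrderid, $order_id, $order->get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total());`. In the second hunk the token check now hashes both sides but still compares the digests with `==`, which is neither constant-time nor strict; the idiomatic form is `if ( ( hash_equals(hash('sha256', $this->zgotoken), hash('sha256', $token)) )`. The old concatenated SQL survives only as commented-out lines in both hunks; since the `$wpdb->prepare()` calls replace it, those lines should be deleted rather than carried along. The enclosing `zgopmt_init()` and the `switch` that these `case` labels belong to start before the first hunk.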