Harden plugin against SQL injection

2023-06-23 09:09:25 -05:00 · 2023-06-23 09:09:25 -05:00 · 0dd89a0e7f
parent c9b077f225
commit 0dd89a0e7f
1 changed files with 49 additions and 45 deletions
--- a/zgopmtgwy.php
+++ b/zgopmtgwy.php
@ -238,31 +238,33 @@ function zgopmt_init() {
 			        // 
 			        // Save ZGo Order ID and Cart order 
 			        //
-					$sql = "replace into zgo_payments (" .
+					$sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);',
-					      "pmt_orderid," .
+						               $zgoOrderid, $order_id, $order-<get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total())
-					      "pmt_wc_order," .
+					//$sql = "replace into zgo_payments (" .
-					      "pmt_wc_custname," .
+					      //"pmt_orderid," .
-					      "pmt_accepted," .
+					      //"pmt_wc_order," .
-					      "pmt_confirmed," .
+					      //"pmt_wc_custname," .
-					      "pmt_amount," .
+					      //"pmt_accepted," .
-					      "pmt_rate," .
+					      //"pmt_confirmed," .
-					      "pmt_zec," .
+					      //"pmt_amount," .
-					      "pmt_wc_paid) values ('" .
+					      //"pmt_rate," .
-                    	  $zgoOrderid . "','" .
+					      //"pmt_zec," .
-                    	  $order_id . "','" .
+					      //"pmt_wc_paid) values ('" .
-                    	  $order->get_billing_first_name() . " " . 
+                              //$zgoOrderid . "','" .
-                    	  $order->get_billing_last_name() . "','" .
+                              //$order_id . "','" .
-                       	  date('Y-m-d H:i:s') . "','',".
+                              //$order->get_billing_first_name() . " " . 
-                     	  $order->get_total() . 
+                              //$order->get_billing_last_name() . "','" .
-                     	  ",0,0,0)";
+                                 //date('Y-m-d H:i:s') . "','',".
-                    $wpdb->query($sql);
+                               //$order->get_total() . 
                               //",0,0,0)";
                                        $wpdb->query($sql3);
 					// Remove cart.
 					WC()->cart->empty_cart();
 					return array(
-					 	'result' => 'success',
+						'result' => 'success',
-					    'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
+						'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid,
 					);
 					break;
 				case 202:
@ -290,40 +292,42 @@ function zgopmt_init() {
 			$rate = $_GET['rate'];
 			$order = wc_get_order( $orderid );
-			$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
+			$sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s;', $orderid);
 			//$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';";
 			$result = $wpdb->get_row($sql,OBJECT);
 			if ( ! is_null($result) ) {
-				if ( ( $token == $this->zgotoken )
+				if ( ( hash('sha256', $token) == hash('sha256', $this->zgotoken) )
-				     && ( $result->pmt_orderid == $zgoOrderid )
+					&& ( $result->pmt_orderid == $zgoOrderid )
-				     && ( $result->pmt_wc_paid == '0' ) ) {      
+					&& ( $result->pmt_wc_paid == '0' ) ) {      
 					switch ( $order->get_status() ) {
-						case 'pending':
+					case 'pending':
-						case 'failed':
+					case 'failed':
-							$order->payment_complete();
+						$order->payment_complete();
-							$order->reduce_order_stock();
+						$order->reduce_order_stock();
-					      	// 
+						// 
-					     	//  Mark order as completed in ZGo DB
+						//  Mark order as completed in ZGo DB
-					      	//
+						//
-							$sql = "update zgo_payments set " .
+						//$sql = "update zgo_payments set " .
-							   	"pmt_confirmed='" . date('Y-m-d H:i:s') . 
+							//"pmt_confirmed='" . date('Y-m-d H:i:s') . 
- 					      		"', pmt_rate=" . $rate . 
+							//"', pmt_rate=" . $rate . 
- 					      		", pmt_zec=" . $totalzec .
+                                                        //", pmt_zec=" . $totalzec .
-							   	", pmt_wc_paid=1 " .
+                                                        //", pmt_wc_paid=1 " .
-							   	" where pmt_wc_order='" . $orderid . "';";
+							//" where pmt_wc_order='" . $orderid . "';";
-		               		$wpdb->query($sql);	
+						$sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid );
 						$wpdb->query($sql2);	
-							update_option('webhook_debug', $_GET);
+						update_option('webhook_debug', $_GET);
-							break;
+						break;
-						default:
+					default:
-//						   $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
+						//						   $this->console_log('Order ' . $orderid . ' already paid or cancelled...');
-						   break;
+						break;
 					} 
 				} else {
-//					$this->console_log('Invalid parameters...');
+					//					$this->console_log('Invalid parameters...');
 				}
 			} else {
-//				$this->console_log('Database error...');
+				//				$this->console_log('Database error...');
 			}	
 		}