From ab08d12f2b0acf986173319a39706544512d3dec Mon Sep 17 00:00:00 2001
From: "Rene V. Vergara"
Date: Tue, 19 Sep 2023 16:58:49 -0500
Subject: [PATCH] Fix Bugs C,D,E from auditing report
---
 assets/php/zpmt-stats-page.php | 39 +++++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 15 deletions(-)
diff --git a/assets/php/zpmt-stats-page.php b/assets/php/zpmt-stats-page.php
index da96779..a02f54c 100644
--- a/assets/php/zpmt-stats-page.php
+++ b/assets/php/zpmt-stats-page.php
@@ -46,11 +46,13 @@ class zpmt_stats_page {
 $this->_npages++;
 }
- $sql = 'insert into zgo_pmtlst (pg_ix,pg_page,pg_npages,pg_offset,pg_limit) values (1,' .
- $this->_page . ',' .
- $this->_npages . ',' .
- $this->_offset . ',' .
- $this->_limit .')';
+// $sql = 'insert into zgo_pmtlst (pg_ix,pg_page,pg_npages,pg_offset,pg_limit) values (1,' .
+// $this->_page . ',' .
+// $this->_npages . ',' .
+// $this->_offset . ',' .
+// $this->_limit .')';
+
+ $sql = $wpdb->prepare('insert into zgo_pmtlst (pg_ix,pg_page,pg_npages,pg_offset,pg_limit) values (1,%d,%d,%d,%d);',$this->_page,$this->_npages,$this->_offset,$this->_limit);
 $wpdb->query($sql);
 } else {
 // Load last state
@@ -67,7 +69,10 @@ class zpmt_stats_page {
 if ( $this->_nrows > ($this->_npages*$this->_limit) ) {
 $this->_npages++;
 }
- $sql = 'update zgo_pmtlst set pg_npages=' . $this->_npages . ' where pg_ix=1';
+
+// $sql = 'update zgo_pmtlst set pg_npages=' . $this->_npages . ' where pg_ix=1';
+
+ $sql = $wpdb->prepare('update zgo_pmtlst set pg_npages=%d where pg_ix=1;',$this->_npages);
 $wpdb->query($sql);
 }
 }
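Review bot: The five replaced concatenation lines in the `@@ -46` hunk are kept as `//` commented-out code rather than deleted, and the same pattern is repeated in the `@@ -67` hunk and the `@@ -149` hunk. Version control already preserves the old string-built statements, so the comment blocks only obscure the live `$wpdb->prepare()` call and make it easy for someone to uncomment the unparameterised query later; drop the `//` lines together with the empty `+` lines around them. Separately, the return value of `$wpdb->query($sql)` is ignored in both hunks, so a failed insert or update of the list state goes unnoticed; something like `if ($wpdb->query($sql) === false) { error_log('zgo_pmtlst write failed: ' . $wpdb->last_error); }` would surface it. Both hunks lie inside a method whose start is outside the hunk.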
@@ -149,9 +154,13 @@ class zpmt_stats_page {
 //
 // Save new list state
 //
- $sql = 'update zgo_pmtlst set pg_page=' . $this->_page .
- ', pg_npages=' . $this->_npages .
- ', pg_offset=' . $this->_offset . ' where pg_ix=1;';
+
+// $sql = 'update zgo_pmtlst set pg_page=' . $this->_page .
+// ', pg_npages=' . $this->_npages .
+// ', pg_offset=' . $this->_offset . ' where pg_ix=1;';
+
+ $sql = $wpdb->prepare('update zgo_pmtlst set pg_page=%d, pg_npages= %d, pg_offset=%d where pg_ix=1;',$this->_page,$this->_npages,$this->_offset);
 $wpdb->query($sql);
 }
@@ -233,14 +242,14 @@ class zpmt_stats_page {
 }
 $line++;
 print '' . htmlentities($row->pmt_orderid, ENT_QUOTES) . "";
- print "" . $row->pmt_wc_order . "";
+ print "" . htmlwntities($row->pmt_wc_order,ENT_QUOTES) . "";
 print "" . htmlentities($row->pmt_wc_custname, ENT_QUOTES) . "";
- print ''. $row->pmt_accepted . "";
- print ''.$row->pmt_confirmed ."";
+ print ''. htmlentities($row->pmt_accepted,ENT_QUOTES) . "";
+ print ''.htmlentities($row->pmt_confirmed,ENT_QUOTES) ."";
 print ''. number_format($row->pmt_amount,2) . "";
 print ''. number_format($row->pmt_rate,2) . "";
 print ''. number_format($row->pmt_zec,8) . "";
- print ''.$row->pmt_wc_paid ."";
+ print ''. htmlentities($row->pmt_wc_paid,ENT_QUOTES) ."";
 }
 ?>
@@ -577,8 +586,8 @@ class zpmt_stats_page {
 global $wpdb;
 $sql = 'select ifnull(sum(a.pmt_amount),0) as gTotalAmount, ' .
- 'ifnull(count(*),0) as gTotalPmts, ' .
- 'ifnull(sum(a.pmt_zec),0) as gTotalZec ' .
+ 'ifnull(count(*),0) as gTotalPmts, ' .
+ 'ifnull(sum(a.pmt_zec),0) as gTotalZec ' .
 'from zgo_payments a ' .
 'where a.pmt_wc_paid = 1;' ;
 $result = $wpdb->get_row($sql,OBJECT);
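Review bot: The format string handed to `$wpdb->prepare()` in the `@@ -149` hunk reads `pg_npages= %d`, with stray whitespace between the column and its placeholder; the hunk's new-side count (13) is also larger than the lines visible here, so this may be a literal line break inside the SQL string left over from converting the concatenation. MySQL tolerates the whitespace, but the statement is clearer on one line: `$sql = $wpdb->prepare('update zgo_pmtlst set pg_page=%d, pg_npages=%d, pg_offset=%d where pg_ix=1;', $this->_page, $this->_npages, $this->_offset);`. The enclosing method begins before this hunk.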
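Review bot: `htmlwntities` on the `pmt_wc_order` line of the `@@ -233` hunk is a typo for `htmlentities`; PHP raises `Error: Call to undefined function htmlwntities()` the first time a row is printed, so the whole stats table fails to render. Change the call to `htmlentities($row->pmt_wc_order, ENT_QUOTES)`. Consider `ENT_QUOTES | ENT_SUBSTITUTE` on all of these calls, because with `ENT_QUOTES` alone `htmlentities()` returns an empty string for a value containing an invalid UTF-8 sequence and the cell silently goes blank; in a WordPress context `esc_html()` is the conventional helper for this. The loop body that contains these lines starts and ends outside the hunk.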