
Changeset 2367528


Timestamp:
08/24/2020 02:38:33 AM (6 years ago)
Author:
fitweb
Message:

sanitization in place

File:
1 edited

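--- a/fitweb-bizappay-for-woocommerce/trunk/src/bizappay.php
+++ b/fitweb-bizappay-for-woocommerce/trunk/src/bizappay.php
@@ -149,14 +149,16 @@
         $status_id =  filter_input(INPUT_GET, "status_id", FILTER_SANITIZE_NUMBER_INT);
         $transaction_id = !filter_input(INPUT_GET, "transaction_id", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-        $hash = !filter_input(INPUT_GET, "hash", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
-
-        // if ( isset( $_REQUEST['status_id'] ) && isset( $_REQUEST['order_id'] ) && isset( $_REQUEST['msg'] ) && isset( $_REQUEST['transaction_id'] ) && isset( $_REQUEST['hash'] ) ) {
+        $hash = filter_input(INPUT_GET, "hash", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        $porder_id = filter_input(INPUT_POST, "order_id", FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+        # Check if the data sent is valid based on the hash value
+        $hash_value = filter_var(md5( $this->secretkey . $_REQUEST['status_id'] . $_REQUEST['order_id'] . $_REQUEST['transaction_id'] . $_REQUEST['msg'] ),FILTER_SANITIZE_SPECIAL_CHARS);
+
         if ( isset($status_id) && isset($order_id) && $msg==true && isset($transaction_id) && isset($hash) ) {
 
             global $woocommerce;
 
-            $is_callback = isset( $_POST['order_id'] ) ? true : false;
-
-            $order = wc_get_order( $_REQUEST['order_id'] );
+            $is_callback = isset( $porder_id ) ? true : false;
+
+            $order = wc_get_order( $order_id );
 
             $old_wc = version_compare( WC_VERSION, '3.0', '<' );
@@ -165,11 +167,7 @@
 
             if ( $order && $order_id != 0 ) {
-
-                # Check if the data sent is valid based on the hash value
-                $hash_value = md5( $this->secretkey . $_REQUEST['status_id'] . $_REQUEST['order_id'] . $_REQUEST['transaction_id'] . $_REQUEST['msg'] );
-               
-
-                if ( $hash_value == $_REQUEST['hash'] ) {
-                    if ( $_REQUEST['status_id'] == 1 || $_REQUEST['status_id'] == '1' ) {
+   
+                if ( $hash_value == $hash ) {
+                    if ( $status_id == 1 || $status_id == '1' ) {
                         if ( strtolower( $order->get_status() ) == 'pending' || strtolower( $order->get_status() ) == 'processing' ) {
                             # only update if order is pending
@@ -177,5 +175,5 @@
                                 $order->payment_complete();
 
-                                $order->add_order_note( 'Payment successfully made through Bizappay. Transaction reference is ' . $_REQUEST['transaction_id'] );
+                                $order->add_order_note( 'Payment successfully made through Bizappay. Transaction reference is ' . $transaction_id );
                             }
 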
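Review bot: The rewritten digest check at new line 170, `if ( $hash_value == $hash )`, still compares two hex strings with loose `==`, which PHP evaluates numerically when both operands look numeric (for instance digests beginning with `0e`), so a mismatched digest can compare equal; use `if ( is_string( $hash ) && hash_equals( $hash_value, $hash ) ) {`, which is also constant-time. The digest at new line 154 is computed over `$_REQUEST['status_id']`, `$_REQUEST['order_id']`, `$_REQUEST['transaction_id']` and `$_REQUEST['msg']`, while the branch below acts on `$status_id` (GET only), `$porder_id` (POST only) and `$order_id`, so the values that are verified and the values that are used can come from different superglobals; compute the md5 over the same variables the branch uses. Wrapping the md5 result in `filter_var(..., FILTER_SANITIZE_SPECIAL_CHARS)` is a no-op on a hex digest and can be dropped. Unchanged line 150 still negates `filter_input(...)` for `$transaction_id` (the commit removed the same `!` from `$hash` on line 151), so the order note written at new line 177 records a boolean rather than the transaction reference. The enclosing method starts and ends outside the hunks, and `$order_id` and `$msg` are assigned outside them.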