From 0dd89a0e7ff2e897bb3a97d6da2c05eb9b9abdbf Mon Sep 17 00:00:00 2001
From: Rene Vergara
Date: Fri, 23 Jun 2023 09:09:25 -0500
Subject: [PATCH] Harden plugin against SQL injection
---
 zgopmtgwy.php | 94 +++++++++++++++++++++++++++------------------------
 1 file changed, 49 insertions(+), 45 deletions(-)
diff --git a/zgopmtgwy.php b/zgopmtgwy.php
index d1d5d75..6a6326e 100644
--- a/zgopmtgwy.php
+++ b/zgopmtgwy.php
@@ -238,31 +238,33 @@ function zgopmt_init() { // // Save ZGo Order ID and Cart order // - $sql = "replace into zgo_payments (" . - "pmt_orderid," . - "pmt_wc_order," . - "pmt_wc_custname," . - "pmt_accepted," . - "pmt_confirmed," . - "pmt_amount," . - "pmt_rate," . - "pmt_zec," . - "pmt_wc_paid) values ('" . - $zgoOrderid . "','" . - $order_id . "','" . - $order->get_billing_first_name() . " " . - $order->get_billing_last_name() . "','" . - date('Y-m-d H:i:s') . "','',". - $order->get_total() . - ",0,0,0)"; - $wpdb->query($sql); + $sql3 = $wpdb->prepare('replace into zgo_payments (pmt_orderid, pmt_wc_order, pmt_wc_custname, pmt_accepted, pmt_confirmed, pmt_amount, pmt_rate, pmt_zec, pmt_wc_paid) values (%s, %s, %s, %s, %s, %f, 0, 0, 0);', + $zgoOrderid, $order_id, $order-get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total()) + //$sql = "replace into zgo_payments (" . + //"pmt_orderid," . + //"pmt_wc_order," . + //"pmt_wc_custname," . + //"pmt_accepted," . + //"pmt_confirmed," . + //"pmt_amount," . + //"pmt_rate," . + //"pmt_zec," . + //"pmt_wc_paid) values ('" . + //$zgoOrderid . "','" . + //$order_id . "','" . + //$order->get_billing_first_name() . " " . + //$order->get_billing_last_name() . "','" . + //date('Y-m-d H:i:s') . "','',". + //$order->get_total() . + //",0,0,0)"; + $wpdb->query($sql3); // Remove cart. WC()->cart->empty_cart(); return array( - 'result' => 'success', - 'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid, + 'result' => 'success', + 'redirect' => 'https://app.zgo.cash/invoice/' . $zgoOrderid, ); break; case 202: 
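Review bot: The new `$sql3 = $wpdb->prepare(...)` statement is never terminated — after `$order->get_total())` the next statement is `$wpdb->query($sql3);`, so the file no longer parses — and its argument line uses `$order-get_billing_last_name()` with a single `-`, which PHP reads as a subtraction of an undefined function call rather than a method call, and it also drops the first name that the removed concatenation stored in `pmt_wc_custname`. That line should read `$zgoOrderid, $order_id, $order->get_billing_first_name() . ' ' . $order->get_billing_last_name(), date('Y-m-d H:i:s'), '', $order->get_total());`. The seventeen `//$sql = "replace into zgo_payments (" .` lines that reproduce the old string-built query should be deleted rather than kept as comments, since the prepared statement is their replacement and the dead copy invites someone to re-enable it. The enclosing function begins before and continues after this hunk.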
@@ -290,40 +292,42 @@ function zgopmt_init() { $rate = $_GET['rate']; $order = wc_get_order( $orderid ); - $sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; + $sql = $wpdb->prepare('select * from zgo_payments where pmt_wc_order = %s;', $orderid); + //$sql = "select * from zgo_payments where pmt_wc_order = '" . $orderid . "';"; $result = $wpdb->get_row($sql,OBJECT); if ( ! is_null($result) ) { - if ( ( $token == $this->zgotoken ) - && ( $result->pmt_orderid == $zgoOrderid ) - && ( $result->pmt_wc_paid == '0' ) ) { + if ( ( hash('sha256', $token) == hash('sha256', $this->zgotoken) ) + && ( $result->pmt_orderid == $zgoOrderid ) + && ( $result->pmt_wc_paid == '0' ) ) { switch ( $order->get_status() ) { - case 'pending': - case 'failed': - $order->payment_complete(); - $order->reduce_order_stock(); - // - // Mark order as completed in ZGo DB - // - $sql = "update zgo_payments set " . - "pmt_confirmed='" . date('Y-m-d H:i:s') . - "', pmt_rate=" . $rate . - ", pmt_zec=" . $totalzec . - ", pmt_wc_paid=1 " . - " where pmt_wc_order='" . $orderid . "';"; - $wpdb->query($sql); + case 'pending': + case 'failed': + $order->payment_complete(); + $order->reduce_order_stock(); + // + // Mark order as completed in ZGo DB + // + //$sql = "update zgo_payments set " . + //"pmt_confirmed='" . date('Y-m-d H:i:s') . + //"', pmt_rate=" . $rate . + //", pmt_zec=" . $totalzec . + //", pmt_wc_paid=1 " . + //" where pmt_wc_order='" . $orderid . "';"; + $sql2 = $wpdb->prepare('update zgo_payments set pmt_confirmed = %s, pmt_rate = %f, pmt_zec = %f, pmt_wc_paid = 1 where pmt_wc_order = %s;', date('Y-m-d H:i:s'), $rate, $totalzec, $orderid ); + $wpdb->query($sql2); - update_option('webhook_debug', $_GET); - break; - default: -// $this->console_log('Order ' . $orderid . ' already paid or cancelled...'); - break; + update_option('webhook_debug', $_GET); + break; + default: + // $this->console_log('Order ' . $orderid . 
' already paid or cancelled...'); + break; } } else { -// $this->console_log('Invalid parameters...'); + // $this->console_log('Invalid parameters...'); } } else { -// $this->console_log('Database error...'); + // $this->console_log('Database error...'); } }
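Review bot: `hash('sha256', $token) == hash('sha256', $this->zgotoken)` in the rewritten webhook token check is still an early-exit string comparison, and because it uses loose `==`, two hex digests that both look numeric (`0e` followed only by digits) compare equal, so hashing both sides adds nothing here. Replace that line with `if ( ( hash_equals( (string) $this->zgotoken, (string) $token ) )`, which is the constant-time secret comparison PHP provides; the string casts matter because `hash_equals()` throws a `TypeError` on non-string input in PHP 8 and `$token` presumably comes from the request like `$rate = $_GET['rate']` above — confirm where it is read. The neighbouring `$result->pmt_orderid == $zgoOrderid` line on the same condition would be safer as `===` with both sides cast to string, so a numeric-looking order id cannot match by type juggling. The commented-out `//$sql = "update zgo_payments set " .` lines duplicate the removed code and should be deleted; the enclosing method starts before this hunk.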