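/**
 * Scrub a value before it is concatenated into a quoted SQL string literal.
 *
 * Strings are stripslashes()'d and trimmed, passed through nl2br(),
 * optionally stripped of HTML tags, and finally escaped with the project's
 * DB escaping helper (zen_db_input). Arrays are scrubbed element by element
 * with the same $strip_tags setting; numeric entries (is_numeric) are left
 * untouched. The literal tokens '""', "''", 'null' and 'now()'
 * (case-insensitive for the last two) are returned verbatim so callers can
 * pass SQL keywords through. Any other type is returned unchanged.
 *
 * The result is only escaped for a single-quoted SQL string context; it is
 * neither HTML-safe nor safe to use unquoted (e.g. in a numeric comparison).
 *
 * Fixes versus the previous revision:
 *  - the sentinel check ran strcasecmp() on non-strings, so an array argument
 *    never reached the array branch (strcasecmp() returned NULL == 0, or a
 *    TypeError on PHP 8) and was returned unscrubbed;
 *  - the recursive call dropped $strip_tags, so nested values were not
 *    tag-stripped even when requested;
 *  - each() (removed in PHP 8) replaced by foreach;
 *  - mysql_real_escape_string() (ext/mysql, removed in PHP 7) replaced by the
 *    project helper zen_db_input(), which escapes on the active connection.
 *
 * @param mixed $string     value to scrub: string, array (possibly nested) or other scalar
 * @param bool  $strip_tags when true, strip HTML tags from string values
 * @return mixed the scrubbed value, same type as the input
 */
function zen_db_scrub_in($string, $strip_tags = false)
{
    if (is_string($string)) {
        // SQL literal tokens that callers deliberately pass through unescaped
        if ($string == '""' || $string == "''" || strcasecmp($string, 'null') == 0 || strcasecmp($string, 'now()') == 0) {
            return $string;
        }
        $string = trim(stripslashes($string));
        $string = nl2br($string);
        if ($strip_tags) {
            // nl2br() ran first, so the <br /> tags it inserted are removed here
            // again; the newline characters themselves survive.
            $string = strip_tags($string);
        }
        return zen_db_input($string);
    }

    if (is_array($string)) {
        foreach ($string as $key => $value) {
            // numeric values need no escaping; everything else is scrubbed with
            // the same $strip_tags setting as the top-level call
            if (!is_numeric($value)) {
                $string[$key] = zen_db_scrub_in($value, $strip_tags);
            }
        }
        return $string;
    }

    // ints, floats, bools, null, objects: nothing to scrub
    return $string;
}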
         unset($_GET['download_reset_on']);
         $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_ON, 'success');
         zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', $request_type));
     }
     // reset single download to off
     if ($_GET['download_reset_off'] > 0) {
         // adjust download_maxdays based on current date
         $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='0', download_count='0' where orders_id='" . $_GET['oID'] . "' and orders_products_download_id='" . $_GET['download_reset_off'] . "'";
         unset($_GET['download_reset_off']);
         $db->Execute($update_downloads_query);
         $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_OFF, 'success');
         zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', $request_type));
     }
     break;
 case 'update_order':
     $status = zen_db_scrub_in($_POST['status'], true);
     $comments = $_POST['comments'];
     $comments = stripslashes($comments);
     $comments = trim($comments);
     $comments = mysql_escape_string($comments);
     $comments = htmlspecialchars($comments);
     $check_status = $db->Execute("select customers_id, customers_name, customers_email_address, orders_status,\r\n                                      date_purchased from " . TABLE_ORDERS . "\r\n                                      where orders_id = '" . (int) $oID . "'");
     if ($check_status->fields['orders_status'] != $status || zen_not_null($comments)) {
         $customer_notified = '0';
         if (isset($_POST['notify']) && $_POST['notify'] == 'on') {
             $customer_notified = '1';
         }
         update_status($oID, $status, $customer_notified, $comments);
         if ($customer_notified == '1') {
             email_latest_status($oID, $customer_notified);
         }
if (zen_not_null($action)) {
    switch ($action) {
        // Update Order
        case 'update_order':
            // TY TRACKER UPDATE ORDER BEGIN
            if (TY_TRACKER == 'True') {
                $oID = zen_db_prepare_input($_GET['oID']);
                $order = new order($oID);
                //$status = zen_db_prepare_input($_POST['status']);
                $status = zen_db_prepare_input($_POST['status'], true);
                // TY TRACKER 1 BEGIN, DEFINE VALUES  ----------------------------------------------
                $track_id1 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id1']));
                $track_id2 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id2']));
                $track_id3 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id3']));
                $track_id4 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id4']));
                $track_id5 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id5']));
                // END TY TRACKER 1 ------------------------------------------------------------------
                //$comments = zen_db_prepare_input($_POST['comments']);
                $comments = mysql_real_escape_string(stripslashes($_POST));
                $comments = zen_db_prepare_input($_POST['comments'], true);
                // Update Order Info updated 12/18/2010 to include last date modified
                $UpdateOrders = "update " . TABLE_ORDERS . " set\n\t\t\tcustomers_name = '" . zen_db_input(stripslashes($_POST['update_customer_name'])) . "',\n\t\t\tcustomers_company = '" . zen_db_input(stripslashes($_POST['update_customer_company'])) . "',\n\t\t\tcustomers_street_address = '" . zen_db_input(stripslashes($_POST['update_customer_street_address'])) . "',\n\t\t\tcustomers_suburb = '" . zen_db_input(stripslashes($_POST['update_customer_suburb'])) . "',\n\t\t\tcustomers_city = '" . zen_db_input(stripslashes($_POST['update_customer_city'])) . "',\n\t\t\tcustomers_state = '" . zen_db_input(stripslashes($_POST['update_customer_state'])) . "',\n\t\t\tcustomers_postcode = '" . zen_db_input(stripslashes($_POST['update_customer_postcode'])) . "',\n\t\t\tcustomers_country = '" . zen_db_input(stripslashes($_POST['update_customer_country'])) . "',\n\t\t\tcustomers_telephone = '" . zen_db_input(stripslashes($_POST['update_customer_telephone'])) . "',\n\t\t\tcustomers_email_address = '" . zen_db_input(stripslashes($_POST['update_customer_email_address'])) . "',\n\t\t\tlast_modified=now(),";
                // if($SeparateBillingFields)
                // {
                $UpdateOrders .= "billing_name = '" . zen_db_input(stripslashes($_POST['update_billing_name'])) . "',\n\t\t\tbilling_company = '" . zen_db_input(stripslashes($_POST['update_billing_company'])) . "',\n\t\t\tbilling_street_address = '" . zen_db_input(stripslashes($_POST['update_billing_street_address'])) . "',\n\t\t\tbilling_suburb = '" . zen_db_input(stripslashes($_POST['update_billing_suburb'])) . "',\n\t\t\tbilling_city = '" . zen_db_input(stripslashes($_POST['update_billing_city'])) . "',\n\t\t\tbilling_state = '" . zen_db_input(stripslashes($_POST['update_billing_state'])) . "',\n\t\t\tbilling_postcode = '" . zen_db_input(stripslashes($_POST['update_billing_postcode'])) . "',\n\t\t\tbilling_country = '" . zen_db_input(stripslashes($_POST['update_billing_country'])) . "',";
                // }
                $UpdateOrders .= "delivery_name = '" . zen_db_input(stripslashes($_POST['update_delivery_name'])) . "',\n\t\t\tdelivery_company = '" . zen_db_input(stripslashes($_POST['update_delivery_company'])) . "',\n\t\t\tdelivery_street_address = '" . zen_db_input(stripslashes($_POST['update_delivery_street_address'])) . "',\n\t\t\tdelivery_suburb = '" . zen_db_input(stripslashes($_POST['update_delivery_suburb'])) . "',\n\t\t\tdelivery_city = '" . zen_db_input(stripslashes($_POST['update_delivery_city'])) . "',\n\t\t\tdelivery_state = '" . zen_db_input(stripslashes($_POST['update_delivery_state'])) . "',\n\t\t\tdelivery_postcode = '" . zen_db_input(stripslashes($_POST['update_delivery_postcode'])) . "',\n\t\t\tdelivery_country = '" . zen_db_input(stripslashes($_POST['update_delivery_country'])) . "',\n\t\t\tpayment_method = '" . zen_db_input(stripslashes($_POST['update_info_payment_method'])) . "',\n\t\t\tcc_type = '" . zen_db_input(stripslashes($_POST['update_info_cc_type'])) . "',\n\t\t\tcc_owner = '" . zen_db_input(stripslashes($_POST['update_info_cc_owner'])) . "',";
                if (substr($update_info_cc_number, 0, 8) != "(Last 4)") {
                    $UpdateOrders .= "cc_number = '" . zen_db_input(stripslashes($_POST['update_info_cc_number'])) . "',";
                }
                $UpdateOrders .= "cc_expires = '" . zen_db_input(stripslashes($_POST['update_info_cc_expires'])) . "',\n\t\t\torders_status = '" . zen_db_input($status) . "'";
         $db->Execute("INSERT INTO " . TABLE_ORDERS_STATUS_HISTORY . "\r\n                       (orders_id, orders_status_id, date_added, customer_notified, comments)\r\n                       VALUES ('" . $oID . "',\r\n                       '" . $new_order['orders_status'] . "',\r\n                       now(),\r\n                       '" . $notify_split . "',\r\n                       '" . COMMENTS_SPLIT_OLD . $new_order_id . "')");
         // entry for new order
         $db->Execute("INSERT INTO " . TABLE_ORDERS_STATUS_HISTORY . "\r\n                       (orders_id, orders_status_id, date_added, customer_notified, comments)\r\n                       VALUES ('" . $new_order_id . "',\r\n                       '" . $new_order['orders_status'] . "',\r\n                       now(),\r\n                       '" . $notify_split . "',\r\n                       '" . COMMENTS_SPLIT_NEW . $oID . "')");
         // notify customer (if selected)
         if ($notify_split) {
             email_latest_status($oID);
         }
     }
     // END if (isset($_POST['split_products']) && zen_not_null($_POST['split_products']))
     break;
 case 'history':
     $update_status_history = $db->Execute("SELECT * FROM " . TABLE_ORDERS_STATUS_HISTORY . "\r\n                                               WHERE orders_id = '" . $oID . "'\r\n                                               ORDER BY orders_status_history_id DESC");
     while (!$update_status_history->EOF) {
         $this_history_id = $update_status_history->fields['orders_status_history_id'];
         $this_status = $_POST['status_' . $this_history_id];
         $this_comments = zen_db_scrub_in($_POST['comments_' . $this_history_id]);
         $this_delete = $_POST['delete_' . $this_history_id];
         $change_exists = false;
         if ($this_delete == 1) {
             zen_db_delete(TABLE_ORDERS_STATUS_HISTORY, "orders_status_history_id = '" . $this_history_id . "'");
         }
         if ($this_status != $update_status_history->fields['orders_status_id']) {
             $update_history['orders_status_id'] = $this_status;
             $change_exists = true;
         }
         if ($this_comments != $update_status_history->fields['comments']) {
             $update_history['comments'] = $this_comments;
             $change_exists = true;
         }
         if ($change_exists) {
             zen_db_perform(TABLE_ORDERS_STATUS_HISTORY, $update_history, 'update', "orders_status_history_id  = '" . $this_history_id . "'");
         $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_ON, 'success');
         zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL'));
     }
     // reset single download to off
     if ($_GET['download_reset_off'] > 0) {
         // adjust download_maxdays based on current date
         $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='0', download_count='0' where orders_id='" . $_GET['oID'] . "' and orders_products_download_id='" . $_GET['download_reset_off'] . "'";
         unset($_GET['download_reset_off']);
         $db->Execute($update_downloads_query);
         $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_OFF, 'success');
         zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL'));
     }
     break;
 case 'update_order':
     $status = zen_db_scrub_in($_POST['status'], true);
     $comments = zen_db_scrub_in($_POST['comments']);
     $check_status = $db->Execute("select customers_name, customers_email_address, orders_status,\r\n                                      date_purchased from " . TABLE_ORDERS . "\r\n                                      where orders_id = '" . (int) $oID . "'");
     if ($check_status->fields['orders_status'] != $status || zen_not_null($comments)) {
         $customer_notified = '0';
         if (isset($_POST['notify']) && $_POST['notify'] == 'on') {
             $customer_notified = '1';
         }
         update_status($oID, $status, $customer_notified, $comments);
         if ($customer_notified == '1') {
             email_latest_status($oID);
         }
         if ($status == DOWNLOADS_ORDERS_STATUS_UPDATED_VALUE) {
             // adjust download_maxdays based on current date
             $zc_max_days = date_diff($check_status->fields['date_purchased'], date('Y-m-d H:i:s', time())) + DOWNLOAD_MAX_DAYS;
             $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='" . $zc_max_days . "', download_count='" . DOWNLOAD_MAX_COUNT . "' where orders_id='" . (int) $oID . "'";
             $db->Execute($update_downloads_query);
<!-- end search -->
<?php 
    // we only need to check one variable since all are passed with the form
    if (isset($_GET['start_date'])) {
        // create query based on filter crieria
        $orders_query_raw = "SELECT o.orders_id, o.customers_id, o.customers_name,\r\n                              o.payment_method, o.date_purchased, o.order_total, s.orders_status_name\r\n                       FROM " . TABLE_ORDERS . " o\r\n                       LEFT JOIN " . TABLE_ORDERS_STATUS . " s ON o.orders_status = s.orders_status_id";
        if (isset($_GET['products']) && zen_not_null($_GET['products'])) {
            $orders_query_raw .= " LEFT JOIN " . TABLE_ORDERS_PRODUCTS . " op ON o.orders_id = op.orders_id";
        }
        if (isset($_GET['languages']) && zen_not_null($_GET['languages'])) {
            $orders_query_raw .= " LEFT JOIN " . TABLE_CUSTOMERS . " c ON o.customers_id = c.customers_id";
        }
        $orders_query_raw .= " WHERE s.language_id = '" . (int) $_SESSION['languages_id'] . "'";
        $search = '';
        if (isset($_GET['search']) && zen_not_null($_GET['search'])) {
            $keywords = zen_db_scrub_in($_GET['search'], true);
            $search = " and (o.customers_city like '%" . $keywords . "%' or o.customers_postcode like '%" . $keywords . "%' or date_format(o.date_purchased, '%Y-%m-%d') like '%" . $keywords . "%' or o.billing_name like '%" . $keywords . "%' or o.billing_company like '%" . $keywords . "%' or o.billing_street_address like '%" . $keywords . "%' or o.delivery_city like '%" . $keywords . "%' or o.delivery_postcode like '%" . $keywords . "%' or o.delivery_name like '%" . $keywords . "%' or o.delivery_company like '%" . $keywords . "%' or o.delivery_street_address like '%" . $keywords . "%' or o.billing_city like '%" . $keywords . "%' or o.billing_postcode like '%" . $keywords . "%' or o.customers_email_address like '%" . $keywords . "%' or o.customers_name like '%" . $keywords . "%' or o.customers_company like '%" . $keywords . "%' or o.customers_street_address  like '%" . $keywords . "%' or o.customers_telephone like '%" . $keywords . "%')";
            $orders_query_raw .= $search;
        }
        $sd = zen_date_raw(isset($_GET['start_date']) ? $_GET['start_date'] : '');
        $ed = zen_date_raw(isset($_GET['end_date']) ? $_GET['end_date'] : '');
        if ($sd != '' && $ed != '') {
            $orders_query_raw .= " AND o.date_purchased BETWEEN '" . $sd . "' AND DATE_ADD('" . $ed . "', INTERVAL 1 DAY)";
        }
        if (isset($_GET['status']) && zen_not_null($_GET['status'])) {
            $orders_query_raw .= " AND o.orders_status = '" . $_GET['status'] . "'";
        }
        if (isset($_GET['products']) && zen_not_null($_GET['products'])) {
            $orders_query_raw .= " AND op.products_id = '" . $_GET['products'] . "'";
        }
        if (isset($_GET['customers']) && zen_not_null($_GET['customers'])) {
 if (isset($_GET['payment_type_id'])) {
     $payment_type_id = (int) $_GET['payment_type_id'];
 }
 if (isset($_GET['payment_type_code'])) {
     $payment_type_code = $_GET['payment_type_code'];
 }
 switch ($action) {
     case 'insert':
     case 'save':
         $languages = zen_get_languages();
         $payment_type_full_array = $_POST['payment_type_full'];
         $payment_type_code_array = $_POST['payment_type_code'];
         for ($i = 0; $i < sizeof($languages); $i++) {
             $language_id = (int) $languages[$i]['id'];
             $payment_type_code = zen_db_scrub_in($payment_type_code_array[$language_id], true);
             $payment_type_full = zen_db_scrub_in($payment_type_full_array[$language_id], true);
             if ($action == 'insert') {
                 $sql_array = array('payment_type_full' => $payment_type_full, 'payment_type_code' => $payment_type_code, 'language_id' => $language_id);
                 zen_db_perform(TABLE_SO_PAYMENT_TYPES, $sql_array);
                 $messageStack->add(sprintf(SUCCESS_PAYMENT_TYPE_INSERTED, $sql_array['payment_type_full'], $sql_array['payment_type_code']), 'success');
             } elseif ($action == 'save') {
                 // get the original payment_type texts
                 $pt_data = $db->Execute("select * from " . TABLE_SO_PAYMENT_TYPES . " where payment_type_id = '" . $payment_type_id . "'");
                 if ($pt_data->fields['payment_type_full'] != $payment_type_full) {
                     $sql_array['payment_type_full'] = $payment_type_full;
                 }
                 if ($pt_data->fields['payment_type_code'] != $payment_type_code) {
                     $sql_array['payment_type_code'] = $payment_type_code;
                 }
                 // don't need this
                 //$sql_array['language_id'] = $language_id;