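/**
 * Scrub a value (or, recursively, each non-numeric element of an array) for
 * use inside an SQL statement.
 *
 * String values are un-slashed, trimmed, run through nl2br(), optionally
 * stripped of tags, and then escaped with mysql_real_escape_string().
 * NOTE: mysql_real_escape_string() is part of the legacy mysql extension
 * (removed in PHP 7.0); on a modern stack this call has to be replaced with
 * the connection-aware escape function of the active driver.
 *
 * The literal tokens '""', "''", 'null' and 'now()' (case-insensitive) are
 * returned untouched so they can act as SQL expressions. They bypass escaping
 * entirely, so a scrubbed value is only safe inside a quoted SQL literal, and
 * this escaping is no substitute for prepared statements.
 *
 * Defects fixed relative to the earlier version:
 *  - the sentinel check called strcasecmp() on the raw value before testing
 *    is_array(); on PHP 8 an array argument to strcasecmp() is a TypeError,
 *    which made the array branch unreachable there;
 *  - each() (removed in PHP 8.0) is replaced by foreach;
 *  - $strip_tags is now propagated to array elements instead of being dropped
 *    on the recursive call.
 *
 * @param mixed $string     value to scrub (string, array, or anything else)
 * @param bool  $strip_tags when true, strip HTML/PHP tags from string values
 * @return mixed the scrubbed value; input that is neither a string nor an array is returned as-is
 */
function zen_db_scrub_in($string, $strip_tags = false) {
  if (is_array($string)) {
    foreach ($string as $key => $value) {
      // Numeric elements are left alone; everything else is scrubbed recursively.
      if (!is_numeric($value)) {
        $string[$key] = zen_db_scrub_in($value, $strip_tags);
      }
    }
    return $string;
  }

  if (!is_string($string)) {
    return $string;
  }

  // Literal SQL tokens pass through unescaped (see docblock).
  if ($string === '""' || $string === "''" || strcasecmp($string, 'null') === 0 || strcasecmp($string, 'now()') === 0) {
    return $string;
  }

  $string = nl2br(trim(stripslashes($string)));
  if ($strip_tags) {
    $string = strip_tags($string);
  }

  return mysql_real_escape_string($string);
}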
unset($_GET['download_reset_on']); $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_ON, 'success'); zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', $request_type)); } // reset single download to off if ($_GET['download_reset_off'] > 0) { // adjust download_maxdays based on current date $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='0', download_count='0' where orders_id='" . $_GET['oID'] . "' and orders_products_download_id='" . $_GET['download_reset_off'] . "'"; unset($_GET['download_reset_off']); $db->Execute($update_downloads_query); $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_OFF, 'success'); zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', $request_type)); } break; case 'update_order': $status = zen_db_scrub_in($_POST['status'], true); $comments = $_POST['comments']; $comments = stripslashes($comments); $comments = trim($comments); $comments = mysql_escape_string($comments); $comments = htmlspecialchars($comments); $check_status = $db->Execute("select customers_id, customers_name, customers_email_address, orders_status,\r\n date_purchased from " . TABLE_ORDERS . "\r\n where orders_id = '" . (int) $oID . "'"); if ($check_status->fields['orders_status'] != $status || zen_not_null($comments)) { $customer_notified = '0'; if (isset($_POST['notify']) && $_POST['notify'] == 'on') { $customer_notified = '1'; } update_status($oID, $status, $customer_notified, $comments); if ($customer_notified == '1') { email_latest_status($oID, $customer_notified); }
if (zen_not_null($action)) { switch ($action) { // Update Order case 'update_order': // TY TRACKER UPDATE ORDER BEGIN if (TY_TRACKER == 'True') { $oID = zen_db_prepare_input($_GET['oID']); $order = new order($oID); //$status = zen_db_prepare_input($_POST['status']); $status = zen_db_prepare_input($_POST['status'], true); // TY TRACKER 1 BEGIN, DEFINE VALUES ---------------------------------------------- $track_id1 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id1'])); $track_id2 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id2'])); $track_id3 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id3'])); $track_id4 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id4'])); $track_id5 = str_replace(" ", "", zen_db_scrub_in($_POST['track_id5'])); // END TY TRACKER 1 ------------------------------------------------------------------ //$comments = zen_db_prepare_input($_POST['comments']); $comments = mysql_real_escape_string(stripslashes($_POST)); $comments = zen_db_prepare_input($_POST['comments'], true); // Update Order Info updated 12/18/2010 to include last date modified $UpdateOrders = "update " . TABLE_ORDERS . " set\n\t\t\tcustomers_name = '" . zen_db_input(stripslashes($_POST['update_customer_name'])) . "',\n\t\t\tcustomers_company = '" . zen_db_input(stripslashes($_POST['update_customer_company'])) . "',\n\t\t\tcustomers_street_address = '" . zen_db_input(stripslashes($_POST['update_customer_street_address'])) . "',\n\t\t\tcustomers_suburb = '" . zen_db_input(stripslashes($_POST['update_customer_suburb'])) . "',\n\t\t\tcustomers_city = '" . zen_db_input(stripslashes($_POST['update_customer_city'])) . "',\n\t\t\tcustomers_state = '" . zen_db_input(stripslashes($_POST['update_customer_state'])) . "',\n\t\t\tcustomers_postcode = '" . zen_db_input(stripslashes($_POST['update_customer_postcode'])) . "',\n\t\t\tcustomers_country = '" . zen_db_input(stripslashes($_POST['update_customer_country'])) . "',\n\t\t\tcustomers_telephone = '" . 
zen_db_input(stripslashes($_POST['update_customer_telephone'])) . "',\n\t\t\tcustomers_email_address = '" . zen_db_input(stripslashes($_POST['update_customer_email_address'])) . "',\n\t\t\tlast_modified=now(),"; // if($SeparateBillingFields) // { $UpdateOrders .= "billing_name = '" . zen_db_input(stripslashes($_POST['update_billing_name'])) . "',\n\t\t\tbilling_company = '" . zen_db_input(stripslashes($_POST['update_billing_company'])) . "',\n\t\t\tbilling_street_address = '" . zen_db_input(stripslashes($_POST['update_billing_street_address'])) . "',\n\t\t\tbilling_suburb = '" . zen_db_input(stripslashes($_POST['update_billing_suburb'])) . "',\n\t\t\tbilling_city = '" . zen_db_input(stripslashes($_POST['update_billing_city'])) . "',\n\t\t\tbilling_state = '" . zen_db_input(stripslashes($_POST['update_billing_state'])) . "',\n\t\t\tbilling_postcode = '" . zen_db_input(stripslashes($_POST['update_billing_postcode'])) . "',\n\t\t\tbilling_country = '" . zen_db_input(stripslashes($_POST['update_billing_country'])) . "',"; // } $UpdateOrders .= "delivery_name = '" . zen_db_input(stripslashes($_POST['update_delivery_name'])) . "',\n\t\t\tdelivery_company = '" . zen_db_input(stripslashes($_POST['update_delivery_company'])) . "',\n\t\t\tdelivery_street_address = '" . zen_db_input(stripslashes($_POST['update_delivery_street_address'])) . "',\n\t\t\tdelivery_suburb = '" . zen_db_input(stripslashes($_POST['update_delivery_suburb'])) . "',\n\t\t\tdelivery_city = '" . zen_db_input(stripslashes($_POST['update_delivery_city'])) . "',\n\t\t\tdelivery_state = '" . zen_db_input(stripslashes($_POST['update_delivery_state'])) . "',\n\t\t\tdelivery_postcode = '" . zen_db_input(stripslashes($_POST['update_delivery_postcode'])) . "',\n\t\t\tdelivery_country = '" . zen_db_input(stripslashes($_POST['update_delivery_country'])) . "',\n\t\t\tpayment_method = '" . zen_db_input(stripslashes($_POST['update_info_payment_method'])) . "',\n\t\t\tcc_type = '" . 
zen_db_input(stripslashes($_POST['update_info_cc_type'])) . "',\n\t\t\tcc_owner = '" . zen_db_input(stripslashes($_POST['update_info_cc_owner'])) . "',"; if (substr($update_info_cc_number, 0, 8) != "(Last 4)") { $UpdateOrders .= "cc_number = '" . zen_db_input(stripslashes($_POST['update_info_cc_number'])) . "',"; } $UpdateOrders .= "cc_expires = '" . zen_db_input(stripslashes($_POST['update_info_cc_expires'])) . "',\n\t\t\torders_status = '" . zen_db_input($status) . "'";
$db->Execute("INSERT INTO " . TABLE_ORDERS_STATUS_HISTORY . "\r\n (orders_id, orders_status_id, date_added, customer_notified, comments)\r\n VALUES ('" . $oID . "',\r\n '" . $new_order['orders_status'] . "',\r\n now(),\r\n '" . $notify_split . "',\r\n '" . COMMENTS_SPLIT_OLD . $new_order_id . "')"); // entry for new order $db->Execute("INSERT INTO " . TABLE_ORDERS_STATUS_HISTORY . "\r\n (orders_id, orders_status_id, date_added, customer_notified, comments)\r\n VALUES ('" . $new_order_id . "',\r\n '" . $new_order['orders_status'] . "',\r\n now(),\r\n '" . $notify_split . "',\r\n '" . COMMENTS_SPLIT_NEW . $oID . "')"); // notify customer (if selected) if ($notify_split) { email_latest_status($oID); } } // END if (isset($_POST['split_products']) && zen_not_null($_POST['split_products'])) break; case 'history': $update_status_history = $db->Execute("SELECT * FROM " . TABLE_ORDERS_STATUS_HISTORY . "\r\n WHERE orders_id = '" . $oID . "'\r\n ORDER BY orders_status_history_id DESC"); while (!$update_status_history->EOF) { $this_history_id = $update_status_history->fields['orders_status_history_id']; $this_status = $_POST['status_' . $this_history_id]; $this_comments = zen_db_scrub_in($_POST['comments_' . $this_history_id]); $this_delete = $_POST['delete_' . $this_history_id]; $change_exists = false; if ($this_delete == 1) { zen_db_delete(TABLE_ORDERS_STATUS_HISTORY, "orders_status_history_id = '" . $this_history_id . "'"); } if ($this_status != $update_status_history->fields['orders_status_id']) { $update_history['orders_status_id'] = $this_status; $change_exists = true; } if ($this_comments != $update_status_history->fields['comments']) { $update_history['comments'] = $this_comments; $change_exists = true; } if ($change_exists) { zen_db_perform(TABLE_ORDERS_STATUS_HISTORY, $update_history, 'update', "orders_status_history_id = '" . $this_history_id . "'");
$messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_ON, 'success'); zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL')); } // reset single download to off if ($_GET['download_reset_off'] > 0) { // adjust download_maxdays based on current date $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='0', download_count='0' where orders_id='" . $_GET['oID'] . "' and orders_products_download_id='" . $_GET['download_reset_off'] . "'"; unset($_GET['download_reset_off']); $db->Execute($update_downloads_query); $messageStack->add_session(SUCCESS_ORDER_UPDATED_DOWNLOAD_OFF, 'success'); zen_redirect(zen_href_link(FILENAME_SUPER_ORDERS, zen_get_all_get_params(array('action')) . 'action=edit', 'NONSSL')); } break; case 'update_order': $status = zen_db_scrub_in($_POST['status'], true); $comments = zen_db_scrub_in($_POST['comments']); $check_status = $db->Execute("select customers_name, customers_email_address, orders_status,\r\n date_purchased from " . TABLE_ORDERS . "\r\n where orders_id = '" . (int) $oID . "'"); if ($check_status->fields['orders_status'] != $status || zen_not_null($comments)) { $customer_notified = '0'; if (isset($_POST['notify']) && $_POST['notify'] == 'on') { $customer_notified = '1'; } update_status($oID, $status, $customer_notified, $comments); if ($customer_notified == '1') { email_latest_status($oID); } if ($status == DOWNLOADS_ORDERS_STATUS_UPDATED_VALUE) { // adjust download_maxdays based on current date $zc_max_days = date_diff($check_status->fields['date_purchased'], date('Y-m-d H:i:s', time())) + DOWNLOAD_MAX_DAYS; $update_downloads_query = "update " . TABLE_ORDERS_PRODUCTS_DOWNLOAD . " set download_maxdays='" . $zc_max_days . "', download_count='" . DOWNLOAD_MAX_COUNT . "' where orders_id='" . (int) $oID . "'"; $db->Execute($update_downloads_query);
<!-- end search --> <?php // we only need to check one variable since all are passed with the form if (isset($_GET['start_date'])) { // create query based on filter crieria $orders_query_raw = "SELECT o.orders_id, o.customers_id, o.customers_name,\r\n o.payment_method, o.date_purchased, o.order_total, s.orders_status_name\r\n FROM " . TABLE_ORDERS . " o\r\n LEFT JOIN " . TABLE_ORDERS_STATUS . " s ON o.orders_status = s.orders_status_id"; if (isset($_GET['products']) && zen_not_null($_GET['products'])) { $orders_query_raw .= " LEFT JOIN " . TABLE_ORDERS_PRODUCTS . " op ON o.orders_id = op.orders_id"; } if (isset($_GET['languages']) && zen_not_null($_GET['languages'])) { $orders_query_raw .= " LEFT JOIN " . TABLE_CUSTOMERS . " c ON o.customers_id = c.customers_id"; } $orders_query_raw .= " WHERE s.language_id = '" . (int) $_SESSION['languages_id'] . "'"; $search = ''; if (isset($_GET['search']) && zen_not_null($_GET['search'])) { $keywords = zen_db_scrub_in($_GET['search'], true); $search = " and (o.customers_city like '%" . $keywords . "%' or o.customers_postcode like '%" . $keywords . "%' or date_format(o.date_purchased, '%Y-%m-%d') like '%" . $keywords . "%' or o.billing_name like '%" . $keywords . "%' or o.billing_company like '%" . $keywords . "%' or o.billing_street_address like '%" . $keywords . "%' or o.delivery_city like '%" . $keywords . "%' or o.delivery_postcode like '%" . $keywords . "%' or o.delivery_name like '%" . $keywords . "%' or o.delivery_company like '%" . $keywords . "%' or o.delivery_street_address like '%" . $keywords . "%' or o.billing_city like '%" . $keywords . "%' or o.billing_postcode like '%" . $keywords . "%' or o.customers_email_address like '%" . $keywords . "%' or o.customers_name like '%" . $keywords . "%' or o.customers_company like '%" . $keywords . "%' or o.customers_street_address like '%" . $keywords . "%' or o.customers_telephone like '%" . $keywords . 
"%')"; $orders_query_raw .= $search; } $sd = zen_date_raw(isset($_GET['start_date']) ? $_GET['start_date'] : ''); $ed = zen_date_raw(isset($_GET['end_date']) ? $_GET['end_date'] : ''); if ($sd != '' && $ed != '') { $orders_query_raw .= " AND o.date_purchased BETWEEN '" . $sd . "' AND DATE_ADD('" . $ed . "', INTERVAL 1 DAY)"; } if (isset($_GET['status']) && zen_not_null($_GET['status'])) { $orders_query_raw .= " AND o.orders_status = '" . $_GET['status'] . "'"; } if (isset($_GET['products']) && zen_not_null($_GET['products'])) { $orders_query_raw .= " AND op.products_id = '" . $_GET['products'] . "'"; } if (isset($_GET['customers']) && zen_not_null($_GET['customers'])) {
if (isset($_GET['payment_type_id'])) { $payment_type_id = (int) $_GET['payment_type_id']; } if (isset($_GET['payment_type_code'])) { $payment_type_code = $_GET['payment_type_code']; } switch ($action) { case 'insert': case 'save': $languages = zen_get_languages(); $payment_type_full_array = $_POST['payment_type_full']; $payment_type_code_array = $_POST['payment_type_code']; for ($i = 0; $i < sizeof($languages); $i++) { $language_id = (int) $languages[$i]['id']; $payment_type_code = zen_db_scrub_in($payment_type_code_array[$language_id], true); $payment_type_full = zen_db_scrub_in($payment_type_full_array[$language_id], true); if ($action == 'insert') { $sql_array = array('payment_type_full' => $payment_type_full, 'payment_type_code' => $payment_type_code, 'language_id' => $language_id); zen_db_perform(TABLE_SO_PAYMENT_TYPES, $sql_array); $messageStack->add(sprintf(SUCCESS_PAYMENT_TYPE_INSERTED, $sql_array['payment_type_full'], $sql_array['payment_type_code']), 'success'); } elseif ($action == 'save') { // get the original payment_type texts $pt_data = $db->Execute("select * from " . TABLE_SO_PAYMENT_TYPES . " where payment_type_id = '" . $payment_type_id . "'"); if ($pt_data->fields['payment_type_full'] != $payment_type_full) { $sql_array['payment_type_full'] = $payment_type_full; } if ($pt_data->fields['payment_type_code'] != $payment_type_code) { $sql_array['payment_type_code'] = $payment_type_code; } // don't need this //$sql_array['language_id'] = $language_id;