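function funcSanitize($strMsg)
{
    // Best-effort blacklist filter: removes a fixed set of tokens from $strMsg
    // and, when anything was removed, logs the original/cleaned pair to tblLog.
    //
    // This is NOT a substitute for parameterised queries or output escaping:
    // a blacklist cannot enumerate every dangerous input, and the tokens removed
    // here ("SELECT", "=", "'" ...) also mangle legitimate text.  Callers that
    // put the return value into SQL still have to escape it for the driver.
    //
    // @param string $strMsg raw input (typically a $_GET / $_POST value)
    // @return string $strMsg with every occurrence of each blacklisted token removed
    $ip = getenv("REMOTE_ADDR");
    $httpref = getenv("HTTP_REFERER");
    $httpagent = getenv("HTTP_USER_AGENT");
    // Normalise to a string so a missing field (null) compares cleanly below.
    $strMsg = (string) $strMsg;
    $strOldMsg = $strMsg;
    funcDebug("strOldMsg: " . $strOldMsg);
    // Order matters: "1=1" is removed as a unit before the lone "=" pass.
    $arrIllegalChar = array("*", "1=1", "=", "\\", "#", "'", "SELECT", "select", "INSERT", "insert", "DELETE", "delete");
    foreach ($arrIllegalChar as $k) {
        // str_replace removes the whole token.  The previous strpos/substr loop
        // deleted only the first character of each match, so "SELECT" became
        // "ELECT" and "1=1" became "=1" -- the filter never did what its list implies.
        $strMsg = str_replace($k, "", $strMsg);
    }
    // Strict comparison: "!=" would treat numeric strings such as "10" and "1e1" as equal.
    if ($strMsg !== $strOldMsg) {
        funcDebug("Original Msg: " . $strOldMsg);
        funcDebug("Cleaned Text: " . $strMsg);
        //log it to transaction database
        //connect to server
        funcDebug("Connecting to database");
        // NOTE(review): the DB credentials are embedded in source here (and in
        // the sibling scripts); they belong in a config file outside the web root.
        $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
        funcDebug("Connected to database");
        //change to correct database
        mysql_select_db("sfvault_store") or die("Could not select database");
        $strNow = date('Y-m-j h:i:s');
        // The logged text contains the ORIGINAL, unfiltered input (quotes and all)
        // plus the attacker-controlled User-Agent, so it is escaped for the SQL
        // string literal -- otherwise the logger itself is an injection point.
        $strEditedInsert = mysql_real_escape_string("illegal symbol existed in query and was cleaned (old: " . $strOldMsg . " , new:" . $strMsg . ", ip: " . $ip . ", httpagent: " . $httpagent . ")", $link);
        $strLogInsert = "INSERT INTO tblLog Values ('" . $strNow . "','DEV','" . $strEditedInsert . "')";
        funcDebug("strLogInsert: " . $strLogInsert);
        mysql_query($strLogInsert, $link) or die("Log Entry Failed");
    }
    return $strMsg;
}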
function funcEncrypt($strMsg)
{
    // Encrypts $strMsg with MCRYPT_RIJNDAEL_256 in ECB mode under a key that is
    // a constant in this file, and returns the ciphertext as a hex string.
    // Behaviour is kept exactly as found because funcDecrypt (elsewhere) and
    // the rows already stored depend on this exact output.
    //
    // Weaknesses visible in this block, for whoever maintains it:
    //  - ECB: identical plaintext blocks produce identical ciphertext blocks,
    //    so structure in the data survives encryption; an IV is generated but
    //    ECB ignores it, and there is no integrity check on the output.
    //  - The key is hard-coded in source.
    //  - The mcrypt extension was removed from PHP core in 7.2.
    // Changing the mode or key means re-encrypting existing data and updating
    // funcDecrypt in the same change.
    //
    // @param string $strMsg plaintext
    // @return string lowercase hex encoding of the raw ciphertext
    funcDebug("Entered funcEncrypt");
    funcDebug($strMsg);
    $cipher = MCRYPT_RIJNDAEL_256;
    $mode = MCRYPT_MODE_ECB;
    $secret = "N[yLJgUZKxO)%b";
    // Kept so the call sequence is unchanged; the value is not used by ECB.
    $ivBytes = mcrypt_create_iv(mcrypt_get_iv_size($cipher, $mode), MCRYPT_RAND);
    $hexOut = bin2hex(mcrypt_encrypt($cipher, $secret, $strMsg, $mode, $ivBytes));
    funcDebug($hexOut);
    return $hexOut;
}
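//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");
//run query to see if result is returned
//$strStockID = funcSanitize ($_POST["stockID"]);
// $strStockID is assigned before this excerpt (the funcSanitize line above is
// commented out).  NOTE(review): confirm where it comes from, and whether it is
// the same value as the $_GET["stockID"] logged in the else branch below.
// It is escaped here for the SQL literal; funcSanitize, even if it was applied,
// only strips a blacklist and is not sufficient on its own.
$strQuery = "SELECT * FROM tblItem where stockID = '" . mysql_real_escape_string((string) $strStockID) . "'";
funcDebug("strQuery: " . $strQuery);
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());
$conNumberofRows = mysql_num_rows($strResult);
//$row = mysql_fetch_array ($strResult);
//if there are no rows in the table with the same ID, error then redirect within 5 seconds to add page
if ($conNumberofRows != 1) {
    // The id is reflected into the page, so it is escaped for HTML context.
    // (Also restores the missing space before "Doesn't".)
    echo "<b>ERROR! StockID " . htmlspecialchars((string) $strStockID, ENT_QUOTES, 'UTF-8') . " Doesn't exist in the database or there is more than one result<br>\n";
    echo "Redirecting you to the 'update' section of website</b><br>\n";
    echo "<meta http-equiv='REFRESH' content='5;updateItem.htm'>";
} else {
    funcDebug("stockID submitted: " . $_GET["stockID"]);
}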
while ($row = mysql_fetch_array($strResult)) {
    $strSubject = $row["Subject"];
    $strCategory = $row["Category"];
    $strStockID = $row["stockID"];
    $strDescription = $row["Description"];
    $strSmallPicture = $row["smallPicture"];
    $strLargePicture = $row["bigPicture"];
    $strShortDescription = $row["ShortDescription"];
    $strName = $row["Name"];
    $strCost = $row["Cost"];
    $strRRP = $row["RRP"];
    $strSaleRRP = $row["SaleRRP"];
    $strWeight = $row["Weight"];
    $strBarcode = $row["Barcode"];
    ?>
      </table>
     <br>
      <?php 
    //echo "<!--" . $totalWeight . ", " . $str1stClassCost . ",". $strSpecialDeliveryCost  ."-->";
    ?>
      <form action='submitOrder.php?strUserID=<?php 
    echo $strUserID;
    ?>
' method='POST'>
        <b>
        <?php 
    echo "<input type='hidden' name='Postage' value='Postage - " . $strShipping . "'>";
    funcDebug($line2["AddressLine1"]);
    funcDebug($line2["Town"]);
    funcDebug($line2["PostCode"]);
}
?>
        </b>
      </form>
      <p>
    </td>
    <td width="200" align="center" valign="top">
      <table width="200"  border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#002A54">
        <tr>
          <td bgcolor="#002A54">
            <div align="center"><img src="images/buttons/LOGIN.gif" width="180" height="25"></div>
          </td>
        </tr>
        <tr>
          <td>
    /*if ($i % 2 == 0)
    		{
    			//even number
    			echo "\t<td class='seconda'><center><input type='radio' name='itemtoedit' value='" . $strStockID . "'></center></td></tr>\n";
    		}
    		else
    		{
    			//odd number
    			echo "\t<td class='secondb'><center><input type='radio' name='itemtoedit' value='" . $strStockID . "'></center></td></tr>\n";
    		}
    		*/
    $i = $i + 1;
}
// Emit the trailing markup for the listing, then release the DB handle.
// NOTE(review): "<table>" here looks like it was meant to be "</table>";
// confirm against the markup opened further up the page.
echo '<table></center></form>', "\n";
//close connection to database
funcDebug("Closing link to db");
mysql_close($link);
?>
    </td>
  </tr>
</table>
<p>&nbsp;</p>

</body>

<?php 
// ******************************************************************
//
//  Name	: funcDebug
//  Author	: Adrian Farnell
//  Notes	: funcDebug displays debugging info whilst page
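function funcDeleteItem($itemcode, $qty)
{
    // Puts $qty units of $itemcode back into stock: takes the row's ColumnLock,
    // adds $qty to tblItem.NoOfItems, releases the lock and then refreshes the
    // browser to the basket admin page.  Every failure path ends the script
    // with exit/die, as the original did, so the caller never sees an error value.
    //
    // @param string     $itemcode stockID of the item (untrusted; escaped before use in SQL)
    // @param string|int $qty      units to return; must consist only of digits
    funcLogtoDebug("updateOrder.php: funcDeleteItem fired (" . $itemcode . "*" . $qty . ")");
    // ereg("[0-9]+", $qty) accepted any value CONTAINING a digit; require the
    // whole value to be digits (ereg was also removed in PHP 7).
    if (ctype_digit((string) $qty)) {
        funcDebug("Quantity string is numeric");
    } else {
        echo "Invalid Input, stop trying to put non-numerics in the quantity field";
        exit;
    }
    // $itemcode is interpolated into several SQL string literals below; escape it once.
    $safeItemcode = mysql_real_escape_string($itemcode);
    // Acquire the row lock with a single conditional UPDATE.  The previous
    // "SELECT ColumnLock ... then UPDATE" pair let two concurrent requests both
    // see the row unlocked and both carry on.
    $strLockQuery = "UPDATE tblItem SET ColumnLock = 'YES' WHERE stockID = '" . $safeItemcode . "' AND (ColumnLock IS NULL OR ColumnLock <> 'YES')";
    mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());
    if (mysql_affected_rows() == 0) {
        // Nothing changed: either another request holds the lock, or no such
        // row exists.  Read the flag to tell the two apart so the messages stay
        // as before; a missing row is reported further down.
        $strLockCheck = "SELECT ColumnLock FROM tblItem WHERE stockID = '" . $safeItemcode . "'";
        $strLockResult = mysql_query($strLockCheck) or die("Query Failed: " . mysql_error());
        while ($line = mysql_fetch_array($strLockResult, MYSQL_ASSOC)) {
            if ($line["ColumnLock"] == 'YES') {
                echo "Item being edited, please try again";
                echo "<br><a href='index3.php'>Back to Shop</a>";
                exit;
            }
        }
    }
    funcLogtoDebug("updateOrder.php: No locks, Free to carry on");
    if ($itemcode != '') {
        // (The original also logged $line["Qty"] here; that was dropped because
        // $line is false once the lock loop ends and that query never selected Qty.)
        funcDebug("Request to return " . $qty . " of " . $itemcode);
        $strBasket = "SELECT * FROM tblItem where stockID = '" . $safeItemcode . "'";
        $strBasketResult = mysql_query($strBasket) or die("Basket Query Failed:" . mysql_error());
        $conNumberofRows = mysql_num_rows($strBasketResult);
        if ($conNumberofRows == 1) {
            $line2 = mysql_fetch_array($strBasketResult, MYSQL_ASSOC);
            funcDebug("Quantity of " . $itemcode . " in stock is " . $line2["NoOfItems"]);
            // $qty is all digits (checked above), so this is plain integer arithmetic.
            $strUpdatedBasketValue = $line2["NoOfItems"] + $qty;
            $strAddToBasket = "UPDATE tblItem SET NoOfItems = '" . $strUpdatedBasketValue . "' where stockID = '" . $safeItemcode . "'";
            mysql_query($strAddToBasket) or die("Update Basket Query Failed:" . mysql_error());
        } else {
            // Catch-all for an item that does not exist (or is duplicated):
            // release the lock and stop before touching stock levels.
            echo "Invalid number of rows in stock database, please contact us";
            $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $safeItemcode . "'";
            mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());
            exit;
        }
        // Release the lock now that the stock level is updated.
        $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $safeItemcode . "'";
        mysql_query($strLockQuery) or die("ColumnLock to blank Query Failed: " . mysql_error());
    }
    echo "<meta http-equiv='refresh' content='0;url=/stock2/default.php?Action=BasketAdmin'>";
}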
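//start new session
session_start();
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = array();
}
include 'includes/SharedFunctions.php';
// Read each POST field with a default so a missing field is an empty string
// rather than an undefined-index notice.  funcSanitize only strips a blacklist,
// so the values are still escaped where they enter SQL.  $email and $comments
// are used in SQL further down (outside this excerpt) and need the same
// escaping there.
$qty = funcSanitize(isset($_POST['preorderqty']) ? $_POST['preorderqty'] : '');
// NOTE(review): 'h' is a 12-hour clock with no am/pm marker, so these
// timestamps are ambiguous; AddPreOrder.php uses 'H'.  Kept as found.
$strNow = date('Y-m-j h:i:s');
$itemcode = funcSanitize(isset($_POST['stockID']) ? $_POST['stockID'] : '');
$email = funcSanitize(isset($_POST['email']) ? $_POST['email'] : '');
$comments = funcSanitize(isset($_POST['Comments']) ? $_POST['Comments'] : '');
$strBool = 0;
$counter = 0;
// ereg("[0-9]+", $qty) only required SOME digit in the value; require all
// digits (ereg was also removed in PHP 7).
if (ctype_digit((string) $qty)) {
    funcDebug("Quantity string is numeric");
} else {
    echo "Invalid Input, stop trying to put non-numerics in the quantity field";
    exit;
}
//connect to server
// NOTE(review): DB credentials are embedded in source here and in the sibling
// scripts; they belong in a config file outside the web root.
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");
//check stockID is really at -3
// (-3 appears to be the pre-order marker for NoOfItems -- confirm.)
$strStockQry = "SELECT stockID, NoOfItems from tblItem where stockID = '" . mysql_real_escape_string($itemcode, $link) . "' and NoOfItems = '-3'";
$strStockResult = mysql_query($strStockQry) or die("Query Failed :" . mysql_error());
$conNumberofRows = mysql_num_rows($strStockResult);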
if ($conNumberofRows == "1") {
    //verify email is in our database
    $strEmailQry = "SELECT emailAddress from tbl_UserLogin where emailAddress = '" . $email . "'";
	<?php 
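//Write Debug information
funcDebug("this is a test debug");
//connect to server
funcDebug("Connecting to database");
// NOTE(review): DB credentials are embedded in source here and in the sibling
// scripts; they belong in a config file outside the web root.
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
funcDebug("Connected to database");
//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");
$ip = getenv("REMOTE_ADDR");
$httpref = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");
// Every field below is attacker-controlled (POST body, Referer, User-Agent).
// The bug text is stored as HTML and rendered back later (presumably by
// displayBugs.php, the redirect target), so each piece is escaped for HTML
// here to avoid stored XSS, and the whole row is escaped for SQL.
$description = isset($_POST["Description"]) ? $_POST["Description"] : '';
$priority = isset($_POST["priority"]) ? $_POST["priority"] : '';
$strBug = "<b>" . htmlspecialchars((string) $description, ENT_QUOTES, 'UTF-8') . " </b><font size=-2><br>---------<br>ip: " . htmlspecialchars((string) $ip, ENT_QUOTES, 'UTF-8') . "<br>httpref: " . htmlspecialchars((string) $httpref, ENT_QUOTES, 'UTF-8') . "<br>httpagent: " . htmlspecialchars((string) $httpagent, ENT_QUOTES, 'UTF-8') . "</font>";
$strNow = date('Y-m-j h:i:s');
$strInsertQuery = "INSERT INTO tblBugs VALUES ('" . mysql_real_escape_string($priority, $link) . "','','','" . $strNow . "','" . mysql_real_escape_string($strBug, $link) . "','N','')";
$strInsertResult = mysql_query($strInsertQuery) or die("Query Failed :" . mysql_error());
// User input reaches only the mail body, not the header block.  SERVER_NAME
// is taken from the request's Host header unless the vhost pins it -- confirm
// the server config if the From / Reply-To address matters.
mail("adrian@nofishhere.com,james@scifivault.com", "BUG Report", $description . "\n\n The priority of this is " . $priority, "From: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "Reply-To: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "X-Mailer: PHP/" . phpversion());
redirect("displayBugs.php", 1, "<B>Redirecting...</B><br> <a href='displayBugs.php'>Click here if redirect fails</a>");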
?>




<?php 
// Redirects to another Page using HTTP-META Tag
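function redirect($url, $delay = 0, $message = "")
{
    /* Emits a <meta refresh> to $url after $delay seconds, prints $message
     * and terminates the script with die(), so nothing after the call runs.
     *
     * $url is escaped for the attribute context so a caller-supplied value
     * cannot break out of the tag.  $message is deliberately NOT escaped:
     * callers pass markup in it (see the call above), so it must come from
     * code, never from the request.  $delay is forced to a non-negative
     * integer so it cannot break the attribute either.
     */
    $safeUrl = htmlspecialchars((string) $url, ENT_QUOTES, 'UTF-8');
    $seconds = max(0, (int) $delay);
    echo "<meta http-equiv='Refresh' content='" . $seconds . "; url=" . $safeUrl . "'>";
    die("<div style='font-family: Arial, Sans-serif; font-size: 12pt;' align=center> " . $message . " </div>");
}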
            echo "<b><font size=+1>";
        }
        echo "<a href='subCategory.php?sTag=" . $strSTag . "&vTag=" . $strVTag . "&p=" . $counter . "'>" . $displayCounter . "</a>";
        if ($strPTag == $counter) {
            echo "</font></b>";
        }
    }
    echo " | ";
    if ($strPTag != $strPages - 1) {
        $strNext = $strPTag + 1;
        echo "<a href='subCategory.php?sTag=" . $strSTag . "&vTag=" . $strVTag . "&p=" . $strNext . "'> Next &gt;&gt; </a>";
    }
}
//end of break up the results sets into a number of pages ***************************************************************
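// One page of five items for the current subject/version tag.  $strSTag,
// $strVTag and $strPTag are set before this excerpt (they are also echoed into
// the paging links above, so presumably they come from the request); they are
// escaped / cast here because they are interpolated into the SQL string.
// The page number is clamped at 0 so a negative value cannot produce an
// invalid LIMIT.
$strQueryDisp = "SELECT stockID, smallPicture, Name, ShortDescription, NoOfItems, RRP, SaleRRP FROM tblItem where SubjectTag='" . mysql_real_escape_string((string) $strSTag) . "' and VersionTag='" . mysql_real_escape_string((string) $strVTag) . "' and NoOfItems <> -1 order by Name LIMIT " . (max(0, (int) $strPTag) * 5) . ", 5";
funcDebug($strQueryDisp);
$strResultDisp = mysql_query($strQueryDisp) or die("Query Failed :" . mysql_error());
echo "<TABLE width='100%' border='0'>\n";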
while ($lineDisp = mysql_fetch_array($strResultDisp, MYSQL_ASSOC)) {
    echo "\t<TR width='100%' valign='center'>    <TD width='50'> <a href='displayItem.php?Item=" . $lineDisp["stockID"] . "'><img src='" . $lineDisp["smallPicture"] . "' border='0'></a> </TD>" . "\n<TD width='100%'> <a href='displayItem.php?Item=" . $lineDisp["stockID"] . "'>" . $lineDisp["Name"] . "</a> </TD>" . "\n<TD width='100'> ";
    if ($lineDisp["RRP"] == $lineDisp["SaleRRP"] or $lineDisp["SaleRRP"] == 0.0) {
        echo "&pound;" . $lineDisp["RRP"];
    } else {
        //Item is for sale...
        echo "<del><font size ='-2' color=red>£" . $lineDisp["RRP"] . "</font></del> &pound;" . $lineDisp["SaleRRP"];
    }
    /*
    	  				echo " </TD>"
    	  				.	"\n<TD width='60'>
    	  				<form action='addToBasket2.php' method='post'>  <br>
    	  				<input TYPE='image' SRC='images/buttons/BUYBUTTON.gif' name='Buy'>
<?php

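include 'includes/Link.php';
include 'includes/SharedFunctionsStrict.php';
$strUserOrdertoAdd = funcSanitize(isset($_POST["email"]) ? $_POST["email"] : '');
funcDebug("AddPreOrder.php: AddPreOrder.php fired " . $strUserOrdertoAdd);
$strSessionID = "PreOrder";
$strAuthCookie = "PreOrder";
$strNow = date('Y-m-j H:i:s');
$strUserID = '';
// The user id is taken from the NAME of a POST field ("<userid>#...").
// NOTE(review): the echo + exit inside the loop stop the script on the first
// field every time; it reads like a debugging leftover but is kept as found --
// confirm the intended flow before removing it.
// NOTE(review): nothing in this excerpt ties $strUserID to the logged-in user
// ($strSessionID / $strAuthCookie are constants here); confirm the includes
// enforce that, otherwise any client can request any user's address record.
foreach ($_POST as $key => $val) {
    // split() (POSIX regex, removed in PHP 7) gives the same result as explode for a literal '#'.
    $arrItem = explode("#", $key);
    $strUserID = $arrItem[0];
    // The key is reflected into the page: escape it for HTML context.
    echo htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8');
    exit;
}
// $strUserID comes straight from the request, so it is escaped for the SQL
// literal here and for HTML where it is reflected below.
$strAddressQuery = "SELECT * from tbl_UserLogin where UserID = '" . mysql_real_escape_string($strUserID) . "'";
$strAddressResult = mysql_query($strAddressQuery) or die("Query Failed :" . mysql_error());
$conNumberofRows = mysql_num_rows($strAddressResult);
if ($conNumberofRows == 0) {
    echo "You've not got a delivery address";
    echo "<br><br> Click <a href='UserDetails.php?strUserID=" . htmlspecialchars($strUserID, ENT_QUOTES, 'UTF-8') . "'>here</a> to go back to shop";
    exit;
}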
while ($line2 = mysql_fetch_array($strAddressResult, MYSQL_ASSOC)) {
    if ($line2["FirstName"] != "") {
        $strFirstName = trim(funcDecrypt(hex2bin($line2["FirstName"])));
    }
    if ($line2["SurName"] != "") {
        $strSurName = trim(funcDecrypt(hex2bin($line2["SurName"])));
    }
    if ($line2["AddressLine1"] != "") {
         $line2 = mysql_fetch_array($strBasketResult, MYSQL_ASSOC);
         funcDebug("Quantity of " . $itemcode . " in stock is " . $line2["NoOfItems"]);
         $strUpdatedBasketValue = $line2["NoOfItems"] + $qty;
         $strAddToBasket = "UPDATE tblItem SET NoOfItems = '" . $strUpdatedBasketValue . "' where stockID = '" . $itemcode . "'";
         mysql_query($strAddToBasket) or die("Update Basket Query Failed:" . mysql_error());
     } else {
         //catchall for invalid entries in basket. stops
         //before making any changes in the main tblItems.
         echo "Invalid number of rows in stock database, please contact us";
         $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'";
         mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());
         exit;
     }
     //update tblItems with new stock value
     $strUpdatedStockValue = $line["Qty"] - $qty;
     funcDebug("Updated stock value: " . $strUpdatedStockValue);
     if ($strUpdatedStockValue == 0) {
         $strUpdateStockQuery = "DELETE FROM tblBasket where item = '" . $itemcode . "' and PHPSessionID = '" . session_id() . "'";
         mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error());
     } else {
         $strUpdateStockQuery = "UPDATE tblBasket SET qty = '" . $strUpdatedStockValue . "' WHERE item = '" . $itemcode . "' and PHPSessionID = '" . session_id() . "'";
         mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error());
     }
     $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'";
     mysql_query($strLockQuery) or die("ColumnLock to blank Query Failed: " . mysql_error());
 } else {
     //oh dear, no stock left
     echo "Not enough stock I'm afraid for that item";
     $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'";
     mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());
 }
<HTML>


<HEAD></HEAD>

<?php 
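include 'includes/SharedFunctions.php';
// Missing query parameters become empty strings rather than undefined-index
// notices.  funcSanitize only strips a blacklist; the value is still escaped
// where it enters SQL.
$strUserName = funcSanitize(isset($_GET["UserID"]) ? $_GET["UserID"] : '');
$strVerifyCode = funcSanitize(isset($_GET["VerifyKey"]) ? $_GET["VerifyKey"] : '');
funcDebug($strUserName);
funcDebug($strVerifyCode);
//connect to server
// NOTE(review): DB credentials are embedded in source here and in the sibling
// scripts; they belong in a config file outside the web root.
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");
// NOTE(review): $strVerifyCode is read but never compared.  This SELECT and
// the UPDATE that sets UserVerified further down (outside this block) both
// match on UserID alone, so knowing a UserID is enough to verify the account.
// The verification key should be part of both WHERE clauses; the column it is
// stored in is not visible here, so that change is left to the maintainer.
$strUserQuery = "SELECT UserID FROM tbl_UserLogin where UserID = '" . mysql_real_escape_string($strUserName, $link) . "'";
$strUserResult = mysql_query($strUserQuery) or die("Query Failed:" . mysql_error());
//User Exists, so Error gracefully, then forward the user on
$conNumberofRows = mysql_num_rows($strUserResult);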
if ($conNumberofRows == 1) {
    //here's our user
    $strNow = date('Y-m-j h:i:s');
    //User Doesn't exist so carry on Adding
    $strAddUserQuery = "UPDATE tbl_UserLogin SET UserVerified='1' where UserID='" . $strUserName . "'";
    $strAddUserResult = mysql_query($strAddUserQuery) or die("Query Failed:" . mysql_error());
    echo "\r\n\r\n<table  border='0' cellspacing='0' cellpadding='5' width='900' align='center'>\r\n  <tr>\r\n    <td width='500'><a href='http://shop.scifivault.com/index3.php'><img src='images/scifi-small-best.jpg' width='403' height='62' border='0'></a>\r\n\r\n    </td>\r\n    <td align='right' valign='top' width='300'>\r\n\r\n\r\n    </td></tr>\r\n\r\n<tr><td>\r\n<br> <font face='verdana'>Thankyou! You've succesfully verified.\r\n\r\n<p>Feel free to sign on and shop.  Click on the link below to hurry things along.\r\n<br><br><a href='index3.php'>Back to Shop</a></font></td><td></td></tr>\r\n\r\n</table>\r\n\r\n\r\n\t\t";
    funcLogToDebug("VerifyUser.php: " . $strUserName . " verified successfully");
    //echo "<meta http-equiv='refresh' content='10;url=/index3.php'>";
} else {
    //we've got more than 1 user with the same user ID in the db (Shouldn't be possible)