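/**
 * Final server-side checks before the PayPal payment is confirmed.
 *
 * Reads the customer cookie, the cart and the PayPal payment object from the
 * global scope and stops the script (exit/die) unless the customer is logged
 * in, the cart reports a truthy (non-zero) order total, the request `token`
 * matches the token kept in the cookie and a non-empty `PayerID` is present.
 * On success delegates to $ppPayment->makePayPalAPIValidation().
 */
function validOrder()
{
    global $cookie, $cart, $ppPayment;

    if (!$cookie->isLogged(true)) {
        // Send anonymous visitors back to the shop root. Nothing after exit
        // runs, so the die('Not logged') that used to follow it was dead code.
        header('location:../../../');
        exit;
    } elseif (!$cart->getOrderTotal(true, PayPal::BOTH)) {
        die('Empty cart');
    }

    $token = Tools::htmlentitiesUTF8(strval(Tools::getValue('token')));
    if (!$token) {
        global $smarty;
        $smarty->assign('paypalError', 'Invalid token');
        displayConfirm();
        die('Invalid token');
    }
    // Byte-wise, constant-time comparison. The former loose `!=` treated
    // numeric-looking strings such as "1e3" and "1000" as equal and is not
    // constant-time; both operands are already strings via strval().
    if (!hash_equals(strval($cookie->paypal_token), $token)) {
        die('Invalid cookie token');
    }

    $payerID = Tools::htmlentitiesUTF8(strval(Tools::getValue('PayerID')));
    if (!$payerID) {
        die('Invalid payerID');
    }

    $ppPayment->makePayPalAPIValidation($cookie, $cart, $cart->id_currency, $payerID, 'payment');
}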
}
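/**
 * Final server-side checks before the PayPal order is validated.
 *
 * Uses the customer cookie, the cart and the PayPal payment object from the
 * global scope and stops the script with die() unless the customer is logged
 * in, the cart reports a truthy (non-zero) order total, the request `token`
 * matches the token kept in the cookie and a non-empty `PayerID` is present.
 * On success delegates to $ppPayment->validOrder() using the cookie's currency.
 */
function validOrder()
{
    global $cookie, $cart, $ppPayment;

    if (!$cookie->isLogged()) {
        die('Not logged');
    } elseif (!$cart->getOrderTotalLC(true, 3)) {
        die('Empty cart');
    }

    $token = Tools::htmlentitiesUTF8(strval(Tools::getValue('token')));
    if (!$token) {
        die('Invalid token');
    }
    // Byte-wise, constant-time comparison. The former loose `!=` treated
    // numeric-looking strings such as "1e3" and "1000" as equal and is not
    // constant-time; both operands are already strings via strval().
    if (!hash_equals(strval($cookie->paypal_token), $token)) {
        die('Invalid cookie token');
    }

    $payerID = Tools::htmlentitiesUTF8(strval(Tools::getValue('PayerID')));
    if (!$payerID) {
        die('Invalid payerID');
    }

    $ppPayment->validOrder($cookie, $cart, $cookie->id_currency, $payerID, 'payment');
}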
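// #####
// Process !!
// No submit, confirmation page
// Request-driven flow: a plain visit shows the confirmation page; a submit
// (or a return from PayPal) without a stored PayPal token first calls
// submitConfirm(), then validOrder() runs unless submitConfirm() itself ends
// the request. `&&`/`||` replace `and`/`or`: identical inside an if()
// condition, but the low-precedence forms bind below `=` and are a footgun
// once an assignment appears in the expression.
if (!Tools::isSubmit('submitPayment') && !Tools::getValue('fromPayPal')) {
    displayConfirm();
} else {
    if (!isset($cookie->paypal_token) || !$cookie->paypal_token) {
        submitConfirm();
    }
    validOrder();
}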
 }
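 // check for dbtype
 // if we have clicked no on continue then we reissue the form
 // Request fields are read once with an empty-string fallback so a missing key
 // no longer raises an undefined-index notice; an absent field behaves as empty,
 // which is what the checks below already did for a null value.
 $dbtype = isset($_POST['dbtype']) ? $_POST['dbtype'] : '';
 $password = isset($_POST['password']) ? $_POST['password'] : '';
 $username = isset($_POST['username']) ? $_POST['username'] : '';
 $dbtypeConfirmed = isset($_POST['confirmdbtype']) && $_POST['confirmdbtype'] === 'yes';

 if (isset($_POST['confirmdbtype']) && !$dbtypeConfirmed) {
     displayInitialForm("Please select a different database type (mysql recommended)");
     exit(0);
 }
 // perform confirm check if not mysql
 // Only word characters and '-' are accepted. The hyphen has to be the last
 // member of the class: the previous "[\w-_]" is rejected as an invalid range
 // by PCRE2 (PHP 7.3+), which made preg_match() return false and every dbtype
 // fail this check. '_' is already covered by \w.
 if (!preg_match('/^[\w-]+$/', $dbtype)) {
     displayInitialForm("dbtype contains illegal charactors");
     exit(0);
 } elseif ($dbtype === 'mssql' && !$dbtypeConfirmed) {
     displayConfirm("MS Sql is not officially supported - do you wish to continue?", 'dbtype', $_POST);
     exit(0);
 } elseif ($dbtype !== 'mysql' && !$dbtypeConfirmed) {
     displayConfirm("DB type is not supported this will need manual configuration - do you wish to continue?", 'dbtype', $_POST);
     exit(0);
 }
 // basic check for password field - just blocks some ncharacters not allowed by mysql
 // will still allow some characters not allowed by mysql (eg. accentuated characters, but they are not considered a security risk)
 // unsure whether " and ' are allowed in mysql, but we don't allow them anyway in case they cause problems
 if (preg_match('/[:&+"\']/', $password)) {
     displayInitialForm("password contains illegal charactors");
     exit(0);
 }
 // just basic check for username - could check for max 16 chars etc. but leave that for mysql to enforce - as long as we don't allow dangerous characters
 // Same blacklist as the password plus any whitespace.
 if (preg_match('/[:&+"\'\s]/', $username)) {
     displayInitialForm("username contains illegal charactors");
     exit(0);
 }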
 // Does not check for valid hostname, just checks for valid characters