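function funcSanitize($strMsg) {
    // Blacklist "sanitiser": strips a fixed set of characters / keywords from
    // $strMsg and, when anything was stripped, records the event in tblLog.
    //
    // SECURITY NOTE (review): this is NOT a substitute for parameterised
    // queries or mysql_real_escape_string().  The keyword entries are matched
    // case-sensitively (only the two listed spellings are caught), nothing is
    // done about `"`, `;`, `--`, `/*`, `UNION`, `OR` ..., and the stripping
    // loop removes ONE character per match, so "SELECT" becomes "ELECT" rather
    // than "".  Callers that interpolate the return value into SQL remain
    // injectable; they must escape/parameterise at the query site.
    //
    // Parameters:
    //   $strMsg  untrusted input string (may be null/empty)
    // Returns the stripped string (identical to the input when nothing matched).
    // Side effects: funcDebug() output; on a change, opens a DB link and
    //   INSERTs a row into tblLog (die()s on connection/query failure).
    $ip        = getenv("REMOTE_ADDR");
    $httpagent = getenv("HTTP_USER_AGENT");
    $strOldMsg = $strMsg;
    funcDebug("strOldMsg: " . $strOldMsg);

    $arrIllegalChar = array("*", "1=1", "=", "\\", "#", "'", "SELECT", "select", "INSERT", "insert", "DELETE", "delete");
    foreach ($arrIllegalChar as $k) {
        // Drop the first character of each occurrence until the needle no
        // longer appears anywhere in the string.
        while (($j = strpos($strMsg, $k)) !== false) {
            $strMsg = substr($strMsg, 0, $j) . substr($strMsg, $j + 1);
        }
    }

    if ($strMsg != $strOldMsg) {
        funcDebug("Original Msg: " . $strOldMsg);
        funcDebug("Cleaned Text: " . $strMsg);

        // Log the event to the transaction database.
        // TODO(review): credentials are hard-coded here and in several other
        // scripts; move them to a single include outside the web root.
        funcDebug("Connecting to database");
        $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
        funcDebug("Connected to database");
        mysql_select_db("sfvault_store", $link) or die("Could not select database");

        $strNow = date('Y-m-j h:i:s');
        $strEditedInsert = "illegal symbol existed in query and was cleaned (old: " . $strOldMsg . " , new:" . $strMsg . ", ip: " . $ip . ", httpagent: " . $httpagent . ")";

        // $strOldMsg is the RAW input (it still contains the quotes that were
        // just stripped) and $httpagent is attacker-controlled, so the log
        // entry itself was previously an injection point.  Escape the whole
        // value before it goes into the INSERT.
        $strLogInsert = "INSERT INTO tblLog Values ('" . $strNow . "','DEV','" . mysql_real_escape_string($strEditedInsert, $link) . "')";
        funcDebug("strLogInsert: " . $strLogInsert);
        mysql_query($strLogInsert, $link) or die("Log Entry Failed");
    }

    return $strMsg;
}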
function funcEncrypt($strMsg) {
    // Encrypts $strMsg with Rijndael-256 in ECB mode under a fixed key and
    // returns the ciphertext as a lowercase hex string.
    //
    // SECURITY NOTE (review):
    //  - ECB mode: identical plaintext blocks give identical ciphertext blocks,
    //    so structure of the protected fields leaks.
    //  - The key is a hard-coded 14-byte literal; depending on the PHP/mcrypt
    //    version it is either zero-padded to a supported size or rejected with
    //    a warning -- confirm against the deployed version.
    //  - ext/mcrypt is abandoned upstream and removed from PHP 7.2+.
    //  - The IV is generated (with the non-cryptographic MCRYPT_RAND source)
    //    but ECB ignores it.
    //  - funcDebug() is handed the plaintext and the ciphertext; make sure it
    //    is disabled outside development.
    // The output format is consumed by funcDecrypt()/hex2bin() elsewhere in
    // this codebase, so it cannot be changed here without migrating stored
    // data.
    //
    // Parameters:
    //   $strMsg  plaintext string
    // Returns hex-encoded ciphertext.
    funcDebug("Entered funcEncrypt");
    funcDebug($strMsg);

    $key       = "N[yLJgUZKxO)%b";
    $cipher    = MCRYPT_RIJNDAEL_256;
    $ivLength  = mcrypt_get_iv_size($cipher, MCRYPT_MODE_ECB);
    $iv        = mcrypt_create_iv($ivLength, MCRYPT_RAND);
    $rawCipher = mcrypt_encrypt($cipher, $key, $strMsg, MCRYPT_MODE_ECB, $iv);

    $hexCipher = bin2hex($rawCipher);
    funcDebug($hexCipher);
    return $hexCipher;
}
//change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //run query to see if result is returned //$strStockID = funcSanitize ($_POST["stockID"]); $strQuery = "SELECT * FROM tblItem where stockID = '" . $strStockID . "'"; funcDebug("strQuery: " . $strQuery); $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); $conNumberofRows = mysql_num_rows($strResult); //$row = mysql_fetch_array ($strResult); //if there are no rows in the table with the same ID, error then redirect within 5 seconds to add page if ($conNumberofRows != 1) { echo "<b>ERROR! StockID " . $strStockID . "Doesn't exist in the database or there is more than one result<br>\n"; echo "Redirecting you to the 'update' section of website</b><br>\n"; echo "<meta http-equiv='REFRESH' content='5;updateItem.htm'>"; } else { funcDebug("stockID submitted: " . $_GET["stockID"]); } while ($row = mysql_fetch_array($strResult)) { $strSubject = $row["Subject"]; $strCategory = $row["Category"]; $strStockID = $row["stockID"]; $strDescription = $row["Description"]; $strSmallPicture = $row["smallPicture"]; $strLargePicture = $row["bigPicture"]; $strShortDescription = $row["ShortDescription"]; $strName = $row["Name"]; $strCost = $row["Cost"]; $strRRP = $row["RRP"]; $strSaleRRP = $row["SaleRRP"]; $strWeight = $row["Weight"]; $strBarcode = $row["Barcode"];
?> </table> <br> <?php //echo "<!--" . $totalWeight . ", " . $str1stClassCost . ",". $strSpecialDeliveryCost ."-->"; ?> <form action='submitOrder.php?strUserID=<?php echo $strUserID; ?> ' method='POST'> <b> <?php echo "<input type='hidden' name='Postage' value='Postage - " . $strShipping . "'>"; funcDebug($line2["AddressLine1"]); funcDebug($line2["Town"]); funcDebug($line2["PostCode"]); } ?> </b> </form> <p> </td> <td width="200" align="center" valign="top"> <table width="200" border="0" align="center" cellpadding="0" cellspacing="0" bordercolor="#002A54"> <tr> <td bgcolor="#002A54"> <div align="center"><img src="images/buttons/LOGIN.gif" width="180" height="25"></div> </td> </tr> <tr> <td>
/*if ($i % 2 == 0) { //even number echo "\t<td class='seconda'><center><input type='radio' name='itemtoedit' value='" . $strStockID . "'></center></td></tr>\n"; } else { //odd number echo "\t<td class='secondb'><center><input type='radio' name='itemtoedit' value='" . $strStockID . "'></center></td></tr>\n"; } */ $i = $i + 1; } echo "<table></center></form>\n"; //close connection to database funcDebug("Closing link to db"); mysql_close($link); ?> </td> </tr> </table> <p> </p> </body> <?php // ****************************************************************** // // Name : funcDebug // Author : Adrian Farnell // Notes : funcDebug displays debugging info whilst page
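function funcDeleteItem($itemcode, $qty) {
    // Returns $qty units of $itemcode from the basket back into tblItem stock
    // (NoOfItems += $qty), guarded by the per-row ColumnLock flag.  Despite
    // the name nothing is deleted: the tblBasket adjustment that used to follow
    // was commented out and is not performed here.
    //
    // Parameters:
    //   $itemcode  stockID of the item; untrusted (comes from the basket form)
    //   $qty       quantity to return; must be a non-negative integer string
    // Side effects: UPDATEs tblItem; echoes an error and exit()s on bad input,
    //   a held lock or an unexpected row count; finally emits a meta refresh.
    // NOTE(review): NoOfItems uses sentinel values elsewhere in this codebase
    //   (-1 hidden, -3 pre-order per other scripts); adding $qty to such a row
    //   would corrupt the sentinel -- confirm callers never pass those items.
    funcLogtoDebug("updateOrder.php: funcDeleteItem fired (" . $itemcode . "*" . $qty . ")");

    // $qty must be an integer in its entirety.  The previous test,
    // ereg("[0-9]+", $qty), only required that SOME digit be present, so a
    // value such as "1' OR 1=1" passed; anchor the pattern (ereg is also
    // removed in PHP 7).
    if (!preg_match('/^[0-9]+$/', (string) $qty)) {
        echo "Invalid Input, stop trying to put non-numerics in the quantity field";
        exit;
    }
    funcDebug("Quantity string is numeric");
    $qty = (int) $qty;

    // $itemcode is interpolated into every query below; escape it once.
    // (Prepared statements are the real fix, but this file is on ext/mysql.)
    $safeItemcode = mysql_real_escape_string($itemcode);

    // Is the row already locked by another request?
    $strLockCheck = "SELECT ColumnLock FROM tblItem WHERE stockID = '" . $safeItemcode . "'";
    $strLockResult = mysql_query($strLockCheck) or die("Query Failed: " . mysql_error());
    while ($line = mysql_fetch_array($strLockResult, MYSQL_ASSOC)) {
        if ($line["ColumnLock"] == 'YES') {
            echo "Item being edited, please try again";
            echo "<br><a href='index3.php'>Back to Shop</a>";
            exit;
        }
        funcLogtoDebug("updateOrder.php: No locks, Free to carry on");
    }

    // Take the lock.
    // NOTE(review): check-then-set is a race -- two requests can both pass the
    // SELECT above before either UPDATE runs.  An atomic
    //   UPDATE tblItem SET ColumnLock='YES' WHERE stockID=? AND ColumnLock<>'YES'
    // with an affected-rows check would close it; left as-is to keep the
    // existing semantics.
    $strLockQuery = "UPDATE tblItem SET ColumnLock = 'YES' WHERE stockID = '" . $safeItemcode . "'";
    mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());

    if ($itemcode != '') {
        funcDebug("Request to return " . $qty . " of " . $itemcode);

        $strBasket = "SELECT * FROM tblItem where stockID = '" . $safeItemcode . "'";
        $strBasketResult = mysql_query($strBasket) or die("Basket Query Failed:" . mysql_error());
        $conNumberofRows = mysql_num_rows($strBasketResult);

        if ($conNumberofRows == 1) {
            $line2 = mysql_fetch_array($strBasketResult, MYSQL_ASSOC);
            funcDebug("Quantity of " . $itemcode . " in stock is " . $line2["NoOfItems"]);
            $strUpdatedBasketValue = $line2["NoOfItems"] + $qty;
            $strAddToBasket = "UPDATE tblItem SET NoOfItems = '" . $strUpdatedBasketValue . "' where stockID = '" . $safeItemcode . "'";
            mysql_query($strAddToBasket) or die("Update Basket Query Failed:" . mysql_error());
        } else {
            // Catch-all for an unknown / duplicated stockID: release the lock
            // and stop before touching stock.
            echo "Invalid number of rows in stock database, please contact us";
            $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $safeItemcode . "'";
            mysql_query($strLockQuery) or die("Query Failed: " . mysql_error());
            exit;
        }

        // Release the lock.
        $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $safeItemcode . "'";
        mysql_query($strLockQuery) or die("ColumnLock to blank Query Failed: " . mysql_error());
    }

    echo "<meta http-equiv='refresh' content='0;url=/stock2/default.php?Action=BasketAdmin'>";
}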
//start new session session_start(); if (!isset($_SESSION['cart'])) { $_SESSION['cart'] = array(); } include 'includes/SharedFunctions.php'; $qty = funcSanitize($_POST['preorderqty']); $strNow = date('Y-m-j h:i:s'); $itemcode = funcSanitize($_POST['stockID']); $email = funcSanitize($_POST['email']); $comments = funcSanitize($_POST['Comments']); $strBool = 0; $counter = 0; //additional check to make sure $qty is a numeric if (ereg("[0-9]+", $qty)) { funcDebug("Quantity string is numeric"); } else { echo "Invalid Input, stop trying to put non-numerics in the quantity field"; exit; } //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //check stockID is really at -3 $strStockQry = "SELECT stockID, NoOfItems from tblItem where stockID = '" . $itemcode . "' and NoOfItems = '-3'"; $strStockResult = mysql_query($strStockQry) or die("Query Failed :" . mysql_error()); $conNumberofRows = mysql_num_rows($strStockResult); if ($conNumberofRows == "1") { //verify email is in our database $strEmailQry = "SELECT emailAddress from tbl_UserLogin where emailAddress = '" . $email . "'";
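<?php
// Bug-report handler: stores a submitted bug (description + priority) in
// tblBugs, mails it to the maintainers and redirects to displayBugs.php.
//
// SECURITY NOTE (review): $_POST["Description"], $_POST["priority"] and the
// Referer / User-Agent headers are attacker-controlled.  They were previously
// interpolated raw into both the SQL INSERT and an HTML fragment that is
// stored for later display, i.e. SQL injection plus stored XSS.  They are now
// escaped per context: htmlspecialchars() for the stored HTML fragment and
// mysql_real_escape_string() for the SQL values.
// TODO(review): credentials are hard-coded here as in other scripts; move
// them to a single include outside the web root.
funcDebug("this is a test debug");

funcDebug("Connecting to database");
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
funcDebug("Connected to database");
mysql_select_db("sfvault_store", $link) or die("Could not select database");

$ip        = getenv("REMOTE_ADDR");
$httpref   = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");
$description = isset($_POST["Description"]) ? (string) $_POST["Description"] : "";
$priority    = isset($_POST["priority"])    ? (string) $_POST["priority"]    : "";

// The stored fragment is HTML by design (it is rendered as such later), so the
// untrusted pieces inside it must be HTML-escaped.
$strBug = "<b>" . htmlspecialchars($description, ENT_QUOTES) . " </b><font size=-2><br>---------<br>ip: "
        . htmlspecialchars((string) $ip, ENT_QUOTES) . "<br>httpref: "
        . htmlspecialchars((string) $httpref, ENT_QUOTES) . "<br>httpagent: "
        . htmlspecialchars((string) $httpagent, ENT_QUOTES) . "</font>";
$strNow = date('Y-m-j h:i:s');

$strInsertQuery = "INSERT INTO tblBugs VALUES ('" . mysql_real_escape_string($priority, $link) . "','','','"
                . $strNow . "','" . mysql_real_escape_string($strBug, $link) . "','N','')";
$strInsertResult = mysql_query($strInsertQuery, $link) or die("Query Failed :" . mysql_error());

// Plain-text mail to the maintainers.  The untrusted values only go into the
// body, not the headers.  NOTE(review): $_SERVER['SERVER_NAME'] may be derived
// from the client's Host header depending on server configuration -- confirm
// UseCanonicalName / equivalent before trusting it in the From address.
$mailBody    = $description . "\n\n The priority of this is " . $priority;
$mailHeaders = "From: webmaster@{$_SERVER['SERVER_NAME']}\r\n"
             . "Reply-To: webmaster@{$_SERVER['SERVER_NAME']}\r\n"
             . "X-Mailer: PHP/" . phpversion();
mail("adrian@nofishhere.com,james@scifivault.com", "BUG Report", $mailBody, $mailHeaders);

redirect("displayBugs.php", 1, "<B>Redirecting...</B><br> <a href='displayBugs.php'>Click here if redirect fails</a>");

// Redirects to another page using an HTTP-EQUIV meta refresh, prints
// $message and terminates the script.
//
// Parameters:
//   $url      target URL; placed in an attribute, so it is attribute-escaped
//   $delay    seconds before the refresh fires
//   $message  HTML fragment shown while waiting -- callers pass markup here,
//             so it is deliberately NOT escaped; never pass untrusted input.
function redirect($url, $delay = 0, $message = "") {
    echo "<meta http-equiv='Refresh' content='" . (int) $delay . "; url=" . htmlspecialchars($url, ENT_QUOTES) . "'>";
    die("<div style='font-family: Arial, Sans-serif; font-size: 12pt;' align=center> " . $message . " </div>");
}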
echo "<b><font size=+1>"; } echo "<a href='subCategory.php?sTag=" . $strSTag . "&vTag=" . $strVTag . "&p=" . $counter . "'>" . $displayCounter . "</a>"; if ($strPTag == $counter) { echo "</font></b>"; } } echo " | "; if ($strPTag != $strPages - 1) { $strNext = $strPTag + 1; echo "<a href='subCategory.php?sTag=" . $strSTag . "&vTag=" . $strVTag . "&p=" . $strNext . "'> Next >> </a>"; } } //end of break up the results sets into a number of pages *************************************************************** $strQueryDisp = "SELECT stockID, smallPicture, Name, ShortDescription, NoOfItems, RRP, SaleRRP FROM tblItem where SubjectTag='" . $strSTag . "' and VersionTag='" . $strVTag . "' and NoOfItems <> -1 order by Name LIMIT " . $strPTag * 5 . ", 5"; funcDebug($strQueryDisp); $strResultDisp = mysql_query($strQueryDisp) or die("Query Failed :" . mysql_error()); echo "<TABLE width='100%' border='0'>\n"; while ($lineDisp = mysql_fetch_array($strResultDisp, MYSQL_ASSOC)) { echo "\t<TR width='100%' valign='center'> <TD width='50'> <a href='displayItem.php?Item=" . $lineDisp["stockID"] . "'><img src='" . $lineDisp["smallPicture"] . "' border='0'></a> </TD>" . "\n<TD width='100%'> <a href='displayItem.php?Item=" . $lineDisp["stockID"] . "'>" . $lineDisp["Name"] . "</a> </TD>" . "\n<TD width='100'> "; if ($lineDisp["RRP"] == $lineDisp["SaleRRP"] or $lineDisp["SaleRRP"] == 0.0) { echo "£" . $lineDisp["RRP"]; } else { //Item is for sale... echo "<del><font size ='-2' color=red>£" . $lineDisp["RRP"] . "</font></del> £" . $lineDisp["SaleRRP"]; } /* echo " </TD>" . "\n<TD width='60'> <form action='addToBasket2.php' method='post'> <br> <input TYPE='image' SRC='images/buttons/BUYBUTTON.gif' name='Buy'>
<?php include 'includes/Link.php'; include 'includes/SharedFunctionsStrict.php'; $strUserOrdertoAdd = funcSanitize($_POST["email"]); funcDebug("AddPreOrder.php: AddPreOrder.php fired " . $strUserOrdertoAdd); $strSessionID = "PreOrder"; $strAuthCookie = "PreOrder"; $strNow = date('Y-m-j H:i:s'); foreach ($_POST as $key => $val) { $arrItem = split("#", $key); $strUserID = $arrItem[0]; echo $key; exit; } $strAddressQuery = "SELECT * from tbl_UserLogin where UserID = '" . $strUserID . "'"; $strAddressResult = mysql_query($strAddressQuery) or die("Query Failed :" . mysql_error()); $conNumberofRows = mysql_num_rows($strAddressResult); if ($conNumberofRows == 0) { echo "You've not got a delivery address"; echo "<br><br> Click <a href='UserDetails.php?strUserID=" . $strUserID . "'>here</a> to go back to shop"; exit; } while ($line2 = mysql_fetch_array($strAddressResult, MYSQL_ASSOC)) { if ($line2["FirstName"] != "") { $strFirstName = trim(funcDecrypt(hex2bin($line2["FirstName"]))); } if ($line2["SurName"] != "") { $strSurName = trim(funcDecrypt(hex2bin($line2["SurName"]))); } if ($line2["AddressLine1"] != "") {
$line2 = mysql_fetch_array($strBasketResult, MYSQL_ASSOC); funcDebug("Quantity of " . $itemcode . " in stock is " . $line2["NoOfItems"]); $strUpdatedBasketValue = $line2["NoOfItems"] + $qty; $strAddToBasket = "UPDATE tblItem SET NoOfItems = '" . $strUpdatedBasketValue . "' where stockID = '" . $itemcode . "'"; mysql_query($strAddToBasket) or die("Update Basket Query Failed:" . mysql_error()); } else { //catchall for invalid entries in basket. stops //before making any changes in the main tblItems. echo "Invalid number of rows in stock database, please contact us"; $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'"; mysql_query($strLockQuery) or die("Query Failed: " . mysql_error()); exit; } //update tblItems with new stock value $strUpdatedStockValue = $line["Qty"] - $qty; funcDebug("Updated stock value: " . $strUpdatedStockValue); if ($strUpdatedStockValue == 0) { $strUpdateStockQuery = "DELETE FROM tblBasket where item = '" . $itemcode . "' and PHPSessionID = '" . session_id() . "'"; mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error()); } else { $strUpdateStockQuery = "UPDATE tblBasket SET qty = '" . $strUpdatedStockValue . "' WHERE item = '" . $itemcode . "' and PHPSessionID = '" . session_id() . "'"; mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error()); } $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'"; mysql_query($strLockQuery) or die("ColumnLock to blank Query Failed: " . mysql_error()); } else { //oh dear, no stock left echo "Not enough stock I'm afraid for that item"; $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'"; mysql_query($strLockQuery) or die("Query Failed: " . mysql_error()); }
<HTML> <HEAD></HEAD> <?php include 'includes/SharedFunctions.php'; $strUserName = funcSanitize($_GET["UserID"]); $strVerifyCode = funcSanitize($_GET["VerifyKey"]); funcDebug($strUserName); funcDebug($strVerifyCode); //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); $strUserQuery = "SELECT UserID FROM tbl_UserLogin where UserID = '" . $strUserName . "'"; $strUserResult = mysql_query($strUserQuery) or die("Query Failed:" . mysql_error()); //User Exists, so Error gracefully, then forward the user on $conNumberofRows = mysql_num_rows($strUserResult); if ($conNumberofRows == 1) { //here's our user $strNow = date('Y-m-j h:i:s'); //User Doesn't exist so carry on Adding $strAddUserQuery = "UPDATE tbl_UserLogin SET UserVerified='1' where UserID='" . $strUserName . "'"; $strAddUserResult = mysql_query($strAddUserQuery) or die("Query Failed:" . mysql_error()); echo "\r\n\r\n<table border='0' cellspacing='0' cellpadding='5' width='900' align='center'>\r\n <tr>\r\n <td width='500'><a href='http://shop.scifivault.com/index3.php'><img src='images/scifi-small-best.jpg' width='403' height='62' border='0'></a>\r\n\r\n </td>\r\n <td align='right' valign='top' width='300'>\r\n\r\n\r\n </td></tr>\r\n\r\n<tr><td>\r\n<br> <font face='verdana'>Thankyou! You've succesfully verified.\r\n\r\n<p>Feel free to sign on and shop. Click on the link below to hurry things along.\r\n<br><br><a href='index3.php'>Back to Shop</a></font></td><td></td></tr>\r\n\r\n</table>\r\n\r\n\r\n\t\t"; funcLogToDebug("VerifyUser.php: " . $strUserName . " verified successfully"); //echo "<meta http-equiv='refresh' content='10;url=/index3.php'>"; } else { //we've got more than 1 user with the same user ID in the db (Shouldn't be possible)