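<?php
include 'includes/Link.php';
include 'includes/SharedFunctions.php';

/*
 * Discontinued Stock View: lists every tblItem row whose NoOfItems is -1
 * (the sentinel this shop uses for "discontinued").
 *
 * The SELECT below is fixed text with no request input in it.  The values
 * that come back from the database are still untrusted as far as the browser
 * is concerned (item names are free text typed in by whoever maintains the
 * catalogue), so each one is HTML-escaped before it is echoed, and stockID is
 * URL-encoded where it is used as a query-string parameter.  The original
 * wrote every column into the page raw.
 *
 * The unused "$strUserID = funcSanitize($_POST["UserID"])" line from the
 * original has been dropped; nothing on this page read it.
 */
echo "<b>This is the Discontinued Stock View</b>";

// Query to get all discontinued items.
$strQuery = "SELECT stockID, Name, NoOfItems, RRP FROM tblItem where NoOfItems = -1 order by NoOfItems";
// NOTE(review): mysql_error() text reaches the browser on failure here, as it
// does across the site; worth routing through funcDebug instead of die().
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());

if (mysql_num_rows($strResult) != 0) {
    echo "<p><table><tr><td class='titleRow'>stockID</td><td class='titleRow'>Name</td><td class='titleRow'>NoOfItems</td><td class='titleRow'>RRP</td></tr>";
    while ($line = mysql_fetch_array($strResult, MYSQL_ASSOC)) {
        // Encode once per context: HTML text for the cells, URL query value
        // for the href.  stockID needs both forms.
        $htmlStockID = htmlspecialchars($line["stockID"], ENT_QUOTES);
        $urlStockID  = urlencode($line["stockID"]);
        echo "\n<tr>";
        echo "\n<td><a href='default.php?Action=ViewItem&stockID=" . $urlStockID . "'>" . $htmlStockID . "</a></td>"
            . "<td>" . htmlspecialchars($line["Name"], ENT_QUOTES) . "</td>"
            . "<td>" . htmlspecialchars($line["NoOfItems"], ENT_QUOTES) . "</td>"
            . "<td>" . htmlspecialchars($line["RRP"], ENT_QUOTES) . "</td>";
        echo "\n</tr>";
    }
    echo "</table>";
} else {
    // The original said "No Outstanding orders to display!" here - a
    // copy/paste leftover from the orders view.
    echo "<p>No discontinued stock to display!";
}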
$strQuery = "INSERT INTO tblSession (PHPSESSIONID, TimeStmp) values ('" . session_id() . "', '" . $strNow . "')"; $strResult = mysql_query($strQuery) or die("Query Failed:" . mysql_error()); } ?> <HTML> <HEAD> <TITLE>Sci-Fi Vault</TITLE> <link rel="stylesheet" href="stylesheets/mainstylesheet.css" type="text/css"> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000" leftmargin="0" topmargin="0"> <?php $strStockID = funcSanitize($_GET['Item']); if ($strStockID == "") { echo "<meta http-equiv='REFRESH' content='0; URL=index3.php'>"; exit; } //Write Debug information funcDebug("this is a test debug"); //connect to server funcDebug("Connecting to database"); $link = mysql_connect("localhost", "sfvault_readStor", "fhyF=ruR^#1|WO") or die("Could not connect: " . mysql_error()); funcDebug("Connected to database"); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //run query to see if result is returned funcDebug("stockID: " . $strStockID); $strQuery = "SELECT * FROM tblItem where stockID LIKE '" . $strStockID . "'";
<?php //connect to server include 'includes/Link.php'; include 'includes/SharedFunctions.php'; $ip = getenv("REMOTE_ADDR"); $httpref = getenv("HTTP_REFERER"); $httpagent = getenv("HTTP_USER_AGENT"); $strNow = date('Y-m-j G:i:s'); $strItem1 = funcSanitize($_POST["SPitem1"]); $strItem2 = funcSanitize($_POST["SPitem2"]); $strItem3 = funcSanitize($_POST["SPitem3"]); $strItem4 = funcSanitize($_POST["SPitem4"]); $strItem5 = funcSanitize($_POST["SPitem5"]); $strItem6 = funcSanitize($_POST["SPitem6"]); funcLogToDebug("submitSpecialItemsFP.php: " . $strItem1 . "," . $strItem2 . "," . $strItem3 . "," . $strItem4 . "," . $strItem5); //first thing is first, remove all special items (subcategory) tags for the posted category $strQuery = "UPDATE tblItem SET DisplayonFrontPage = '0' where DisplayonFrontPage = '1'"; //echo $strQuery; $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); //run query to update 1st item $strQuery = "UPDATE tblItem SET DisplayonFrontPage = '1' where stockID = '" . $strItem1 . "'"; //echo "<br>" . $strQuery; $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); //run query to update 2nd item $strQuery = "UPDATE tblItem SET DisplayonFrontPage = '1' where stockID = '" . $strItem2 . "'"; $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); //run query to update 3rd item $strQuery = "UPDATE tblItem SET DisplayonFrontPage = '1' where stockID = '" . $strItem3 . "'"; $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); //run query to update 4th item $strQuery = "UPDATE tblItem SET DisplayonFrontPage = '1' where stockID = '" . $strItem4 . "'";
$strUpdateQuery = "UPDATE tbl_UserLogin SET LastLoginTime = '" . $strNow . "', UserStatus = '0' where UserID = '" . $strUserID . "'"; $strUpdateResult = mysql_query($strUpdateQuery) or die("Query Failed:" . mysql_error()); //echo $value; //echo "<b>" . $cookieData; //echo $_POST["url"]; funcLogtoDebug("AuthenticateUser.php: " . $strUserID . " logged in from " . funcSanitize($_SERVER["HTTP_REFERER"])); if ($_POST["url"] == 'BasketLogin.php') { //echo $_POST["url"]; echo "<meta http-equiv='refresh' content='0;url=/ChooseDelivery.php?strUserID=" . $strUserID . "'>"; } elseif ($_POST["pagelink"] == "") { funcLogtoDebug("AuthenticateUser.php: " . $strUserID . " forwarding to account management"); echo "<meta http-equiv='refresh' content='0;url=/UserOutstandingOrders.php?strUserID=" . $strUserID . "'>"; } else { //echo $_GET["url"]; //echo "<meta http-equiv='refresh' content='0;url=/UserOutstandingOrders.php?strUserID=" . $strUserID ."'>"; funcLogtoDebug("AuthenticateUser.php: " . $strUserID . " forwarding to " . funcSanitize($_POST["pagelink"])); echo "<meta http-equiv='refresh' content='0;url=" . $_POST["pagelink"] . "'>"; } } elseif ($conNumberofRows == 0) { funcLogtoDebug("AuthenticateUser.php: " . $strUserID . " doesn't appear in the database.."); echo "User and/or Password incorrect"; echo "<meta http-equiv='refresh' content='0;url=/UserLogon.php?UserPassError=1'>"; $strUpdateQuery = "UPDATE tbl_UserLogin SET UserStatus = '" . $strUserState . "' where UserID = '" . $strUserID . "'"; $strUpdateResult = mysql_query($strUpdateQuery) or die("Query Failed:" . mysql_error()); //echo "<br>" . $strUserID; //echo "<br>" . $strPassword ."(" . md5($strPassword) .")"; //echo "<br>" . $strEmailAddress; } else { funcLogtoDebug("AuthenticateUser.php: " . $strUserID . " multiple user entries with this user/pwd/combo"); echo "Serious Error here! More than 1 entry in the database with this user/password/email combination."; }
//update tblItems with new stock value $strUpdatedStockValue = $line["NoOfItems"] - $qty; //funcDebug ("Updated stock value: " . $strUpdatedStockValue); $strUpdateStockQuery = "UPDATE tblItem SET NoOfItems = '" . $strUpdatedStockValue . "' WHERE stockID = '" . $itemcode . "'"; mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error()); $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'"; mysql_query($strLockQuery) or die("ColumnLock to blank Query Failed: " . mysql_error()); } else { //oh dear, no stock left echo "Not enough stock I'm afraid for that item"; $strLockQuery = "UPDATE tblItem SET ColumnLock = '' where stockID = '" . $itemcode . "'"; mysql_query($strLockQuery) or die("Query Failed: " . mysql_error()); exit; } } //header('location: ' . $_SERVER['PHP_SELF']); if (isset($_POST['Search'])) { header('location: ' . $_POST['page'] . "?Search=" . funcSanitize($_POST['Search'])); } else { header('location: ' . $_POST['page']); } exit; } ?> <HTML> <br><a href="index3.php">index3.php</a> <br><a href="session.php">session.php</a> </HTML>
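<?php
include 'includes/SharedFunctions.php';

/*
 * Bounces a posted stockID to the AmendItem view via a meta refresh.
 *
 * stockID comes straight from the request and ends up inside both a URL
 * query string and an HTML attribute, so it is encoded for each of those
 * contexts.  funcSanitize (SharedFunctions.php) is kept for whatever
 * normalisation it does elsewhere in the site - its exact behaviour is not
 * visible from this file.  Without the encoding a stockID containing a quote
 * or a "url=" fragment could rewrite the redirect target or break out of the
 * attribute.
 */
$strStockID = funcSanitize($_POST["stockID"]);
$strTarget  = "default.php?Action=AmendItem&stockID=" . urlencode($strStockID);
echo "<meta http-equiv='Refresh' content='0; url=" . htmlspecialchars($strTarget, ENT_QUOTES) . "'>";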
<?php include 'includes/Link.php'; include 'includes/SharedFunctionsStrict.php'; $strUserOrdertoAdd = funcSanitize($_POST["email"]); funcDebug("AddPreOrder.php: AddPreOrder.php fired " . $strUserOrdertoAdd); $strSessionID = "PreOrder"; $strAuthCookie = "PreOrder"; $strNow = date('Y-m-j H:i:s'); foreach ($_POST as $key => $val) { $arrItem = split("#", $key); $strUserID = $arrItem[0]; echo $key; exit; } $strAddressQuery = "SELECT * from tbl_UserLogin where UserID = '" . $strUserID . "'"; $strAddressResult = mysql_query($strAddressQuery) or die("Query Failed :" . mysql_error()); $conNumberofRows = mysql_num_rows($strAddressResult); if ($conNumberofRows == 0) { echo "You've not got a delivery address"; echo "<br><br> Click <a href='UserDetails.php?strUserID=" . $strUserID . "'>here</a> to go back to shop"; exit; } while ($line2 = mysql_fetch_array($strAddressResult, MYSQL_ASSOC)) { if ($line2["FirstName"] != "") { $strFirstName = trim(funcDecrypt(hex2bin($line2["FirstName"]))); } if ($line2["SurName"] != "") { $strSurName = trim(funcDecrypt(hex2bin($line2["SurName"]))); } if ($line2["AddressLine1"] != "") {
$strLimit = "LIMIT 5"; } $strCOQuery = "SELECT * FROM tbl_Orders where emailAddress = '" . $strUserID . "' and status = 'SENT' order by IPNDateTime DESC " . $strLimit; $strCOResults = mysql_query($strCOQuery) or die("Query Failed :" . mysql_error()); if (mysql_num_rows($strCOResults) != 0) { echo "<p>\n<table id='rightmenus'>"; echo "<tr><td id='headings'>Order No</td><td id='headings'>Email Address</td><td id='headings'>Payment Received</td><td id='headings'>Cost</td><td id='headings'>Status</td></tr>"; while ($line = mysql_fetch_array($strCOResults, MYSQL_ASSOC)) { echo "<tr> <td> <a href='/stock2/OrderView.php?strOrder=" . $line["OrderNo"] . "'>" . $line["OrderNo"] . "</a></td><td>" . $line["emailaddress"] . " </td><td> " . $line["IPNDateTime"] . "</td><td>£" . sprintf("%01.2f", $line["Shipping"] + $line["Cost"]) . "</td> <td>" . $line["Status"] . "</td> </tr>"; } echo "</table>"; } else { echo "<p>No Completed Orders"; } echo "<p><b>Pre Orders</b> "; if (funcSanitize($_GET["subAction"]) == "PO") { echo "(all)"; $strLimit = ""; } else { echo "(last 5...)"; $strLimit = "LIMIT 5"; } $strPOQuery = "SELECT * FROM tbl_PreOrder where emailaddress = '" . $strUserID . "' order by date DESC " . $strLimit; $strPOResults = mysql_query($strPOQuery) or die("Query Failed :" . mysql_error()); if (mysql_num_rows($strPOResults) != 0) { echo "<form action='submitPreOrder.php' method='POST'>"; echo "<p>\n<table id='rightmenus'>"; echo "<tr><td id='headings'>stockID</td><td id='headings'>Date Recieved</td><td id='headings'>Qty</td><td></td></tr>"; while ($line = mysql_fetch_array($strPOResults, MYSQL_ASSOC)) { echo "<tr> <td> " . $line["stockID"] . "</td><td>" . $line["date"] . " </td><td> " . $line["qty"] . "</td><td> \r\n\t\t\t\t<input type='checkbox' name='combineorder[]' value='" . $line["stockID"] . "#" . $line["qty"] . "#" . $line["emailaddress"] . "#" . $line["uid"] . "'>\r\n\t\t\t\t</td> </tr>"; //echo "<input type='hidden' name='qty' value='" . $line["qty"] ."'>";
dateline[9] = month + "/" + date + "/" + year2; dateline[10] = month + "-" + date + "-" + year2; dateline[11] = days[day] + " " + months[month] + " " + date; dateline[12] = days[day] + ", " + date + " " + months[month] + " " + year; document.write(dateline[Style]); //--> </script> </div> </td> </tr> </table> <BR> <?php include 'includes/SharedFunctionsStrict.php'; $strUserID = funcSanitize($_GET["user"]); echo $strUserID; /************************************************************************ * connect to database *************************************************************************/ $link = mysql_connect("localhost", "sfvault_readStor", "fhyF=ruR^#1|WO") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); $strQuery = "SELECT * from tbl_UserLogin where UserID = '" . $strUserID . "'"; $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); $conNumberofRows = mysql_num_rows($strResult); if ($conNumberofRows = 1) { while ($line = mysql_fetch_array($strResult, MYSQL_ASSOC)) { if ($line["FirstName"] != "") { $strFirstName = trim(funcDecrypt(hex2bin($line["FirstName"]))); }
<HTML> <HEAD><link rel="stylesheet" href="stylesheets/mainstylesheet.css" type="text/css"></HEAD> <BODY> <?php //standard functions include 'includes/SharedFunctionsStrict.php'; //Connect to database $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); mysql_select_db("sfvault_store") or die("Could not select database"); //Place posted email address in to a string $strEmailAddress = funcSanitize($_POST["email"]); //check user is in our database //Does User Exist $strUserQuery = "SELECT UserID,emailAddress,password FROM tbl_UserLogin where emailAddress = '" . $strEmailAddress . "'"; $strUserResult = mysql_query($strUserQuery) or die("Query Failed:" . mysql_error()); //User Exists, so Error gracefully, then forward the user on $conNumberofRows = mysql_num_rows($strUserResult); if ($conNumberofRows == 0) { //if not, log to event log and forward to front page. funcLogToDebug("passwordRetrieval.php: No user in DB for " . $strEmailAddress); echo "<meta http-equiv='refresh' content='0;url=/index3.php'>"; } else { //User Does exist so end //Generate 8 digit random password $length = 8; $key_chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; $rand_max = strlen($key_chars) - 1; for ($i = 0; $i < $length; $i++) { $rand_pos = rand(0, $rand_max);
<?php //expires cookies after 1/2 hour $sessionExpire = 60 * 30; session_set_cookie_params($sessionExpire); //start new session session_start(); if (!isset($_SESSION['cart'])) { $_SESSION['cart'] = array(); } include 'includes/SharedFunctions.php'; if (isset($_POST['Update'])) { $qty = funcSanitize($_POST['qty']); $itemcode = funcSanitize($_POST['item']); $strBool = 0; $counter = 0; //additional check to make sure $qty is a numeric if (ereg("[0-9]+", $qty)) { funcDebug("Quantity string is numeric"); } else { echo "Invalid Input, stop trying to put non-numerics in the quantity field"; exit; } //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //is row locked? $strLockCheck = "SELECT ColumnLock FROM tblItem WHERE stockID = '" . $itemcode . "'"; $strLockResult = mysql_query($strLockCheck) or die("Query Failed: " . mysql_error()); while ($line = mysql_fetch_array($strLockResult, MYSQL_ASSOC)) {
<HTML> <HEAD></HEAD> <?php include 'includes/SharedFunctions.php'; $strUserName = funcSanitize($_GET["UserID"]); $strVerifyCode = funcSanitize($_GET["VerifyKey"]); funcDebug($strUserName); funcDebug($strVerifyCode); //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); $strUserQuery = "SELECT UserID FROM tbl_UserLogin where UserID = '" . $strUserName . "'"; $strUserResult = mysql_query($strUserQuery) or die("Query Failed:" . mysql_error()); //User Exists, so Error gracefully, then forward the user on $conNumberofRows = mysql_num_rows($strUserResult); if ($conNumberofRows == 1) { //here's our user $strNow = date('Y-m-j h:i:s'); //User Doesn't exist so carry on Adding $strAddUserQuery = "UPDATE tbl_UserLogin SET UserVerified='1' where UserID='" . $strUserName . "'"; $strAddUserResult = mysql_query($strAddUserQuery) or die("Query Failed:" . mysql_error()); echo "\r\n\r\n<table border='0' cellspacing='0' cellpadding='5' width='900' align='center'>\r\n <tr>\r\n <td width='500'><a href='http://shop.scifivault.com/index3.php'><img src='images/scifi-small-best.jpg' width='403' height='62' border='0'></a>\r\n\r\n </td>\r\n <td align='right' valign='top' width='300'>\r\n\r\n\r\n </td></tr>\r\n\r\n<tr><td>\r\n<br> <font face='verdana'>Thankyou! You've succesfully verified.\r\n\r\n<p>Feel free to sign on and shop. Click on the link below to hurry things along.\r\n<br><br><a href='index3.php'>Back to Shop</a></font></td><td></td></tr>\r\n\r\n</table>\r\n\r\n\r\n\t\t"; funcLogToDebug("VerifyUser.php: " . $strUserName . " verified successfully"); //echo "<meta http-equiv='refresh' content='10;url=/index3.php'>"; } else { //we've got more than 1 user with the same user ID in the db (Shouldn't be possible)
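<?php
include 'includes/Link.php';
include 'includes/SharedFunctions.php';

/*
 * Basket Contents View: lists the rows of tblBasket for one PHP session ID,
 * joined to tblItem for name and pricing.
 *
 * BasketID comes from the query string.  It is passed through funcSanitize
 * (SharedFunctions.php - assumed to be the site's SQL escaping helper, not
 * verified here) before it goes into the WHERE clause, and HTML-escaped
 * separately before it is echoed back into the heading: the original echoed
 * the raw GET value, which is a reflected XSS vector.  Column values from the
 * join are escaped the same way since item names are free text.
 */
$basketCode = funcSanitize($_GET["BasketID"]);
echo "<b>This is the Basket Contents View (" . htmlspecialchars($basketCode, ENT_QUOTES) . ")</b>";

// Query to get all items in the basket.
$strQuery = "SELECT t.item, c.name, t.qty, c.RRP, c.SaleRRP, c.ShortDescription, c.stockID\r\n\t\tFROM tblBasket t\r\n\t\tINNER JOIN tblItem c\r\n\t\tON t.item = c.stockId\r\n\t\tWHERE t.PHPSessionID = '" . $basketCode . "'";
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());

if (mysql_num_rows($strResult) != 0) {
    echo "<p><table><tr><td class='titleRow'>Qty</td><td class='titleRow'>Name</td><td class='titleRow'>QuickFind</td><td class='titleRow'>Cost/Item</td><td class='titleRow'>Cost</td></tr>";
    while ($line = mysql_fetch_array($strResult, MYSQL_ASSOC)) {
        // The sale price applies only when it is set and differs from RRP.
        if ($line["RRP"] == $line["SaleRRP"] or $line["SaleRRP"] == 0.0) {
            $strPrice = $line["RRP"];
        } else {
            $strPrice = $line["SaleRRP"];
        }
        // Encode once per context: HTML text for the cells, URL query value
        // for the href.  stockID needs both forms.
        $htmlStockID = htmlspecialchars($line["stockID"], ENT_QUOTES);
        $urlStockID  = urlencode($line["stockID"]);
        echo "\n<tr>";
        echo "\n<td>" . htmlspecialchars($line["qty"], ENT_QUOTES) . "</td>"
            . "<td> " . htmlspecialchars($line["name"], ENT_QUOTES) . " </td>"
            . "<td><a href='default.php?Action=ViewItem&stockID=" . $urlStockID . "'>" . $htmlStockID . "</a></td>"
            . "<td>" . sprintf("%01.2f", $strPrice) . "</td>"
            . "<td>" . sprintf("%01.2f", $strPrice * $line["qty"]) . "</td>";
        echo "\n</tr>";
    }
    echo "</table>";
} else {
    echo "<p>Nothing in this basket!";
}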
<p> </p> </td> <td width="100%" align="center" valign="top"> <?php //connect to database server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to the correct database mysql_select_db("sfvault_store") or die("Could not select database"); if ($_GET["p"] == "") { $strPTag = "0"; } else { $strPTag = funcSanitize($_GET["p"]); } $strSearch = funcSanitize($_POST["Search"]); if ($strSearch == "") { $strSearch = funcSanitize($_GET["Search"]); } //echo $strSearch ." is here"; //break up the results sets into a number of pages *************************************************************** $strNumberQuery = "select count(*) as ItemCount from tblItem where NoOfItems <> -1 and (Name like '%" . $strSearch . "%' or Description like '%" . $strSearch . " %' or stockID like '%" . $strSearch . "%')"; $strNumberResult = mysql_query($strNumberQuery) or die("Query Failed: " . mysql_error()); while ($lineRes = mysql_fetch_array($strNumberResult, MYSQL_ASSOC)) { $strTotalItems = $lineRes["ItemCount"]; } if ($strSearch == "") { $strTotalItems = "0"; } //echo $strTotalItems . "<BR>"; $strPages = ceil($strTotalItems / 5); if ($strPages != 0) { if ($strPTag != 0) {
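include 'includes/SharedFunctions.php';

/*
 * Marks up to three items as "special" for one sub-category page.
 *
 * The form posts SubjectTag as "S#C#V" (subject, category, version) plus
 * item1..item3 stock IDs.  Every row in that sub-category has its
 * DisplayonSubCatPage flag cleared first, then the posted items are set.
 *
 * All request values go through funcSanitize (SharedFunctions.php) before
 * they are concatenated into SQL; that helper is assumed to be this code
 * base's SQL escaping routine, which is not verified here.  What this version
 * adds over the original is a check that SubjectTag really carries two '#'
 * separators: without it a malformed tag yielded empty strings and the
 * clearing UPDATE ran against whichever rows happened to have empty tags.
 */
$ip        = getenv("REMOTE_ADDR");
$httpref   = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");
$strNow    = date('Y-m-j G:i:s');

$strRawTag = $_POST["SubjectTag"];
$firstHash = strpos($strRawTag, "#");
$lastHash  = strrpos($strRawTag, "#");
if ($firstHash === false || $lastHash === $firstHash) {
    die("Invalid SubjectTag: expected subject#category#version");
}
// subject = before the first '#', version = after the last '#',
// category = whatever sits between them (the same split the original did
// with nested strpos/strrpos arithmetic).
$strSTag = funcSanitize(substr($strRawTag, 0, $firstHash));
$strCTag = funcSanitize(substr($strRawTag, $firstHash + 1, $lastHash - 1 - $firstHash));
$strVTag = funcSanitize(substr($strRawTag, $lastHash + 1));

$strItem1 = funcSanitize($_POST["item1"]);
$strItem2 = funcSanitize($_POST["item2"]);
$strItem3 = funcSanitize($_POST["item3"]);

// First thing is first, remove all special items (subcategory) tags for the posted category.
$strQuery = "UPDATE tblItem SET DisplayonSubCatPage = '0' where SubjectTag = '" . $strSTag . "' and CategoryTag = '" . $strCTag . "' and VersionTag = '" . $strVTag . "' and DisplayonSubCatPage = '1'";
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());

// Then flag each posted item.  The three UPDATEs were identical apart from
// the stock ID, so they are driven from one list.
foreach (array($strItem1, $strItem2, $strItem3) as $strItem) {
    $strQuery = "UPDATE tblItem SET DisplayonSubCatPage = '1' where stockID = '" . $strItem . "'";
    $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());
}

redirect("default.php?Action=SpecialItems", 0, "");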
<?php //Get data from adduser.htm $strFirstName = funcSanitize($_POST["FirstName"]); $strSurName = funcSanitize($_POST["SurName"]); $strAddressLine1 = funcSanitize($_POST["AddressLine1"]); $strAddressLine2 = funcSanitize($_POST["AddressLine2"]); $strTown = funcSanitize($_POST["Town"]); $strCounty = funcSanitize($_POST["County"]); $strCountry = funcSanitize($_POST["Country"]); $strPostCode = funcSanitize($_POST["PostCode"]); $strDayTimeNo = funcSanitize($_POST["DayTimeNo"]); $strMobile = funcSanitize($_POST["Mobile"]); //$strEmailAddress = funcSanitize ($_POST["EmailAddress"]); $strEmailAddress = funcSanitize($strUserID); $strMailUser = funcSanitize($_POST["emailUser"]); if ($strMailUser == 'on') { $strMailUser = '******'; } else { $strMailUser = '******'; } $strEncFirstName = funcEncrypt($strFirstName); $strEncSurName = funcEncrypt($strSurName); $strEncAddressLine1 = funcEncrypt($strAddressLine1); $strEncAddressLine2 = funcEncrypt($strAddressLine2); $strEncTown = funcEncrypt($strTown); $strEncCounty = funcEncrypt($strCounty); $strEncCountry = funcEncrypt($strCountry); $strEncPostCode = funcEncrypt($strPostCode); $strEncDayTimeNo = funcEncrypt($strDayTimeNo); $strEncMobile = funcEncrypt($strMobile);
$strSaleRRP = funcSanitize($strSaleRRP); $strWeight = funcSanitize($strWeight); $strBarcode = funcSanitize($strBarcode); $strFeatures = funcSanitize($strFeatures); $strVersion = funcSanitize($strVersion); $strSize = funcSanitize($strSize); $strPercentDiscount = funcSanitize($strPercentDiscount); $strWholesalePrice = funcSanitize($strWholesalePrice); $strSupplier = funcSanitize($strSupplier); $strAvailability = funcSanitize($strAvailability); $strNoOfItems = funcSanitize($strNoOfItems); $strSubject = funcSanitize($strSubject); $strCategory = funcSanitize($strCategory); $strSubjectTag = funcSanitize($strSubjectTag); $strCategoryTag = funcSanitize($strCategoryTag); $strVersionTag = funcSanitize($strVersionTag); $strInsertQuery = "INSERT INTO tblItem VALUES ('" . $strDescription . "','" . $strStockID . "','" . $strSmallPicture . "','" . $strBigPicture . "','" . $strShortDescription . "','" . $strName . "','" . $strCost . "','" . $strRRP . "','" . $strSaleRRP . "','" . $strWeight . "','" . $strBarcode . "','" . $strFeatures . "','" . $strVersion . "','" . $strSize . "','" . $strPercentDiscount . "','" . $strWholesalePrice . "','" . $strSupplier . "','" . $strAvailability . "','" . $strCategory . "','" . $strSubject . "','" . $strNoOfItems . "','" . $strSubjectTag . "','" . $strCategoryTag . "','" . $strVersionTag . "', '','','')"; funcDebug("strInsertQuery: " . $strInsertQuery); //$strUpdateQuery = "UPDATE tblItem SET Description = '" . $strDescription . "', smallPicture = '" . $strSmallPicture . "', bigPicture = '" . $strBigPicture . "', ShortDescription = '" .$strShortDescription . "', Name = '" . $strName . "', Cost = '" . $strCost . "', RRP = '" . $strRRP . "', SaleRRP = '" . $strSaleRRP . "', Weight = '" . $strWeight . "', Barcode = '" . $strBarcode . "', Features = '" . $strFeatures . "', Version = '" . $strVersion . "', Size = '" . $strSize ."', PercentDiscount = '" . $strPercentDiscount . "', WholesalePrice = '" . $strWholesalePrice . "', Supplier = '" . 
$strSupplier . "', Availability = '" . $strAvailabilty . "' WHERE stockID = '" . $strStockID . "'"; //funcDebug ("strUpdateQuery: " . $strUpdateQuery ); $strInsertResult = mysql_query($strInsertQuery) or die("Query Failed :" . mysql_error()); $strNow = date('Y-m-j h:i:s'); $strEditedInsert = "INSERT: \$\$" . $strStockID . "\$\$,\$\$" . $strSmallPicture . "\$\$,\$\$" . $strBigPicture . "\$\$,\$\$" . $strShortDescription . "\$\$,\$\$" . $strName . "\$\$,\$\$" . $strCost . "\$\$,\$\$" . $strRRP . "\$\$,\$\$" . $strSaleRRP . "\$\$,\$\$" . $strWeight . "\$\$,\$\$" . $strBarcode . "\$\$,\$\$" . $strFeatures . "\$\$,\$\$" . $strVersion . "\$\$,\$\$" . $strSize . "\$\$,\$\$" . $strPercentDiscount . "\$\$,\$\$" . $strWholesalePrice . "\$\$,\$\$" . $strSupplier . "\$\$,\$\$" . $strAvailability . "\$\$,\$\$" . $strNoOfItems . "\$\$,\$\$" . strSubjectTag . "\$\$,\$\$" . $strCategoryTag . "\$\$,\$\$" . $strVersionTag; $strLogInsert = "INSERT INTO tblLog Values ('" . $strNow . "','DEV','" . $strEditedInsert . "')"; funcDebug("strLogInsert: " . $strLogInsert); $strInsertLogEntry = mysql_query($strLogInsert) or die("Log Entry Failed"); } //close connection to database funcDebug("Closing link to db"); mysql_close($link); redirect("displayItem.php?stockID=" . $strStockID, 1, "<B>Redirecting...</B><br> <a href='displayItem.php?stockID=" . $strStockID . "'>Click here if redirect fails</a>");
<?php //expires cookies after 1/2 hour $sessionExpire = 60 * 30; session_set_cookie_params($sessionExpire); //start new session session_start(); if (!isset($_SESSION['cart'])) { $_SESSION['cart'] = array(); } include 'includes/SharedFunctionsStrict.php'; if (isset($_POST['remove']) or isset($_POST['altRemove'])) { $itemcode = funcSanitize($_POST['removeitem']); $emailaddress = funcSanitize($_POST['emailaddress']); $strBool = 0; $counter = 0; funcDeleteItem($itemcode, $emailaddress); } function funcDeleteItem($itemcode, $emailaddress) { //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //$qty = "1"; //$itemcode = funcSanitize($_POST['removeitem']); $strBool = 0; $counter = 0; $strUpdateStockQuery = "DELETE FROM tbl_PreOrder where stockID = '" . $itemcode . "' and emailaddress = '" . $emailaddress . "'"; mysql_query($strUpdateStockQuery) or die("Update Query Failed: " . mysql_error()); funcLogToDebug("RemovePreOrder.php: PreOrder for " . $itemcode . " by " . $emailaddress . "was removed.");
?> <HTML> <HEAD> <?php //connect to server $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); //Get data from adduser.htm $strPassword1 = funcSanitize($_POST['Password']); $strPassword2 = funcSanitize($_POST['Password2']); $strPassword3 = funcSanitize($_POST['Password3']); //check old password is correct $strPasswordQry = "SELECT Password from tbl_UserLogin where UserID = '" . $strUserID . "'"; $strPasswordResult = mysql_query($strPasswordQry) or die("Query Failed:" . mysql_error()); $conNumberofRows = mysql_num_rows($strPasswordResult); if ($conNumberofRows == 1) { while ($linePassword = mysql_fetch_array($strPasswordResult, MYSQL_ASSOC)) { if ($linePassword["Password"] == md5($strPassword1)) { //old password correct, you may progress... } else { //old password wrong echo "<meta http-equiv='refresh' content='0;url=/UserPasswordChange.php?strUserID=" . $strUserID . "&PasswordError=4'>"; echo "</HEAD></HTML>"; funcLogToDebug("updatePassword.php:" . $strUserID . " got password wrong"); exit; }
$strBarcode = funcSanitize($strBarcode); $strFeatures = funcSanitize($strFeatures); $strVersion = funcSanitize($strVersion); $strSize = funcSanitize($strSize); $strPercentDiscount = funcSanitize($strPercentDiscount); $strWholesalePrice = funcSanitize($strWholesalePrice); $strSupplier = funcSanitize($strSupplier); $strAvailability = funcSanitize($strAvailability); $strNoOfItems = funcSanitize($strNoOfItems); $strSubject = funcSanitize($strSubject); $strCategory = funcSanitize($strCategory); $strSubjectTag = funcSanitize($strSubjectTag); $strCategoryTag = funcSanitize($strCategoryTag); $strVersionTag = funcSanitize($strVersionTag); $strFrontPage = funcSanitize($strFrontPage); $strSubCatPage = funcSanitize($strSubCatPage); $strInsertQuery = "INSERT INTO tblItem VALUES ('" . $strDescription . "','" . $strStockID . "','" . $strSmallPicture . "','" . $strBigPicture . "','" . $strShortDescription . "','" . $strName . "','" . $strCost . "','" . $strRRP . "','" . $strSaleRRP . "','" . $strWeight . "','" . $strBarcode . "','" . $strFeatures . "','" . $strVersion . "','" . $strSize . "','" . $strPercentDiscount . "','" . $strWholesalePrice . "','" . $strSupplier . "','" . $strAvailability . "','" . $strCategory . "','" . $strSubject . "','" . $strNoOfItems . "','" . $strSubjectTag . "','" . $strCategoryTag . "','" . $strVersionTag . "', '" . $strFrontPage . "','','" . $strSubCatPage . "')"; funcDebug("strInsertQuery: " . $strInsertQuery); //$strUpdateQuery = "UPDATE tblItem SET Description = '" . $strDescription . "', smallPicture = '" . $strSmallPicture . "', bigPicture = '" . $strBigPicture . "', ShortDescription = '" .$strShortDescription . "', Name = '" . $strName . "', Cost = '" . $strCost . "', RRP = '" . $strRRP . "', SaleRRP = '" . $strSaleRRP . "', Weight = '" . $strWeight . "', Barcode = '" . $strBarcode . "', Features = '" . $strFeatures . "', Version = '" . $strVersion . "', Size = '" . $strSize ."', PercentDiscount = '" . $strPercentDiscount . 
"', WholesalePrice = '" . $strWholesalePrice . "', Supplier = '" . $strSupplier . "', Availability = '" . $strAvailabilty . "' WHERE stockID = '" . $strStockID . "'"; //funcDebug ("strUpdateQuery: " . $strUpdateQuery ); $strInsertResult = mysql_query($strInsertQuery) or die("Query Failed :" . mysql_error()); $strNow = date('Y-m-j h:i:s'); $strEditedInsert = "INSERT: \$\$" . $strStockID . "\$\$,\$\$" . $strSmallPicture . "\$\$,\$\$" . $strBigPicture . "\$\$,\$\$" . $strShortDescription . "\$\$,\$\$" . $strName . "\$\$,\$\$" . $strCost . "\$\$,\$\$" . $strRRP . "\$\$,\$\$" . $strSaleRRP . "\$\$,\$\$" . $strWeight . "\$\$,\$\$" . $strBarcode . "\$\$,\$\$" . $strFeatures . "\$\$,\$\$" . $strVersion . "\$\$,\$\$" . $strSize . "\$\$,\$\$" . $strPercentDiscount . "\$\$,\$\$" . $strWholesalePrice . "\$\$,\$\$" . $strSupplier . "\$\$,\$\$" . $strAvailability . "\$\$,\$\$" . $strNoOfItems . "\$\$,\$\$" . strSubjectTag . "\$\$,\$\$" . $strCategoryTag . "\$\$,\$\$" . $strVersionTag; $strLogInsert = "INSERT INTO tblLog Values ('" . $strNow . "','DEV','" . $strEditedInsert . "')"; funcDebug("strLogInsert: " . $strLogInsert); $strInsertLogEntry = mysql_query($strLogInsert) or die("Log Entry Failed"); } //close connection to database funcDebug("Closing link to db"); mysql_close($link); redirect("default.php?Action=ViewItem&stockID=" . $strStockID, 1, "<B>Redirecting...</B><br> <a href='default.php?Action=AmendItem&stockID=" . $strStockID . "'>Click here if redirect fails</a>");
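<?php
// connect to server
include 'includes/Link.php';
include 'includes/SharedFunctions.php';

/*
 * Adds a news entry (title, link, description) to tbl_News and bounces back
 * to the News admin view.
 *
 * Title and Description already went through funcSanitize
 * (SharedFunctions.php - assumed to be the SQL escaping helper used across
 * the site, not verified here).  Link was concatenated into the INSERT raw,
 * making it the one unescaped request value in this file and therefore a SQL
 * injection point; it now goes through the same helper as its neighbours.
 */
$ip        = getenv("REMOTE_ADDR");
$httpref   = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");
$strNow    = date('Y-m-j G:i:s');

$strTitle       = funcSanitize($_POST["Title"]);
$strDescription = funcSanitize($_POST["Description"]);
$strLink        = funcSanitize($_POST["Link"]);

$strInsertQuery  = "INSERT INTO tbl_News VALUES ('', '" . $strTitle . "','" . $strLink . "','" . $strNow . "','" . $strDescription . "')";
$strInsertResult = mysql_query($strInsertQuery) or die("Query Failed :" . mysql_error());

redirect("default.php?Action=News", 1, "<B>Redirecting...</B><br> <a href='default.php?Action=News'>Click here if redirect fails</a>");
?>
<?php
/**
 * Redirects to another page using an HTTP-META refresh tag, then stops.
 *
 * @param string $url     Target URL.  It is written into the content attribute
 *                        of a meta tag, so it is attribute-escaped here; the
 *                        callers in this file pass fixed paths.
 * @param int    $delay   Seconds to wait before the refresh (cast to int so
 *                        nothing but digits lands in the attribute).
 * @param string $message HTML shown while waiting.  Callers pass markup on
 *                        purpose (see above), so it is emitted as-is - never
 *                        route request data through this parameter.
 */
function redirect($url, $delay = 0, $message = "")
{
    echo "<meta http-equiv='Refresh' content='" . (int) $delay . "; url=" . htmlspecialchars($url, ENT_QUOTES) . "'>";
    die("<div style='font-family: Arial, Sans-serif; font-size: 12pt;' align=center> " . $message . " </div>");
}
?>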
<td width="391" valign="top"> <div align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="6"><b>Invoice</b></font></div> </td> </tr> </table> <br> <font face="Verdana, Arial, Helvetica, sans-serif"><table border="1" cellspacing="0" cellpadding="5" width="900" align="center"> </font><font face="Verdana, Arial, Helvetica, sans-serif"><tr></font> <font face="Verdana, Arial, Helvetica, sans-serif"><td></font> <font face="Verdana, Arial, Helvetica, sans-serif"> <?php //connect to database $link = mysql_connect("localhost", "sfvault_readStor", "fhyF=ruR^#1|WO") or die("Could not connect: " . mysql_error()); //change to correct database mysql_select_db("sfvault_store") or die("Could not select database"); $strOrderNo = funcSanitize($_GET['strOrder']); //query to get all baskets $strQuery = "SELECT * FROM tbl_Orders where OrderNo = '" . $strOrderNo . "'"; //execute query $strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error()); while ($line = mysql_fetch_array($strResult, MYSQL_ASSOC)) { $strOrderNo = $line["OrderNo"]; $strOrderSubmitted = $line["DateTme"]; $strCookie = $line["Cookie"]; $strItems = $line["Items"]; $strShipping = $line["Shipping"]; $strCost = $line["Cost"]; $strAddress = strtoupper($line["Address"]); $strEmailAddress = $line["emailaddress"]; $strName = strtoupper($line["Name"]); $strPhone = $line["Phone"];
//if query returns non zero, then update the timestamp
// (the `if` this branch belongs to is above this fragment)
// NOTE(review): date('... h:i:s') is a 12-hour hour with no am/pm marker, so
// morning and afternoon timestamps collide; 'H' (or 'G', as the news script
// uses) is what a session-expiry comparison needs.
$strNow = date('Y-m-j h:i:s');
// String-built SQL keyed on session_id(), i.e. the id the client's cookie
// presented. It relies on PHP's session-id character validation rather than
// on escaping — verify that holds for this PHP version, or escape it like
// any other input.
$strQuery = "UPDATE tblSession SET TimeStmp = '" . $strNow . "' where PHPSESSIONID = '" . session_id() . "'";
$strResult = mysql_query($strQuery) or die("Query Failed:" . mysql_error());
} else {
    echo "\n<!-- INSERT -->";
    //if query returns zero rows, insert new row
    $strNow = date('Y-m-j h:i:s');
    $strQuery = "INSERT INTO tblSession (PHPSESSIONID, TimeStmp) values ('" . session_id() . "', '" . $strNow . "')";
    $strResult = mysql_query($strQuery) or die("Query Failed:" . mysql_error());
}

// get the tags
// Category page selectors from the query string; $strPTag is read but not
// used in this fragment.
//$strCTag = funcSanitize($_GET['cTag']);
$strVTag = funcSanitize($_GET['vTag']);
$strSTag = funcSanitize($_GET['sTag']);
$strPTag = funcSanitize($_GET['p']);
// Debug echo of two request values inside an HTML comment.
// NOTE(review): this is reflected user input; unless funcSanitize() encodes
// '>' a value containing "-->" closes the comment and the remainder is
// rendered as markup — confirm, or drop the echo.
echo "<!-- " . $strVTag . " & " . $strSTag . "-->";
?>
<!-- I'm expecting a URL like this: http://blah/Category.php?sTag=XX--> <HTML> <HEAD> <TITLE>Sci-Fi Vault</TITLE> <link rel="stylesheet" href="stylesheets/mainstylesheet.css" type="text/css"> </HEAD> <BODY bgcolor="#FFFFFF" text="#000000" link="#000000" vlink="#000000" alink="#000000" leftmargin="0" topmargin="0"> <table border="0" cellspacing="0" cellpadding="5" width="900" align="center">
<BODY>
<?php
// updateOrder.php: sets the Status of one order from the posted form, then
// reloads the order so its fields can be shown (the loop continues past this
// fragment).
include 'includes/SharedFunctionsStrict.php';

//Write Debug information
funcDebug("this is a test debug");

//connect to server
// The write account is needed here (UPDATE below).
// NOTE(review): credentials are hard-coded in source and repeated across
// scripts — move them to a config file outside the web root.
funcDebug("Connecting to database");
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
funcDebug("Connected to database");

//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");

//run query to see if result is returned
// $strNow is computed but not used in this fragment.
// NOTE(review): 'h' is a 12-hour hour without am/pm; use 'H' if this value
// ever reaches the database.
$strNow = date('Y-m-j h:i:s');
// Status and order number come from the form. Status is not checked against
// the set of valid order states — whatever sanitised string arrives is written.
// NOTE(review): this is a state-changing admin action; no authorisation or
// CSRF check is visible in this fragment — confirm SharedFunctionsStrict.php
// enforces one.
$strStatus = funcSanitize($_POST["STATUS"]);
$strOrder = funcSanitize($_POST["orderno"]);
funcLogToDebug("updateOrder.php: Order (" . $strOrder . ") changed status to " . $strStatus);

// String-built SQL: both values rely on funcSanitize() having made them
// SQL-safe for the mysql_* driver — there is no parameter binding here.
$strUpdateQuery = "UPDATE tbl_Orders SET Status = '" . $strStatus . "' WHERE OrderNo = '" . $strOrder . "'";
$strUpdateResult = mysql_query($strUpdateQuery) or die("Query Failed :" . mysql_error());

//query to get all baskets
// Re-read the order so the page can show the updated record.
$strQuery = "SELECT * FROM tbl_Orders where OrderNo = '" . $strOrder . "'";

//execute query
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());

// Copy the row's columns into locals (the remaining columns and the end of
// the loop are outside this fragment).
while ($line = mysql_fetch_array($strResult, MYSQL_ASSOC)) {
    $strOrderNo = $line["OrderNo"];
    $strOrderSubmitted = $line["DateTme"];
    $strCookie = $line["Cookie"];
    $strItems = $line["Items"];
    $strShipping = $line["Shipping"];
    $strCost = $line["Cost"];
    $strAddress = $line["Address"];
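//Write Debug information
// Bug-tracker update: either closes the issue named in the form or changes
// its priority, then mails the team about the change.
funcDebug("this is a test debug");

//mail webmasters
// Request metadata; only $ip is used (appended to the notification mail).
$ip = getenv("REMOTE_ADDR");
$httpref = getenv("HTTP_REFERER");
$httpagent = getenv("HTTP_USER_AGENT");

//connect to server
// NOTE(review): database credentials are hard-coded here (and repeated in the
// other scripts) — they belong in a config file outside the web root.
funcDebug("Connecting to database");
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
funcDebug("Connected to database");

//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");

// Form fields. Both issue-number fields are sanitised once, up front, and only
// the sanitised copies are used below: the original spliced the raw
// $_POST["fix"] / $_POST["fix2"] into the UPDATE statements, bypassing
// funcSanitize() entirely (SQL injection).
// NOTE(review): the string-built SQL still relies on funcSanitize() producing
// output that is safe for the mysql_* driver — confirm it escapes quotes.
$strFix = funcSanitize($_POST["fix2"]);
$strFixClosed = funcSanitize($_POST["fix"]);
// 24-hour clock: the original 'h' is a 12-hour hour with no am/pm marker, so
// morning and afternoon fixes were stored with identical times.
$strNow = date('Y-m-j H:i:s');
$strPriority = funcSanitize($_POST["STATUS"]);
// NOTE(review): the branch below tests $strFix (from "fix2") but closes the
// issue named by "fix" — this looks like a field mix-up; confirm against the
// form before changing it.

// Fetch the first line of the issue text to quote in the notification mail.
// Initialised so the mail body is defined even when no row matches.
$strIssue = "";
$strBugQuery = "SELECT * from tblBugs where IssueNo = '" . $strFix . "'";
$strBugResult = mysql_query($strBugQuery) or die("Query Failed :" . mysql_error());
while ($lineBug = mysql_fetch_array($strBugResult, MYSQL_ASSOC)) {
    // explode() replaces the removed split(); "</br>" contains no regex
    // metacharacters, so the split points are the same.
    $arrIssue = explode("</br>", $lineBug["Issue"]);
    $strIssue = str_replace("<br>", "", $arrIssue[0]);
}

// Mail plumbing shared by both branches.
// NOTE(review): the From/Reply-To host comes from $_SERVER['SERVER_NAME'];
// depending on the web-server config that can follow the client's Host
// header — consider a fixed domain.
$strRecipients = "adrian@nofishhere.com,james@scifivault.com,david@scifivault.com,hilary@scifivault.com";
$strMailHeaders = "From: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "Reply-To: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "X-Mailer: PHP/" . phpversion();

if ($strFix != "") {
    // Close the issue.
    $strUpdateQuery = "UPDATE tblBugs SET Fixed = 'Y', WhenFixed = '" . $strNow . "' WHERE IssueNo = '" . $strFixClosed . "'";
    mail($strRecipients, "BUG Changed status from Open to Closed", "Issue No: " . $strFixClosed . " has been closed off " . $ip . "\n\n" . $strIssue, $strMailHeaders);
} else {
    // Change the issue's priority. CR/LF are stripped from the subject so a
    // crafted STATUS value cannot inject additional mail headers.
    $strUpdateQuery = "UPDATE tblBugs SET Priority = '" . $strPriority . "' WHERE IssueNo = '" . $strFix . "'";
    mail($strRecipients, str_replace(array("\r", "\n"), "", "BUG Changed Priority to " . $strPriority), "Issue No: " . $strFix . " has changed status " . $ip . "\n\n" . $strIssue, $strMailHeaders);
}
$strUpdateResult = mysql_query($strUpdateQuery) or die("Query Failed :" . mysql_error());

//close connection to database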
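<?php
// Feedback form handler: mails the submitted text to the site staff, then
// sends the browser back to the page the form was on.
include 'includes/SharedFunctionsStrict.php';

$strMailText = funcSanitize($_POST['feedback']);
// Trimmed so leading whitespace cannot hide a scheme from the check below.
$strURL = trim(funcSanitize($_POST['URL']));

// NOTE(review): the From/Reply-To host comes from $_SERVER['SERVER_NAME'];
// depending on the web-server config that can follow the client's Host
// header — consider a fixed domain.
mail("webmaster@scifivault.com,adrian@nofishhere.com,hilary@scifivault.com,david@scifivault.com", "Feedback", $strMailText, "From: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "Reply-To: webmaster@{$_SERVER['SERVER_NAME']}\r\n" . "X-Mailer: PHP/" . phpversion());

// The return target comes straight from the form, so the original meta
// refresh was an open redirect (and a quote in URL broke out of the
// attribute). Only a site-relative path is accepted now; anything else falls
// back to the front page.
// (assumption: default.php is the front page, as the other scripts redirect
// there — confirm)
if (!funcIsSiteRelativeUrl($strURL)) {
    $strURL = "default.php";
}
echo "<meta http-equiv='refresh' content='0;url=" . htmlspecialchars($strURL, ENT_QUOTES) . "'>";

/**
 * True when $url can only resolve within this site: a relative path with no
 * scheme, no authority and no control characters.
 *
 * Rejects "http://host/...", "javascript:...", protocol-relative "//host",
 * backslash spellings browsers normalise to "//", and anything containing
 * CR/LF or other control bytes.
 *
 * @param mixed $url Value taken from the request.
 * @return bool
 */
function funcIsSiteRelativeUrl($url)
{
    if (!is_string($url) || $url === "") {
        return false;
    }
    // Scheme prefix such as "http:" or "javascript:".
    if (preg_match('/^[A-Za-z][A-Za-z0-9+.\-]*:/', $url)) {
        return false;
    }
    // Protocol-relative "//host", and backslash variants of it.
    if (strpos($url, "\\") !== false || substr($url, 0, 2) === "//") {
        return false;
    }
    // Control characters (attribute/header smuggling).
    if (preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return false;
    }
    return true;
}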
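<?php
// Pre-order form handler (first part): validates the posted quantity, then
// connects to the store database to check that the requested stockID is a
// pre-order item (NoOfItems = -3). The query is built here and run by the
// code that follows this fragment.

//expires cookies after 1/2 hour
$sessionExpire = 60 * 30;
session_set_cookie_params($sessionExpire);
// NOTE(review): the session cookie is set without httponly/secure flags here —
// confirm php.ini sets them, otherwise pass them to session_set_cookie_params().

//start new session
session_start();
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = array();
}

include 'includes/SharedFunctions.php';

$qty = funcSanitize($_POST['preorderqty']);
// 24-hour clock: the original 'h' is a 12-hour hour with no am/pm marker,
// so two different times of day were stored identically.
$strNow = date('Y-m-j H:i:s');
$itemcode = funcSanitize($_POST['stockID']);
$email = funcSanitize($_POST['email']);
$comments = funcSanitize($_POST['Comments']);
$strBool = 0;
$counter = 0;

//additional check to make sure $qty is a numeric
// The original ereg("[0-9]+", $qty) was unanchored, so "12abc" passed, and
// ereg() itself has been removed from PHP. The whole value must now be digits.
if (preg_match('/^[0-9]+$/', (string) $qty)) {
    funcDebug("Quantity string is numeric");
} else {
    echo "Invalid Input, stop trying to put non-numerics in the quantity field";
    exit;
}

//connect to server
// NOTE(review): database credentials are hard-coded here (and repeated in the
// other scripts) — they belong in a config file outside the web root.
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());

//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");

//check stockID is really at -3
// Still a string-built query: it relies on funcSanitize() having made
// $itemcode SQL-safe for the mysql_* driver. Executed after this fragment.
$strStockQry = "SELECT stockID, NoOfItems from tblItem where stockID = '" . $itemcode . "' and NoOfItems = '-3'";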
#centerrightcontent p { font-size:10px} </style> </head> <body> <p align="center">
<?php
// Item view: loads the tblItem row for the stockID in the query string; the
// fetched row is rendered by the code that follows this fragment.
include 'includes/SharedFunctionsStrict.php';

// stockID comes from the URL (?stockID=...).
$strStockID = funcSanitize($_GET["stockID"]);

//Write Debug information
funcDebug("this is a test debug");

//connect to server
// NOTE(review): only a SELECT is visible in this fragment, yet it connects
// with the write account; if the rest of the page does not write, the
// read-only account (sfvault_readStor) used by the other view pages gives
// least privilege. Credentials are also hard-coded in source.
funcDebug("Connecting to database");
$link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
funcDebug("Connected to database");

//change to correct database
mysql_select_db("sfvault_store") or die("Could not select database");

//run query to see if result is returned
//$strStockID = funcSanitize ($_POST["stockID"]);
// String-built SQL: relies on funcSanitize() having made $strStockID SQL-safe
// for the mysql_* driver — there is no parameter binding here.
$strQuery = "SELECT * FROM tblItem where stockID = '" . $strStockID . "'";
// Debug-logs the full query, including the user-supplied value.
funcDebug("strQuery: " . $strQuery);
$strResult = mysql_query($strQuery) or die("Query Failed :" . mysql_error());
// Row count for the code below to branch on (0 = no such stockID).
$conNumberofRows = mysql_num_rows($strResult);
//$row = mysql_fetch_array ($strResult);
<?php
// Basket "remove item" handler: on a remove/altRemove submit, passes the
// posted item code to funcDeleteItem() for the current session.

//expires cookies after 1/2 hour
$sessionExpire = 60 * 30;
session_set_cookie_params($sessionExpire);

//start new session
session_start();
if (!isset($_SESSION['cart'])) {
    $_SESSION['cart'] = array();
}

include 'includes/SharedFunctionsStrict.php';

if (isset($_POST['remove']) or isset($_POST['altRemove'])) {
    // Quantity is fixed at one per click; only the item code is user input.
    $qty = "1";
    $itemcode = funcSanitize($_POST['removeitem']);
    $strBool = 0;
    $counter = 0;

    //additional check to make sure $qty is a numeric
    // NOTE(review): $qty is the constant "1" here, so this test is always
    // true; ereg() has also been removed from PHP (use preg_match() or
    // ctype_digit() if the check is kept).
    if (ereg("[0-9]+", $qty)) {
        //funcDebug ("Quantity string is numeric");
        //echo $itemcode;
        funcDeleteItem(session_id(), $itemcode, $qty);
    } else {
        echo "Invalid Input, stop trying to put non-numerics in the quantity field";
        exit;
    }
}

/**
 * Intended (from its name and the call site above) to remove $qty of
 * $itemcode from the basket stored for $strSessionID. Only the start of the
 * body is in this fragment; the remainder follows it.
 *
 * @param string $strSessionID The current PHP session id.
 * @param string $itemcode     Sanitised stockID to remove.
 * @param string $qty          Quantity to remove (always "1" from this page).
 */
function funcDeleteItem($strSessionID, $itemcode, $qty)
{
    //connect to server
    // NOTE(review): credentials are hard-coded in source and repeated across
    // scripts — move them to a config file outside the web root.
    $link = mysql_connect("localhost", "sfvault_writeSto", "Ti*ESUf3*_b?Km") or die("Could not connect: " . mysql_error());
    //change to correct database