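/**
 * PayPal return handler: validates the shopper's return from PayPal and
 * hands the order over to the PayPal payment object for final validation.
 *
 * Relies on the PrestaShop globals $cookie (session), $cart, $ppPayment and
 * $smarty. Every failure path terminates the request (redirect/exit or die),
 * so execution only reaches makePayPalAPIValidation() when:
 *   - the customer is logged in,
 *   - the cart total is non-zero,
 *   - the request carries a non-empty 'token' that is identical to the token
 *     stored in the session when checkout was started,
 *   - the request carries a non-empty 'PayerID'.
 *
 * Changes from the original: the token comparison is strict (!==) instead of
 * loose (!=); PHP's loose string comparison treats numeric-looking strings as
 * numbers, so e.g. "0e1" and "0e2" would compare equal. The unreachable
 * die() after exit in the not-logged branch was dropped.
 */
function validOrder()
{
    global $cookie, $cart, $ppPayment, $smarty;

    if (!$cookie->isLogged(true)) {
        // Not authenticated: bounce to the shop root (relative Location kept as-is).
        header('location:../../../');
        exit;
    } elseif (!$cart->getOrderTotal(true, PayPal::BOTH)) {
        die('Empty cart');
    }

    // 'token' may arrive via GET or POST (Tools::getValue); it is
    // entity-encoded before use/comparison, so a token containing characters
    // that htmlentitiesUTF8 rewrites would fail closed against the raw cookie value.
    $token = Tools::htmlentitiesUTF8(strval(Tools::getValue('token')));
    if (!$token) {
        $smarty->assign('paypalError', 'Invalid token');
        displayConfirm();
        die('Invalid token');
    }

    // Bind this return to the session that initiated checkout: the token
    // PayPal sends back must be the one we stored. Strict comparison on purpose.
    if ($token !== strval($cookie->paypal_token)) {
        die('Invalid cookie token');
    }

    $payerID = Tools::htmlentitiesUTF8(strval(Tools::getValue('PayerID')));
    if (!$payerID) {
        die('Invalid payerID');
    }

    $ppPayment->makePayPalAPIValidation($cookie, $cart, $cart->id_currency, $payerID, 'payment');
}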
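} // closes a definition that begins before this excerpt (not visible here)

/**
 * PayPal return handler (variant): validates the shopper's return from PayPal
 * and delegates the final order validation to $ppPayment->validOrder().
 *
 * Uses the PrestaShop globals $cookie, $cart and $ppPayment. Each failed
 * check die()s, so $ppPayment->validOrder() only runs when the customer is
 * logged in, the cart total (getOrderTotalLC(true, 3)) is non-zero, the
 * request's 'token' is non-empty and identical to the session's
 * paypal_token, and a non-empty 'PayerID' is present.
 *
 * Change from the original: the token comparison is strict (!==). With the
 * loose != operator PHP compares numeric-looking strings as numbers, so two
 * different tokens such as "0e1" and "0e2" would have been accepted as equal.
 */
function validOrder()
{
    global $cookie, $cart, $ppPayment;

    if (!$cookie->isLogged()) {
        die('Not logged');
    } elseif (!$cart->getOrderTotalLC(true, 3)) {
        die('Empty cart');
    }

    // Request token (GET or POST), entity-encoded before it is used anywhere.
    $token = Tools::htmlentitiesUTF8(strval(Tools::getValue('token')));
    if (!$token) {
        die('Invalid token');
    }

    // The token PayPal returns must match the one stored when checkout began;
    // this ties the callback to the session that started it.
    if ($token !== strval($cookie->paypal_token)) {
        die('Invalid cookie token');
    }

    $payerID = Tools::htmlentitiesUTF8(strval(Tools::getValue('PayerID')));
    if (!$payerID) {
        die('Invalid payerID');
    }

    $ppPayment->validOrder($cookie, $cart, $cookie->id_currency, $payerID, 'payment');
}

// #####
// Process !!
// No submit and no return from PayPal: just show the confirmation page.
if (!Tools::isSubmit('submitPayment') && !Tools::getValue('fromPayPal')) {
    displayConfirm();
} else {
    // No PayPal token in the session yet: start the PayPal flow.
    // NOTE(review): submitConfirm() is assumed to redirect and end the
    // request; if it returns, validOrder() runs next and die()s on the
    // missing session token.
    if (!isset($cookie->paypal_token) || !$cookie->paypal_token) {
        submitConfirm();
    }
    validOrder();
}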
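} // closes a definition that begins before this excerpt (not visible here)

// ---- check for dbtype ----
// Every value below comes straight from the submitted form ($_POST) and is
// untrusted. Each failed check re-issues the form (or asks for confirmation)
// and exits, so nothing after this point runs with a rejected value.
// Non-string submissions (e.g. "dbtype[]=x") are treated as invalid instead
// of being handed to preg_match(), which would raise a TypeError on PHP 8.
$dbtype          = (isset($_POST['dbtype']) && is_string($_POST['dbtype'])) ? $_POST['dbtype'] : '';
$hasConfirmation = isset($_POST['confirmdbtype']);
$confirmedYes    = $hasConfirmation && $_POST['confirmdbtype'] === 'yes';

// The user answered "no" on the confirmation page: re-issue the initial form.
if ($hasConfirmation && !$confirmedYes) {
    displayInitialForm("Please select a different database type (mysql recommended)");
    exit(0);
}

// dbtype selects a driver, so restrict it to [A-Za-z0-9_-] (\w already
// covers "_"). The hyphen must be the last thing in the class: the original
// "[\w-_]" is an invalid range under PCRE2 (PHP 7.3+), so preg_match()
// returned false and every dbtype was reported as illegal. The D modifier
// keeps "$" from accepting a trailing newline.
if (!preg_match('/^[\w-]+$/D', $dbtype)) {
    displayInitialForm("dbtype contains illegal charactors");
    exit(0);
} elseif ($dbtype === 'mssql' && !$confirmedYes) {
    // Confirm before continuing with an unsupported-but-known type.
    displayConfirm("MS Sql is not officially supported - do you wish to continue?", 'dbtype', $_POST);
    exit(0);
} elseif ($dbtype !== 'mysql' && !$confirmedYes) {
    displayConfirm("DB type is not supported this will need manual configuration - do you wish to continue?", 'dbtype', $_POST);
    exit(0);
}

// Basic password check: only blocks a few characters not allowed by MySQL.
// Other characters MySQL rejects (e.g. accented letters) are still let
// through - they are not considered a security risk here and MySQL will
// refuse them itself. Double and single quotes are blocked regardless, in
// case they cause problems downstream.
$password = isset($_POST['password']) ? $_POST['password'] : '';
if (!is_string($password) || preg_match('/[:&+"\']/', $password)) {
    displayInitialForm("password contains illegal charactors");
    exit(0);
}

// Same basic check for the username, additionally rejecting whitespace.
// Length limits (e.g. max 16 chars) are left for MySQL to enforce; the point
// here is only to keep dangerous characters out.
$username = isset($_POST['username']) ? $_POST['username'] : '';
if (!is_string($username) || preg_match('/[:&+"\'\s]/', $username)) {
    displayInitialForm("username contains illegal charactors");
    exit(0);
}

// Does not check for valid hostname, just checks for valid characters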