
Register Globals Variable conversion


9 replies to this topic

#1 Aceicol

  • Community Member
  • 115 posts
  • Real Name:Alex
  • Location:Cardiff - UK

Posted 23 March 2005, 18:36

Hi

I have made my store and everything is working correctly except when it goes off to the CC Payment Processor: when it comes back it goes to the netbanx_checkout_process.php page, which is meant to update an order table and forward on to netbanx_callback.php with the confirmation details.

The problem is that the Netbanx module has been coded with Register Globals = on (requirement).

I would like it if someone could help me as to which parts of these next two files I need to change to make it work with register_globals = off.

I am not asking people to do it for me, just for some help and advice please; I can usually read PHP but have more problems writing it.

Any help will be appreciated.

netbanx_checkout_process.php

<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

/*
  NetBanx Payment Module
  http://www.netbanx.com
  06/09/04 v1.1 DW
*/

  include('includes/application_top.php');


// if the customer is not logged on, redirect them to the login page
  if (!tep_session_is_registered('customer_id')) {
    $navigation->set_snapshot(array('mode' => 'SSL', 'page' => FILENAME_CHECKOUT_PAYMENT));
    tep_redirect(tep_href_link(FILENAME_LOGIN, '', 'SSL'));
  }

  if (!tep_session_is_registered('sendto')) {
    tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));
  }

  if ( (tep_not_null(MODULE_PAYMENT_INSTALLED)) && (!tep_session_is_registered('payment')) ) {
    tep_redirect(tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL'));
  }

// avoid hack attempts during the checkout procedure by checking the internal cartID
  if (isset($cart->cartID) && tep_session_is_registered('cartID')) {
    if ($cart->cartID != $cartID) {
      tep_redirect(tep_href_link(FILENAME_CHECKOUT_SHIPPING, '', 'SSL'));
    }
  }

  include(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CHECKOUT_PROCESS);

// load selected payment module
  require(DIR_WS_CLASSES . 'payment.php');
//  if ($credit_covers) $payment=''; //ICW added for CREDIT CLASS
  $payment_modules = new payment($payment);

// load the selected shipping module
  require(DIR_WS_CLASSES . 'shipping.php');
  $shipping_modules = new shipping($shipping);

  require(DIR_WS_CLASSES . 'order.php');
  $order = new order;

// load the before_process function from the payment modules
  $payment_modules->before_process();

  require(DIR_WS_CLASSES . 'order_total.php');
  $order_total_modules = new order_total;

  $order_totals = $order_total_modules->process();

  $sql_data_array = array('customers_id' => $customer_id,
                          'customers_name' => $order->customer['firstname'] . ' ' . $order->customer['lastname'],
                          'customers_company' => $order->customer['company'],
                          'customers_street_address' => $order->customer['street_address'],
                          'customers_suburb' => $order->customer['suburb'],
                          'customers_city' => $order->customer['city'],
                          'customers_postcode' => $order->customer['postcode'],
                          'customers_state' => $order->customer['state'],
                          'customers_country' => $order->customer['country']['title'],
                          'customers_telephone' => $order->customer['telephone'],
                          'customers_email_address' => $order->customer['email_address'],
                          'customers_address_format_id' => $order->customer['format_id'],
                          'delivery_name' => $order->delivery['firstname'] . ' ' . $order->delivery['lastname'],
                          'delivery_company' => $order->delivery['company'],
                          'delivery_street_address' => $order->delivery['street_address'],
                          'delivery_suburb' => $order->delivery['suburb'],
                          'delivery_city' => $order->delivery['city'],
                          'delivery_postcode' => $order->delivery['postcode'],
                          'delivery_state' => $order->delivery['state'],
                          'delivery_country' => $order->delivery['country']['title'],
                          'delivery_address_format_id' => $order->delivery['format_id'],
                          'billing_name' => $order->billing['firstname'] . ' ' . $order->billing['lastname'],
                          'billing_company' => $order->billing['company'],
                          'billing_street_address' => $order->billing['street_address'],
                          'billing_suburb' => $order->billing['suburb'],
                          'billing_city' => $order->billing['city'],
                          'billing_postcode' => $order->billing['postcode'],
                          'billing_state' => $order->billing['state'],
                          'billing_country' => $order->billing['country']['title'],
                          'billing_address_format_id' => $order->billing['format_id'],
                          'payment_method' => $order->info['payment_method'],
                          'cc_type' => $order->info['cc_type'],
                          'cc_owner' => $order->info['cc_owner'],
                          'cc_number' => $order->info['cc_number'],
                          'cc_expires' => $order->info['cc_expires'],
                          'date_purchased' => 'now()',
                          'orders_status' => $order->info['order_status'],
                          'currency' => $order->info['currency'],
                          'currency_value' => $order->info['currency_value']);
  tep_db_perform(TABLE_ORDERS, $sql_data_array);
  $insert_id = tep_db_insert_id();
  for ($i=0, $n=sizeof($order_totals); $i<$n; $i++) {
    $sql_data_array = array('orders_id' => $insert_id,
                            'title' => $order_totals[$i]['title'],
                            'text' => $order_totals[$i]['text'],
                            'value' => $order_totals[$i]['value'],
                            'class' => $order_totals[$i]['code'],
                            'sort_order' => $order_totals[$i]['sort_order']);
    tep_db_perform(TABLE_ORDERS_TOTAL, $sql_data_array);
  }

  $customer_notification = (SEND_EMAILS == 'true') ? '1' : '0';
  $sql_data_array = array('orders_id' => $insert_id,
                          'orders_status_id' => $order->info['order_status'],
                          'date_added' => 'now()',
                          'customer_notified' => $customer_notification,
                          'comments' => "Customer Comments: ".$order->info['comments']."\nNetBanx Reference: ".$netbanx_reference);
  tep_db_perform(TABLE_ORDERS_STATUS_HISTORY, $sql_data_array);

// initialized for the email confirmation
  $products_ordered = '';
  $subtotal = 0;
  $total_tax = 0;

  for ($i=0, $n=sizeof($order->products); $i<$n; $i++) {
// Stock Update - Joao Correia
    if (STOCK_LIMITED == 'true') {
      if (DOWNLOAD_ENABLED == 'true') {
        $stock_query_raw = "SELECT products_quantity, pad.products_attributes_filename
                            FROM " . TABLE_PRODUCTS . " p
                            LEFT JOIN " . TABLE_PRODUCTS_ATTRIBUTES . " pa
                             ON p.products_id=pa.products_id
                            LEFT JOIN " . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . " pad
                             ON pa.products_attributes_id=pad.products_attributes_id
                            WHERE p.products_id = '" . tep_get_prid($order->products[$i]['id']) . "'";
// Will work with only one option for downloadable products
// otherwise, we have to build the query dynamically with a loop
        $products_attributes = $order->products[$i]['attributes'];
        if (is_array($products_attributes)) {
          $stock_query_raw .= " AND pa.options_id = '" . $products_attributes[0]['option_id'] . "' AND pa.options_values_id = '" . $products_attributes[0]['value_id'] . "'";
        }
        $stock_query = tep_db_query($stock_query_raw);
      } else {
        $stock_query = tep_db_query("select products_quantity from " . TABLE_PRODUCTS . " where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
      }
      if (tep_db_num_rows($stock_query) > 0) {
        $stock_values = tep_db_fetch_array($stock_query);
// do not decrement quantities if products_attributes_filename exists
        if ((DOWNLOAD_ENABLED != 'true') || (!$stock_values['products_attributes_filename'])) {
          $stock_left = $stock_values['products_quantity'] - $order->products[$i]['qty'];
        } else {
          $stock_left = $stock_values['products_quantity'];
        }
        tep_db_query("update " . TABLE_PRODUCTS . " set products_quantity = '" . $stock_left . "' where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
        if ( ($stock_left < 1) && (STOCK_ALLOW_CHECKOUT == 'false') ) {
          tep_db_query("update " . TABLE_PRODUCTS . " set products_status = '0' where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");
        }
      }
    }

// Update products_ordered (for bestsellers list)
    tep_db_query("update " . TABLE_PRODUCTS . " set products_ordered = products_ordered + " . sprintf('%d', $order->products[$i]['qty']) . " where products_id = '" . tep_get_prid($order->products[$i]['id']) . "'");

    $sql_data_array = array('orders_id' => $insert_id,
                            'products_id' => tep_get_prid($order->products[$i]['id']),
                            'products_model' => $order->products[$i]['model'],
                            'products_name' => $order->products[$i]['name'],
                            'products_price' => $order->products[$i]['price'],
                            'final_price' => $order->products[$i]['final_price'],
                            'products_tax' => $order->products[$i]['tax'],
                            'products_quantity' => $order->products[$i]['qty']);
    tep_db_perform(TABLE_ORDERS_PRODUCTS, $sql_data_array);
    $order_products_id = tep_db_insert_id();
//    $order_total_modules->update_credit_account($i);//ICW ADDED FOR CREDIT CLASS SYSTEM
//------insert customer chosen option to order--------
    $attributes_exist = '0';
    $products_ordered_attributes = '';
    if (isset($order->products[$i]['attributes'])) {
      $attributes_exist = '1';
      for ($j=0, $n2=sizeof($order->products[$i]['attributes']); $j<$n2; $j++) {
        if (DOWNLOAD_ENABLED == 'true') {
          $attributes_query = "select popt.products_options_name, poval.products_options_values_name, pa.options_values_price, pa.price_prefix, pad.products_attributes_maxdays, pad.products_attributes_maxcount , pad.products_attributes_filename
                               from " . TABLE_PRODUCTS_OPTIONS . " popt, " . TABLE_PRODUCTS_OPTIONS_VALUES . " poval, " . TABLE_PRODUCTS_ATTRIBUTES . " pa
                               left join " . TABLE_PRODUCTS_ATTRIBUTES_DOWNLOAD . " pad
                                on pa.products_attributes_id=pad.products_attributes_id
                               where pa.products_id = '" . $order->products[$i]['id'] . "'
                                and pa.options_id = '" . $order->products[$i]['attributes'][$j]['option_id'] . "'
                                and pa.options_id = popt.products_options_id
                                and pa.options_values_id = '" . $order->products[$i]['attributes'][$j]['value_id'] . "'
                                and pa.options_values_id = poval.products_options_values_id
                                and popt.language_id = '" . $languages_id . "'
                                and poval.language_id = '" . $languages_id . "'";
          $attributes = tep_db_query($attributes_query);
        } else {
          $attributes = tep_db_query("select popt.products_options_name, poval.products_options_values_name, pa.options_values_price, pa.price_prefix from " . TABLE_PRODUCTS_OPTIONS . " popt, " . TABLE_PRODUCTS_OPTIONS_VALUES . " poval, " . TABLE_PRODUCTS_ATTRIBUTES . " pa where pa.products_id = '" . $order->products[$i]['id'] . "' and pa.options_id = '" . $order->products[$i]['attributes'][$j]['option_id'] . "' and pa.options_id = popt.products_options_id and pa.options_values_id = '" . $order->products[$i]['attributes'][$j]['value_id'] . "' and pa.options_values_id = poval.products_options_values_id and popt.language_id = '" . $languages_id . "' and poval.language_id = '" . $languages_id . "'");
        }
        $attributes_values = tep_db_fetch_array($attributes);

        $sql_data_array = array('orders_id' => $insert_id,

                                'orders_products_id' => $order_products_id,
                                'products_options' => $attributes_values['products_options_name'],
                                'products_options_values' => $attributes_values['products_options_values_name'],
                                'options_values_price' => $attributes_values['options_values_price'],
                                'price_prefix' => $attributes_values['price_prefix']);
        tep_db_perform(TABLE_ORDERS_PRODUCTS_ATTRIBUTES, $sql_data_array);

        if ((DOWNLOAD_ENABLED == 'true') && isset($attributes_values['products_attributes_filename']) && tep_not_null($attributes_values['products_attributes_filename'])) {
          $sql_data_array = array('orders_id' => $insert_id,
                                  'orders_products_id' => $order_products_id,
                                  'orders_products_filename' => $attributes_values['products_attributes_filename'],
                                  'download_maxdays' => $attributes_values['products_attributes_maxdays'],
                                  'download_count' => $attributes_values['products_attributes_maxcount']);
          tep_db_perform(TABLE_ORDERS_PRODUCTS_DOWNLOAD, $sql_data_array);
        }
        $products_ordered_attributes .= "\n\t" . $attributes_values['products_options_name'] . ' ' . $attributes_values['products_options_values_name'];
      }
    }
//------insert customer chosen option eof ----
    $total_weight += ($order->products[$i]['qty'] * $order->products[$i]['weight']);
    $total_tax += tep_calculate_tax($total_products_price, $products_tax) * $order->products[$i]['qty'];
    $total_cost += $total_products_price;

    $products_ordered .= $order->products[$i]['qty'] . ' x ' . $order->products[$i]['name'] . ' (' . $order->products[$i]['model'] . ') = ' . $currencies->display_price($order->products[$i]['final_price'], $order->products[$i]['tax'], $order->products[$i]['qty']) . $products_ordered_attributes . "\n";
  }
// $order_total_modules->apply_credit();//ICW ADDED FOR CREDIT CLASS SYSTEM
// let's start with the email confirmation
  $email_order = STORE_NAME . "\n" .
                 EMAIL_SEPARATOR . "\n" .
                 EMAIL_TEXT_ORDER_NUMBER . ' ' . $insert_id . "\n" .
                 EMAIL_TEXT_INVOICE_URL . ' ' . tep_href_link(FILENAME_ACCOUNT_HISTORY_INFO, 'order_id=' . $insert_id, 'SSL', false) . "\n" .
                 EMAIL_TEXT_DATE_ORDERED . ' ' . strftime(DATE_FORMAT_LONG) . "\n\n";
  if ($order->info['comments']) {
    $email_order .= tep_db_output($order->info['comments']) . "\n\n";
  }
  $email_order .= EMAIL_TEXT_PRODUCTS . "\n" .
                  EMAIL_SEPARATOR . "\n" .
                  $products_ordered .
                  EMAIL_SEPARATOR . "\n";

  for ($i=0, $n=sizeof($order_totals); $i<$n; $i++) {
    $email_order .= strip_tags($order_totals[$i]['title']) . ' ' . strip_tags($order_totals[$i]['text']) . "\n";
  }

  if ($order->content_type != 'virtual') {
    $email_order .= "\n" . EMAIL_TEXT_DELIVERY_ADDRESS . "\n" .
                    EMAIL_SEPARATOR . "\n" .
                    tep_address_label($customer_id, $sendto, 0, '', "\n") . "\n";
  }

  $email_order .= "\n" . EMAIL_TEXT_BILLING_ADDRESS . "\n" .
                  EMAIL_SEPARATOR . "\n" .
                  tep_address_label($customer_id, $billto, 0, '', "\n") . "\n\n";
  if (is_object($$payment)) {
    $email_order .= EMAIL_TEXT_PAYMENT_METHOD . "\n" .
                    EMAIL_SEPARATOR . "\n";
    $payment_class = $$payment;
    $email_order .= $payment_class->title . "\n\n";
    if ($payment_class->email_footer) {
      $email_order .= $payment_class->email_footer . "\n\n";
    }
  }
  tep_mail($order->customer['firstname'] . ' ' . $order->customer['lastname'], $order->customer['email_address'], EMAIL_TEXT_SUBJECT, $email_order, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);

// send emails to other people
  if (SEND_EXTRA_ORDER_EMAILS_TO != '') {
    tep_mail('', SEND_EXTRA_ORDER_EMAILS_TO, EMAIL_TEXT_SUBJECT, $email_order, STORE_OWNER, STORE_OWNER_EMAIL_ADDRESS);
  }

// load the after_process function from the payment modules
  $payment_modules->after_process();

  $cart->reset(true);

// unregister session variables used during checkout
  tep_session_unregister('sendto');
  tep_session_unregister('billto');
  tep_session_unregister('shipping');
  tep_session_unregister('payment');
  tep_session_unregister('comments');
  if (tep_session_is_registered('credit_covers')) tep_session_unregister('credit_covers');
//  $order_total_modules->clear_posts();//ICW ADDED FOR CREDIT CLASS SYSTEM

  tep_redirect(tep_href_link(FILENAME_NETBANX_CALLBACK, 'netbanx_reference=' . $netbanx_reference . '&payment_amount=' . $payment_amount. '&currency_symbol=' . $currency_symbol . '&currency_name=' . $currency_name, 'SSL'));


  require(DIR_WS_INCLUDES . 'application_bottom.php');
?>

and this is the page it passes it over to.

<?php
/*
  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright (c) 2003 osCommerce

  Released under the GNU General Public License
*/

/*
  NetBanx Payment Module
  http://www.netbanx.com
  12/07/04 v1.0 DW
*/

  require('includes/application_top.php');

  require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_NETBANX_CALLBACK);

  $breadcrumb->add(NAVBAR_TITLE, tep_href_link(FILENAME_NETBANX_CALLBACK, '', 'NONSSL'));
?>
<!doctype html public "-//W3C//DTD HTML 4.01 Transitional//EN">
<html <?php echo HTML_PARAMS; ?>>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=<?php echo CHARSET; ?>">
<title><?php echo TITLE .' ' . NAVBAR_TITLE; ?></title>
<base href="<?php echo (getenv('HTTPS') == 'on' ? HTTPS_SERVER : HTTP_SERVER) . DIR_WS_CATALOG; ?>">
<link rel="stylesheet" type="text/css" href="stylesheet.css">
</head>
<body marginwidth="0" marginheight="0" topmargin="0" bottommargin="0" leftmargin="0" rightmargin="0">
<!-- header //-->
<?php require(DIR_WS_INCLUDES . 'header.php'); ?>
<!-- header_eof //-->

<!-- body //-->
<table border="0" width="800" cellspacing="0" cellpadding="0">
  <tr>
    <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="0">
<!-- left_navigation //-->
<?php 
// Next line Removed for version 1.4 and above
// require(DIR_WS_INCLUDES . 'column_left.php'); 
// Delete next line if using column
echo tep_draw_separator('pixel_trans.gif', '100%', '10');
?>
<!-- left_navigation_eof //-->
    </table></td>
<!-- body_text //-->
    <td width="100%" valign="top"><table border="0" width="100%" cellspacing="0" cellpadding="0">
      <tr>
        <td width="100%"><table border="0" width="100%" cellspacing="0" cellpadding="0">
          <tr>
            <td class="pageHeading"><?php echo HEADING_TITLE; ?></td>
     <!--       <td align="right"><?php echo tep_image(DIR_WS_IMAGES . 'table_background_payment.gif', HEADING_TITLE, HEADING_IMAGE_WIDTH, HEADING_IMAGE_HEIGHT); ?></td>-->
          </tr>
        </table></td>
      </tr>

<?php // Success
if(isset($netbanx_reference) && $netbanx_reference != "0") {
?>
	<tr><td class="pageHeading" width="800" colspan="2">
	<center><?php echo NETBANX_TEXT_SUCCESS; ?></center></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="0">
	<tr> <td class="main"><center><?php echo NETBANX_REFERENCE.$netbanx_reference; ?><br><br>
   <?php echo NETBANX_PAYMENT_AMOUNT.$currency_symbol.$payment_amount." in ".$currency_name; ?><br><br></center></td></tr>
	</table></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr>
	<tr><td class="pageHeading" width="100%" colspan="2">
	<center><h3><?php echo NETBANX_TEXT_SUCCESS_WAIT; ?></h3></center></td></tr>
	<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr>
<?php // Failure
} else {
?>
	<tr><td class="pageHeading" width="100%" colspan="2">
	<center></center></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="2">
	<tr><td class="main"><center><?php echo NETBANX_TEXT_FAILURE; ?></center><br><br>
   <?php echo '<WPDISPLAY ITEM=banner>'; ?><br><br>
  <?php echo $netbanx_reference; ?>
  </td></tr>
	</table></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr>
	<tr><td class="pageHeading" width="100%" colspan="2">
	<center><h3><?php echo NETBANX_TEXT_FAILURE_WAIT; ?></h3></center></td></tr>
	<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td></tr>
    <tr>
      <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
    </tr>
<?php
}
?>
    </table></td>
    <td><img src="images/design/trans.gif" width="15" height="15"></td>  
<!-- body_text_eof //-->
    <td width="<?php echo BOX_WIDTH; ?>" valign="top"><table border="0" width="<?php echo BOX_WIDTH; ?>" cellspacing="0" cellpadding="0">
  <!-- right_navigation //-->
<?php 
// Next line Removed for version 1.4
// require(DIR_WS_INCLUDES . 'column_right.php'); 
// Delete next line if using column
echo tep_draw_separator('pixel_trans.gif', '100%', '10');
?>
<!-- right_navigation_eof //-->
    </table></td>
  <td class="righthand-back" width="20"><img src="images/design/trans.gif" width="20" height="20">&nbsp;</td>
  </tr>
</table>
<!-- body_eof //-->

<!-- footer //-->
<?php 
// Next line Optional for version 1.4 or above
  require(DIR_WS_INCLUDES . 'footer.php');
?>
<!-- footer_eof //-->
</body>
</html>
<?php require(DIR_WS_INCLUDES . 'application_bottom.php'); ?>

Any help will be gratefully received.

Thank you
Alex

#2 FalseDawn

  • Community Member
  • 1,489 posts
  • Real Name:SC

Posted 23 March 2005, 21:19

OSC as it stands requires register globals to be ON.

Have you installed the register globals contribution? What is your current register_globals setting?

#3 Aceicol

  • Community Member
  • 115 posts
  • Real Name:Alex
  • Location:Cardiff - UK

Posted 23 March 2005, 21:31

FalseDawn, on Mar 23 2005, 09:19 PM, said:

OSC as it stands requires register globals to be ON.

Have you installed the register globals contribution? What is your current register_globals setting?



With Globals turned on I understand there is a security issue, therefore my host has turned them off.

I have come across a few hosts recently who have done this.

#4 FalseDawn

  • Community Member
  • 1,489 posts
  • Real Name:SC

Posted 23 March 2005, 21:47

You will therefore need to either install the register globals contribution to OSC, or modify the code yourself, otherwise it will not work correctly.

Have you done this?

Register Globals being turned on itself is not a security issue per se, rather it encourages sloppy code which can easily produce vulnerabilities.

#5 Aceicol

  • Community Member
  • 115 posts
  • Real Name:Alex
  • Location:Cardiff - UK

Posted 23 March 2005, 23:49

FalseDawn, on Mar 23 2005, 09:47 PM, said:

You will therefore need to either install the register globals contribution to OSC, or modify the code yourself, otherwise it will not work correctly.

Have you done this?

Register Globals being turned on itself is not a security issue per se, rather it encourages sloppy code which can easily produce vulnerabilities.




Yes, sorry, I realise I didn't answer your question correctly. I have installed the register globals contribution already and it seems everything is working fine except for these two files.

Like I say, I am not an expert on PHP, but I tried to hard code the variables in the redirect code near the bottom of the netbanx_checkout_process.php page and just display them on the next page, but it wasn't passing the variables at all, so I assumed this was to do with the way the globals were being passed.

Do you know if this is correct or not?

Thanks
Alex

#6 FalseDawn

  • Community Member
  • 1,489 posts
  • Real Name:SC

Posted 24 March 2005, 01:50

OK, so the netbanx thing requires register_globals to be set on.
What exactly happens when you try it with this turned off?

If you need to store variables between multiple pages, an easy way is to use the $_SESSION superglobal

eg $_SESSION['my_variable'] = myvalue

to retrieve it, just use (eg) echo $_SESSION['my_variable']

This is preferred over session_register()

It's not advisable to store unencrypted sensitive info in the Session, though.

#7 Aceicol

  • Community Member
  • 115 posts
  • Real Name:Alex
  • Location:Cardiff - UK

Posted 24 March 2005, 09:29

FalseDawn, on Mar 24 2005, 01:50 AM, said:

OK, so the netbanx thing requires register_globals to be set on.
What exactly happens when you try it with this turned off?

If you need to store variables between multiple pages, an easy way is to use the $_SESSION superglobal

eg $_SESSION['my_variable'] = myvalue

to retrieve it, just use (eg)  echo $_SESSION['my_variable']

This is preferred over session_register()

It's not advisable to store unencrypted sensitive info in the Session, though.



When register_globals = off the failed card message appears every time, even though I have received confirmation of payment via email and Netbanx confirm the payment has been made as well as the order.

I assume the reason for this is this bit of code.

<?php // Success
if(isset($netbanx_reference) && $netbanx_reference != "0") {
?>
<tr><td class="pageHeading" width="800" colspan="2">
<center><?php echo NETBANX_TEXT_SUCCESS; ?></center></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="0">
<tr> <td class="main"><center><?php echo NETBANX_REFERENCE.$netbanx_reference; ?><br><br>
  <?php echo NETBANX_PAYMENT_AMOUNT.$currency_symbol.$payment_amount." in ".$currency_name; ?><br><br></center></td></tr>
</table></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<tr><td class="pageHeading" width="100%" colspan="2">
<center><h3><?php echo NETBANX_TEXT_SUCCESS_WAIT; ?></h3></center></td></tr>
<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<?php // Failure
} else {
?>
<tr><td class="pageHeading" width="100%" colspan="2">
<center></center></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="2">
<tr><td class="main"><center><?php echo NETBANX_TEXT_FAILURE; ?></center><br><br>
  <?php echo '<WPDISPLAY ITEM=banner>'; ?><br><br>
 <?php echo $netbanx_reference; ?>
 </td></tr>
</table></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<tr><td class="pageHeading" width="100%" colspan="2">
<center><h3><?php echo NETBANX_TEXT_FAILURE_WAIT; ?></h3></center></td></tr>
<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<?php
}
?>

I assume that the following line

if(isset($netbanx_reference) && $netbanx_reference != "0") {

checks whether the $netbanx_reference variable is not empty and, if so, displays the NETBANX_SUCCESS message, whereas if the variable is empty it shows the NETBANX_FAILED message.

I think that this is where the problem lies. As the variables aren't being passed correctly, $netbanx_reference is always empty.

Am I right here?

Thanks
Alex

#8 smic717394

  • Community Member
  • 61 posts
  • Real Name:Robert
  • Gender:Male
  • Location:London, UK

Posted 09 February 2010, 10:11

Aceicol, on 24 March 2005, 09:29, said:

When register_globals = off the failed card message appears every time, even though I have received confirmation of payment via email and Netbanx confirm the payment has been made as well as the order.

I assume the reason for this is this bit of code.

<?php // Success
if(isset($netbanx_reference) && $netbanx_reference != "0") {
?>
<tr><td class="pageHeading" width="800" colspan="2">
<center><?php echo NETBANX_TEXT_SUCCESS; ?></center></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="0">
<tr> <td class="main"><center><?php echo NETBANX_REFERENCE.$netbanx_reference; ?><br><br>
  <?php echo NETBANX_PAYMENT_AMOUNT.$currency_symbol.$payment_amount." in ".$currency_name; ?><br><br></td></tr>
</td></tr></table>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<tr><td class="pageHeading" width="100%" colspan="2">
<center><h3><?php echo NETBANX_TEXT_SUCCESS_WAIT; ?></h3></center></td></tr>
<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_ACCOUNT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?><td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<?php // Failure
} else {
?>
<tr><td class="pageHeading" width="100%" colspan="2">
<center></center></td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr><tr><td align="center" colspan="2"><table border="2" bordercolor="#FF0000" width="80%" cellspacing="0" cellpadding="2">
<tr><td class="main"><center><?php echo NETBANX_TEXT_FAILURE; ?></center><br><br>
  <?php echo '<WPDISPLAY ITEM=banner>'; ?><br><br>
 <?php echo $netbanx_reference; ?>
 </td></tr>
</td></tr></table>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<tr><td class="pageHeading" width="100%" colspan="2">
<center><h3><?php echo NETBANX_TEXT_FAILURE_WAIT; ?></h3></center></td></tr>
<tr align="right"><td><?php echo '<a href="' . tep_href_link(FILENAME_CHECKOUT_PAYMENT, '', 'SSL') . '">' . tep_image_button('button_continue.gif', IMAGE_BUTTON_CONTINUE) . '</a>'; ?><td></tr>
   <tr>
     <td><?php echo tep_draw_separator('pixel_trans.gif', '100%', '50'); ?></td>
   </tr>
<?php
}
?>

I assume that the following line

if(isset($netbanx_reference) && $netbanx_reference != "0") {

checks whether the $netbanx_reference variable is not empty and, if so, displays the NETBANX_SUCCESS message, whereas if the variable is empty it shows the NETBANX_FAILED message.

I think that this is where the problem lies. As the variables aren't being passed correctly, $netbanx_reference is always empty.

Am I right here?

Thanks
Alex

How did you fix this, Alex? I get the same problem: the transaction fails every time even if the transaction passes. Can you please share your netbanx_callback.php?

Thank you

#9 spooks

  • Community Member
  • 7,017 posts
  • Real Name:Sam
  • Gender:Male
  • Location:UK

Posted 09 February 2010, 10:23

smic717394, on 09 February 2010, 10:11, said:

How did you fix this, Alex? I get the same problem: the transaction fails every time even if the transaction passes. Can you please share your netbanx_callback.php?

Thank you


Is there no newer module that's been correctly written? The general rule is: if it needs rg on, leave well alone!!


Anyway, looking at this it seems $netbanx_reference is not set prior to the check; you would need to find out what it should be set with ($_GET / $_POST).
Sam

Remember, what you think I meant may not be what I thought I meant when I said it.


#10 MrPhil

  • Community Member
  • 3,291 posts
  • Real Name:Phil
  • Gender:Male

Posted 09 February 2010, 17:03

If you think that the poorly written code is passing $netbanx_reference as a register global variable, add the following code ahead of the first reference to that variable:
if (isset($_REQUEST['netbanx_reference'])) {
  $netbanx_reference = $_REQUEST['netbanx_reference'];
}
That should define it if it was passed in, and leave it undefined (unset) if it wasn't.
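The following is an added example, not code from the NetBanx module or from osCommerce, showing one way to define the four variables the module expected register_globals to inject. The parameter names are the ones netbanx_checkout_process.php passes in its redirect; that the processor returns to that file under the same names, and the helper names netbanx_param, netbanx_collect_params and netbanx_is_success, are assumptions.

```php
<?php
// Added example (not part of the NetBanx module): read request parameters
// explicitly instead of relying on register_globals. Place this before the
// first use of $netbanx_reference in netbanx_checkout_process.php and in
// netbanx_callback.php.

/**
 * Fetch one request parameter from $_POST or $_GET without register_globals.
 * Returns $default when the parameter is absent, so a caller can tell
 * "missing" from "present but empty".
 */
function netbanx_param($name, $default = null) {
  if (isset($_POST[$name])) {
    return (string) $_POST[$name];
  }
  if (isset($_GET[$name])) {
    return (string) $_GET[$name];
  }
  return $default;
}

/**
 * Collect the four parameters the module uses and normalise them.
 * The names are those used in the redirect in netbanx_checkout_process.php;
 * the character and amount formats accepted here are assumptions.
 */
function netbanx_collect_params() {
  // The module treats "0" (or no reference at all) as a failed payment.
  $reference = netbanx_param('netbanx_reference', '0');
  // Keep only characters expected in a transaction reference (assumption).
  $reference = preg_replace('/[^A-Za-z0-9_-]/', '', $reference);
  if ($reference === '') {
    $reference = '0';
  }

  // Accept only a plain decimal amount; anything else is treated as absent.
  $amount = netbanx_param('payment_amount', '');
  if (!preg_match('/^\d+(\.\d{1,2})?$/', $amount)) {
    $amount = '';
  }

  return array(
    'netbanx_reference' => $reference,
    'payment_amount'    => $amount,
    'currency_symbol'   => netbanx_param('currency_symbol', ''),
    'currency_name'     => netbanx_param('currency_name', ''),
  );
}

/**
 * The success/failure decision netbanx_callback.php makes, as a function:
 * true only when a reference was supplied and it is not "0".
 */
function netbanx_is_success(array $params) {
  return $params['netbanx_reference'] !== '0';
}

// Define the variables the rest of the file expects. The values arrive in the
// query string, so they are display values for the receipt page only; the
// order and status history written by netbanx_checkout_process.php remain
// the record of what was paid.
$netbanx = netbanx_collect_params();
$netbanx_reference = $netbanx['netbanx_reference'];
$payment_amount    = $netbanx['payment_amount'];
// These are echoed straight into HTML on the callback page, so encode them.
$currency_symbol   = htmlspecialchars($netbanx['currency_symbol'], ENT_QUOTES);
$currency_name     = htmlspecialchars($netbanx['currency_name'], ENT_QUOTES);
?>
```

With this in place the existing isset() check on the callback page keeps working unchanged, and a missing or "0" reference still lands in the failure branch.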