|
1 | 1 | <?php |
2 | 2 |
|
3 | 3 | include '../../includes/connection.php'; |
| 4 | +include '../../includes/functions.php'; |
| 5 | + |
| 6 | + |
| 7 | + |
| 8 | +if (!isset($_SERVER["HTTP_X_SELLIX_SIGNATURE"]) && !isset($_SERVER["HTTP_X_SHOPPY_SIGNATURE"])) |
| 9 | +{ |
| 10 | + die("Request isn't coming from Sellix or Shoppy."); |
| 11 | +} |
4 | 12 |
|
5 | 13 | if (isset($_SERVER["HTTP_X_SELLIX_SIGNATURE"])) |
6 | 14 | { |
|
20 | 28 | $lifetimeproduct = $row["sellixlifetimeproduct"]; |
21 | 29 |
|
22 | 30 | $payload = file_get_contents('php://input'); |
23 | | - $header_signature = $_SERVER["HTTP_X_SELLIX_SIGNATURE"]; |
| 31 | + $header_signature = sanitize($_SERVER["HTTP_X_SELLIX_SIGNATURE"]); |
24 | 32 | $signature = hash_hmac('sha512', $payload, $secret); |
25 | 33 | if (!hash_equals($signature, $header_signature)) |
26 | 34 | { // if the sellix webhook secret the request was sent from didn't match the one set in the database |
|
30 | 38 | $json = json_decode($payload); |
31 | 39 | $data = $json->data; |
32 | 40 | $custom = $data->custom_fields; // getting custom fields, the hidden fields on KeyAuth sellix embed which provide sellix the KeyAuth username |
33 | | - $result = mysqli_query($link, "SELECT `balance` FROM `accounts` WHERE `username` = '" . $custom->username . "' AND `app` = '$name'"); |
| 41 | + $result = mysqli_query($link, "SELECT `balance` FROM `accounts` WHERE `username` = '" . sanitize($custom->username) . "' AND `app` = '$name'"); |
34 | 42 |
|
35 | 43 | if (mysqli_num_rows($result) == 0) |
36 | 44 | { // if reseller not found |
|
47 | 55 | $sixmonth = $balance[4]; |
48 | 56 | $lifetime = $balance[5]; |
49 | 57 |
|
50 | | - $amount = $data->quantity; // find quantity of keys purchased |
| 58 | + $amount = sanitize($data->quantity); // find quantity of keys purchased |
51 | 59 | // then given the duration of keys they purchased, add to their balance |
52 | | - switch ($data->product_id) |
| 60 | + switch (sanitize($data->product_id)) |
53 | 61 | { |
54 | 62 | case $dayproduct: |
55 | 63 | $day = $day + $amount; |
|
69 | 77 |
|
70 | 78 | $balance = $day . '|' . $week . '|' . $month . '|' . $threemonth . '|' . $sixmonth . '|' . $lifetime; |
71 | 79 | // set balance |
72 | | - mysqli_query($link, "UPDATE `accounts` SET `balance` = '$balance' WHERE `username` = '" . $custom->username . "'"); |
| 80 | + mysqli_query($link, "UPDATE `accounts` SET `balance` = '$balance' WHERE `username` = '" . sanitize($custom->username) . "'"); |
73 | 81 | die("Success: Reseller Balance Increased"); |
74 | 82 | } |
75 | 83 |
|
|
92 | 100 | $lifetimeproduct = $row["shoppylifetimeproduct"]; |
93 | 101 |
|
94 | 102 | $payload = file_get_contents('php://input'); |
95 | | -$header_signature = $_SERVER["HTTP_X_SHOPPY_SIGNATURE"]; |
| 103 | +$header_signature = sanitize($_SERVER["HTTP_X_SHOPPY_SIGNATURE"]); |
96 | 104 | $signature = hash_hmac('sha512', $payload, $secret); |
97 | 105 | if (!hash_equals($signature, $header_signature)) |
98 | 106 | { |
99 | 107 | // if the shoppy webhook secret the request was sent from didn't match the one set in the database |
100 | 108 | die("Failure: authentication with shoppy secret failed"); |
101 | 109 | } |
102 | | - |
103 | 110 | $json = json_decode($payload); |
| 111 | +$un = sanitize($json->data->order->custom_fields[0]->value); |
104 | 112 |
|
105 | | -$un = $json->data->order->custom_fields[0]->value; |
106 | | -$productid = $json->data->order->product_id; |
| 113 | +$productid = sanitize($json->data->order->product_id); |
107 | 114 |
|
108 | 115 | $result = mysqli_query($link, "SELECT `balance` FROM `accounts` WHERE `username` = '$un' AND `app` = '$name'"); |
109 | 116 |
|
|
123 | 130 | $sixmonth = $balance[4]; |
124 | 131 | $lifetime = $balance[5]; |
125 | 132 |
|
126 | | -$amount = $json->data->order->quantity; // find quantity of keys purchased |
| 133 | +$amount = sanitize($json->data->order->quantity); // find quantity of keys purchased |
127 | 134 | // then given the duration of keys they purchased, add to their balance |
128 | 135 | switch ($productid) |
129 | 136 | { |
|
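Review bot: The queries at new lines 41, 80 and 115 are still assembled by string concatenation, so the added `sanitize()` wrappers only prevent injection if that helper (declared in functions.php, not shown here) performs connection-aware escaping such as `mysqli_real_escape_string`; a prepared statement with bound parameters removes the dependence on the helper altogether, and the same applies to the Shoppy UPDATE outside the visible hunks. Wrapping the signature headers at new lines 31 and 103 is unnecessary: each value is only compared with `hash_equals` against a hex digest, so any transformation by `sanitize()` can only reject a valid webhook, never accept a forged one. At new lines 58 and 133 `quantity` is numeric, so `(int) $data->quantity` is the more precise guard than a string sanitizer. The `if` blocks enclosing both branches begin and end outside the visible hunks.
```php
// … unchanged: signature verification and json_decode …
$username = $custom->username;
$stmt = mysqli_prepare($link, 'SELECT `balance` FROM `accounts` WHERE `username` = ? AND `app` = ?');
mysqli_stmt_bind_param($stmt, 'ss', $username, $name);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
// … unchanged: reseller lookup and balance arithmetic …
$stmt = mysqli_prepare($link, 'UPDATE `accounts` SET `balance` = ? WHERE `username` = ?');
mysqli_stmt_bind_param($stmt, 'ss', $balance, $username);
mysqli_stmt_execute($stmt);
```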