Version Description
- SECURITY: Fixed sanitization of inputs and added nonces in several places to protect against XSS attacks.
- BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
- BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
- BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
- BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways. (Thanks, David Parker)
- ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
- ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.
Release Info
Developer | strangerstudios |
Plugin | Paid Memberships Pro |
Version | 1.9.3 |
Code changes from version 1.9.2.2 to 1.9.3
- adminpages/addons.php +1 -1
- adminpages/admin_header.php +2 -2
- adminpages/advancedsettings.php +20 -4
- adminpages/discountcodes.php +22 -5
- adminpages/emailsettings.php +10 -0
- adminpages/membershiplevels.php +25 -15
- adminpages/orders.php +44 -38
- adminpages/pagesettings.php +27 -12
- adminpages/paymentsettings.php +19 -2
- adminpages/reports/login.php +16 -12
- adminpages/reports/memberships.php +3 -1
- classes/class-deny-network-activation.php +2 -2
- classes/class.memberorder.php +15 -4
- classes/gateways/class.pmprogateway.php +1 -1
- classes/gateways/class.pmprogateway_braintree.php +4 -4
- classes/gateways/class.pmprogateway_check.php +1 -1
- classes/gateways/class.pmprogateway_cybersource.php +1 -1
- classes/gateways/class.pmprogateway_paypalexpress.php +9 -9
- classes/gateways/class.pmprogateway_stripe.php +11 -11
- includes/addons.php +1 -1
- includes/functions.php +41 -6
- paid-memberships-pro.php +2 -2
- preheaders/billing.php +19 -19
- preheaders/cancel.php +1 -1
- preheaders/checkout.php +5 -5
- preheaders/invoice.php +1 -1
- readme.txt +10 -1
- services/authnet-silent-post.php +1 -1
- services/braintree-webhook.php +3 -3
- services/ipnhandler.php +3 -3
- services/stripe-webhook.php +2 -2
- services/twocheckout-ins.php +3 -2
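--- a/adminpages/addons.php
+++ b/adminpages/addons.php
@@ -30,7 +30,7 @@
 
 //get plugin status for filters
 if(!empty($_REQUEST['plugin_status']))
-$status = $_REQUEST['plugin_status'];
+$status = pmpro_sanitize_with_safelist($_REQUEST['plugin_status'], array('', 'all', 'active', 'inactive', 'update', 'uninstalled'));
 
 //make sure we have an approved status
 $approved_statuses = array('all', 'active', 'inactive', 'update', 'uninstalled');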
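Review bot: The safelist passed to `pmpro_sanitize_with_safelist()` on line 33 repeats the `$approved_statuses` array declared on line 36 (plus an extra `''` entry), so the two lists can drift apart silently. Declare `$approved_statuses` before the `if` and reuse it, e.g. `$status = pmpro_sanitize_with_safelist($_REQUEST['plugin_status'], array_merge(array(''), $approved_statuses));`. What the helper returns for a value outside the list is not visible in this hunk; if it hands back the raw input rather than a default, the later check against `$approved_statuses` still has to run, so keep it.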
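--- a/adminpages/admin_header.php
+++ b/adminpages/admin_header.php
@@ -2,7 +2,7 @@
 require_once(dirname(__FILE__) . "/functions.php");
 
 if(isset($_REQUEST['page']))
-$view = $_REQUEST['page'];
+$view = sanitize_text_field($_REQUEST['page']);
 else
 $view = "";
 
@@ -14,7 +14,7 @@
 if(!isset($edit))
 {
 if(isset($_REQUEST['edit']))
-$edit = $_REQUEST['edit'];
+$edit = intval($_REQUEST['edit']);
 else
 $edit = false;
 }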
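Review bot: `intval()` on line 17 maps any non-numeric `edit` value to `0` rather than leaving `$edit` as `false`, so "nothing to edit" now arrives in two shapes (`0` from a garbage id, `false` when the parameter is absent). Pages that test `$edit === false`, `empty($edit)` or `$edit < 0` (the copy links in membershiplevels.php pass `edit=-1` for a new item) may treat those cases differently; either is probably harmless, but it deserves a comment on line 17 such as `// intval(): a non-numeric id becomes 0, which callers must treat like "no edit"`. Line 5 is fine for a page slug that is only echoed or compared; if `$view` is ever used to select a file to include, a safelist of known page slugs would be the tighter check, which cannot be confirmed from this hunk.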
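--- a/adminpages/advancedsettings.php
+++ b/adminpages/advancedsettings.php
@@ -5,15 +5,29 @@
 die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
 }
 
-global $wpdb, $msg, $msgt;
+global $wpdb, $msg, $msgt, $allowedposttags;
 
+//check nonce for saving settings
+if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_advancedsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_advancedsettings_nonce'))) {
+$msg = -1;
+$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
+unset($_REQUEST['savesettings']);
+}
+
 //get/set settings
 if(!empty($_REQUEST['savesettings']))
 {
+//handle the text settings for better security handling
+$nonmembertext = wp_kses(wp_unslash($_POST['nonmembertext']), $allowedposttags);
+update_option('pmpro_nonmembertext', $nonmembertext);
+
+$notloggedintext = wp_kses(wp_unslash($_POST['notloggedintext']), $allowedposttags);
+update_option('pmpro_notloggedintext', $notloggedintext);
+
+$rsstext = wp_kses(wp_unslash($_POST['rsstext']), $allowedposttags);
+update_option('pmpro_rsstext', $rsstext);
+
 //other settings
-pmpro_setOption("nonmembertext");
-pmpro_setOption("notloggedintext");
-pmpro_setOption("rsstext");
 pmpro_setOption("filterqueries");
 pmpro_setOption("showexcerpts");
 pmpro_setOption("hideads");
@@ -88,6 +102,8 @@
 ?>
 
 <form action="" method="post" enctype="multipart/form-data">
+<?php wp_nonce_field('savesettings', 'pmpro_advancedsettings_nonce');?>
+
 <h2><?php _e('Advanced Settings', 'paid-memberships-pro' );?></h2>
 
 <table class="form-table">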
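Review bot: The `$msg = -1` / "Try again" branch on lines 12-14 is only reachable when the nonce field is absent, because `check_admin_referer()` calls `wp_nonce_ays()` and dies on an invalid nonce instead of returning false to this `||`. Use `wp_verify_nonce($_REQUEST['pmpro_advancedsettings_nonce'], 'savesettings')` if the friendly in-page message is intended, or drop the dead branch and rely on the die; the same pattern appears in emailsettings.php lines 14-18, discountcodes.php lines 32-36 and 278-282, membershiplevels.php lines 41-45 and orders.php lines 287-289. Lines 21, 24 and 27 read `$_POST['nonmembertext']` and friends without `isset()`, which raises a notice when a field is missing; guarding each with `if(isset($_POST['nonmembertext']))` keeps the old `pmpro_setOption()` behaviour. These three options now also bypass `pmpro_setOption()`, which this release extended with a `$sanitize_function` parameter; passing `'wp_kses_post'` there would keep the option-saving path uniform, provided that helper applies `wp_unslash` first (not visible here).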
adminpages/discountcodes.php
CHANGED
@@ -28,6 +28,13 @@
|
|
28 |
else
|
29 |
$s = "";
|
30 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
31 |
if($saveid)
|
32 |
{
|
33 |
//get vars
|
@@ -127,6 +134,8 @@
|
|
127 |
{
|
128 |
foreach($levels_a as $level_id)
|
129 |
{
|
|
|
|
|
130 |
//get the values ready
|
131 |
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
|
132 |
$initial_payment = sanitize_text_field($initial_payment_a[$n]);
|
@@ -253,18 +262,25 @@
|
|
253 |
if(!empty($level_errors))
|
254 |
{
|
255 |
$pmpro_msg = __("There were errors updating the level values: ", 'paid-memberships-pro' ) . implode(" ", $level_errors);
|
256 |
-
$pmpro_msgt = "error";
|
257 |
}
|
258 |
else
|
259 |
{
|
260 |
-
//all good. set edit =
|
261 |
-
$edit =
|
262 |
-
|
263 |
do_action("pmpro_save_discount_code", $saveid);
|
264 |
}
|
265 |
}
|
266 |
}
|
267 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
268 |
//are we deleting?
|
269 |
if(!empty($delete))
|
270 |
{
|
@@ -375,6 +391,7 @@
|
|
375 |
?>
|
376 |
<form action="" method="post">
|
377 |
<input name="saveid" type="hidden" value="<?php echo $edit?>" />
|
|
|
378 |
<table class="form-table">
|
379 |
<tbody>
|
380 |
<tr>
|
@@ -735,7 +752,7 @@
|
|
735 |
<a href="?page=pmpro-discountcodes&edit=<?php echo $code->id?>"><?php _e('edit', 'paid-memberships-pro' );?></a>
|
736 |
</td>
|
737 |
<td>
|
738 |
-
<a href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__('Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ), $code->code));?>', '?page=pmpro-discountcodes&delete
|
739 |
</td>
|
740 |
</tr>
|
741 |
<?php
|
28 |
else
|
29 |
$s = "";
|
30 |
|
31 |
+
//check nonce for saving codes
|
32 |
+
if (!empty($_REQUEST['saveid']) && (empty($_REQUEST['pmpro_discountcodes_nonce']) || !check_admin_referer('save', 'pmpro_discountcodes_nonce'))) {
|
33 |
+
$pmpro_msgt = 'error';
|
34 |
+
$pmpro_msg = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
35 |
+
$saveid = false;
|
36 |
+
}
|
37 |
+
|
38 |
if($saveid)
|
39 |
{
|
40 |
//get vars
|
134 |
{
|
135 |
foreach($levels_a as $level_id)
|
136 |
{
|
137 |
+
$level_id = intval($level_id); //sanitized
|
138 |
+
|
139 |
//get the values ready
|
140 |
$n = array_search($level_id, $all_levels_a); //this is the key location of this level's values
|
141 |
$initial_payment = sanitize_text_field($initial_payment_a[$n]);
|
262 |
if(!empty($level_errors))
|
263 |
{
|
264 |
$pmpro_msg = __("There were errors updating the level values: ", 'paid-memberships-pro' ) . implode(" ", $level_errors);
|
265 |
+
$pmpro_msgt = "error";
|
266 |
}
|
267 |
else
|
268 |
{
|
269 |
+
//all good. set edit = false so we go back to the overview page
|
270 |
+
$edit = false;
|
271 |
+
|
272 |
do_action("pmpro_save_discount_code", $saveid);
|
273 |
}
|
274 |
}
|
275 |
}
|
276 |
|
277 |
+
//check nonce for deleting codes
|
278 |
+
if (!empty($_REQUEST['delete']) && (empty($_REQUEST['pmpro_discountcodes_nonce']) || !check_admin_referer('delete', 'pmpro_discountcodes_nonce'))) {
|
279 |
+
$pmpro_msgt = 'error';
|
280 |
+
$pmpro_msg = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
281 |
+
$delete = false;
|
282 |
+
}
|
283 |
+
|
284 |
//are we deleting?
|
285 |
if(!empty($delete))
|
286 |
{
|
391 |
?>
|
392 |
<form action="" method="post">
|
393 |
<input name="saveid" type="hidden" value="<?php echo $edit?>" />
|
394 |
+
<?php wp_nonce_field('save', 'pmpro_discountcodes_nonce');?>
|
395 |
<table class="form-table">
|
396 |
<tbody>
|
397 |
<tr>
|
752 |
<a href="?page=pmpro-discountcodes&edit=<?php echo $code->id?>"><?php _e('edit', 'paid-memberships-pro' );?></a>
|
753 |
</td>
|
754 |
<td>
|
755 |
+
<a href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__('Are you sure you want to delete the %s discount code? The subscriptions for existing users will not change, but new users will not be able to use this code anymore.', 'paid-memberships-pro' ), $code->code));?>', '<?php echo wp_nonce_url(admin_url('admin.php?page=pmpro-discountcodes&delete=' . $code->id), 'delete', 'pmpro_discountcodes_nonce');?>'); void(0);"><?php _e('delete', 'paid-memberships-pro' );?></a>
|
756 |
</td>
|
757 |
</tr>
|
758 |
<?php
|
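Review bot: The delete link on line 755 still builds an inline `javascript:` href where only single quotes in the confirmation text are escaped by `str_replace("'", "\'", …)`; a `$code->code` containing `"`, `<` or a backslash breaks out of the attribute or the JS string, and the code value is stored content rather than a request parameter, so the new nonce does not cover it. Wrap the message with WordPress's escaper for this context, `esc_js( sprintf( __( '…', 'paid-memberships-pro' ), $code->code ) )`, in place of the hand-rolled replace. The hidden field on line 393 echoes `$edit` without `esc_attr()` while membershiplevels.php line 316 escapes the same value; after this commit `$edit` comes from `intval()` in admin_header.php so the exposure is contained, but `value="<?php echo esc_attr($edit); ?>"` keeps the two pages consistent if that source ever changes.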
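--- a/adminpages/emailsettings.php
+++ b/adminpages/emailsettings.php
@@ -9,6 +9,14 @@
 
 //get/set settings
 global $pmpro_pages;
+
+//check nonce for saving settings
+if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_emailsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_emailsettings_nonce'))) {
+$msg = -1;
+$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
+unset($_REQUEST['savesettings']);
+}
+
 if(!empty($_REQUEST['savesettings']))
 {
 //email options
@@ -66,6 +74,8 @@
 ?>
 
 <form action="" method="post" enctype="multipart/form-data">
+<?php wp_nonce_field('savesettings', 'pmpro_emailsettings_nonce');?>
+
 <h2><?php _e('Email Settings', 'paid-memberships-pro' );?></h2>
 <p><?php _e('By default, system generated emails are sent from <em><strong>wordpress@yourdomain.com</strong></em>. You can update this from address using the fields below.', 'paid-memberships-pro' );?></p>
 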
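Review bot: Lines 15-16 assign `$msg` and `$msgt`, but this file only declares `global $pmpro_pages;` on line 11, whereas advancedsettings.php declares `global $wpdb, $msg, $msgt` before the identical check; if this page is included from function scope the message set here never reaches the header that renders it. Add `global $msg, $msgt;` next to line 11, or confirm the include happens at file scope. The user-facing string on line 16 (and its copies in the other admin pages) reads "Are your sure you want to do that?"; it should be `"Are you sure you want to do that? Try again."` before translators pick it up.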
adminpages/membershiplevels.php
CHANGED
@@ -5,7 +5,7 @@
|
|
5 |
die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
|
6 |
}
|
7 |
|
8 |
-
global $wpdb, $msg, $msgt, $pmpro_currency_symbol;
|
9 |
|
10 |
//some vars
|
11 |
$gateway = pmpro_getOption("gateway");
|
@@ -37,31 +37,40 @@
|
|
37 |
if(isset($_REQUEST['deleteid']))
|
38 |
$deleteid = intval($_REQUEST['deleteid']);
|
39 |
|
40 |
-
|
41 |
-
|
42 |
-
$
|
43 |
-
$
|
44 |
-
$
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
45 |
if(!empty($_REQUEST['recurring']))
|
46 |
$ml_recurring = 1;
|
47 |
else
|
48 |
$ml_recurring = 0;
|
49 |
-
$ml_billing_amount =
|
50 |
-
$ml_cycle_number =
|
51 |
-
$ml_cycle_period =
|
52 |
-
$ml_billing_limit =
|
53 |
if(!empty($_REQUEST['custom_trial']))
|
54 |
$ml_custom_trial = 1;
|
55 |
else
|
56 |
$ml_custom_trial = 0;
|
57 |
-
$ml_trial_amount =
|
58 |
-
$ml_trial_limit =
|
59 |
if(!empty($_REQUEST['expiration']))
|
60 |
$ml_expiration = 1;
|
61 |
else
|
62 |
$ml_expiration = 0;
|
63 |
-
$ml_expiration_number =
|
64 |
-
$ml_expiration_period =
|
65 |
$ml_categories = array();
|
66 |
|
67 |
//reversing disable to allow here
|
@@ -306,6 +315,7 @@
|
|
306 |
<form action="" method="post" enctype="multipart/form-data">
|
307 |
<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
|
308 |
<input type="hidden" name="action" value="save_membershiplevel" />
|
|
|
309 |
<table class="form-table">
|
310 |
<tbody>
|
311 |
<tr>
|
@@ -683,7 +693,7 @@
|
|
683 |
</td>
|
684 |
<td><?php if($level->allow_signups) { ?><a href="<?php echo add_query_arg( 'level', $level->id, pmpro_url("checkout") );?>"><?php _e('Yes', 'paid-memberships-pro' );?></a><?php } else { ?><?php _e('No', 'paid-memberships-pro' );?><?php } ?></td>
|
685 |
|
686 |
-
<td><a title="<?php _e('edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url('admin.php' ) ); ?>" class="button-primary"><?php _e('edit', 'paid-memberships-pro' ); ?></a> <a title="<?php _e('copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => -1, 'copy' => $level->id ), admin_url( 'admin.php' ) ); ?>" class="button-secondary"><?php _e('copy', 'paid-memberships-pro' ); ?></a> <a title="<?php _e('delete', 'paid-memberships-pro' ); ?>" href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__("Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name));?>', '<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'action' => 'delete_membership_level', 'deleteid' => $level->id ), admin_url( 'admin.php' ) ); ?>'); void(0);" class="button-secondary"><?php _e('delete', 'paid-memberships-pro' ); ?></a></td>
|
687 |
</tr>
|
688 |
<?php
|
689 |
}
|
5 |
die(__("You do not have permissions to perform this action.", 'paid-memberships-pro' ));
|
6 |
}
|
7 |
|
8 |
+
global $wpdb, $msg, $msgt, $pmpro_currency_symbol, $allowedposttags;
|
9 |
|
10 |
//some vars
|
11 |
$gateway = pmpro_getOption("gateway");
|
37 |
if(isset($_REQUEST['deleteid']))
|
38 |
$deleteid = intval($_REQUEST['deleteid']);
|
39 |
|
40 |
+
//check nonce
|
41 |
+
if(!empty($action) && (empty($_REQUEST['pmpro_membershiplevels_nonce']) || !check_admin_referer($action, 'pmpro_membershiplevels_nonce'))) {
|
42 |
+
$msg = -1;
|
43 |
+
$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
44 |
+
$action = false;
|
45 |
+
}
|
46 |
+
|
47 |
+
if($action == "save_membershiplevel") {
|
48 |
+
|
49 |
+
$ml_name = wp_kses(wp_unslash($_REQUEST['name']), $allowedposttags);
|
50 |
+
$ml_description = wp_kses(wp_unslash($_REQUEST['description']), $allowedposttags);
|
51 |
+
$ml_confirmation = wp_kses(wp_unslash($_REQUEST['confirmation']), $allowedposttags);
|
52 |
+
|
53 |
+
$ml_initial_payment = sanitize_text_field($_REQUEST['initial_payment']);
|
54 |
if(!empty($_REQUEST['recurring']))
|
55 |
$ml_recurring = 1;
|
56 |
else
|
57 |
$ml_recurring = 0;
|
58 |
+
$ml_billing_amount = sanitize_text_field($_REQUEST['billing_amount']);
|
59 |
+
$ml_cycle_number = intval($_REQUEST['cycle_number']);
|
60 |
+
$ml_cycle_period = sanitize_text_field($_REQUEST['cycle_period']);
|
61 |
+
$ml_billing_limit = intval($_REQUEST['billing_limit']);
|
62 |
if(!empty($_REQUEST['custom_trial']))
|
63 |
$ml_custom_trial = 1;
|
64 |
else
|
65 |
$ml_custom_trial = 0;
|
66 |
+
$ml_trial_amount = sanitize_text_field($_REQUEST['trial_amount']);
|
67 |
+
$ml_trial_limit = intval($_REQUEST['trial_limit']);
|
68 |
if(!empty($_REQUEST['expiration']))
|
69 |
$ml_expiration = 1;
|
70 |
else
|
71 |
$ml_expiration = 0;
|
72 |
+
$ml_expiration_number = intval($_REQUEST['expiration_number']);
|
73 |
+
$ml_expiration_period = sanitize_text_field($_REQUEST['expiration_period']);
|
74 |
$ml_categories = array();
|
75 |
|
76 |
//reversing disable to allow here
|
315 |
<form action="" method="post" enctype="multipart/form-data">
|
316 |
<input name="saveid" type="hidden" value="<?php echo esc_attr($edit); ?>" />
|
317 |
<input type="hidden" name="action" value="save_membershiplevel" />
|
318 |
+
<?php wp_nonce_field('save_membershiplevel', 'pmpro_membershiplevels_nonce'); ?>
|
319 |
<table class="form-table">
|
320 |
<tbody>
|
321 |
<tr>
|
693 |
</td>
|
694 |
<td><?php if($level->allow_signups) { ?><a href="<?php echo add_query_arg( 'level', $level->id, pmpro_url("checkout") );?>"><?php _e('Yes', 'paid-memberships-pro' );?></a><?php } else { ?><?php _e('No', 'paid-memberships-pro' );?><?php } ?></td>
|
695 |
|
696 |
+
<td><a title="<?php _e('edit', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => $level->id ), admin_url('admin.php' ) ); ?>" class="button-primary"><?php _e('edit', 'paid-memberships-pro' ); ?></a> <a title="<?php _e('copy', 'paid-memberships-pro' ); ?>" href="<?php echo add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'edit' => -1, 'copy' => $level->id ), admin_url( 'admin.php' ) ); ?>" class="button-secondary"><?php _e('copy', 'paid-memberships-pro' ); ?></a> <a title="<?php _e('delete', 'paid-memberships-pro' ); ?>" href="javascript:askfirst('<?php echo str_replace("'", "\'", sprintf(__("Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name));?>', '<?php echo wp_nonce_url(add_query_arg( array( 'page' => 'pmpro-membershiplevels', 'action' => 'delete_membership_level', 'deleteid' => $level->id ), admin_url( 'admin.php' ) ), 'delete_membership_level', 'pmpro_membershiplevels_nonce'); ?>'); void(0);" class="button-secondary"><?php _e('delete', 'paid-memberships-pro' ); ?></a></td>
|
697 |
</tr>
|
698 |
<?php
|
699 |
}
|
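Review bot: The delete link on line 696 interpolates `$level->name` into an inline `javascript:` href with only single quotes escaped, and line 49 now stores the name through `wp_kses()` with `$allowedposttags`, so a name containing `"`, `<` or a backslash breaks the attribute or the JS string; replace the `str_replace("'", "\'", sprintf(…))` with `esc_js( sprintf( __( "Are you sure you want to delete membership level %s? All subscriptions will be cancelled.", 'paid-memberships-pro' ), $level->name ) )`, which is the WordPress escaper for exactly this context. Lines 49-73 read `$_REQUEST['name']`, `$_REQUEST['cycle_period']` and the rest without `isset()`, so a partial POST raises notices before validation runs. `cycle_period` (line 60) and `expiration_period` (line 73) take a fixed set of period names, which makes them candidates for the `pmpro_sanitize_with_safelist()` helper this release adds rather than `sanitize_text_field()`; the accepted set is not visible in this hunk, so confirm it against the form options. The `if($action == "save_membershiplevel")` block opened on line 47 closes outside the hunk.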
adminpages/orders.php
CHANGED
@@ -140,7 +140,7 @@ if ( empty( $filter ) || $filter === "all" ) {
|
|
140 |
//emailing?
|
141 |
if ( ! empty( $_REQUEST['email'] ) && ! empty( $_REQUEST['order'] ) ) {
|
142 |
$email = new PMProEmail();
|
143 |
-
$user = get_user_by( 'email', $_REQUEST['email'] );
|
144 |
$order = new MemberOrder( $_REQUEST['order'] );
|
145 |
if ( $email->sendBillableInvoiceEmail( $user, $order ) ) {
|
146 |
$pmpro_msg = __( "Invoice emailed successfully.", 'paid-memberships-pro' );
|
@@ -176,6 +176,11 @@ $read_only_fields = apply_filters( "pmpro_orders_read_only_fields", array(
|
|
176 |
"subscription_transaction_id"
|
177 |
) );
|
178 |
|
|
|
|
|
|
|
|
|
|
|
179 |
//saving?
|
180 |
if ( ! empty( $_REQUEST['save'] ) ) {
|
181 |
//start with old order if applicable
|
@@ -189,7 +194,7 @@ if ( ! empty( $_REQUEST['save'] ) ) {
|
|
189 |
|
190 |
//update values
|
191 |
if ( ! in_array( "code", $read_only_fields ) && isset( $_POST['code'] ) ) {
|
192 |
-
$order->code = $_POST['code'];
|
193 |
}
|
194 |
if ( ! in_array( "user_id", $read_only_fields ) && isset( $_POST['user_id'] ) ) {
|
195 |
$order->user_id = intval( $_POST['user_id'] );
|
@@ -198,90 +203,95 @@ if ( ! empty( $_REQUEST['save'] ) ) {
|
|
198 |
$order->membership_id = intval( $_POST['membership_id'] );
|
199 |
}
|
200 |
if ( ! in_array( "billing_name", $read_only_fields ) && isset( $_POST['billing_name'] ) ) {
|
201 |
-
$order->billing->name =
|
202 |
}
|
203 |
if ( ! in_array( "billing_street", $read_only_fields ) && isset( $_POST['billing_street'] ) ) {
|
204 |
-
$order->billing->street =
|
205 |
}
|
206 |
if ( ! in_array( "billing_city", $read_only_fields ) && isset( $_POST['billing_city'] ) ) {
|
207 |
-
$order->billing->city =
|
208 |
}
|
209 |
if ( ! in_array( "billing_state", $read_only_fields ) && isset( $_POST['billing_state'] ) ) {
|
210 |
-
$order->billing->state =
|
211 |
}
|
212 |
if ( ! in_array( "billing_zip", $read_only_fields ) && isset( $_POST['billing_zip'] ) ) {
|
213 |
-
$order->billing->zip = $_POST['billing_zip'];
|
214 |
}
|
215 |
if ( ! in_array( "billing_country", $read_only_fields ) && isset( $_POST['billing_country'] ) ) {
|
216 |
-
$order->billing->country =
|
217 |
}
|
218 |
if ( ! in_array( "billing_phone", $read_only_fields ) && isset( $_POST['billing_phone'] ) ) {
|
219 |
-
$order->billing->phone = $_POST['billing_phone'];
|
220 |
}
|
221 |
if ( ! in_array( "subtotal", $read_only_fields ) && isset( $_POST['subtotal'] ) ) {
|
222 |
-
$order->subtotal = $_POST['subtotal'];
|
223 |
}
|
224 |
if ( ! in_array( "tax", $read_only_fields ) && isset( $_POST['tax'] ) ) {
|
225 |
-
$order->tax = $_POST['tax'];
|
226 |
}
|
227 |
if ( ! in_array( "couponamount", $read_only_fields ) && isset( $_POST['couponamount'] ) ) {
|
228 |
-
$order->couponamount = $_POST['couponamount'];
|
229 |
}
|
230 |
if ( ! in_array( "total", $read_only_fields ) && isset( $_POST['total'] ) ) {
|
231 |
-
$order->total = $_POST['total'];
|
232 |
}
|
233 |
if ( ! in_array( "payment_type", $read_only_fields ) && isset( $_POST['payment_type'] ) ) {
|
234 |
-
$order->payment_type = $_POST['payment_type'];
|
235 |
}
|
236 |
if ( ! in_array( "cardtype", $read_only_fields ) && isset( $_POST['cardtype'] ) ) {
|
237 |
-
$order->cardtype = $_POST['cardtype'];
|
238 |
}
|
239 |
if ( ! in_array( "accountnumber", $read_only_fields ) && isset( $_POST['accountnumber'] ) ) {
|
240 |
-
$order->accountnumber = $_POST['accountnumber'];
|
241 |
}
|
242 |
if ( ! in_array( "expirationmonth", $read_only_fields ) && isset( $_POST['expirationmonth'] ) ) {
|
243 |
-
$order->expirationmonth = $_POST['expirationmonth'];
|
244 |
}
|
245 |
if ( ! in_array( "expirationyear", $read_only_fields ) && isset( $_POST['expirationyear'] ) ) {
|
246 |
-
$order->expirationyear = $_POST['expirationyear'];
|
247 |
-
}
|
248 |
-
if ( ! in_array( "ExpirationDate", $read_only_fields ) && isset( $_POST['ExpirationDate'] ) ) {
|
249 |
-
$order->ExpirationDate = $order->expirationmonth . $order->expirationyear;
|
250 |
}
|
|
|
251 |
if ( ! in_array( "status", $read_only_fields ) && isset( $_POST['status'] ) ) {
|
252 |
-
$order->status =
|
253 |
}
|
254 |
if ( ! in_array( "gateway", $read_only_fields ) && isset( $_POST['gateway'] ) ) {
|
255 |
-
$order->gateway = $_POST['gateway'];
|
256 |
}
|
257 |
if ( ! in_array( "gateway_environment", $read_only_fields ) && isset( $_POST['gateway_environment'] ) ) {
|
258 |
-
$order->gateway_environment = $_POST['gateway_environment'];
|
259 |
}
|
260 |
if ( ! in_array( "payment_transaction_id", $read_only_fields ) && isset( $_POST['payment_transaction_id'] ) ) {
|
261 |
-
$order->payment_transaction_id = $_POST['payment_transaction_id'];
|
262 |
}
|
263 |
if ( ! in_array( "subscription_transaction_id", $read_only_fields ) && isset( $_POST['subscription_transaction_id'] ) ) {
|
264 |
-
$order->subscription_transaction_id = $_POST['subscription_transaction_id'];
|
265 |
}
|
266 |
if ( ! in_array( "notes", $read_only_fields ) && isset( $_POST['notes'] ) ) {
|
267 |
-
|
|
|
268 |
}
|
269 |
|
270 |
//affiliate stuff
|
271 |
$affiliates = apply_filters( "pmpro_orders_show_affiliate_ids", false );
|
272 |
if ( ! empty( $affiliates ) ) {
|
273 |
if ( ! in_array( "affiliate_id", $read_only_fields ) ) {
|
274 |
-
$order->affiliate_id = $_POST['affiliate_id'];
|
275 |
}
|
276 |
if ( ! in_array( "affiliate_subid", $read_only_fields ) ) {
|
277 |
-
$order->affiliate_subid = $_POST['affiliate_subid'];
|
278 |
}
|
279 |
}
|
280 |
|
|
|
|
|
|
|
|
|
|
|
|
|
281 |
//save
|
282 |
-
if ( $order->saveOrder() !== false ) {
|
283 |
//handle timestamp
|
284 |
-
if ( $order->updateTimestamp( $_POST['ts_year'], $_POST['ts_month'], $_POST['ts_day'] ) !== false ) {
|
285 |
$pmpro_msg = __( "Order saved successfully.", 'paid-memberships-pro' );
|
286 |
$pmpro_msgt = "success";
|
287 |
} else {
|
@@ -364,6 +374,7 @@ require_once( dirname( __FILE__ ) . "/admin_header.php" );
|
|
364 |
<?php } ?>
|
365 |
|
366 |
<form method="post" action="">
|
|
|
367 |
|
368 |
<table class="form-table">
|
369 |
<tbody>
|
@@ -944,13 +955,8 @@ require_once( dirname( __FILE__ ) . "/admin_header.php" );
|
|
944 |
|
945 |
</select>
|
946 |
|
947 |
-
<?php
|
948 |
-
|
949 |
-
$default_statuses = array( "", "success", "cancelled", "review", "token", "refunded" );
|
950 |
-
$used_statuses = $wpdb->get_col( "SELECT DISTINCT(status) FROM $wpdb->pmpro_membership_orders" );
|
951 |
-
$statuses = array_unique( array_merge( $default_statuses, $used_statuses ) );
|
952 |
-
asort( $statuses );
|
953 |
-
$statuses = apply_filters( "pmpro_order_statuses", $statuses );
|
954 |
?>
|
955 |
<select id="status" name="status">
|
956 |
<?php foreach ( $statuses as $the_status ) { ?>
|
140 |
//emailing?
|
141 |
if ( ! empty( $_REQUEST['email'] ) && ! empty( $_REQUEST['order'] ) ) {
|
142 |
$email = new PMProEmail();
|
143 |
+
$user = get_user_by( 'email', sanitize_email($_REQUEST['email']) );
|
144 |
$order = new MemberOrder( $_REQUEST['order'] );
|
145 |
if ( $email->sendBillableInvoiceEmail( $user, $order ) ) {
|
146 |
$pmpro_msg = __( "Invoice emailed successfully.", 'paid-memberships-pro' );
|
176 |
"subscription_transaction_id"
|
177 |
) );
|
178 |
|
179 |
+
//if this is a new order or copy of one, let's make all fields editable
|
180 |
+
if( ! empty( $_REQUEST['order'] ) && $_REQUEST['order'] < 0 ) {
|
181 |
+
$read_only_fields = array();
|
182 |
+
}
|
183 |
+
|
184 |
//saving?
|
185 |
if ( ! empty( $_REQUEST['save'] ) ) {
|
186 |
//start with old order if applicable
|
194 |
|
195 |
//update values
|
196 |
if ( ! in_array( "code", $read_only_fields ) && isset( $_POST['code'] ) ) {
|
197 |
+
$order->code = sanitize_text_field( $_POST['code'] );
|
198 |
}
|
199 |
if ( ! in_array( "user_id", $read_only_fields ) && isset( $_POST['user_id'] ) ) {
|
200 |
$order->user_id = intval( $_POST['user_id'] );
|
203 |
$order->membership_id = intval( $_POST['membership_id'] );
|
204 |
}
|
205 |
if ( ! in_array( "billing_name", $read_only_fields ) && isset( $_POST['billing_name'] ) ) {
|
206 |
+
$order->billing->name = sanitize_text_field(wp_unslash( $_POST['billing_name'] ));
|
207 |
}
|
208 |
if ( ! in_array( "billing_street", $read_only_fields ) && isset( $_POST['billing_street'] ) ) {
|
209 |
+
$order->billing->street = sanitize_text_field(wp_unslash( $_POST['billing_street'] ));
|
210 |
}
|
211 |
if ( ! in_array( "billing_city", $read_only_fields ) && isset( $_POST['billing_city'] ) ) {
|
212 |
+
$order->billing->city = sanitize_text_field(wp_unslash( $_POST['billing_city'] ));
|
213 |
}
|
214 |
if ( ! in_array( "billing_state", $read_only_fields ) && isset( $_POST['billing_state'] ) ) {
|
215 |
+
$order->billing->state = sanitize_text_field(wp_unslash( $_POST['billing_state'] ));
|
216 |
}
|
217 |
if ( ! in_array( "billing_zip", $read_only_fields ) && isset( $_POST['billing_zip'] ) ) {
|
218 |
+
$order->billing->zip = sanitize_text_field( $_POST['billing_zip'] );
|
219 |
}
|
220 |
if ( ! in_array( "billing_country", $read_only_fields ) && isset( $_POST['billing_country'] ) ) {
|
221 |
+
$order->billing->country = sanitize_text_field(wp_unslash( $_POST['billing_country'] ));
|
222 |
}
|
223 |
if ( ! in_array( "billing_phone", $read_only_fields ) && isset( $_POST['billing_phone'] ) ) {
|
224 |
+
$order->billing->phone = sanitize_text_field( $_POST['billing_phone'] );
|
225 |
}
|
226 |
if ( ! in_array( "subtotal", $read_only_fields ) && isset( $_POST['subtotal'] ) ) {
|
227 |
+
$order->subtotal = sanitize_text_field( $_POST['subtotal'] );
|
228 |
}
|
229 |
if ( ! in_array( "tax", $read_only_fields ) && isset( $_POST['tax'] ) ) {
|
230 |
+
$order->tax = sanitize_text_field( $_POST['tax'] );
|
231 |
}
|
232 |
if ( ! in_array( "couponamount", $read_only_fields ) && isset( $_POST['couponamount'] ) ) {
|
233 |
+
$order->couponamount = sanitize_text_field( $_POST['couponamount'] );
|
234 |
}
|
235 |
if ( ! in_array( "total", $read_only_fields ) && isset( $_POST['total'] ) ) {
|
236 |
+
$order->total = sanitize_text_field( $_POST['total'] );
|
237 |
}
|
238 |
if ( ! in_array( "payment_type", $read_only_fields ) && isset( $_POST['payment_type'] ) ) {
|
239 |
+
$order->payment_type = sanitize_text_field( $_POST['payment_type'] );
|
240 |
}
|
241 |
if ( ! in_array( "cardtype", $read_only_fields ) && isset( $_POST['cardtype'] ) ) {
|
242 |
+
$order->cardtype = sanitize_text_field( $_POST['cardtype'] );
|
243 |
}
|
244 |
if ( ! in_array( "accountnumber", $read_only_fields ) && isset( $_POST['accountnumber'] ) ) {
|
245 |
+
$order->accountnumber = sanitize_text_field( $_POST['accountnumber'] );
|
246 |
}
|
247 |
if ( ! in_array( "expirationmonth", $read_only_fields ) && isset( $_POST['expirationmonth'] ) ) {
|
248 |
+
$order->expirationmonth = sanitize_text_field( $_POST['expirationmonth'] );
|
249 |
}
|
250 |
if ( ! in_array( "expirationyear", $read_only_fields ) && isset( $_POST['expirationyear'] ) ) {
|
251 |
+
$order->expirationyear = sanitize_text_field( $_POST['expirationyear'] );
|
|
|
|
|
|
|
252 |
}
|
253 |
+
|
254 |
if ( ! in_array( "status", $read_only_fields ) && isset( $_POST['status'] ) ) {
|
255 |
+
$order->status = pmpro_sanitize_with_safelist( $_POST['status'], pmpro_getOrderStatuses() );
|
256 |
}
|
257 |
if ( ! in_array( "gateway", $read_only_fields ) && isset( $_POST['gateway'] ) ) {
|
258 |
+
$order->gateway = sanitize_text_field( $_POST['gateway'] );
|
259 |
}
|
260 |
if ( ! in_array( "gateway_environment", $read_only_fields ) && isset( $_POST['gateway_environment'] ) ) {
|
261 |
+
$order->gateway_environment = sanitize_text_field( $_POST['gateway_environment'] );
|
262 |
}
|
263 |
if ( ! in_array( "payment_transaction_id", $read_only_fields ) && isset( $_POST['payment_transaction_id'] ) ) {
|
264 |
+
$order->payment_transaction_id = sanitize_text_field( $_POST['payment_transaction_id'] );
|
265 |
}
|
266 |
if ( ! in_array( "subscription_transaction_id", $read_only_fields ) && isset( $_POST['subscription_transaction_id'] ) ) {
|
267 |
+
$order->subscription_transaction_id = sanitize_text_field( $_POST['subscription_transaction_id'] );
|
268 |
}
|
269 |
if ( ! in_array( "notes", $read_only_fields ) && isset( $_POST['notes'] ) ) {
|
270 |
+
global $allowedposttags;
|
271 |
+
$order->notes = wp_kses(wp_unslash($_REQUEST['notes']), $allowedposttags);
|
272 |
}
|
273 |
|
274 |
//affiliate stuff
|
275 |
$affiliates = apply_filters( "pmpro_orders_show_affiliate_ids", false );
|
276 |
if ( ! empty( $affiliates ) ) {
|
277 |
if ( ! in_array( "affiliate_id", $read_only_fields ) ) {
|
278 |
+
$order->affiliate_id = sanitize_text_field( $_POST['affiliate_id'] );
|
279 |
}
|
280 |
if ( ! in_array( "affiliate_subid", $read_only_fields ) ) {
|
281 |
+
$order->affiliate_subid = sanitize_text_field( $_POST['affiliate_subid'] );
|
282 |
}
|
283 |
}
|
284 |
|
285 |
+
//check nonce for saving
|
286 |
+
$nonceokay = true;
|
287 |
+
if (empty($_REQUEST['pmpro_orders_nonce']) || !check_admin_referer('save', 'pmpro_orders_nonce')) {
|
288 |
+
$nonceokay = false;
|
289 |
+
}
|
290 |
+
|
291 |
//save
|
292 |
+
if ( $order->saveOrder() !== false && $nonceokay) {
|
293 |
//handle timestamp
|
294 |
+
if ( $order->updateTimestamp( intval($_POST['ts_year']), intval($_POST['ts_month']), intval($_POST['ts_day']) ) !== false ) {
|
295 |
$pmpro_msg = __( "Order saved successfully.", 'paid-memberships-pro' );
|
296 |
$pmpro_msgt = "success";
|
297 |
} else {
|
374 |
<?php } ?>
|
375 |
|
376 |
<form method="post" action="">
|
377 |
+
<?php wp_nonce_field('save', 'pmpro_orders_nonce');?>
|
378 |
|
379 |
<table class="form-table">
|
380 |
<tbody>
|
955 |
|
956 |
</select>
|
957 |
|
958 |
+
<?php
|
959 |
+
$statuses = pmpro_getOrderStatuses();
960 |
?>
|
961 |
<select id="status" name="status">
|
962 |
<?php foreach ( $statuses as $the_status ) { ?>
|
adminpages/pagesettings.php
CHANGED
@@ -23,15 +23,22 @@ global $pmpro_pages;
23 |
$extra_pages = apply_filters('pmpro_extra_page_settings', array());
|
24 |
$post_types = apply_filters('pmpro_admin_pagesetting_post_type_array', array( 'page' ) );
|
25 |
26 |
if (!empty($_REQUEST['savesettings'])) {
|
27 |
//page ids
|
28 |
-
pmpro_setOption("account_page_id");
|
29 |
-
pmpro_setOption("billing_page_id");
|
30 |
-
pmpro_setOption("cancel_page_id");
|
31 |
-
pmpro_setOption("checkout_page_id");
|
32 |
-
pmpro_setOption("confirmation_page_id");
|
33 |
-
pmpro_setOption("invoice_page_id");
|
34 |
-
pmpro_setOption("levels_page_id");
|
35 |
|
36 |
//update the pages array
|
37 |
$pmpro_pages["account"] = pmpro_getOption("account_page_id");
|
@@ -45,7 +52,7 @@ if (!empty($_REQUEST['savesettings'])) {
45 |
//save additional pages
|
46 |
if (!empty($extra_pages)) {
|
47 |
foreach ($extra_pages as $name => $label) {
|
48 |
-
pmpro_setOption($name . '_page_id');
|
49 |
$pmpro_pages[$name] = pmpro_getOption($name . '_page_id');
|
50 |
}
|
51 |
}
|
@@ -55,6 +62,13 @@ if (!empty($_REQUEST['savesettings'])) {
55 |
$msgt = __("Your page settings have been updated.", 'paid-memberships-pro' );
|
56 |
}
|
57 |
58 |
//are we generating pages?
|
59 |
if (!empty($_REQUEST['createpages'])) {
|
60 |
|
@@ -72,7 +86,7 @@ if (!empty($_REQUEST['createpages'])) {
72 |
|
73 |
} else {
|
74 |
//generate extra pages one at a time
|
75 |
-
$pmpro_page_name = $_REQUEST['page_name'];
|
76 |
$pmpro_page_id = $pmpro_pages[$pmpro_page_name];
|
77 |
$pages[$pmpro_page_name] = $extra_pages[$pmpro_page_name];
|
78 |
}
|
@@ -89,8 +103,9 @@ require_once(dirname(__FILE__) . "/admin_header.php");
89 |
?>
|
90 |
|
91 |
|
92 |
-
<form action="" method="post" enctype="multipart/form-data">
|
93 |
-
94 |
<?php
|
95 |
global $pmpro_pages_ready;
|
96 |
if ($pmpro_pages_ready) {
|
@@ -100,7 +115,7 @@ require_once(dirname(__FILE__) . "/admin_header.php");
100 |
} else {
|
101 |
?>
|
102 |
<p><?php _e('Assign the WordPress pages for each required Paid Memberships Pro page or', 'paid-memberships-pro' ); ?> <a
|
103 |
-
href="?page=pmpro-pagesettings&createpages=1"><?php _e('click here to let us generate them for you', 'paid-memberships-pro' ); ?></a>.
|
104 |
</p>
|
105 |
<?php
|
106 |
}
|
23 |
$extra_pages = apply_filters('pmpro_extra_page_settings', array());
|
24 |
$post_types = apply_filters('pmpro_admin_pagesetting_post_type_array', array( 'page' ) );
|
25 |
|
26 |
+
//check nonce for saving settings
|
27 |
+
if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_pagesettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_pagesettings_nonce'))) {
|
28 |
+
$msg = -1;
|
29 |
+
$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
30 |
+
unset($_REQUEST['savesettings']);
|
31 |
+
}
|
32 |
+
|
33 |
if (!empty($_REQUEST['savesettings'])) {
|
34 |
//page ids
|
35 |
+
pmpro_setOption("account_page_id", NULL, 'intval');
|
36 |
+
pmpro_setOption("billing_page_id", NULL, 'intval');
|
37 |
+
pmpro_setOption("cancel_page_id", NULL, 'intval');
|
38 |
+
pmpro_setOption("checkout_page_id", NULL, 'intval');
|
39 |
+
pmpro_setOption("confirmation_page_id", NULL, 'intval');
|
40 |
+
pmpro_setOption("invoice_page_id", NULL, 'intval');
|
41 |
+
pmpro_setOption("levels_page_id", NULL, 'intval');
|
42 |
|
43 |
//update the pages array
|
44 |
$pmpro_pages["account"] = pmpro_getOption("account_page_id");
|
52 |
//save additional pages
|
53 |
if (!empty($extra_pages)) {
|
54 |
foreach ($extra_pages as $name => $label) {
|
55 |
+
pmpro_setOption($name . '_page_id', NULL, 'intval');
|
56 |
$pmpro_pages[$name] = pmpro_getOption($name . '_page_id');
|
57 |
}
|
58 |
}
|
62 |
$msgt = __("Your page settings have been updated.", 'paid-memberships-pro' );
|
63 |
}
|
64 |
|
65 |
+
//check nonce for generating pages
|
66 |
+
if (!empty($_REQUEST['createpages']) && (empty($_REQUEST['pmpro_pagesettings_nonce']) || !check_admin_referer('createpages', 'pmpro_pagesettings_nonce'))) {
|
67 |
+
$msg = -1;
|
68 |
+
$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
69 |
+
unset($_REQUEST['createpages']);
|
70 |
+
}
|
71 |
+
|
72 |
//are we generating pages?
|
73 |
if (!empty($_REQUEST['createpages'])) {
|
74 |
|
86 |
|
87 |
} else {
|
88 |
//generate extra pages one at a time
|
89 |
+
$pmpro_page_name = sanitize_text_field($_REQUEST['page_name']);
|
90 |
$pmpro_page_id = $pmpro_pages[$pmpro_page_name];
|
91 |
$pages[$pmpro_page_name] = $extra_pages[$pmpro_page_name];
|
92 |
}
|
103 |
?>
|
104 |
|
105 |
|
106 |
+
<form action="<?php echo admin_url('admin.php?page=pmpro-pagesettings');?>" method="post" enctype="multipart/form-data">
|
107 |
+
<?php wp_nonce_field('savesettings', 'pmpro_pagesettings_nonce');?>
|
108 |
+
<h2><?php _e('Pages', 'paid-memberships-pro' ); ?></h2>
|
109 |
<?php
|
110 |
global $pmpro_pages_ready;
|
111 |
if ($pmpro_pages_ready) {
|
115 |
} else {
|
116 |
?>
|
117 |
<p><?php _e('Assign the WordPress pages for each required Paid Memberships Pro page or', 'paid-memberships-pro' ); ?> <a
|
118 |
+
href="<?php echo wp_nonce_url(admin_url('admin.php?page=pmpro-pagesettings&createpages=1'), 'createpages', 'pmpro_pagesettings_nonce');?>"><?php _e('click here to let us generate them for you', 'paid-memberships-pro' ); ?></a>.
|
119 |
</p>
|
120 |
<?php
|
121 |
}
|
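Review bot: `check_admin_referer()` dies with the "Are you sure?" screen when the nonce is invalid, so the soft-failure branch at new lines 27–31 (and 66–70) only runs when `pmpro_pagesettings_nonce` is absent from the request entirely; the same construction is used in adminpages/paymentsettings.php and adminpages/orders.php. If the `$msg = -1` fallback is the intended behaviour, test with `!wp_verify_nonce($_REQUEST['pmpro_pagesettings_nonce'], 'savesettings')` instead; otherwise the fallback lines are dead and can go. At line 89 the sanitized `page_name` is used as a key into `$pmpro_pages` and `$extra_pages` without checking that it is a registered extra page, so an unknown name produces undefined-index notices and a null entry in `$pages`; guard with `if (!isset($extra_pages[$pmpro_page_name])) { ... }` before those lookups and skip generation otherwise. The new user-facing string also has a typo: "Are your sure" should read "Are you sure" (repeated in the other files).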
adminpages/paymentsettings.php
CHANGED
@@ -13,14 +13,29 @@
13 |
//define options
|
14 |
$payment_options = array_unique(apply_filters("pmpro_payment_options", array('gateway')));
|
15 |
16 |
//get/set settings
|
17 |
if(!empty($_REQUEST['savesettings']))
|
18 |
{
|
19 |
/*
|
20 |
Save any value that might have been passed in
|
21 |
*/
|
22 |
-
foreach($payment_options as $option)
|
23 |
-
24 |
|
25 |
/*
|
26 |
Some special case options still worked out here
|
@@ -90,6 +105,8 @@
90 |
?>
|
91 |
|
92 |
<form action="" method="post" enctype="multipart/form-data">
93 |
<h2><?php _e('Payment Gateway', 'paid-memberships-pro' );?> & <?php _e('SSL Settings', 'paid-memberships-pro' );?></h2>
|
94 |
|
95 |
<p><?php _e('Learn more about <a title="Paid Memberships Pro - SSL Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/ssl/">SSL</a> or <a title="Paid Memberships Pro - Payment Gateway Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/payment-gateway/">Payment Gateway Settings</a>.', 'paid-memberships-pro' ); ?></p>
|
13 |
//define options
|
14 |
$payment_options = array_unique(apply_filters("pmpro_payment_options", array('gateway')));
|
15 |
|
16 |
+
//check nonce for saving settings
|
17 |
+
if (!empty($_REQUEST['savesettings']) && (empty($_REQUEST['pmpro_paymentsettings_nonce']) || !check_admin_referer('savesettings', 'pmpro_paymentsettings_nonce'))) {
|
18 |
+
$msg = -1;
|
19 |
+
$msgt = __("Are your sure you want to do that? Try again.", 'paid-memberships-pro' );
|
20 |
+
unset($_REQUEST['savesettings']);
|
21 |
+
}
|
22 |
+
|
23 |
//get/set settings
|
24 |
if(!empty($_REQUEST['savesettings']))
|
25 |
{
|
26 |
/*
|
27 |
Save any value that might have been passed in
|
28 |
*/
|
29 |
+
foreach($payment_options as $option) {
|
30 |
+
//for now we make a special case for sslseal, but we need a way to specify sanitize functions for other fields
|
31 |
+
if($option == 'sslseal') {
|
32 |
+
global $allowedposttags;
|
33 |
+
$sslseal = wp_kses(wp_unslash($_POST['sslseal']), $allowedposttags);
|
34 |
+
update_option('pmpro_sslseal', $sslseal);
|
35 |
+
} else {
|
36 |
+
pmpro_setOption($option);
|
37 |
+
}
|
38 |
+
}
|
39 |
|
40 |
/*
|
41 |
Some special case options still worked out here
|
105 |
?>
|
106 |
|
107 |
<form action="" method="post" enctype="multipart/form-data">
|
108 |
+
<?php wp_nonce_field('savesettings', 'pmpro_paymentsettings_nonce');?>
|
109 |
+
|
110 |
<h2><?php _e('Payment Gateway', 'paid-memberships-pro' );?> & <?php _e('SSL Settings', 'paid-memberships-pro' );?></h2>
|
111 |
|
112 |
<p><?php _e('Learn more about <a title="Paid Memberships Pro - SSL Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/ssl/">SSL</a> or <a title="Paid Memberships Pro - Payment Gateway Settings" target="_blank" href="http://www.paidmembershipspro.com/support/initial-plugin-setup/payment-gateway/">Payment Gateway Settings</a>.', 'paid-memberships-pro' ); ?></p>
|
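Review bot: `$_POST['sslseal']` is read without an `isset()` check at new line 33, so when `sslseal` is in `$payment_options` but not part of the submitted form this raises a notice and `wp_kses('')` overwrites the stored seal with an empty string, whereas the `pmpro_setOption()` path it replaces appears (functions.php line 99 in this diff) to write only when the key is actually posted. Wrap lines 32–34 in `if (isset($_POST['sslseal'])) { ... }`, or let the missing case fall through to the `else` branch. The comment at line 30 is also stale now: `pmpro_setOption()` takes a `$sanitize_function` argument in this release (see the `intval` calls in adminpages/pagesettings.php), so the special case could be a callable that applies `wp_kses()` with `$allowedposttags`, and the comment should at least say why it is still handled inline.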
adminpages/reports/login.php
CHANGED
@@ -65,14 +65,18 @@ function pmpro_report_login_page()
65 |
|
66 |
//vars
|
67 |
if(!empty($_REQUEST['s']))
|
68 |
-
$s = $_REQUEST['s'];
|
69 |
else
|
70 |
$s = "";
|
71 |
|
72 |
-
if(!empty($_REQUEST['l']))
|
73 |
-
|
74 |
-
75 |
$l = "";
76 |
?>
|
77 |
<form id="posts-filter" method="get" action="">
|
78 |
<h1>
|
@@ -124,7 +128,7 @@ function pmpro_report_login_page()
124 |
if($l == "all")
|
125 |
$sqlQuery .= " AND mu.status = 'active' AND mu.membership_id > 0 ";
|
126 |
elseif($l)
|
127 |
-
$sqlQuery .= " AND mu.membership_id = '" . $l . "' ";
|
128 |
|
129 |
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
|
130 |
}
|
@@ -136,7 +140,7 @@ function pmpro_report_login_page()
136 |
if($l == "all")
|
137 |
$sqlQuery .= " AND mu.membership_id > 0 AND mu.status = 'active' ";
|
138 |
elseif($l)
|
139 |
-
$sqlQuery .= " AND mu.membership_id = '" . $l . "' ";
|
140 |
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
|
141 |
}
|
142 |
|
@@ -273,11 +277,11 @@ function pmpro_report_login_wp_visits()
273 |
$visits = array("last"=>"N/A", "thisdate"=>NULL, "month"=>0, "thismonth"=>NULL, "alltime"=>0);
|
274 |
|
275 |
//track logins for user
|
276 |
-
$visits['last'] = date_i18n(get_option("date_format"));
|
277 |
-
$visits['alltime']
|
278 |
$thismonth = date_i18n("n", $now);
|
279 |
if($thismonth == $visits['thismonth'])
|
280 |
-
$visits['month']
|
281 |
else
|
282 |
{
|
283 |
$visits['month'] = 1;
|
@@ -293,17 +297,17 @@ function pmpro_report_login_wp_visits()
293 |
if(empty($visits))
|
294 |
$visits = array("today"=>0, "thisdate"=>NULL, "month"=>0, "thismonth"=> NULL, "alltime"=>0);
|
295 |
|
296 |
-
$visits['alltime']
|
297 |
$thisdate = date_i18n("Y-d-m", $now);
|
298 |
if($thisdate == $visits['thisdate'])
|
299 |
-
$visits['today']
|
300 |
else
|
301 |
{
|
302 |
$visits['today'] = 1;
|
303 |
$visits['thisdate'] = $thisdate;
|
304 |
}
|
305 |
if($thismonth == $visits['thismonth'])
|
306 |
-
$visits['month']
|
307 |
else
|
308 |
{
|
309 |
$visits['month'] = 1;
|
65 |
|
66 |
//vars
|
67 |
if(!empty($_REQUEST['s']))
|
68 |
+
$s = sanitize_text_field($_REQUEST['s']);
|
69 |
else
|
70 |
$s = "";
|
71 |
|
72 |
+
if(!empty($_REQUEST['l'])) {
|
73 |
+
if($_REQUEST['l'] == 'all')
|
74 |
+
$l = 'all';
|
75 |
+
else
|
76 |
+
$l = intval($_REQUEST['l']);
|
77 |
+
} else {
|
78 |
$l = "";
|
79 |
+
}
|
80 |
?>
|
81 |
<form id="posts-filter" method="get" action="">
|
82 |
<h1>
|
128 |
if($l == "all")
|
129 |
$sqlQuery .= " AND mu.status = 'active' AND mu.membership_id > 0 ";
|
130 |
elseif($l)
|
131 |
+
$sqlQuery .= " AND mu.membership_id = '" . esc_sql($l) . "' ";
|
132 |
|
133 |
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
|
134 |
}
|
140 |
if($l == "all")
|
141 |
$sqlQuery .= " AND mu.membership_id > 0 AND mu.status = 'active' ";
|
142 |
elseif($l)
|
143 |
+
$sqlQuery .= " AND mu.membership_id = '" . esc_sql($l) . "' ";
|
144 |
$sqlQuery .= "GROUP BY u.ID ORDER BY user_registered DESC LIMIT $start, $limit";
|
145 |
}
|
146 |
|
277 |
$visits = array("last"=>"N/A", "thisdate"=>NULL, "month"=>0, "thismonth"=>NULL, "alltime"=>0);
|
278 |
|
279 |
//track logins for user
|
280 |
+
$visits['last'] = date_i18n(get_option("date_format"), $now);
|
281 |
+
$visits['alltime'] = $visits['alltime'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
|
282 |
$thismonth = date_i18n("n", $now);
|
283 |
if($thismonth == $visits['thismonth'])
|
284 |
+
$visits['month'] = $visits['month'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
|
285 |
else
|
286 |
{
|
287 |
$visits['month'] = 1;
|
297 |
if(empty($visits))
|
298 |
$visits = array("today"=>0, "thisdate"=>NULL, "month"=>0, "thismonth"=> NULL, "alltime"=>0);
|
299 |
|
300 |
+
$visits['alltime'] = $visits['alltime'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
|
301 |
$thisdate = date_i18n("Y-d-m", $now);
|
302 |
if($thisdate == $visits['thisdate'])
|
303 |
+
$visits['today'] = $visits['today'] + 1; // BUG FIX: Caused fatal error in certain PHP versions
|
304 |
else
|
305 |
{
|
306 |
$visits['today'] = 1;
|
307 |
$visits['thisdate'] = $thisdate;
|
308 |
}
|
309 |
if($thismonth == $visits['thismonth'])
|
310 |
+
$visits['month'] = $visits['month'] + 1;// BUG FIX: Caused fatal error in certain PHP versions
|
311 |
else
|
312 |
{
|
313 |
$visits['month'] = 1;
|
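Review bot: The `// BUG FIX: Caused fatal error in certain PHP versions` comments on the `$visits` increments (new lines 281–310) restate the changelog rather than explain the cause; the old-side lines are truncated in this view so I cannot confirm which construct was replaced, but the comment should name it and the PHP versions affected so the next maintainer does not "simplify" it back. `$s` at line 68 now goes through `sanitize_text_field()`, which is not SQL escaping; the query that consumes it is outside this hunk, so if `$s` is interpolated into `$sqlQuery` there it still needs `esc_sql()` or `$wpdb->prepare()`, as `$l` now gets at lines 131 and 143. `esc_sql($l)` on the `intval()` result is harmless but redundant; the cast already makes that interpolation safe. pmpro_report_login_page() and pmpro_report_login_wp_visits() both start before and end after their hunks.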
adminpages/reports/memberships.php
CHANGED
@@ -60,8 +60,10 @@ function pmpro_report_memberships_widget() {
60 |
<?php
|
61 |
//level stats
|
62 |
$count = 0;
63 |
foreach($levels as $level) {
|
64 |
-
if($count++
|
65 |
?>
|
66 |
<tr class="pmpro_report_tr_sub" style="display: none;">
|
67 |
<th scope="row">- <?php echo $level->name;?></th>
|
60 |
<?php
|
61 |
//level stats
|
62 |
$count = 0;
|
63 |
+
$max_level_count = apply_filters( 'pmpro_admin_reports_included_levels', 3 );
|
64 |
+
|
65 |
foreach($levels as $level) {
|
66 |
+
if($count++ >= $max_level_count) break;
|
67 |
?>
|
68 |
<tr class="pmpro_report_tr_sub" style="display: none;">
|
69 |
<th scope="row">- <?php echo $level->name;?></th>
|
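Review bot: `$level->name` is still echoed raw at line 69 inside the loop this hunk changes; level names are admin-entered, but given this release's XSS hardening, `<?php echo esc_html($level->name);?>` is a cheap safeguard. The filter result at line 63 is used in a numeric comparison without a cast, so a filter returning a string or `null` changes the loop's behaviour silently; `$max_level_count = intval(apply_filters('pmpro_admin_reports_included_levels', 3));` pins it. pmpro_report_memberships_widget() starts before and ends after this hunk.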
classes/class-deny-network-activation.php
CHANGED
@@ -27,7 +27,7 @@ class PMPro_Deny_Network_Activation {
27 |
global $current_screen;
|
28 |
if ( !empty($_REQUEST['pmpro_deny_network_activation']) && ( 'sites-network' === $current_screen->id || 'plugins-network' === $current_screen->id ) ) {
|
29 |
//get plugin data
|
30 |
-
$plugin = isset($_REQUEST['pmpro_deny_network_activation']) ? $_REQUEST['pmpro_deny_network_activation'] : '';
|
31 |
$plugin_path = WP_PLUGIN_DIR . '/' . urldecode($plugin);
|
32 |
$plugin_data = get_plugin_data($plugin_path);
|
33 |
|
@@ -49,7 +49,7 @@ class PMPro_Deny_Network_Activation {
49 |
return;
|
50 |
}
|
51 |
|
52 |
-
$plugin = isset($_REQUEST['plugin']) ? $_REQUEST['plugin'] : '';
|
53 |
|
54 |
deactivate_plugins( $plugin, true, true );
|
55 |
if ( ! isset( $_REQUEST['pmpro_deny_network_activation']) ) {
|
27 |
global $current_screen;
|
28 |
if ( !empty($_REQUEST['pmpro_deny_network_activation']) && ( 'sites-network' === $current_screen->id || 'plugins-network' === $current_screen->id ) ) {
|
29 |
//get plugin data
|
30 |
+
$plugin = isset($_REQUEST['pmpro_deny_network_activation']) ? sanitize_file_name($_REQUEST['pmpro_deny_network_activation']) : '';
|
31 |
$plugin_path = WP_PLUGIN_DIR . '/' . urldecode($plugin);
|
32 |
$plugin_data = get_plugin_data($plugin_path);
|
33 |
|
49 |
return;
|
50 |
}
|
51 |
|
52 |
+
$plugin = isset($_REQUEST['plugin']) ? sanitize_file_name($_REQUEST['plugin']) : '';
|
53 |
|
54 |
deactivate_plugins( $plugin, true, true );
|
55 |
if ( ! isset( $_REQUEST['pmpro_deny_network_activation']) ) {
|
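Review bot: `sanitize_file_name()` removes `/` (it is in the function's special-character list), so a plugin basename such as `dir/plugin.php` becomes `dirplugin.php` at new lines 30 and 52; `$plugin_path` then never resolves, `get_plugin_data()` is given a non-existent file and `deactivate_plugins()` receives a name that matches no installed plugin, which likely breaks this feature rather than hardening it. Validate against the installed plugin list instead, e.g. `$plugin = plugin_basename(wp_unslash($_REQUEST['plugin']));` followed by `if (!array_key_exists($plugin, get_plugins())) { return; }`, which rejects anything that is not a real plugin file. The `isset()` on line 30 is redundant after the `!empty()` on line 28. Whether a nonce or capability check precedes the `deactivate_plugins()` call at line 54 is not visible in this hunk (the `return;` at line 49 suggests one); both methods start outside the hunks.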
classes/class.memberorder.php
CHANGED
@@ -478,8 +478,8 @@
478 |
else {
|
479 |
$total = (float)$amount + (float)$tax;
|
480 |
$this->total = $total;
|
481 |
-
}
|
482 |
-
|
483 |
//these fix some warnings/notices
|
484 |
if(empty($this->billing))
|
485 |
{
|
@@ -508,6 +508,10 @@
508 |
$this->accountnumber = "";
|
509 |
if(empty($this->cardtype))
|
510 |
$this->cardtype = "";
511 |
if(empty($this->ExpirationDate))
|
512 |
$this->ExpirationDate = "";
|
513 |
if (empty($this->status))
|
@@ -583,6 +587,13 @@
583 |
//set up actions
|
584 |
$before_action = "pmpro_add_order";
|
585 |
$after_action = "pmpro_added_order";
586 |
//insert
|
587 |
$this->sqlQuery = "INSERT INTO $wpdb->pmpro_membership_orders
|
588 |
(`code`, `session_id`, `user_id`, `membership_id`, `paypal_token`, `billing_name`, `billing_street`, `billing_city`, `billing_state`, `billing_zip`, `billing_country`, `billing_phone`, `subtotal`, `tax`, `couponamount`, `certificate_id`, `certificateamount`, `total`, `payment_type`, `cardtype`, `accountnumber`, `expirationmonth`, `expirationyear`, `status`, `gateway`, `gateway_environment`, `payment_transaction_id`, `subscription_transaction_id`, `timestamp`, `affiliate_id`, `affiliate_subid`, `notes`, `checkout_id`)
|
@@ -607,8 +618,8 @@
607 |
'" . $this->payment_type . "',
|
608 |
'" . $this->cardtype . "',
|
609 |
'" . hideCardNumber($this->accountnumber, false) . "',
|
610 |
-
'" .
|
611 |
-
'" .
|
612 |
'" . esc_sql($this->status) . "',
|
613 |
'" . $this->gateway . "',
|
614 |
'" . $this->gateway_environment . "',
|
478 |
else {
|
479 |
$total = (float)$amount + (float)$tax;
|
480 |
$this->total = $total;
|
481 |
+
}
|
482 |
+
|
483 |
//these fix some warnings/notices
|
484 |
if(empty($this->billing))
|
485 |
{
|
508 |
$this->accountnumber = "";
|
509 |
if(empty($this->cardtype))
|
510 |
$this->cardtype = "";
|
511 |
+
if(empty($this->expirationmonth))
|
512 |
+
$this->expirationmonth = "";
|
513 |
+
if(empty($this->expirationyear))
|
514 |
+
$this->expirationyear = "";
|
515 |
if(empty($this->ExpirationDate))
|
516 |
$this->ExpirationDate = "";
|
517 |
if (empty($this->status))
|
587 |
//set up actions
|
588 |
$before_action = "pmpro_add_order";
|
589 |
$after_action = "pmpro_added_order";
|
590 |
+
|
591 |
+
//only on inserts, we might want to set the expirationmonth and expirationyear from ExpirationDate
|
592 |
+
if( (empty($this->expirationmonth) || empty($this->expirationyear)) && !empty($this->ExpirationDate)) {
|
593 |
+
$this->expirationmonth = substr($this->ExpirationDate, 0, 2);
|
594 |
+
$this->expirationyear = substr($this->ExpirationDate, 2, 4);
|
595 |
+
}
|
596 |
+
|
597 |
//insert
|
598 |
$this->sqlQuery = "INSERT INTO $wpdb->pmpro_membership_orders
|
599 |
(`code`, `session_id`, `user_id`, `membership_id`, `paypal_token`, `billing_name`, `billing_street`, `billing_city`, `billing_state`, `billing_zip`, `billing_country`, `billing_phone`, `subtotal`, `tax`, `couponamount`, `certificate_id`, `certificateamount`, `total`, `payment_type`, `cardtype`, `accountnumber`, `expirationmonth`, `expirationyear`, `status`, `gateway`, `gateway_environment`, `payment_transaction_id`, `subscription_transaction_id`, `timestamp`, `affiliate_id`, `affiliate_subid`, `notes`, `checkout_id`)
|
618 |
'" . $this->payment_type . "',
|
619 |
'" . $this->cardtype . "',
|
620 |
'" . hideCardNumber($this->accountnumber, false) . "',
|
621 |
+
'" . $this->expirationmonth . "',
|
622 |
+
'" . $this->expirationyear . "',
|
623 |
'" . esc_sql($this->status) . "',
|
624 |
'" . $this->gateway . "',
|
625 |
'" . $this->gateway_environment . "',
|
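Review bot: The new INSERT values at lines 621–622 interpolate `$this->expirationmonth` and `$this->expirationyear` into the SQL string unescaped, while the adjacent `status` value goes through `esc_sql()`; in adminpages/orders.php these fields are populated from `$_POST` via `sanitize_text_field()`, which does not neutralise SQL metacharacters. Use `'" . esc_sql($this->expirationmonth) . "',` and likewise for the year (or `intval()` both, since they are numeric), and note that the surrounding `gateway`, `gateway_environment` and other columns have the same exposure, which predates this commit. The derivation at lines 593–594 assumes `ExpirationDate` is `MMYYYY`; a comment such as `// ExpirationDate is expected as MMYYYY (e.g. 012030 for Jan 2030)` would make that contract explicit, and a length check would avoid storing a partial year when it is not. saveOrder() starts before and ends after these hunks.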
classes/gateways/class.pmprogateway.php
CHANGED
@@ -90,7 +90,7 @@
90 |
else
|
91 |
{
|
92 |
//add a period to the start date to account for the initial payment
|
93 |
-
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $
|
94 |
}
|
95 |
|
96 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
90 |
else
|
91 |
{
|
92 |
//add a period to the start date to account for the initial payment
|
93 |
+
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
|
94 |
}
|
95 |
|
96 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
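Review bot: `strtotime()` returns `false` when the relative string it is given cannot be parsed (an empty `BillingFrequency` or `BillingPeriod`, for instance), and `date_i18n()` treats a `false` timestamp as "now", so line 93 would silently set the profile start to today instead of today plus one period rather than failing. Capture the result first, `$ts = strtotime('+ ' . $order->BillingFrequency . ' ' . $order->BillingPeriod, current_time('timestamp'));`, and only build the date when `$ts !== false`, handling the failure explicitly otherwise. The identical line is added in classes/gateways/class.pmprogateway_check.php and class.pmprogateway_cybersource.php; a shared helper returning the ProfileStartDate would keep the three copies in step. The enclosing method starts and ends outside this hunk.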
classes/gateways/class.pmprogateway_braintree.php
CHANGED
@@ -286,17 +286,17 @@
286 |
{
|
287 |
//load up values
|
288 |
if(isset($_REQUEST['number']))
|
289 |
-
$braintree_number = $_REQUEST['number'];
|
290 |
else
|
291 |
$braintree_number = "";
|
292 |
|
293 |
if(isset($_REQUEST['expiration_date']))
|
294 |
-
$braintree_expiration_date = $_REQUEST['expiration_date'];
|
295 |
else
|
296 |
$braintree_expiration_date = "";
|
297 |
|
298 |
if(isset($_REQUEST['cvv']))
|
299 |
-
$braintree_cvv = $_REQUEST['cvv'];
|
300 |
else
|
301 |
$braintree_cvv = "";
|
302 |
|
@@ -453,7 +453,7 @@
453 |
?>
|
454 |
<div class="pmpro_payment-cvv">
|
455 |
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
|
456 |
-
<input class="input" id="CVV" name="cvv" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr($_REQUEST['CVV']); }?>" class=" <?php echo pmpro_getClassForField("CVV");?>" data-encrypted-name="cvv" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
|
457 |
</div>
|
458 |
<?php
|
459 |
}
|
286 |
{
|
287 |
//load up values
|
288 |
if(isset($_REQUEST['number']))
|
289 |
+
$braintree_number = sanitize_text_field($_REQUEST['number']);
|
290 |
else
|
291 |
$braintree_number = "";
|
292 |
|
293 |
if(isset($_REQUEST['expiration_date']))
|
294 |
+
$braintree_expiration_date = sanitize_text_field($_REQUEST['expiration_date']);
|
295 |
else
|
296 |
$braintree_expiration_date = "";
|
297 |
|
298 |
if(isset($_REQUEST['cvv']))
|
299 |
+
$braintree_cvv = sanitize_text_field($_REQUEST['cvv']);
|
300 |
else
|
301 |
$braintree_cvv = "";
|
302 |
|
453 |
?>
|
454 |
<div class="pmpro_payment-cvv">
|
455 |
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
|
456 |
+
<input class="input" id="CVV" name="cvv" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr(sanitize_text_field($_REQUEST['CVV'])); }?>" class=" <?php echo pmpro_getClassForField("CVV");?>" data-encrypted-name="cvv" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
|
457 |
</div>
|
458 |
<?php
|
459 |
}
|
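Review bot: The CVV prefill at line 456 reads `$_REQUEST['CVV']` while the input is named `cvv`, so on a plain re-post the branch never fires, and when it does fire through some other path it writes a card security code back into the page; not re-echoing the CVV is the safer behaviour, so `value=""` (dropping the PHP) is the cleaner fix. The same element declares `class` twice, and browsers keep only the first, so `pmpro_getClassForField("CVV")` never applies; merge them into one attribute. classes/gateways/class.pmprogateway_stripe.php line 630 has the same `$_REQUEST['CVV']` prefill (there the input has no `name` at all, so the branch is dead). The enclosing methods start outside these hunks.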
classes/gateways/class.pmprogateway_check.php
CHANGED
@@ -245,7 +245,7 @@
245 |
else
|
246 |
{
|
247 |
//add a period to the start date to account for the initial payment
|
248 |
-
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $
|
249 |
}
|
250 |
|
251 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
245 |
else
|
246 |
{
|
247 |
//add a period to the start date to account for the initial payment
|
248 |
+
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
|
249 |
}
|
250 |
|
251 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
classes/gateways/class.pmprogateway_cybersource.php
CHANGED
@@ -206,7 +206,7 @@
206 |
else
|
207 |
{
|
208 |
//add a period to the start date to account for the initial payment
|
209 |
-
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $
|
210 |
}
|
211 |
|
212 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
206 |
else
|
207 |
{
|
208 |
//add a period to the start date to account for the initial payment
|
209 |
+
$order->ProfileStartDate = date_i18n("Y-m-d", strtotime("+ " . $order->BillingFrequency . " " . $order->BillingPeriod, current_time("timestamp"))) . "T0:0:0";
|
210 |
}
|
211 |
|
212 |
$order->ProfileStartDate = apply_filters("pmpro_profile_start_date", $order->ProfileStartDate, $order);
|
classes/gateways/class.pmprogateway_paypalexpress.php
CHANGED
@@ -238,15 +238,15 @@
238 |
{
|
239 |
//get values from post
|
240 |
if(isset($_REQUEST['username']))
|
241 |
-
$username = trim($_REQUEST['username']);
|
242 |
else
|
243 |
$username = "";
|
244 |
if(isset($_REQUEST['password']))
|
245 |
-
$password = $_REQUEST['password'];
|
246 |
else
|
247 |
$password = "";
|
248 |
if(isset($_REQUEST['bemail']))
|
249 |
-
$bemail = $_REQUEST['bemail'];
|
250 |
else
|
251 |
$bemail = "";
|
252 |
|
@@ -273,16 +273,16 @@
273 |
if(!empty($_REQUEST['review']))
|
274 |
{
|
275 |
if(!empty($_REQUEST['PayerID']))
|
276 |
-
$_SESSION['payer_id'] = $_REQUEST['PayerID'];
|
277 |
if(!empty($_REQUEST['paymentAmount']))
|
278 |
-
$_SESSION['paymentAmount'] = $_REQUEST['paymentAmount'];
|
279 |
if(!empty($_REQUEST['currencyCodeType']))
|
280 |
-
$_SESSION['currCodeType'] = $_REQUEST['currencyCodeType'];
|
281 |
if(!empty($_REQUEST['paymentType']))
|
282 |
-
$_SESSION['paymentType'] = $_REQUEST['paymentType'];
|
283 |
|
284 |
$morder = new MemberOrder();
|
285 |
-
$morder->getMemberOrderByPayPalToken($_REQUEST['token']);
|
286 |
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
|
287 |
if($morder->Token)
|
288 |
{
|
@@ -309,7 +309,7 @@
309 |
)
|
310 |
{
|
311 |
$morder = new MemberOrder();
|
312 |
-
$morder->getMemberOrderByPayPalToken($_REQUEST['token']);
|
313 |
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
|
314 |
if($morder->Token)
|
315 |
{
|
238 |
{
|
239 |
//get values from post
|
240 |
if(isset($_REQUEST['username']))
|
241 |
+
$username = trim(sanitize_text_field($_REQUEST['username']));
|
242 |
else
|
243 |
$username = "";
|
244 |
if(isset($_REQUEST['password']))
|
245 |
+
$password = sanitize_text_field($_REQUEST['password']);
|
246 |
else
|
247 |
$password = "";
|
248 |
if(isset($_REQUEST['bemail']))
|
249 |
+
$bemail = sanitize_email($_REQUEST['bemail']);
|
250 |
else
|
251 |
$bemail = "";
|
252 |
|
273 |
if(!empty($_REQUEST['review']))
|
274 |
{
|
275 |
if(!empty($_REQUEST['PayerID']))
|
276 |
+
$_SESSION['payer_id'] = sanitize_text_field($_REQUEST['PayerID']);
|
277 |
if(!empty($_REQUEST['paymentAmount']))
|
278 |
+
$_SESSION['paymentAmount'] = sanitize_text_field($_REQUEST['paymentAmount']);
|
279 |
if(!empty($_REQUEST['currencyCodeType']))
|
280 |
+
$_SESSION['currCodeType'] = sanitize_text_field($_REQUEST['currencyCodeType']);
|
281 |
if(!empty($_REQUEST['paymentType']))
|
282 |
+
$_SESSION['paymentType'] = sanitize_text_field($_REQUEST['paymentType']);
|
283 |
|
284 |
$morder = new MemberOrder();
|
285 |
+
$morder->getMemberOrderByPayPalToken(sanitize_text_field($_REQUEST['token']));
|
286 |
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
|
287 |
if($morder->Token)
|
288 |
{
|
309 |
)
|
310 |
{
|
311 |
$morder = new MemberOrder();
|
312 |
+
$morder->getMemberOrderByPayPalToken(sanitize_text_field($_REQUEST['token']));
|
313 |
$morder->Token = $morder->paypal_token; $pmpro_paypal_token = $morder->paypal_token;
|
314 |
if($morder->Token)
|
315 |
{
|
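Review bot: Running the password through `sanitize_text_field()` at line 245 changes the value — it strips tags, collapses whitespace and removes `%xx` sequences — so a member who typed a password containing such characters would have a different password stored than the one they entered (assuming `$password` is the account password chosen at checkout, which this hunk does not show). WordPress core does not sanitise passwords this way; keep the raw value, `$password = $_REQUEST['password'];`, with at most `wp_unslash()`, and rely on hashing. `sanitize_text_field()` on `token` at lines 285 and 312 is not SQL escaping; whether `getMemberOrderByPayPalToken()` prepares its query is outside this view. If `$_SESSION['paymentAmount']` (line 278) is later used to build the PayPal request, the amount should come from the stored order rather than the request. The enclosing methods start outside these hunks.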
classes/gateways/class.pmprogateway_stripe.php
CHANGED
@@ -444,7 +444,7 @@
444 |
foreach($_REQUEST as $key => $param) {
|
445 |
if(preg_match('/stripeToken(\d+)/', $key, $matches)) {
|
446 |
if(intval($matches[1])>$tokennum) {
|
447 |
-
$thetoken = $param;
|
448 |
$tokennum = intval($matches[1]);
|
449 |
}
|
450 |
}
|
@@ -464,8 +464,8 @@
464 |
}
|
465 |
elseif(!empty($_REQUEST['first_name']) && !empty($_REQUEST['last_name']))
|
466 |
{
|
467 |
-
$morder->FirstName = $_REQUEST['first_name'];
|
468 |
-
$morder->LastName = $_REQUEST['last_name'];
|
469 |
}
|
470 |
}
|
471 |
|
@@ -627,7 +627,7 @@
627 |
?>
|
628 |
<div class="pmpro_payment-cvv">
|
629 |
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
|
630 |
-
<input id="CVV" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr($_REQUEST['CVV']); }?>" class="input <?php echo pmpro_getClassForField("CVV");?>" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
|
631 |
</div>
|
632 |
<?php
|
633 |
}
|
@@ -870,17 +870,17 @@
870 |
$update = array();
|
871 |
|
872 |
//all updates have these values
|
873 |
-
$update['when'] = $_POST['updates_when'][$i];
|
874 |
-
$update['billing_amount'] = $_POST['updates_billing_amount'][$i];
|
875 |
-
$update['cycle_number'] = $_POST['updates_cycle_number'][$i];
|
876 |
-
$update['cycle_period'] = $_POST['updates_cycle_period'][$i];
|
877 |
|
878 |
//these values only for on date updates
|
879 |
if($_POST['updates_when'][$i] == "date")
|
880 |
{
|
881 |
-
$update['date_month'] = str_pad($_POST['updates_date_month'][$i], 2, "0", STR_PAD_LEFT);
|
882 |
-
$update['date_day'] = str_pad($_POST['updates_date_day'][$i], 2, "0", STR_PAD_LEFT);
|
883 |
-
$update['date_year'] = $_POST['updates_date_year'][$i];
|
884 |
}
|
885 |
|
886 |
//make sure the update is valid
|
444 |
foreach($_REQUEST as $key => $param) {
|
445 |
if(preg_match('/stripeToken(\d+)/', $key, $matches)) {
|
446 |
if(intval($matches[1])>$tokennum) {
|
447 |
+
$thetoken = sanitize_text_field($param);
|
448 |
$tokennum = intval($matches[1]);
|
449 |
}
|
450 |
}
|
464 |
}
|
465 |
elseif(!empty($_REQUEST['first_name']) && !empty($_REQUEST['last_name']))
|
466 |
{
|
467 |
+
$morder->FirstName = sanitize_text_field($_REQUEST['first_name']);
|
468 |
+
$morder->LastName = sanitize_text_field($_REQUEST['last_name']);
|
469 |
}
|
470 |
}
|
471 |
|
627 |
?>
|
628 |
<div class="pmpro_payment-cvv">
|
629 |
<label for="CVV"><?php _e('CVV', 'paid-memberships-pro' );?></label>
|
630 |
+
<input id="CVV" type="text" size="4" value="<?php if(!empty($_REQUEST['CVV'])) { echo esc_attr(sanitize_text_field($_REQUEST['CVV'])); }?>" class="input <?php echo pmpro_getClassForField("CVV");?>" /> <small>(<a href="javascript:void(0);" onclick="javascript:window.open('<?php echo pmpro_https_filter(PMPRO_URL)?>/pages/popup-cvv.html','cvv','toolbar=no, location=no, directories=no, status=no, menubar=no, scrollbars=yes, resizable=yes, width=600, height=475');"><?php _e("what's this?", 'paid-memberships-pro' );?></a>)</small>
|
631 |
</div>
|
632 |
<?php
|
633 |
}
|
870 |
$update = array();
|
871 |
|
872 |
//all updates have these values
|
873 |
+
$update['when'] = pmpro_sanitize_with_safelist($_POST['updates_when'][$i], array('now', 'payment', 'date'));
|
874 |
+
$update['billing_amount'] = sanitize_text_field($_POST['updates_billing_amount'][$i]);
|
875 |
+
$update['cycle_number'] = intval($_POST['updates_cycle_number'][$i]);
|
876 |
+
$update['cycle_period'] = sanitize_text_field($_POST['updates_cycle_period'][$i]);
|
877 |
|
878 |
//these values only for on date updates
|
879 |
if($_POST['updates_when'][$i] == "date")
|
880 |
{
|
881 |
+
$update['date_month'] = str_pad(intval($_POST['updates_date_month'][$i]), 2, "0", STR_PAD_LEFT);
|
882 |
+
$update['date_day'] = str_pad(intval($_POST['updates_date_day'][$i]), 2, "0", STR_PAD_LEFT);
|
883 |
+
$update['date_year'] = intval($_POST['updates_date_year'][$i]);
|
884 |
}
|
885 |
|
886 |
//make sure the update is valid
|
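--- a/includes/addons.php
+++ b/includes/addons.php
@@ -269,7 +269,7 @@ function pmpro_admin_init_updating_plugins() {
 unset($plugin);
 
 //if Plus addons found, check license key
-if(!empty($plus_plugins) && !pmpro_license_isValid()) {
+if(!empty($plus_plugins) && !pmpro_license_isValid(NULL, 'plus')) {
 //show error
 $msg = __('You must have a <a href="https://www.paidmembershipspro.com/pricing/?utm_source=wp-admin&utm_pluginlink=bulkupdate">valid PMPro Plus License Key</a> to update PMPro Plus add ons. The following plugins will not be updated:', 'paid-memberships-pro');
 echo '<div class="error"><p>' . $msg . ' <strong>' . implode(', ', $plus_addons) . '</strong></p></div>';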
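Review bot: The add-on names joined by `implode(', ', $plus_addons)` on line 275 are echoed into admin markup without escaping, while the only thing this hunk changes is the license check on line 272. Those names presumably come from installed plugin headers rather than request input, so the exposure is limited to what an installed plugin file can put there, but the output line should still be `echo '<div class="error"><p>' . wp_kses_post( $msg ) . ' <strong>' . esc_html( implode( ', ', $plus_addons ) ) . '</strong></p></div>';`. The condition tests `$plus_plugins` while the message prints `$plus_addons`; both are defined above this hunk, outside my view, so I cannot confirm they are meant to differ. `pmpro_admin_init_updating_plugins()` starts and ends outside this hunk.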
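--- a/includes/functions.php
+++ b/includes/functions.php
@@ -93,11 +93,11 @@ function pmpro_getOption($s, $force = false)
 return "";
 }
 
-function pmpro_setOption($s, $v = NULL)
+function pmpro_setOption($s, $v = NULL, $sanitize_function = 'sanitize_text_field')
 {
 //no value is given, set v to the p var
 if($v === NULL && isset($_POST[$s]))
-$v = $_POST[$s];
+$v = call_user_func($sanitize_function, $_POST[$s]);
 
 if(is_array($v))
 $v = implode(",", $v);
@@ -2238,22 +2238,22 @@ function pmpro_getClassForField($field)
 }
 
 //get a var from $_GET or $_POST
-function pmpro_getParam($index, $method = "REQUEST", $default = "")
+function pmpro_getParam($index, $method = "REQUEST", $default = "", $sanitize_function = 'sanitize_text_field')
 {
 if($method == "REQUEST")
 {
 if(!empty($_REQUEST[$index]))
-return $_REQUEST[$index];
+return call_user_func($sanitize_function, $_REQUEST[$index]);
 }
 elseif($method == "POST")
 {
 if(!empty($_POST[$index]))
-return $_POST[$index];
+return call_user_func($sanitize_function, $_POST[$index]);
 }
 elseif($method == "GET")
 {
 if(!empty($_GET[$index]))
-return $_GET[$index];
+return call_user_func($sanitize_function, $_GET[$index]);
 }
 
 return $default;
@@ -2618,3 +2618,38 @@ function pmpro_getMemberOrdersByCheckoutID($checkout_id) {
 
 return $r;
 }
+
+/**
+* Check that the test value is a member of a specific array for sanitization purposes.
+*
+* @param mixed $needle Value to be tested.
+* @param array $safe Array of safelist values.
+* @since 1.9.3
+*/
+function pmpro_sanitize_with_safelist($needle, $safelist) {
+if(!in_array($needle, $safelist))
+return false;
+else
+return $needle;
+}
+
+/**
+* Return an array of allowed order statuses
+*
+* @since 1.9.3
+*/
+function pmpro_getOrderStatuses($force = false) {
+global $pmpro_order_statuses;
+
+if(!isset($pmpro_order_statuses) || $force) {
+global $wpdb;
+$statuses = array();
+$default_statuses = array( "", "success", "cancelled", "review", "token", "refunded" );
+$used_statuses = $wpdb->get_col( "SELECT DISTINCT(status) FROM $wpdb->pmpro_membership_orders" );
+$statuses = array_unique( array_merge( $default_statuses, $used_statuses ) );
+asort( $statuses );
+$statuses = apply_filters( "pmpro_order_statuses", $statuses );
+}
+
+return $statuses;
+}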
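Review bot: `pmpro_sanitize_with_safelist()` on line 2630 relies on a loose `in_array()`, so a non-string needle such as an int `0` (true against any non-numeric string on PHP 7, which the plugin's 5.6 minimum allows) or `true` compares equal to the safelist entries and the unsafe needle is handed back unchanged. A safelist sanitizer has to be strict: `if(!in_array($needle, $safelist, true))`, and the docblock should name the real parameter (`@param array $safelist`) and add `@return mixed|false The needle when it is a safelist member, otherwise false.` so callers know the rejection value. In `pmpro_getOrderStatuses()` the `global $pmpro_order_statuses` is declared but never written, so the `isset(...) || $force` shortcut can never be taken, and if it were, `$statuses` would be undefined at `return $statuses;`; assign `$pmpro_order_statuses = apply_filters( "pmpro_order_statuses", $statuses );` inside the branch and finish with `return $pmpro_order_statuses;`.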
paid-memberships-pro.php
CHANGED
@@ -3,7 +3,7 @@
|
|
3 |
Plugin Name: Paid Memberships Pro
|
4 |
Plugin URI: http://www.paidmembershipspro.com
|
5 |
Description: Plugin to Handle Memberships
|
6 |
-
Version: 1.9.
|
7 |
Author: Stranger Studios
|
8 |
Author URI: http://www.strangerstudios.com
|
9 |
Text Domain: paid-memberships-pro
|
@@ -15,7 +15,7 @@ Domain Path: /languages
|
|
15 |
*/
|
16 |
|
17 |
// version constant
|
18 |
-
define( 'PMPRO_VERSION', '1.9.
|
19 |
define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
|
20 |
define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
|
21 |
|
3 |
Plugin Name: Paid Memberships Pro
|
4 |
Plugin URI: http://www.paidmembershipspro.com
|
5 |
Description: Plugin to Handle Memberships
|
6 |
+
Version: 1.9.3
|
7 |
Author: Stranger Studios
|
8 |
Author URI: http://www.strangerstudios.com
|
9 |
Text Domain: paid-memberships-pro
|
15 |
*/
|
16 |
|
17 |
// version constant
|
18 |
+
define( 'PMPRO_VERSION', '1.9.3' );
|
19 |
define( 'PMPRO_USER_AGENT', 'Paid Memberships Pro v' . PMPRO_VERSION . '; ' . site_url() );
|
20 |
define( 'PMPRO_MIN_PHP_VERSION', '5.6' );
|
21 |
|
preheaders/billing.php
CHANGED
@@ -36,12 +36,12 @@ wp_enqueue_script( 'jquery.creditCardValidator', plugins_url( '/js/jquery.credit
|
|
36 |
|
37 |
//_x stuff in case they clicked on the image button with their mouse
|
38 |
if (isset($_REQUEST['update-billing']))
|
39 |
-
$submit =
|
40 |
else
|
41 |
$submit = false;
|
42 |
|
43 |
if (!$submit && isset($_REQUEST['update-billing_x']))
|
44 |
-
$submit =
|
45 |
|
46 |
if ($submit === "0")
|
47 |
$submit = true;
|
@@ -50,39 +50,39 @@ if ($submit === "0")
|
|
50 |
if ($submit) {
|
51 |
//load em up (other fields)
|
52 |
if (isset($_REQUEST['bfirstname']))
|
53 |
-
$bfirstname = trim(
|
54 |
if (isset($_REQUEST['blastname']))
|
55 |
-
$blastname = trim(
|
56 |
if (isset($_REQUEST['fullname']))
|
57 |
-
$fullname = $_REQUEST['fullname']; //honeypot for spammers
|
58 |
if (isset($_REQUEST['baddress1']))
|
59 |
-
$baddress1 = trim(
|
60 |
if (isset($_REQUEST['baddress2']))
|
61 |
-
$baddress2 = trim(
|
62 |
if (isset($_REQUEST['bcity']))
|
63 |
-
$bcity = trim(
|
64 |
if (isset($_REQUEST['bstate']))
|
65 |
-
$bstate = trim(
|
66 |
if (isset($_REQUEST['bzipcode']))
|
67 |
-
$bzipcode = trim(
|
68 |
if (isset($_REQUEST['bcountry']))
|
69 |
-
$bcountry = trim(
|
70 |
if (isset($_REQUEST['bphone']))
|
71 |
-
$bphone = trim(
|
72 |
if (isset($_REQUEST['bemail']))
|
73 |
-
$bemail = trim(
|
74 |
if (isset($_REQUEST['bconfirmemail']))
|
75 |
-
$bconfirmemail = trim(
|
76 |
if (isset($_REQUEST['CardType']))
|
77 |
-
$CardType = $_REQUEST['CardType'];
|
78 |
if (isset($_REQUEST['AccountNumber']))
|
79 |
-
$AccountNumber = trim($_REQUEST['AccountNumber']);
|
80 |
if (isset($_REQUEST['ExpirationMonth']))
|
81 |
-
$ExpirationMonth = $_REQUEST['ExpirationMonth'];
|
82 |
if (isset($_REQUEST['ExpirationYear']))
|
83 |
-
$ExpirationYear = $_REQUEST['ExpirationYear'];
|
84 |
if (isset($_REQUEST['CVV']))
|
85 |
-
$CVV = trim($_REQUEST['CVV']);
|
86 |
|
87 |
//avoid warnings for the required fields
|
88 |
if (!isset($bfirstname))
|
36 |
|
37 |
//_x stuff in case they clicked on the image button with their mouse
|
38 |
if (isset($_REQUEST['update-billing']))
|
39 |
+
$submit = true;
|
40 |
else
|
41 |
$submit = false;
|
42 |
|
43 |
if (!$submit && isset($_REQUEST['update-billing_x']))
|
44 |
+
$submit = true;
|
45 |
|
46 |
if ($submit === "0")
|
47 |
$submit = true;
|
50 |
if ($submit) {
|
51 |
//load em up (other fields)
|
52 |
if (isset($_REQUEST['bfirstname']))
|
53 |
+
$bfirstname = trim(sanitize_text_field($_REQUEST['bfirstname']));
|
54 |
if (isset($_REQUEST['blastname']))
|
55 |
+
$blastname = trim(sanitize_text_field($_REQUEST['blastname']));
|
56 |
if (isset($_REQUEST['fullname']))
|
57 |
+
$fullname = sanitize_text_field($_REQUEST['fullname']); //honeypot for spammers
|
58 |
if (isset($_REQUEST['baddress1']))
|
59 |
+
$baddress1 = trim(sanitize_text_field($_REQUEST['baddress1']));
|
60 |
if (isset($_REQUEST['baddress2']))
|
61 |
+
$baddress2 = trim(sanitize_text_field($_REQUEST['baddress2']));
|
62 |
if (isset($_REQUEST['bcity']))
|
63 |
+
$bcity = trim(sanitize_text_field($_REQUEST['bcity']));
|
64 |
if (isset($_REQUEST['bstate']))
|
65 |
+
$bstate = trim(sanitize_text_field($_REQUEST['bstate']));
|
66 |
if (isset($_REQUEST['bzipcode']))
|
67 |
+
$bzipcode = trim(sanitize_text_field($_REQUEST['bzipcode']));
|
68 |
if (isset($_REQUEST['bcountry']))
|
69 |
+
$bcountry = trim(sanitize_text_field($_REQUEST['bcountry']));
|
70 |
if (isset($_REQUEST['bphone']))
|
71 |
+
$bphone = trim(sanitize_text_field($_REQUEST['bphone']));
|
72 |
if (isset($_REQUEST['bemail']))
|
73 |
+
$bemail = trim(sanitize_email($_REQUEST['bemail']));
|
74 |
if (isset($_REQUEST['bconfirmemail']))
|
75 |
+
$bconfirmemail = trim(sanitize_email($_REQUEST['bconfirmemail']));
|
76 |
if (isset($_REQUEST['CardType']))
|
77 |
+
$CardType = sanitize_text_field($_REQUEST['CardType']);
|
78 |
if (isset($_REQUEST['AccountNumber']))
|
79 |
+
$AccountNumber = trim(sanitize_text_field($_REQUEST['AccountNumber']));
|
80 |
if (isset($_REQUEST['ExpirationMonth']))
|
81 |
+
$ExpirationMonth = sanitize_text_field($_REQUEST['ExpirationMonth']);
|
82 |
if (isset($_REQUEST['ExpirationYear']))
|
83 |
+
$ExpirationYear = sanitize_text_field($_REQUEST['ExpirationYear']);
|
84 |
if (isset($_REQUEST['CVV']))
|
85 |
+
$CVV = trim(sanitize_text_field($_REQUEST['CVV']));
|
86 |
|
87 |
//avoid warnings for the required fields
|
88 |
if (!isset($bfirstname))
|
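Review bot: `$ExpirationMonth`, `$ExpirationYear` (lines 81, 83) and `$CardType` (line 77) are fixed-choice fields yet only pass through `sanitize_text_field()`, which accepts any free text; coerce the date parts with `intval()` and check `$CardType` against the accepted card types with the new `pmpro_sanitize_with_safelist()` (the accepted set is defined elsewhere and not visible here). With `$submit` now a plain boolean on lines 39 and 44, the `if ($submit === "0") $submit = true;` check on line 46 can no longer match and can be dropped. Sanitization does not establish intent: a billing update driven from `$_REQUEST` should still be gated by a nonce check, which, if present, sits outside this hunk.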
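--- a/preheaders/cancel.php
+++ b/preheaders/cancel.php
@@ -39,7 +39,7 @@
 
 //are we confirming a cancellation?
 if(isset($_REQUEST['confirm']))
-$pmpro_confirm = $_REQUEST['confirm'];
+$pmpro_confirm = boolval($_REQUEST['confirm']);
 else
 $pmpro_confirm = false;
 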
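Review bot: `boolval()` on line 42 treats every non-empty string as true, so `?confirm=no` or `?confirm=false` confirms the cancellation exactly like `?confirm=1`; if the confirm control submits a known value, compare against it explicitly (for example `$pmpro_confirm = ( $_REQUEST['confirm'] === '1' );`, substituting whatever the form actually posts). Because the flag is read from `$_REQUEST`, a crafted GET link can trigger a cancellation for a logged-in member; the confirmed path should be protected by `wp_verify_nonce()` if that is not already done above or below this hunk.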
preheaders/checkout.php
CHANGED
@@ -15,7 +15,7 @@ $pmpro_required_user_fields = array();
|
|
15 |
|
16 |
//was a gateway passed?
|
17 |
if ( ! empty( $_REQUEST['gateway'] ) ) {
|
18 |
-
$gateway = $_REQUEST['gateway'];
|
19 |
} elseif ( ! empty( $_REQUEST['review'] ) ) {
|
20 |
$gateway = "paypalexpress";
|
21 |
} else {
|
@@ -221,14 +221,14 @@ if ( isset( $_REQUEST['username'] ) ) {
|
|
221 |
$username = "";
|
222 |
}
|
223 |
if ( isset( $_REQUEST['password'] ) ) {
|
224 |
-
$password = $_REQUEST['password'];
|
225 |
} else {
|
226 |
$password = "";
|
227 |
}
|
228 |
if ( isset( $_REQUEST['password2_copy'] ) ) {
|
229 |
$password2 = $password;
|
230 |
} elseif ( isset( $_REQUEST['password2'] ) ) {
|
231 |
-
$password2 = $_REQUEST['password2'];
|
232 |
} else {
|
233 |
$password2 = "";
|
234 |
}
|
@@ -240,10 +240,10 @@ if ( isset( $_REQUEST['tos'] ) ) {
|
|
240 |
|
241 |
//_x stuff in case they clicked on the image button with their mouse
|
242 |
if ( isset( $_REQUEST['submit-checkout'] ) ) {
|
243 |
-
$submit =
|
244 |
}
|
245 |
if ( empty( $submit ) && isset( $_REQUEST['submit-checkout_x'] ) ) {
|
246 |
-
$submit =
|
247 |
}
|
248 |
if ( isset( $submit ) && $submit === "0" ) {
|
249 |
$submit = true;
|
15 |
|
16 |
//was a gateway passed?
|
17 |
if ( ! empty( $_REQUEST['gateway'] ) ) {
|
18 |
+
$gateway = sanitize_text_field($_REQUEST['gateway']);
|
19 |
} elseif ( ! empty( $_REQUEST['review'] ) ) {
|
20 |
$gateway = "paypalexpress";
|
21 |
} else {
|
221 |
$username = "";
|
222 |
}
|
223 |
if ( isset( $_REQUEST['password'] ) ) {
|
224 |
+
$password = sanitize_text_field($_REQUEST['password']);
|
225 |
} else {
|
226 |
$password = "";
|
227 |
}
|
228 |
if ( isset( $_REQUEST['password2_copy'] ) ) {
|
229 |
$password2 = $password;
|
230 |
} elseif ( isset( $_REQUEST['password2'] ) ) {
|
231 |
+
$password2 = sanitize_text_field($_REQUEST['password2']);
|
232 |
} else {
|
233 |
$password2 = "";
|
234 |
}
|
240 |
|
241 |
//_x stuff in case they clicked on the image button with their mouse
|
242 |
if ( isset( $_REQUEST['submit-checkout'] ) ) {
|
243 |
+
$submit = true;
|
244 |
}
|
245 |
if ( empty( $submit ) && isset( $_REQUEST['submit-checkout_x'] ) ) {
|
246 |
+
$submit = true;
|
247 |
}
|
248 |
if ( isset( $submit ) && $submit === "0" ) {
|
249 |
$submit = true;
|
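Review bot: Running `sanitize_text_field()` over `$_REQUEST['password']` and `$_REQUEST['password2']` on lines 224 and 231 changes the credential before it is used: in WordPress core that function strips tags, trims and collapses whitespace and deletes `%xx` sequences, so a password containing any of those is saved in altered form wherever `$password` later creates the account, and the user's subsequent login with the raw value fails. Passwords should be taken as submitted, `$password = wp_unslash( $_REQUEST['password'] );` (and likewise for `password2`), with hashing doing the protective work; the comparison of the two fields is unaffected. `$gateway` on line 18 selects a gateway implementation, so it is a safelist case rather than free text; `pmpro_sanitize_with_safelist()` against the registered gateway names would fit, though that list is not visible here.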
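--- a/preheaders/invoice.php
+++ b/preheaders/invoice.php
@@ -12,7 +12,7 @@ if (!is_user_logged_in()) {
 
 //get invoice from DB
 if (!empty($_REQUEST['invoice']))
-$invoice_code = $_REQUEST['invoice'];
+$invoice_code = sanitize_text_field($_REQUEST['invoice']);
 else
 $invoice_code = NULL;
 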
readme.txt
CHANGED
@@ -3,7 +3,7 @@ Contributors: strangerstudios
|
|
3 |
Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
|
4 |
Requires at least: 4
|
5 |
Tested up to: 4.8
|
6 |
-
Stable tag: 1.9.
|
7 |
|
8 |
A revenue-generating machine for membership sites. Unlimited levels with recurring payment, protected content and member management.
|
9 |
|
@@ -116,6 +116,15 @@ Not sure? You can find out by doing a bit a research.
|
|
116 |
|
117 |
== Changelog ==
|
118 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
119 |
= 1.9.2.2 =
|
120 |
* BUG FIX: Fixed warnings on the Network Dashboard's sites page.
|
121 |
* BUG FIX: Skipping update scripts that require the Stripe library if the system doesn't support the minimum requirements for the Stripe API. This avoids warnings and errors during upgrade.
|
3 |
Tags: memberships, membership, authorize.net, ecommerce, paypal, stripe, braintree, restrict access, restrict content, directory site, payflow
|
4 |
Requires at least: 4
|
5 |
Tested up to: 4.8
|
6 |
+
Stable tag: 1.9.3
|
7 |
|
8 |
A revenue-generating machine for membership sites. Unlimited levels with recurring payment, protected content and member management.
|
9 |
|
116 |
|
117 |
== Changelog ==
|
118 |
|
119 |
+
= 1.9.3 =
|
120 |
+
* SECURITY: Fixed sanitization of inputs and added nonces in several places to protect against XSS attacks.
|
121 |
+
* BUG FIX: Showing correct error message when trying to update a PMPro Plus add on with a Core license installed.
|
122 |
+
* BUG FIX: Fixed issue where subscription and payment transaction IDs were not being saved correctly when copying an order in the dashboard. (Thanks, Pippin Williamson)
|
123 |
+
* BUG FIX: Fixed fatal errors that occurred in certain PHP versions.
|
124 |
+
* BUG FIX: Fixed issue where ProfileStartDate was being calculated incorrectly in the test, check, and Cybersource gateways.(Thanks, David Parker)
|
125 |
+
* ENHANCEMENT: Added a pmpro_sanitize_with_safelist() function that is used to sanitize inputs that have a limited number of exact options.
|
126 |
+
* ENHANCEMENT: Updated the pmpro_setOption() and pmpro_getParam() functions to take a new last parameter $sanitize_function, which defaults to 'sanitize_text_field'.
|
127 |
+
|
128 |
= 1.9.2.2 =
|
129 |
* BUG FIX: Fixed warnings on the Network Dashboard's sites page.
|
130 |
* BUG FIX: Skipping update scripts that require the Stripe library if the system doesn't support the minimum requirements for the Stripe API. This avoids warnings and errors during upgrade.
|
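--- a/services/authnet-silent-post.php
+++ b/services/authnet-silent-post.php
@@ -23,7 +23,7 @@
 foreach($_REQUEST as $name => $value)
 {
 // Create our associative array
-$fields[$name] = $value;
+$fields[$name] = sanitize_text_field($value);
 
 // If we see a special field flag this as an ARB transaction
 if($name == 'x_subscription_id')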
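Review bot: Line 26 sanitizes each value but `sanitize_text_field()` returns an empty string for array input, so a nested request parameter silently lands in `$fields` as `''` instead of being rejected; skip those explicitly with `if ( is_array( $value ) ) { continue; }` before the assignment, and note that the key `$name` is copied from the request untouched. Sanitizing the fields is not authentication of the post: before anything in `$fields` drives a membership change, the Authorize.net hash or signature that the account is configured to send should be verified against the transaction values, and that check is not visible in this hunk.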
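--- a/services/braintree-webhook.php
+++ b/services/braintree-webhook.php
@@ -33,7 +33,7 @@
 
 //verify
 if(!empty($_REQUEST['bt_challenge']))
-echo Braintree_WebhookNotification::verify($_REQUEST['bt_challenge']);
+echo Braintree_WebhookNotification::verify(sanitize_text_field($_REQUEST['bt_challenge']));
 else
 $logstr .= "Guessing you are just testing the URL out. Check that the timestamp updates on refresh to make sure this isn't being cached.";
 
@@ -45,13 +45,13 @@
 try
 {
 $webhookNotification = Braintree_WebhookNotification::parse(
-$_REQUEST['bt_signature'], $_REQUEST['bt_payload']
+sanitize_text_field($_REQUEST['bt_signature']), sanitize_text_field($_REQUEST['bt_payload'])
 );
 }
 catch ( Exception $e )
 {
 {
-$logstr .= "Couldn't get notification with payload " . $_REQUEST['bt_payload'] . ". " . $e->getMessage();
+$logstr .= "Couldn't get notification with payload " . sanitize_text_field($_REQUEST['bt_payload']) . ". " . $e->getMessage();
 pmpro_braintreeWebhookExit();
 }
 }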
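Review bot: Passing `sanitize_text_field($_REQUEST['bt_payload'])` into `Braintree_WebhookNotification::parse()` on line 48 alters the very bytes the signature covers: `sanitize_text_field()` collapses runs of newlines and whitespace into a single space, while the Braintree SDK signs the exact payload and, as far as I know, sends its base64 body line-wrapped and rejects anything outside the base64-plus-newline character set. The likely outcome is that every real webhook fails verification or is thrown out as containing illegal characters. Keep the raw values for verification, `$_REQUEST['bt_signature'], $_REQUEST['bt_payload']`, since `parse()` itself validates the signature, and sanitize only where the payload is written to `$logstr` on line 54 (that part of the change is fine).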
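--- a/services/ipnhandler.php
+++ b/services/ipnhandler.php
@@ -31,9 +31,9 @@ $initial_payment_status = pmpro_getParam( "initial_payment_status", "POST" );
 $payment_status = pmpro_getParam( "payment_status", "POST" );
 $payment_amount = pmpro_getParam( "payment_amount", "POST" );
 $payment_currency = pmpro_getParam( "payment_currency", "POST" );
-$receiver_email = pmpro_getParam( "receiver_email", "POST" );
-$business_email = pmpro_getParam( "business", "POST" );
-$payer_email = pmpro_getParam( "payer_email", "POST" );
+$receiver_email = pmpro_getParam( "receiver_email", "POST", '', 'sanitize_email' );
+$business_email = pmpro_getParam( "business", "POST", '', 'sanitize_email' );
+$payer_email = pmpro_getParam( "payer_email", "POST", '', 'sanitize_email' );
 $recurring_payment_id = pmpro_getParam( "recurring_payment_id", "POST" );
 $profile_status = strtolower( pmpro_getParam( "profile_status", "POST" ) );
 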
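Review bot: PayPal's `business` IPN field carries either the receiver's email address or a merchant account ID, and `sanitize_email()` returns an empty string for anything that is not an address, so line 35 now yields `''` whenever PayPal sends the account-ID form. If `$business_email` is later compared with the configured account to confirm the money went to the right recipient, that comparison will fail for those merchants (or pass if it tolerates an empty value); read it with the default `sanitize_text_field` and keep `sanitize_email` for `receiver_email` and `payer_email`, which are always addresses. Sanitizing these fields does not substitute for the IPN validation round-trip back to PayPal, which must gate everything below and is outside this hunk.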
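--- a/services/stripe-webhook.php
+++ b/services/stripe-webhook.php
@@ -44,11 +44,11 @@
 
 //get the id
 if(!empty($post_event))
-$event_id = $post_event->id;
+$event_id = sanitize_text_field($post_event->id);
 }
 else
 {
-$event_id = $_REQUEST['event_id'];
+$event_id = sanitize_text_field($_REQUEST['event_id']);
 }
 
 //get the event through the API now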
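Review bot: On the fallback path at line 51 `event_id` comes straight from `$_REQUEST`, and `sanitize_text_field()` still admits arbitrary text that the next step sends to the Stripe API as an event lookup. Because the event is re-fetched from Stripe (per the comment on line 54) the data itself is trustworthy, so the residual risk is junk API calls rather than forged events; a cheap format check before the fetch, e.g. `if ( ! preg_match( '/^evt_[A-Za-z0-9]+$/', $event_id ) ) { pmpro_stripeWebhookExit(); }` using whatever exit helper this file defines, keeps the unauthenticated GET path from reaching the API at all. Stripe event ids are `evt_` followed by alphanumerics in my experience; confirm against the current API reference.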
services/twocheckout-ins.php
CHANGED
@@ -35,6 +35,7 @@
|
|
35 |
$txn_id = pmpro_getParam( 'sale_id', 'REQUEST' );
|
36 |
$recurring = pmpro_getParam( 'recurring', 'REQUEST' );
|
37 |
$order_id = pmpro_getParam( 'merchant_order_id', 'REQUEST' );
|
|
|
38 |
if(empty($order_id))
|
39 |
$order_id = pmpro_getParam( 'vendor_order_id', 'REQUEST' );
|
40 |
$product_id = pmpro_getParam( 'item_id_1', 'REQUEST' ); // Should be item 0 or 1?
|
@@ -43,7 +44,7 @@
|
|
43 |
$invoice_status = pmpro_getParam( 'invoice_status', 'REQUEST' ); // On single we need to check for deposited
|
44 |
$fraud_status = pmpro_getParam( 'fraud_status', 'REQUEST' ); // Check fraud status?
|
45 |
$invoice_list_amount = pmpro_getParam( 'invoice_list_amount', 'REQUEST' ); // Price paid by customer in seller currency code
|
46 |
-
$customer_email = pmpro_getParam( 'customer_email', 'REQUEST' );
|
47 |
|
48 |
// No message = return processing
|
49 |
if( empty($message_type) ) {
|
@@ -58,7 +59,7 @@
|
|
58 |
if( ! empty ( $morder ) && ! empty ( $morder->status ) && $morder->status === 'success' ) {
|
59 |
inslog( "Checkout was already processed (" . $morder->code . "). Ignoring this request." );
|
60 |
}
|
61 |
-
elseif (pmpro_insChangeMembershipLevel( $
|
62 |
inslog( "Checkout processed (" . $morder->code . ") success!" );
|
63 |
}
|
64 |
else {
|
35 |
$txn_id = pmpro_getParam( 'sale_id', 'REQUEST' );
|
36 |
$recurring = pmpro_getParam( 'recurring', 'REQUEST' );
|
37 |
$order_id = pmpro_getParam( 'merchant_order_id', 'REQUEST' );
|
38 |
+
$order_number = pmpro_getParam( 'order_number', 'REQUEST' );
|
39 |
if(empty($order_id))
|
40 |
$order_id = pmpro_getParam( 'vendor_order_id', 'REQUEST' );
|
41 |
$product_id = pmpro_getParam( 'item_id_1', 'REQUEST' ); // Should be item 0 or 1?
|
44 |
$invoice_status = pmpro_getParam( 'invoice_status', 'REQUEST' ); // On single we need to check for deposited
|
45 |
$fraud_status = pmpro_getParam( 'fraud_status', 'REQUEST' ); // Check fraud status?
|
46 |
$invoice_list_amount = pmpro_getParam( 'invoice_list_amount', 'REQUEST' ); // Price paid by customer in seller currency code
|
47 |
+
$customer_email = pmpro_getParam( 'customer_email', 'REQUEST', '', 'sanitize_email' );
|
48 |
|
49 |
// No message = return processing
|
50 |
if( empty($message_type) ) {
|
59 |
if( ! empty ( $morder ) && ! empty ( $morder->status ) && $morder->status === 'success' ) {
|
60 |
inslog( "Checkout was already processed (" . $morder->code . "). Ignoring this request." );
|
61 |
}
|
62 |
+
elseif (pmpro_insChangeMembershipLevel( $order_number, $morder ) ) {
|
63 |
inslog( "Checkout processed (" . $morder->code . ") success!" );
|
64 |
}
|
65 |
else {
|
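Review bot: `$order_number` is read from the request via `pmpro_getParam()` on line 38 and handed to `pmpro_insChangeMembershipLevel( $order_number, $morder )` on line 62, so it now steers a membership change; 2Checkout INS messages carry an `md5_hash` computed over the sale id, vendor id, invoice id and secret word, and that verification, which is not visible in this hunk, must run before any of these values are acted on. The removed line 61 is truncated in this rendering, so I cannot tell what the first argument was before; if it changed from `$order_id`, that is worth stating in the changelog. Note also that `pmpro_getParam()` uses `!empty()`, so an `order_number` of `"0"` reads as missing and falls back to `''`.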