WP eCommerce - Version 3.8.6.1

Version Description

Fix: Security vulnerability in chronopay.


Release Info

Developer garyc40
Version 3.8.6.1

Code changes from version 3.8.6 to 3.8.6.1

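--- a/readme.txt
+++ b/readme.txt
@@ -4,7 +4,7 @@ Donate link: http://getshopped.org
 Tags: e-commerce, wp-e-commerce, shop, cart, paypal, authorize, stock control, ecommerce, shipping, tax
 Requires at least: 3.0
 Tested up to: 3.2
-Stable tag: 3.8.6
+Stable tag: 3.8.6.1
 
 WP e-Commerce is a free WordPress Shopping Cart Plugin that lets customers buy your products, services and digital downloads online.
 
@@ -64,7 +64,7 @@ Features:
 * Integrates with Google Base
 * Integrates with Campaign Monitor for advanced email marketing
 * Integrates with Intense Debate for shared comments
-* Mail Chimp integration coming soon
+* Mail Chimp integration coming soon
 
 = Search Engine Optimization =
 * 100% Search Engine Friendly
@@ -156,6 +156,9 @@ After upgrading from earlier versions look for link "Update Store". This will up
 
 
 == Changelog ==
+= 3.8.6.1 =
+Fix: Security vulnerability in chronopay.
+
 = 3.8.6 =
 * New: Filter for 'wpsc_display_product_multicurrency'.
 * New: Additional filters for compatibility with WPML.
@@ -184,6 +187,7 @@ After upgrading from earlier versions look for link "Update Store". This will up
 * Fix: Checking (or unchecking) Stock checkbox when editing product causes variation table columns to break.
 * Fix: jQuery 1.6 incompatibility with attr( 'className' ).
 
+
 = 3.8.5 =
 * New: Added hooks to support WPML.
 * New: Links to WP e-Commerce documentation for individual payment gateways.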
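--- a/wp-shopping-cart.php
+++ b/wp-shopping-cart.php
@@ -3,7 +3,7 @@
  * Plugin Name: WP e-Commerce
  * Plugin URI: http://getshopped.org/
  * Description: A plugin that provides a WordPress Shopping Cart. See also: <a href="http://getshopped.org" target="_blank">GetShopped.org</a> | <a href="http://getshopped.org/forums/" target="_blank">Support Forum</a> | <a href="http://docs.getshopped.org/" target="_blank">Documentation</a>
- * Version: 3.8.6
+ * Version: 3.8.6.1
  * Author: Instinct Entertainment
  * Author URI: http://getshopped.org/
  **/
@@ -12,7 +12,7 @@
  * WP_eCommerce
  *
  * Main WPEC Plugin Class
- *
+ *
  * @package wp-e-commerce
  */
 class WP_eCommerce {
@@ -54,7 +54,7 @@ class WP_eCommerce {
 // Define the URL to the plugin folder
 define( 'WPSC_FOLDER', dirname( plugin_basename( __FILE__ ) ) );
 define( 'WPSC_URL', plugins_url( '', __FILE__ ) );
-
+
 //load text domain
 if( !load_plugin_textdomain( 'wpsc', false, '../languages/' ) )
 load_plugin_textdomain( 'wpsc', false, dirname( plugin_basename( __FILE__ ) ) . '/wpsc-languages/' );
@@ -99,7 +99,7 @@ class WP_eCommerce {
 require_once( WPSC_FILE_PATH . '/wpsc-core/wpsc-functions.php' );
 require_once( WPSC_FILE_PATH . '/wpsc-core/wpsc-installer.php' );
 require_once( WPSC_FILE_PATH . '/wpsc-core/wpsc-includes.php' );
-
+
 // Any additional file includes can hook in here
 do_action( 'wpsc_includes' );
 }
@@ -125,10 +125,10 @@ class WP_eCommerce {
 
 // Load the purchase log statuses
 wpsc_core_load_purchase_log_statuses();
-
+
 // Load unique names and checout form types
 wpsc_core_load_checkout_data();
-
+
 // Load the gateways
 wpsc_core_load_gateways();
 
@@ -156,7 +156,7 @@ class WP_eCommerce {
 require_once( WPSC_FILE_PATH . '/wpsc-core/wpsc-installer.php' );
 $this->constants();
 wpsc_install();
-
+
 }
 }
 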
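--- a/wpsc-core/wpsc-constants.php
+++ b/wpsc-core/wpsc-constants.php
@@ -26,9 +26,9 @@ function wpsc_core_constants() {
 if(!defined('WPSC_URL'))
 define( 'WPSC_URL', plugins_url( '', __FILE__ ) );
 // Define Plugin version
-define( 'WPSC_VERSION', '3.8.6' );
-define( 'WPSC_MINOR_VERSION', '419073' );
-define( 'WPSC_PRESENTABLE_VERSION', '3.8.6' );
+define( 'WPSC_VERSION', '3.8.6.1' );
+define( 'WPSC_MINOR_VERSION', '438283' );
+define( 'WPSC_PRESENTABLE_VERSION', '3.8.6.1' );
 
 // Define Debug Variables for developers
 define( 'WPSC_DEBUG', false );
@@ -304,7 +304,7 @@ function wpsc_core_setup_globals() {
 
 // Include a file named after the current theme, if one exists
 if ( !empty( $selected_theme ) && file_exists( WPSC_THEMES_PATH . $selected_theme . '/' . $selected_theme . '.php' ) )
-include_once( WPSC_THEMES_PATH . $selected_theme . '/' . $selected_theme . '.php' );
+include_once( WPSC_THEMES_PATH . $selected_theme . '/' . $selected_theme . '.php' );
 require_once( WPSC_FILE_PATH . '/wpsc-includes/shipping.helper.php');
 $wpec_ash = new ASH();
 }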
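--- a/wpsc-merchants/chronopay.php
+++ b/wpsc-merchants/chronopay.php
@@ -15,11 +15,11 @@ function gateway_chronopay($separator, $sessionid)
 $purchase_log = $wpdb->get_results($purchase_log_sql,ARRAY_A) ;
 
 $cart_sql = "SELECT * FROM `".WPSC_TABLE_CART_CONTENTS."` WHERE `purchaseid`='".$purchase_log[0]['id']."'";
-$cart = $wpdb->get_results($cart_sql,ARRAY_A) ;
-
+$cart = $wpdb->get_results($cart_sql,ARRAY_A) ;
+
 // ChronoPay post variables
 $chronopay_url = get_option('chronopay_url');
-
+
 $data['product_id'] = get_option('chronopay_product_id');
 $data['product_name'] = get_option('chronopay_product_name');
 $data['product_price_currency'] = get_option('chronopay_curcode');
@@ -30,31 +30,31 @@ function gateway_chronopay($separator, $sessionid)
 $data['cs1'] = $sessionid;
 $data['cs2'] = 'chronopay';
 $salt = get_option('chronopay_salt');
-$data['cs3'] = md5($salt . md5($sessionid . $salt)); // placed in here for security so that the return call can be validated as 'real'
-
-// User details
+$data['cs3'] = md5($salt . md5($sessionid . $salt)); // placed in here for security so that the return call can be validated as 'real'
+
+// User details
 if($_POST['collected_data'][get_option('chronopay_form_first_name')] != '')
-{
+{
 $data['f_name'] = $_POST['collected_data'][get_option('chronopay_form_first_name')];
 }
 if($_POST['collected_data'][get_option('chronopay_form_last_name')] != "")
-{
+{
 $data['s_name'] = $_POST['collected_data'][get_option('chronopay_form_last_name')];
 }
 if($_POST['collected_data'][get_option('chronopay_form_address')] != '')
-{
-$data['street'] = str_replace("\n",', ', $_POST['collected_data'][get_option('chronopay_form_address')]);
+{
+$data['street'] = str_replace("\n",', ', $_POST['collected_data'][get_option('chronopay_form_address')]);
 }
 if($_POST['collected_data'][get_option('chronopay_form_city')] != '')
 {
-$data['city'] = $_POST['collected_data'][get_option('chronopay_form_city')];
+$data['city'] = $_POST['collected_data'][get_option('chronopay_form_city')];
 }
 if(preg_match("/^[a-zA-Z]{2}$/",$_SESSION['selected_country']))
-{
+{
 $data['country'] = $_SESSION['selected_country'];
-}
+}
 
-// Change suggested by waxfeet@gmail.com, if email to be sent is not there, dont send an email address
+// Change suggested by waxfeet@gmail.com, if email to be sent is not there, dont send an email address
 $email_data = $wpdb->get_results("SELECT `id`,`type` FROM `".WPSC_TABLE_CHECKOUT_FORMS."` WHERE `type` IN ('email') AND `active` = '1'",ARRAY_A);
 foreach((array)$email_data as $email)
 {
@@ -64,30 +64,30 @@ function gateway_chronopay($separator, $sessionid)
 {
 $data['email'] = $_POST['collected_data'][get_option('email_form_field')];
 }
-
-
+
+
 // Get Currency details abd price
 $currency_code = $wpdb->get_results("SELECT `code` FROM `".WPSC_TABLE_CURRENCY_LIST."` WHERE `id`='".get_option('currency_type')."' LIMIT 1",ARRAY_A);
 $local_currency_code = $currency_code[0]['code'];
 $chronopay_currency_code = get_option('chronopay_curcode');
-
-// ChronoPay only processes in the set currency. This is USD or EUR dependent on what the Chornopay account is set up with.
+
+// ChronoPay only processes in the set currency. This is USD or EUR dependent on what the Chornopay account is set up with.
 // This must match the ChronoPay settings set up in wordpress. Convert to the chronopay currency and calculate total.
 $curr=new CURRENCYCONVERTER();
 $decimal_places = 2;
 $total_price = 0;
-
+
 $i = 1;
-
+
 $all_donations = true;
 $all_no_shipping = true;
-
+
 foreach($cart as $item)
 {
 $product_data = $wpdb->get_results("SELECT * FROM `" . $wpdb->posts . "` WHERE `id`='".$item['prodid']."' LIMIT 1",ARRAY_A);
 $product_data = $product_data[0];
 $variation_count = count($product_variations);
-
+
 $variation_sql = "SELECT * FROM `".WPSC_TABLE_CART_ITEM_VARIATIONS."` WHERE `cart_id`='".$item['id']."'";
 $variation_data = $wpdb->get_results($variation_sql,ARRAY_A);
 $variation_count = count($variation_data);
@@ -104,7 +104,7 @@ function gateway_chronopay($separator, $sessionid)
 }
 $value_id = $variation['venue_id'];
 $value_data = $wpdb->get_results("SELECT * FROM `".WPSC_TABLE_VARIATION_VALUES."` WHERE `id`='".$value_id."' LIMIT 1",ARRAY_A);
-$variation_list .= $value_data[0]['name'];
+$variation_list .= $value_data[0]['name'];
 $j++;
 }
 $variation_list .= ")";
@@ -159,8 +159,8 @@ function gateway_chronopay($separator, $sessionid)
 }
 
 $data['product_price'] = $total_price;
-
-
+
+
 if(WPSC_GATEWAY_DEBUG == true ) {
 exit("<pre>".print_r($data,true)."</pre>");
 }
@@ -169,25 +169,25 @@ function gateway_chronopay($separator, $sessionid)
 // Create Form to post to ChronoPay
 $output = "
 <form id=\"chronopay_form\" name=\"chronopay_form\" method=\"post\" action=\"$chronopay_url\">\n";
-
+
 foreach($data as $n=>$v) {
 $output .= " <input type=\"hidden\" name=\"$n\" value=\"$v\" />\n";
 }
-
+
 $output .= " <input type=\"submit\" value=\"Continue to ChronoPay\" />
 </form>
 ";
 
-// echo form..
+// echo form..
 if( get_option('chronopay_debug') == 1)
 {
 echo ("DEBUG MODE ON!!<br/>");
 echo("The following form is created and would be posted to ChronoPay for processing. Press submit to continue:<br/>");
 echo("<pre>".htmlspecialchars($output)."</pre>");
 }
-
+
 echo($output);
-
+
 if(get_option('chronopay_debug') == 0)
 {
 echo "<script language=\"javascript\" type=\"text/javascript\">document.getElementById('chronopay_form').submit();</script>";
@@ -195,7 +195,7 @@ function gateway_chronopay($separator, $sessionid)
 
 exit();
 }
-
+
 function nzshpcrt_chronopay_callback()
 {
 global $wpdb;
@@ -206,14 +206,14 @@ function nzshpcrt_chronopay_callback()
 // This is a call from chronopay. validate that it is from a chronopay server in the and process.
 // validate cs3 variable to see if it makes sense for security
 $salt = get_option('chronopay_salt');
-$gen_hash = md5($salt . md5($_POST['cs1'] . $salt));
-
+$gen_hash = md5($salt . md5($_POST['cs1'] . $salt));
+
 if($gen_hash == $_POST['cs3'])
 {
 // Added in to fake a TX number for testing. ChronoPay dev accounts do not return a trans_id.
 //if($_POST['transaction_id'] == '')
 // $_POST['transaction_id'] = 'testid123123';
-
+
 // process response.
 $sessionid = trim(stripslashes($_POST['cs1']));
 $transaction_id = trim(stripslashes($_POST['transaction_id']));
@@ -225,41 +225,42 @@ function nzshpcrt_chronopay_callback()
 case 'onetime': // All successful processing statuses.
 case 'initial':
 case 'rebill':
-$wpdb->query("UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET
-`processed` = '2',
-`transactid` = '".$transaction_id."',
-`date` = '".time()."'
-WHERE `sessionid` = ".$sessionid." LIMIT 1");
-
+$data = array(
+'processed' => 2,
+'transactid' => $transact_id,
+'date' => time(),
+);
+$where = array( 'sessionid' => $sessionid );
+$format = array( '%d', '%s', '%s' );
+$wpdb->update( WPSC_TABLE_PURCHASE_LOGS, $data, $where, $format );
 transaction_results($sessionid, false, $transaction_id);
-break;
-
+break;
+
 case 'decline': // if it fails, delete it
-$log_id = $wpdb->get_var("SELECT `id` FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE `sessionid`='$sessionid' LIMIT 1");
-$delete_log_form_sql = "SELECT * FROM `".WPSC_TABLE_CART_CONTENTS."` WHERE `purchaseid`='$log_id'";
+$log_id = $wpdb->get_var( $wpdb->prepare( "SELECT `id` FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE `sessionid`=%s LIMIT 1", $sessionid ) );
+$delete_log_form_sql = $wpdb->prepare( "SELECT * FROM `".WPSC_TABLE_CART_CONTENTS."` WHERE `purchaseid`=%d", $log_id );
 $cart_content = $wpdb->get_results($delete_log_form_sql,ARRAY_A);
 foreach((array)$cart_content as $cart_item)
 {
-$cart_item_variations = $wpdb->query("DELETE FROM `".WPSC_TABLE_CART_ITEM_VARIATIONS."` WHERE `cart_id` = '".$cart_item['id']."'", ARRAY_A);
+$cart_item_variations = $wpdb->query( $wpdb->prepare( "DELETE FROM `".WPSC_TABLE_CART_ITEM_VARIATIONS."` WHERE `cart_id` = %d", $cart_item['id'] ), ARRAY_A);
 }
-$wpdb->query("DELETE FROM `".WPSC_TABLE_CART_CONTENTS."` WHERE `purchaseid`='$log_id'");
-$wpdb->query("DELETE FROM `".WPSC_TABLE_SUBMITED_FORM_DATA."` WHERE `log_id` IN ('$log_id')");
-$wpdb->query("DELETE FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE `id`='$log_id' LIMIT 1");
+$wpdb->query( $wpdb->prepare( "DELETE FROM `".WPSC_TABLE_CART_CONTENTS."` WHERE `purchaseid`=%d", $log_id ) );
+$wpdb->query( $wpdb->prepare( "DELETE FROM `".WPSC_TABLE_SUBMITED_FORM_DATA."` WHERE `log_id` IN ( %d )", $log_id ) );
+$wpdb->query( $wpdb->prepare( "DELETE FROM `".WPSC_TABLE_PURCHASE_LOGS."` WHERE `id`=%d LIMIT 1", $log_id ) );
 break;
-
+
 case 'Pending': // need to wait for "Completed" before processing
-$sql = "UPDATE `".WPSC_TABLE_PURCHASE_LOGS."` SET `transactid` = '".$transaction_id."', `date` = '".time()."' WHERE `sessionid` = ".$sessionid." LIMIT 1";
-$wpdb->query($sql) ;
+$wpdb->update( WPSC_TABLE_PURCHASE_LOGS, array( 'transactid' => $transaction_id, 'date' => time() ), array( 'sessionid' => $sessionid ), array( '%d', '%s' ) );
 break;
-
+
 default: // if nothing, do nothing, safest course of action here.
 break;
-
+
 }
 }
 else
 {
-// Security Hash failed!!.. notify someone..
+// Security Hash failed!!.. notify someone..
 $message = "This message has been sent because a call to your ChronoPay function was made by a server that did not have the correct security key. This could mean someone is trying to hack your payment site. The details of the call are below.\n\r\n\r";
 $message .= "OUR_POST:\n\r".print_r($header . $req,true)."\n\r\n\r";
 $message .= "THEIR_POST:\n\r".print_r($_POST,true)."\n\r\n\r";
@@ -267,7 +268,7 @@ function nzshpcrt_chronopay_callback()
 $message .= "SERVER:\n\r".print_r($_SERVER,true)."\n\r\n\r";
 mail(get_option('purch_log_email'), "ChronoPay Security Key Failed!", $message);
 }
-
+
 // If in debug, email details
 if(get_option('chronopay_debug') == 1)
 {
@@ -278,7 +279,7 @@ function nzshpcrt_chronopay_callback()
 $message .= "SERVER:\n\r".print_r($_SERVER,true)."\n\r\n\r";
 mail(get_option('purch_log_email'), "ChronoPay Data", $message);
 }
-}
+}
 }
 
 function nzshpcrt_chronopay_results()
@@ -291,27 +292,27 @@ function nzshpcrt_chronopay_results()
 }
 
 function submit_chronopay()
-{
+{
 if(isset($_POST['chronopay_product_id']))
 {
 update_option('chronopay_product_id', $_POST['chronopay_product_id']);
 }
-
+
 if(isset($_POST['chronopay_product_name']))
 {
 update_option('chronopay_product_name', $_POST['chronopay_product_name']);
 }
-
+
 if(isset($_POST['chronopay_curcode']))
 {
 update_option('chronopay_curcode', $_POST['chronopay_curcode']);
 }
-
+
 if(isset($_POST['chronopay_language']))
 {
 update_option('chronopay_language', $_POST['chronopay_language']);
 }
-
+
 if(isset($_POST['chronopay_url']))
 {
 update_option('chronopay_url', $_POST['chronopay_url']);
@@ -326,7 +327,7 @@ function submit_chronopay()
 {
 update_option('chronopay_debug', $_POST['chronopay_debug']);
 }
-
+
 if (!isset($_POST['chronopay_form'])) $_POST['chronopay_form'] = array();
 foreach((array)$_POST['chronopay_form'] as $form => $value)
 {
@@ -336,12 +337,12 @@ function submit_chronopay()
 }
 
 function form_chronopay()
-{
+{
 $select_currency[get_option('chronopay_curcode')] = "selected='selected'";
 $select_language[get_option('chronopay_language')] = "selected='selected'";
 $chronopay_url = ( get_option('chronopay_url')=='' ? 'https://secure.chronopay.com/index_shop.cgi' : get_option('chronopay_url') );
 $chronopay_salt = ( get_option('chronopay_salt')=='' ? 'changeme' : get_option('chronopay_salt') );
-
+
 $chronopay_debug = get_option('chronopay_debug');
 $chronopay_debug1 = "";
 $chronopay_debug2 = "";
@@ -354,14 +355,14 @@ function form_chronopay()
 $chronopay_debug1 = "checked ='checked'";
 break;
 }
-
-if (!isset($select_currency['USD'])) $select_currency['USD'] = '';
-if (!isset($select_currency['EUR'])) $select_currency['EUR'] = '';
+
+if (!isset($select_currency['USD'])) $select_currency['USD'] = '';
+if (!isset($select_currency['EUR'])) $select_currency['EUR'] = '';
 if (!isset($select_language['EN'])) $select_language['EN'] = '';
 if (!isset($select_language['ES'])) $select_language['ES'] = '';
 if (!isset($select_language['NL'])) $select_language['NL'] = '';
 if (!isset($select_language['RU'])) $select_language['RU'] = '';
-
+
 $output = "
 <tr>
 <td>Product ID</td>
@@ -385,7 +386,7 @@ function form_chronopay()
 <td><select name='chronopay_curcode'>
 <option ".$select_currency['USD']." value='USD'>USD - U.S. Dollar</option>
 <option ".$select_currency['EUR']." value='EUR'>EUR - Euros</option>
-</select>
+</select>
 </td>
 </tr>
 <tr>
@@ -399,7 +400,7 @@ function form_chronopay()
 <option ".$select_language['ES']." value='ES'>Spanish</option>
 <option ".$select_language['NL']." value='NL'>Dutch</option>
 <option ".$select_language['RU']." value='RU'>Russian</option>
-</select>
+</select>
 </td>
 </tr>
 <tr>
@@ -441,8 +442,8 @@ function form_chronopay()
 <td>&nbsp;</td>
 <td><small>Debug mode is used to write HTTP communications between the ChronoPay server and your host to a log file. This should only be activated for testing!</small></td>
 </tr>
-
-
+
+
 <tr class='update_gateway' >
 <td colspan='2'>
 <div class='submit'>
@@ -450,13 +451,13 @@ function form_chronopay()
 </div>
 </td>
 </tr>
-
+
 <tr class='firstrowth'>
 <td style='border-bottom: medium none;' colspan='2'>
 <strong class='form_group'>Forms Sent to Gateway</strong>
 </td>
 </tr>
-
+
 <tr>
 <td>First Name Field</td>
 <td><select name='chronopay_form[first_name]'>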
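Review bot: `'transactid' => $transact_id,` in the new `$data` array of the onetime/initial/rebill case (hunk @@ -225,41 +225,42 @@) reads a variable that is not assigned anywhere in the visible hunks; the value taken from the callback is `$transaction_id` (assigned from `$_POST['transaction_id']` earlier in the function and used correctly by the Pending case), so successful orders are likely written with an empty transaction id — change it to `'transactid' => $transaction_id,`. The Pending case's positional `$format` also looks inverted: `array( '%d', '%s' )` applies `%d` to `transactid` and `%s` to `date`, the reverse of the `%s` the onetime case uses for `transactid`, so a non-numeric ChronoPay id would be coerced to 0; `array( '%s', '%s' )` appears to be what was intended. Separately, the retained `if($gen_hash == $_POST['cs3'])` compares the two hex digests loosely, and a strict comparison (`===`, or `hash_equals()` where the supported PHP version allows it) avoids PHP's numeric-string coercion on `==`. The enclosing `switch` and `nzshpcrt_chronopay_callback()` begin before this hunk.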