Issues in subscriptions.php (release-2.1) - Issues in release-2.1 - SimpleMachines/SMF2.1 - Measure and Improve Code Quality continuously with Scrutinizer

Issues (1014)

subscriptions.php (2 issues)

Labels

Best Practice 1

Severity

<?php

/**
 * This file is the file which all subscription gateways should call
 * when a payment has been received - it sorts out the user status.
 *
 * Simple Machines Forum (SMF)
 *
 * @package SMF
 * @author Simple Machines https://www.simplemachines.org
 * @copyright 2022 Simple Machines and individual contributors
 * @license https://www.simplemachines.org/about/smf/license.php BSD
 *
 * @version 2.1.2
 */

// Set this to true to always log $_POST info received from payment gateways.
$paid_debug = false;

// Start things rolling by getting SMF alive...
$ssi_guest_access = true;
if (!file_exists(dirname(__FILE__) . '/SSI.php'))
	die('Cannot find SSI.php');

require_once(dirname(__FILE__) . '/SSI.php');
require_once($sourcedir . '/ManagePaid.php');

// For any admin emailing.
require_once($sourcedir . '/Subs-Admin.php');

// Ensure we don't trip over disabled internal functions
if (version_compare(PHP_VERSION, '8.0.0', '>='))
	require_once($sourcedir . '/Subs-Compat.php');

loadLanguage('ManagePaid');

// If there's literally nothing coming in, let's take flight!
if (empty($_POST))
{
	header('content-type: text/html; charset=' . (empty($modSettings['global_character_set']) ? (empty($txt['lang_character_set']) ? 'ISO-8859-1' : $txt['lang_character_set']) : $modSettings['global_character_set']));
	die($txt['paid_no_data']);
}

// I assume we're even active?
if (empty($modSettings['paid_enabled']))
	exit;

// If we have some custom people who find out about problems load them here.
$notify_users = array();
if (!empty($modSettings['paid_email_to']))
{
	foreach (explode(',', $modSettings['paid_email_to']) as $email)
		$notify_users[] = array(
			'email' => $email,
			'name' => $txt['who_member'],
			'id' => 0,
		);
}

// We need to see whether we can find the correct payment gateway,
// we'll going to go through all our gateway scripts and find out
// if they are happy with what we have.
$txnType = '';
$gatewayHandles = loadPaymentGateways();
foreach ($gatewayHandles as $gateway)
{
	$gatewayClass = new $gateway['payment_class']();
	if ($gatewayClass->isValid())
	{
		$txnType = $gateway['code'];
		break;
	}
}

if (empty($txnType))
	generateSubscriptionError($txt['paid_unknown_transaction_type']);

// Get the subscription and member ID, amongst others...
@list($subscription_id, $member_id) = $gatewayClass->precheck();

// Integer these just in case.
$subscription_id = (int) $subscription_id;
$member_id = (int) $member_id;

// This would be bad...
if (empty($member_id))
	generateSubscriptionError($txt['paid_empty_member']);

// Verify the member.
$request = $smcFunc['db_query']('', '
	SELECT id_member, member_name, real_name, email_address
	FROM {db_prefix}members
	WHERE id_member = {int:current_member}',
	array(
		'current_member' => $member_id,
	)
);
// Didn't find them?
if ($smcFunc['db_num_rows']($request) === 0)
	generateSubscriptionError(sprintf($txt['paid_could_not_find_member'], $member_id));
$member_info = $smcFunc['db_fetch_assoc']($request);
$smcFunc['db_free_result']($request);

// Get the subscription details.
$request = $smcFunc['db_query']('', '
	SELECT cost, length, name
	FROM {db_prefix}subscriptions
	WHERE id_subscribe = {int:current_subscription}',
	array(
		'current_subscription' => $subscription_id,
	)
);

// Didn't find it?
if ($smcFunc['db_num_rows']($request) === 0)
	generateSubscriptionError(sprintf($txt['paid_count_not_find_subscription'], $member_id, $subscription_id));

$subscription_info = $smcFunc['db_fetch_assoc']($request);
$smcFunc['db_free_result']($request);

// We wish to check the pending payments to make sure we are expecting this.
$request = $smcFunc['db_query']('', '
	SELECT id_sublog, payments_pending, pending_details, end_time
	FROM {db_prefix}log_subscribed
	WHERE id_subscribe = {int:current_subscription}
		AND id_member = {int:current_member}
	LIMIT 1',
	array(
		'current_subscription' => $subscription_id,
		'current_member' => $member_id,
	)
);
if ($smcFunc['db_num_rows']($request) === 0)
	generateSubscriptionError(sprintf($txt['paid_count_not_find_subscription_log'], $member_id, $subscription_id));
$subscription_info += $smcFunc['db_fetch_assoc']($request);
$smcFunc['db_free_result']($request);

// Is this a refund etc?
if ($gatewayClass->isRefund())
{
	// If the end time subtracted by current time, is not greater
	// than the duration (ie length of subscription), then we close it.
	if ($subscription_info['end_time'] - time() < $subscription_info['length'])
	{
		// Delete user subscription.
		removeSubscription($subscription_id, $member_id);
		$subscription_act = time();
		$status = 0;
	}
	else
	{
		loadSubscriptions();
		$subscription_act = $subscription_info['end_time'] - $context['subscriptions'][$subscription_id]['num_length'];
		$status = 1;
	}

	// Mark it as complete so we have a record.
	$smcFunc['db_query']('', '
		UPDATE {db_prefix}log_subscribed
		SET end_time = {int:current_time}
		WHERE id_subscribe = {int:current_subscription}
			AND id_member = {int:current_member}
			AND status = {int:status}',
		array(
			'current_time' => $subscription_act,
			'current_subscription' => $subscription_id,
			'current_member' => $member_id,
			'status' => $status,
		)
	);

	// Receipt?
	if (!empty($modSettings['paid_email']) && $modSettings['paid_email'] == 2)
	{
		$replacements = array(
			'NAME' => $subscription_info['name'],
			'REFUNDNAME' => $member_info['member_name'],
			'REFUNDUSER' => $member_info['real_name'],
			'PROFILELINK' => $scripturl . '?action=profile;u=' . $member_id,
			'DATE' => timeformat(time(), false),
		);

		emailAdmins('paid_subscription_refund', $replacements, $notify_users);
	}

}
// Otherwise is it what we want, a purchase?
elseif ($gatewayClass->isPayment() || $gatewayClass->isSubscription())
{
	$cost = $smcFunc['json_decode']($subscription_info['cost'], true);
	$total_cost = $gatewayClass->getCost();
	$notify = false;

	// For one off's we want to only capture them once!
	if (!$gatewayClass->isSubscription())
	{
		$real_details = $smcFunc['json_decode']($subscription_info['pending_details'], true);
		if (empty($real_details))
			generateSubscriptionError(sprintf($txt['paid_count_not_find_outstanding_payment'], $member_id, $subscription_id));

		// Now we just try to find anything pending.
		// We don't really care which it is as security happens later.
		foreach ($real_details as $id => $detail)
		{
			unset($real_details[$id]);
			if ($detail[3] == 'payback' && $subscription_info['payments_pending'])
				$subscription_info['payments_pending']--;
			break;
		}

		$subscription_info['pending_details'] = empty($real_details) ? '' : $smcFunc['json_encode']($real_details);

		$smcFunc['db_query']('', '
			UPDATE {db_prefix}log_subscribed
			SET payments_pending = {int:payments_pending}, pending_details = {string:pending_details}
			WHERE id_sublog = {int:current_subscription_item}',
			array(
				'payments_pending' => $subscription_info['payments_pending'],
				'current_subscription_item' => $subscription_info['id_sublog'],
				'pending_details' => $subscription_info['pending_details'],
			)
		);
	}

	// Is this flexible?
	if ($subscription_info['length'] == 'F')
	{
		$found_duration = 0;

		// This is a little harder, can we find the right duration?
		foreach ($cost as $duration => $value)
		{
			if ($duration == 'fixed')
				continue;
			elseif ((float) $value == (float) $total_cost)
				$found_duration = strtoupper(substr($duration, 0, 1));
		}

		// If we have the duration then we're done.
		if ($found_duration !== 0)
		{
			$notify = true;
			addSubscription($subscription_id, $member_id, $found_duration);
		}
	}
	else
	{
		$actual_cost = $cost['fixed'];

		// It must be at least the right amount.
		if ($total_cost != 0 && $total_cost >= $actual_cost)
		{
			// Add the subscription.
			$notify = true;
			addSubscription($subscription_id, $member_id);
		}
	}

	// Send a receipt?
	if (!empty($modSettings['paid_email']) && $modSettings['paid_email'] == 2 && $notify)
	{
		$replacements = array(
			'NAME' => $subscription_info['name'],
			'SUBNAME' => $member_info['member_name'],
			'SUBUSER' => $member_info['real_name'],
			'SUBEMAIL' => $member_info['email_address'],
			'PRICE' => sprintf($modSettings['paid_currency_symbol'], $total_cost),
			'PROFILELINK' => $scripturl . '?action=profile;u=' . $member_id,
			'DATE' => timeformat(time(), false),
		);

		emailAdmins('paid_subscription_new', $replacements, $notify_users);
	}
}
// Maybe they're cancelling. Some subscriptions may require actively doing something, but PayPal doesn't, for example.
elseif ($gatewayClass->isCancellation())
{
	if (method_exists($gatewayClass, 'performCancel'))
		$gatewayClass->performCancel($subscription_id, $member_id, $subscription_info);
}
else
{
	// Some other "valid" transaction such as:
	//
	// subscr_signup: This IPN response (txn_type) is sent only the first time the user signs up for a subscription.
	// It then does not fire in any event later. This response is received somewhere before or after the first payment of
	// subscription is received (txn_type=subscr_payment) which is what we do process
	//
	// Should we log any of these ...
}

// In case we have anything specific to do.
$gatewayClass->close();

// Hidden setting to log the IPN info for debugging purposes.
if ($paid_debug === true)

	generateSubscriptionError($txt['subscription'], true);

/**
 * Log an error then exit
 *
 * @param string $text The error to log
 * @param bool $debug If true, won't send an email if $modSettings['paid_email'] isn't set
 * @return void
 */
function generateSubscriptionError($text, $debug = false)
{
	global $modSettings, $notify_users, $smcFunc;

	// Send an email?
	if (!empty($modSettings['paid_email']) && !$debug)
	{
		$replacements = array(
			'ERROR' => $text,
		);

		emailAdmins('paid_subscription_error', $replacements, $notify_users);
	}

	// Maybe we can try to give them the post data?
	if (!empty($_POST))
	{
		foreach ($_POST as $key => $val)
			$text .= '<br>' . $smcFunc['htmlspecialchars']($key) . ': ' . $smcFunc['htmlspecialchars']($val);
	}

	// Then just log and die.
	log_error($text, 'paidsubs');

	exit;

}

?>

1			<?php
2
3			/**
4			* This file is the file which all subscription gateways should call
5			* when a payment has been received - it sorts out the user status.
6			*
7			* Simple Machines Forum (SMF)
8			*
9			* @package SMF
10			* @author Simple Machines https://www.simplemachines.org
11			* @copyright 2022 Simple Machines and individual contributors
12			* @license https://www.simplemachines.org/about/smf/license.php BSD
13			*
14			* @version 2.1.2
15			*/
16
17			// Set this to true to always log $_POST info received from payment gateways.
18			$paid_debug = false;
19
20			// Start things rolling by getting SMF alive...
21			$ssi_guest_access = true;
22			if (!file_exists(dirname(__FILE__) . '/SSI.php'))
23			die('Cannot find SSI.php');
24
25			require_once(dirname(__FILE__) . '/SSI.php');
26			require_once($sourcedir . '/ManagePaid.php');
27
28			// For any admin emailing.
29			require_once($sourcedir . '/Subs-Admin.php');
30
31			// Ensure we don't trip over disabled internal functions
32			if (version_compare(PHP_VERSION, '8.0.0', '>='))
33			require_once($sourcedir . '/Subs-Compat.php');
34
35			loadLanguage('ManagePaid');
36
37			// If there's literally nothing coming in, let's take flight!
38			if (empty($_POST))
39			{
40			header('content-type: text/html; charset=' . (empty($modSettings['global_character_set']) ? (empty($txt['lang_character_set']) ? 'ISO-8859-1' : $txt['lang_character_set']) : $modSettings['global_character_set']));
41			die($txt['paid_no_data']);
42			}
43
44			// I assume we're even active?
45			if (empty($modSettings['paid_enabled']))
46			exit;
47
48			// If we have some custom people who find out about problems load them here.
49			$notify_users = array();
50			if (!empty($modSettings['paid_email_to']))
51			{
52			foreach (explode(',', $modSettings['paid_email_to']) as $email)
53			$notify_users[] = array(
54			'email' => $email,
55			'name' => $txt['who_member'],
56			'id' => 0,
57			);
58			}
59
60			// We need to see whether we can find the correct payment gateway,
61			// we'll going to go through all our gateway scripts and find out
62			// if they are happy with what we have.
63			$txnType = '';
64			$gatewayHandles = loadPaymentGateways();
65			foreach ($gatewayHandles as $gateway)
66			{
67			$gatewayClass = new $gateway['payment_class']();
68			if ($gatewayClass->isValid())
69			{
70			$txnType = $gateway['code'];
71			break;
72			}
73			}
74
75			if (empty($txnType))
76			generateSubscriptionError($txt['paid_unknown_transaction_type']);
77
78			// Get the subscription and member ID, amongst others...
79			@list($subscription_id, $member_id) = $gatewayClass->precheck();
80
81			// Integer these just in case.
82			$subscription_id = (int) $subscription_id;
83			$member_id = (int) $member_id;
84
85			// This would be bad...
86			if (empty($member_id))
87			generateSubscriptionError($txt['paid_empty_member']);
88
89			// Verify the member.
90			$request = $smcFunc['db_query']('', '
91			SELECT id_member, member_name, real_name, email_address
92			FROM {db_prefix}members
93			WHERE id_member = {int:current_member}',
94			array(
95			'current_member' => $member_id,
96			)
97			);
98			// Didn't find them?
99			if ($smcFunc['db_num_rows']($request) === 0)
100			generateSubscriptionError(sprintf($txt['paid_could_not_find_member'], $member_id));
101			$member_info = $smcFunc['db_fetch_assoc']($request);
102			$smcFunc['db_free_result']($request);
103
104			// Get the subscription details.
105			$request = $smcFunc['db_query']('', '
106			SELECT cost, length, name
107			FROM {db_prefix}subscriptions
108			WHERE id_subscribe = {int:current_subscription}',
109			array(
110			'current_subscription' => $subscription_id,
111			)
112			);
113
114			// Didn't find it?
115			if ($smcFunc['db_num_rows']($request) === 0)
116			generateSubscriptionError(sprintf($txt['paid_count_not_find_subscription'], $member_id, $subscription_id));
117
118			$subscription_info = $smcFunc['db_fetch_assoc']($request);
119			$smcFunc['db_free_result']($request);
120
121			// We wish to check the pending payments to make sure we are expecting this.
122			$request = $smcFunc['db_query']('', '
123			SELECT id_sublog, payments_pending, pending_details, end_time
124			FROM {db_prefix}log_subscribed
125			WHERE id_subscribe = {int:current_subscription}
126			AND id_member = {int:current_member}
127			LIMIT 1',
128			array(
129			'current_subscription' => $subscription_id,
130			'current_member' => $member_id,
131			)
132			);
133			if ($smcFunc['db_num_rows']($request) === 0)
134			generateSubscriptionError(sprintf($txt['paid_count_not_find_subscription_log'], $member_id, $subscription_id));
135			$subscription_info += $smcFunc['db_fetch_assoc']($request);
136			$smcFunc['db_free_result']($request);
137
138			// Is this a refund etc?
139			if ($gatewayClass->isRefund())
140			{
141			// If the end time subtracted by current time, is not greater
142			// than the duration (ie length of subscription), then we close it.
143			if ($subscription_info['end_time'] - time() < $subscription_info['length'])
144			{
145			// Delete user subscription.
146			removeSubscription($subscription_id, $member_id);
147			$subscription_act = time();
148			$status = 0;
149			}
150			else
151			{
152			loadSubscriptions();
153			$subscription_act = $subscription_info['end_time'] - $context['subscriptions'][$subscription_id]['num_length'];
154			$status = 1;
155			}
156
157			// Mark it as complete so we have a record.
158			$smcFunc['db_query']('', '
159			UPDATE {db_prefix}log_subscribed
160			SET end_time = {int:current_time}
161			WHERE id_subscribe = {int:current_subscription}
162			AND id_member = {int:current_member}
163			AND status = {int:status}',
164			array(
165			'current_time' => $subscription_act,
166			'current_subscription' => $subscription_id,
167			'current_member' => $member_id,
168			'status' => $status,
169			)
170			);
171
172			// Receipt?
173			if (!empty($modSettings['paid_email']) && $modSettings['paid_email'] == 2)
174			{
175			$replacements = array(
176			'NAME' => $subscription_info['name'],
177			'REFUNDNAME' => $member_info['member_name'],
178			'REFUNDUSER' => $member_info['real_name'],
179			'PROFILELINK' => $scripturl . '?action=profile;u=' . $member_id,
180			'DATE' => timeformat(time(), false),
181			);
182
183			emailAdmins('paid_subscription_refund', $replacements, $notify_users);
184			}
185
186			}
187			// Otherwise is it what we want, a purchase?
188			elseif ($gatewayClass->isPayment() \|\| $gatewayClass->isSubscription())
189			{
190			$cost = $smcFunc['json_decode']($subscription_info['cost'], true);
191			$total_cost = $gatewayClass->getCost();
192			$notify = false;
193
194			// For one off's we want to only capture them once!
195			if (!$gatewayClass->isSubscription())
196			{
197			$real_details = $smcFunc['json_decode']($subscription_info['pending_details'], true);
198			if (empty($real_details))
199			generateSubscriptionError(sprintf($txt['paid_count_not_find_outstanding_payment'], $member_id, $subscription_id));
200
201			// Now we just try to find anything pending.
202			// We don't really care which it is as security happens later.
203			foreach ($real_details as $id => $detail)
204			{
205			unset($real_details[$id]);
206			if ($detail[3] == 'payback' && $subscription_info['payments_pending'])
207			$subscription_info['payments_pending']--;
208			break;
209			}
210
211			$subscription_info['pending_details'] = empty($real_details) ? '' : $smcFunc['json_encode']($real_details);
212
213			$smcFunc['db_query']('', '
214			UPDATE {db_prefix}log_subscribed
215			SET payments_pending = {int:payments_pending}, pending_details = {string:pending_details}
216			WHERE id_sublog = {int:current_subscription_item}',
217			array(
218			'payments_pending' => $subscription_info['payments_pending'],
219			'current_subscription_item' => $subscription_info['id_sublog'],
220			'pending_details' => $subscription_info['pending_details'],
221			)
222			);
223			}
224
225			// Is this flexible?
226			if ($subscription_info['length'] == 'F')
227			{
228			$found_duration = 0;
229
230			// This is a little harder, can we find the right duration?
231			foreach ($cost as $duration => $value)
232			{
233			if ($duration == 'fixed')
234			continue;
235			elseif ((float) $value == (float) $total_cost)
236			$found_duration = strtoupper(substr($duration, 0, 1));
237			}
238
239			// If we have the duration then we're done.
240			if ($found_duration !== 0)
241			{
242			$notify = true;
243			addSubscription($subscription_id, $member_id, $found_duration);
244			}
245			}
246			else
247			{
248			$actual_cost = $cost['fixed'];
249
250			// It must be at least the right amount.
251			if ($total_cost != 0 && $total_cost >= $actual_cost)
252			{
253			// Add the subscription.
254			$notify = true;
255			addSubscription($subscription_id, $member_id);
256			}
257			}
258
259			// Send a receipt?
260			if (!empty($modSettings['paid_email']) && $modSettings['paid_email'] == 2 && $notify)
261			{
262			$replacements = array(
263			'NAME' => $subscription_info['name'],
264			'SUBNAME' => $member_info['member_name'],
265			'SUBUSER' => $member_info['real_name'],
266			'SUBEMAIL' => $member_info['email_address'],
267			'PRICE' => sprintf($modSettings['paid_currency_symbol'], $total_cost),
268			'PROFILELINK' => $scripturl . '?action=profile;u=' . $member_id,
269			'DATE' => timeformat(time(), false),
270			);
271
272			emailAdmins('paid_subscription_new', $replacements, $notify_users);
273			}
274			}
275			// Maybe they're cancelling. Some subscriptions may require actively doing something, but PayPal doesn't, for example.
276			elseif ($gatewayClass->isCancellation())
277			{
278			if (method_exists($gatewayClass, 'performCancel'))
279			$gatewayClass->performCancel($subscription_id, $member_id, $subscription_info);
280			}
281			else
282			{
283			// Some other "valid" transaction such as:
284			//
285			// subscr_signup: This IPN response (txn_type) is sent only the first time the user signs up for a subscription.
286			// It then does not fire in any event later. This response is received somewhere before or after the first payment of
287			// subscription is received (txn_type=subscr_payment) which is what we do process
288			//
289			// Should we log any of these ...
290			}
291
292			// In case we have anything specific to do.
293			$gatewayClass->close();
294
295			// Hidden setting to log the IPN info for debugging purposes.
296			if ($paid_debug === true)
			0 ignored issues – show introduced 2019-09-07 23:16 UTC by Report Bug Copy Issue Report Show Similar Issues like this The condition `$paid_debug === true` is always `false`. Loading history...
297			generateSubscriptionError($txt['subscription'], true);
298
299			/**
300			* Log an error then exit
301			*
302			* @param string $text The error to log
303			* @param bool $debug If true, won't send an email if $modSettings['paid_email'] isn't set
304			* @return void
305			*/
306			function generateSubscriptionError($text, $debug = false)
307			{
308			global $modSettings, $notify_users, $smcFunc;
309
310			// Send an email?
311			if (!empty($modSettings['paid_email']) && !$debug)
312			{
313			$replacements = array(
314			'ERROR' => $text,
315			);
316
317			emailAdmins('paid_subscription_error', $replacements, $notify_users);
318			}
319
320			// Maybe we can try to give them the post data?
321			if (!empty($_POST))
322			{
323			foreach ($_POST as $key => $val)
324			$text .= '<br>' . $smcFunc['htmlspecialchars']($key) . ': ' . $smcFunc['htmlspecialchars']($val);
325			}
326
327			// Then just log and die.
328			log_error($text, 'paidsubs');
329
330			exit;
			0 ignored issues – show Best Practice introduced 2018-10-21 22:13 UTC by Report Bug Copy Issue Report Show Similar Issues like this Using `exit` here is not recommended. In general, usage of exit should be done with care and only when running in a scripting context like a CLI script. Loading history...
331			}
332
333			?>

SimpleMachines / SMF2.1

Issues (1014)

subscriptions.php (2 issues)

Labels

Severity

Introduced By

Duplication Side-by-Side

Filter issues like