From 3f7c17d9b1e1a6d3a5628e159d36fe868d8a7781 Mon Sep 17 00:00:00 2001
From: Ibnu Maksum
Date: Sun, 11 Aug 2024 19:54:33 +0700
Subject: [PATCH] case sensitive voucher check

---
 radius.php | 6 ++++--
 system/controllers/login.php | 8 ++++----
 system/controllers/plan.php | 8 ++++----
 system/controllers/voucher.php | 17 ++++++++---------
 4 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/radius.php b/radius.php
index 2c6d9c1..a8d3d92 100644
--- a/radius.php
+++ b/radius.php
@@ -64,7 +64,8 @@ try {
 }
 }
 if ($username == $password) {
- $d = ORM::for_table('tbl_voucher')->where('code', $username)->find_one();
+ $username = Text::alphanumeric($username, "-_.,");
+ $d = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$username'")->find_one();
 } else {
 $d = ORM::for_table('tbl_customers')->where('username', $username)->find_one();
 if ($d['password'] != $password) {
@@ -127,7 +128,8 @@ try {
 process_radiust_rest($tur, $code);
 } else {
 if ($isVoucher) {
- $v = ORM::for_table('tbl_voucher')->where('code', $username)->where('routers', 'radius')->find_one();
+ $username = Text::alphanumeric($username, "-_.,");
+ $v = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$username'")->where('routers', 'radius')->find_one();
 if ($v) {
 if ($v['status'] == 0) {
 if (Package::rechargeUser(0, $v['routers'], $v['id_plan'], "Voucher", $username)) {
diff --git a/system/controllers/login.php b/system/controllers/login.php
index eba9f39..e44da6d 100644
--- a/system/controllers/login.php
+++ b/system/controllers/login.php
@@ -57,7 +57,7 @@ switch ($do) {
 case 'activation':
 if (!empty(_post('voucher_only'))) {
- $voucher = _post('voucher_only');
+ $voucher = Text::alphanumeric(_post('voucher_only'), "-_.,");
 $tur = ORM::for_table('tbl_user_recharges')
 ->where('username', $voucher)
 ->where('customer_id', '0') // Voucher Only will make customer ID as 0
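Review bot: The added `$d = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$username'")->find_one();` line replaces a bound `where('code', ...)` with SQL built by interpolating the RADIUS-supplied username, so the query's safety now rests entirely on `Text::alphanumeric` stripping every quote and backslash — any later widening of that helper's allow-list reopens injection at this point. Idiorm's raw where accepts bound values (the plan.php hunk in this same commit passes `[$code]`), so the case-sensitive match can be kept without interpolation: `$d = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = ?", [$username])->find_one();`. The same interpolated form appears in this file's second hunk (@@ -127), in both login.php hunks that query tbl_voucher, and in voucher.php's activation-post case; they should all take the bound form. Note also that `$username` is overwritten with the stripped value before it is passed on (to `Package::rechargeUser` in the second hunk), so a code containing any other character is silently looked up and recorded as a different string than the one the client sent — probably intended, but it deserves a comment such as `// voucher codes are restricted to [A-Za-z0-9-_.,]; strip anything else before the lookup and before the value is reused`. The enclosing try block begins before this hunk.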
@@ -101,7 +101,7 @@ switch ($do) {
 _alert(Lang::T('Internet Plan Expired'), 'danger', "login");
 }
 } else {
- $v = ORM::for_table('tbl_voucher')->where('code', $voucher)->find_one();
+ $v = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$voucher'")->find_one();
 if (!$v) {
 _alert(Lang::T('Voucher invalid'), 'danger', "login");
 }
@@ -156,9 +156,9 @@ switch ($do) {
 }
 }
 } else {
- $voucher = _post('voucher');
+ $voucher = Text::alphanumeric(_post('voucher'), "-_.,");
 $username = _post('username');
- $v1 = ORM::for_table('tbl_voucher')->where('code', $voucher)->find_one();
+ $v1 = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$voucher'")->find_one();
 if ($v1) {
 // voucher exists, check customer exists or not
 $user = ORM::for_table('tbl_customers')->where('username', $username)->find_one();
diff --git a/system/controllers/plan.php b/system/controllers/plan.php
index adffeba..d898d16 100644
--- a/system/controllers/plan.php
+++ b/system/controllers/plan.php
@@ -482,8 +482,8 @@ switch ($action) {
 }
 $time3months = strtotime('-3 months');
 $d = ORM::for_table('tbl_voucher')->where_equal('status', '1')
- ->where_raw("UNIX_TIMESTAMP(used_date) < $time3months")
- ->findMany();
+ ->where_raw("UNIX_TIMESTAMP(used_date) < $time3months")
+ ->findMany();
 if ($d) {
 $jml = 0;
 foreach ($d as $v) {
@@ -756,9 +756,9 @@ switch ($action) {
 if (!in_array($admin['user_type'], ['SuperAdmin', 'Admin', 'Agent', 'Sales'])) {
 _alert(Lang::T('You do not have permission to access this page'), 'danger', "dashboard");
 }
- $code = _post('code');
+ $code = Text::alphanumeric(_post('code'), "-_.,");
 $user = ORM::for_table('tbl_customers')->where('id', _post('id_customer'))->find_one();
- $v1 = ORM::for_table('tbl_voucher')->where('code', $code)->where('status', 0)->find_one();
+ $v1 = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '?'", [$code])->where('status', 0)->find_one();
 run_hook('refill_customer'); #HOOK
 if ($v1) {
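Review bot: The bound form on the `+ $v1 = ...` line of the plan.php @@ -756 hunk quotes the placeholder — in `"BINARY `code` = '?'"` the `'?'` is a string literal, not a parameter marker — so the query compares `code` against the literal text `?` and the value in `[$code]` has no placeholder to bind to; PDO will most likely reject the execute with a parameter-count error, and either way no voucher can be refilled through this path. Drop the quotes: `$v1 = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = ?", [$code])->where('status', 0)->find_one();`. That corrected form is also the one the other tbl_voucher lookups in this commit should use instead of interpolating the sanitised code into the SQL string. One caveat if deployments run MySQL 8.0.27 or later: the bare `BINARY` operator is deprecated there in favour of `CAST(code AS BINARY)`, so these comparisons may start emitting warnings on newer servers. The switch case continues past the end of the hunk.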
diff --git a/system/controllers/voucher.php b/system/controllers/voucher.php
index 5147ece..d4b1ddc 100644
--- a/system/controllers/voucher.php
+++ b/system/controllers/voucher.php
@@ -1,4 +1,5 @@ assign('_user', $user);
-require_once 'system/autoload/PEAR2/Autoload.php';
-
 switch ($action) {
 case 'activation':
 run_hook('view_activate_voucher'); #HOOK
- $ui->assign('code', alphanumeric(_get('code'),"-"));
+ $ui->assign('code', alphanumeric(_get('code'), "-_.,"));
 $ui->display('user-activation.tpl');
 break;
 case 'activation-post':
- $code = _post('code');
- $v1 = ORM::for_table('tbl_voucher')->where('code', $code)->where('status', 0)->find_one();
+ $code = alphanumeric(_post('code'), "-_.,");
+ $v1 = ORM::for_table('tbl_voucher')->whereRaw("BINARY `code` = '$code'")->where('status', 0)->find_one();
 run_hook('customer_activate_voucher'); #HOOK
 if ($v1) {
 if (Package::rechargeUser($user['id'], $v1['routers'], $v1['id_plan'], "Voucher", $code)) {
@@ -52,15 +51,15 @@ switch ($action) {
 break;
 case 'invoice':
 $id = $routes[2];
- if(empty($id)){
+ if (empty($id)) {
 $in = ORM::for_table('tbl_transactions')->where('username', $user['username'])->order_by_desc('id')->find_one();
- }else{
+ } else {
 $in = ORM::for_table('tbl_transactions')->where('username', $user['username'])->where('id', $id)->find_one();
 }
- if($in){
+ if ($in) {
 Package::createInvoice($in);
 $ui->display('invoice-customer.tpl');
- }else{
+ } else {
 r2(U . 'voucher/list-activated', 'e', Lang::T('Not Found'));
 }
 break;