shell bypass 403
UnknownSec Shell
:
/
home
/
innovagencyco
/
www
/
statxpress
/
wp-content
/
plugins
/
wpforms-lite
/
src
/
Db
/
Payments
/ [
drwxr-xr-x
]
upload
mass deface
mass delete
console
info server
name :
Payment.php
<?php namespace WPForms\Db\Payments; use WPForms_DB; /** * Class for the Payments database table. * * @since 1.8.2 */ class Payment extends WPForms_DB { /** * Primary class constructor. * * @since 1.8.2 */ public function __construct() { parent::__construct(); $this->table_name = self::get_table_name(); $this->primary_key = 'id'; $this->type = 'payment'; } /** * Get the table name. * * @since 1.8.2 * * @return string */ public static function get_table_name() { global $wpdb; return $wpdb->prefix . 'wpforms_payments'; } /** * Get table columns. * * @since 1.8.2 * * @return array */ public function get_columns() { return [ 'id' => '%d', 'form_id' => '%d', 'status' => '%s', 'subtotal_amount' => '%f', 'discount_amount' => '%f', 'total_amount' => '%f', 'currency' => '%s', 'entry_id' => '%d', 'gateway' => '%s', 'type' => '%s', 'mode' => '%s', 'transaction_id' => '%s', 'customer_id' => '%s', 'subscription_id' => '%s', 'subscription_status' => '%s', 'title' => '%s', 'date_created_gmt' => '%s', 'date_updated_gmt' => '%s', 'is_published' => '%d', ]; } /** * Default column values. * * @since 1.8.2 * * @return array */ public function get_column_defaults() { $date = gmdate( 'Y-m-d H:i:s' ); return [ 'form_id' => 0, 'status' => '', 'subtotal_amount' => 0, 'discount_amount' => 0, 'total_amount' => 0, 'currency' => '', 'entry_id' => 0, 'gateway' => '', 'type' => '', 'mode' => '', 'transaction_id' => '', 'customer_id' => '', 'subscription_id' => '', 'subscription_status' => '', 'title' => '', 'date_created_gmt' => $date, 'date_updated_gmt' => $date, 'is_published' => 1, ]; } /** * Insert a new payment into the database. * * @since 1.8.2 * * @param array $data Column data. * @param string $type Optional. Data type context. * * @return int ID for the newly inserted payment. Zero otherwise. */ public function add( $data, $type = '' ) { // Return early if the status is not allowed. // TODO: consider validating other properties as well or get rid of it. if ( isset( $data['status'] ) && ! ValueValidator::is_valid( $data['status'], 'status' ) ) { return 0; } // Use database type identifier if a context is empty. $type = empty( $type ) ? $this->type : $type; return parent::add( $data, $type ); } /** * Retrieve a payment from the database based on a given payment ID. * * @since 1.8.2 * * @param int $payment_id Payment ID. * @param array $args Additional arguments. * * @return object|null */ public function get( $payment_id, $args = [] ) { if ( ! $this->current_user_can( $payment_id, $args ) && wpforms()->obj( 'access' )->init_allowed() ) { return null; } $payment = parent::get( $payment_id ); return $payment ? $this->cast_amounts_to_float( $payment ) : null; } /** * Retrieve a row based on column value. * * @since 1.8.7 * * @param string $column Column name. * @param int|string $value Column value. * * @return object|null Database query result, object or null on failure. */ public function get_by( $column, $value ) { $payment = parent::get_by( $column, $value ); return $payment ? $this->cast_amounts_to_float( $payment ) : null; } /** * Cast amounts to float in the given payment data object. * * @since 1.8.7 * * @param object $payment Payment ID. * * @return object */ private function cast_amounts_to_float( $payment ) { if ( empty( $payment ) || ! is_object( $payment ) ) { return $payment; } // Amounts is stored in DB as decimal(26,8), but appear here as strings. // Therefore, they should be cast to float to avoid further multi-time currency conversion. $payment->subtotal_amount = $payment->subtotal_amount ? (float) $payment->subtotal_amount : 0; $payment->discount_amount = $payment->discount_amount ? (float) $payment->discount_amount : 0; $payment->total_amount = $payment->total_amount ? (float) $payment->total_amount : 0; return $payment; } /** * Update an existing payment in the database. * * @since 1.8.2 * * @param string $payment_id Payment ID. * @param array $data Array of columns and associated data to update. * @param string $where Column to match against in the WHERE clause. If empty, $primary_key will be used. * @param string $type Data type context. * @param array $args Additional arguments. * * @return bool */ public function update( $payment_id, $data = [], $where = '', $type = '', $args = [] ) { if ( ! $this->current_user_can( $payment_id, $args ) ) { return false; } // TODO: consider validating other properties as well or get rid of it. if ( isset( $data['status'] ) && ! ValueValidator::is_valid( $data['status'], 'status' ) ) { return false; } // Use database type identifier if a context is empty. $type = empty( $type ) ? $this->type : $type; return parent::update( $payment_id, $data, $where, $type ); } /** * Delete a payment from the database, also removes payment meta. * * @since 1.8.2 * * @param int $payment_id Payment ID. * @param array $args Additional arguments. * * @return bool False if the payment and meta could not be deleted, true otherwise. */ public function delete( $payment_id = 0, $args = [] ): bool { if ( ! $this->current_user_can( $payment_id, $args ) ) { return false; } $is_payment_deleted = parent::delete( $payment_id ); $is_meta_deleted = wpforms()->obj( 'payment_meta' )->delete_by( 'payment_id', $payment_id ); return $is_payment_deleted && $is_meta_deleted; } /** * Retrieve a list of payments. * * @since 1.8.2 * * @param array $args Arguments. * * @return array */ public function get_payments( $args = [] ) { global $wpdb; $args = $this->sanitize_get_payments_args( $args ); if ( ! $this->current_user_can( 0, $args ) ) { return []; } // Prepare query. $query[] = "SELECT p.* FROM {$this->table_name} as p"; /** * Filter the query for get_payments method before the WHERE clause. * * @since 1.8.2 * * @param string $where Before the WHERE clause in DB query. * @param array $args Query arguments. * * @return string */ $query[] = apply_filters( 'wpforms_db_payments_payment_get_payments_query_before_where', '', $args ); $query[] = 'WHERE 1=1'; $query[] = $this->add_columns_where_conditions( $args ); $query[] = $this->add_secondary_where_conditions( $args ); /** * Extend the query for the get_payments method after the WHERE clause. * * This hook provides the flexibility to modify the SQL query by appending custom conditions * right after the WHERE clause. * * @since 1.8.4 * * @param string $where After the WHERE clause in the database query. * @param array $args Query arguments. * * @return string */ $query[] = apply_filters( 'wpforms_db_payments_payment_get_payments_query_after_where', '', $args ); // Order. $query[] = sprintf( 'ORDER BY %s', sanitize_sql_orderby( "{$args['orderby']} {$args['order']}" ) ); // Limit. $query[] = $wpdb->prepare( 'LIMIT %d, %d', $args['offset'], $args['number'] ); // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared $result = $wpdb->get_results( implode( ' ', $query ), ARRAY_A ); // Get results. return ! $result ? [] : $result; } /** * Create the table. * * @since 1.8.2 */ public function create_table() { global $wpdb; $charset_collate = $wpdb->get_charset_collate(); /** * To avoid any possible issues during migration from entries to payments' table, * all data types are preserved. * * Note: there must be two spaces between the words PRIMARY KEY and the definition of primary key. * * @link https://codex.wordpress.org/Creating_Tables_with_Plugins#Creating_or_Updating_the_Table */ $query = "CREATE TABLE $this->table_name ( id bigint(20) NOT NULL AUTO_INCREMENT, form_id bigint(20) NOT NULL, status varchar(10) NOT NULL DEFAULT '', subtotal_amount decimal(26,8) NOT NULL DEFAULT 0, discount_amount decimal(26,8) NOT NULL DEFAULT 0, total_amount decimal(26,8) NOT NULL DEFAULT 0, currency varchar(3) NOT NULL DEFAULT '', entry_id bigint(20) NOT NULL DEFAULT 0, gateway varchar(20) NOT NULL DEFAULT '', type varchar(12) NOT NULL DEFAULT '', mode varchar(4) NOT NULL DEFAULT '', transaction_id varchar(40) NOT NULL DEFAULT '', customer_id varchar(40) NOT NULL DEFAULT '', subscription_id varchar(40) NOT NULL DEFAULT '', subscription_status varchar(10) NOT NULL DEFAULT '', title varchar(255) NOT NULL DEFAULT '', date_created_gmt datetime NOT NULL, date_updated_gmt datetime NOT NULL, is_published tinyint(1) NOT NULL DEFAULT 1, PRIMARY KEY (id), KEY form_id (form_id), KEY status (status(8)), KEY total_amount (total_amount), KEY type (type(8)), KEY transaction_id (transaction_id(32)), KEY customer_id (customer_id(32)), KEY subscription_id (subscription_id(32)), KEY subscription_status (subscription_status(8)), KEY title (title(64)) ) $charset_collate;"; require_once ABSPATH . 'wp-admin/includes/upgrade.php'; dbDelta( $query ); } /** * Check if the current user has capabilities to manage payments. * * @since 1.8.2 * * @param int $payment_id Payment ID. * @param array $args Additional arguments. * * @return bool * @noinspection IfReturnReturnSimplificationInspection */ private function current_user_can( $payment_id, $args = [] ) { $manage_cap = wpforms_get_capability_manage_options(); if ( ! isset( $args['cap'] ) ) { $args['cap'] = $manage_cap; } if ( ! empty( $args['cap'] ) && ! wpforms_current_user_can( $args['cap'], $payment_id ) ) { return false; } return true; } /** * Construct where clauses for selected columns. * * @since 1.8.4 * * @param array $args Query arguments. * * @return string */ public function add_columns_where_conditions( $args = [] ) { // Allowed columns for filtering. $allowed_cols = [ 'form_id', 'entry_id', 'status', 'subscription_status', 'type', 'gateway', ]; $where = ''; // Determine if this is a table query. $is_table_query = ! empty( $args['table_query'] ); $keys_to_validate = [ 'status', 'subscription_status', 'type', 'gateway' ]; foreach ( $args as $key => $value ) { if ( empty( $value ) || ! in_array( $key, $allowed_cols, true ) ) { continue; } // Explode values if needed. $values = explode( '|', $value ); // Run some keys through the "ValueValidator" class to make sure they are valid. if ( in_array( $key, $keys_to_validate, true ) ) { $values = array_filter( $values, static function ( $v ) use ( $key ) { return ValueValidator::is_valid( $v, $key ); } ); } // Skip if no valid values found. if ( empty( $values ) ) { continue; } // Merge "Partially Refunded" status with "Refunded" status. if ( $is_table_query && $key === 'status' && in_array( 'refunded', $values, true ) ) { $values[] = 'partrefund'; } $placeholders = wpforms_wpdb_prepare_in( $values ); // Prepare and add to WHERE clause. $where .= " AND {$key} IN ({$placeholders})"; } return $where; } /** * Construct secondary where clauses. * * @since 1.8.2 * * @param array $args Query arguments. * * @return string */ public function add_secondary_where_conditions( $args = [] ) { global $wpdb; /** * Filter arguments needed for all query. * * @since 1.8.2 * * @param array $args Query arguments. */ $args = (array) apply_filters( 'wpforms_db_payments_payment_add_secondary_where_conditions_args', $args ); $args = wp_parse_args( (array) $args, [ 'currency' => wpforms_get_currency(), 'mode' => 'live', 'is_published' => 1, ] ); $where = ''; // If it's a valid mode, add it to a WHERE clause. if ( ValueValidator::is_valid( $args['mode'], 'mode' ) ) { $where .= $wpdb->prepare( ' AND mode = %s', $args['mode'] ); } $where .= $wpdb->prepare( ' AND currency = %s', $args['currency'] ); $where .= $wpdb->prepare( ' AND is_published = %d', $args['is_published'] ); return $where; } /** * Sanitize query arguments for get_payments() method. * * @since 1.8.2 * * @param array $args Query arguments. * * @return array */ private function sanitize_get_payments_args( $args ) { $defaults = [ 'number' => 20, 'offset' => 0, 'orderby' => 'id', 'order' => 'DESC', ]; $args = wp_parse_args( (array) $args, $defaults ); // Sanitize. $args['number'] = absint( $args['number'] ); $args['offset'] = absint( $args['offset'] ); if ( $args['number'] === 0 ) { $args['number'] = $defaults['number']; } return $args; } }
© 2024 UnknownSec