Guest madmanbean Posted June 19, 2009 Share Posted June 19, 2009 Have a site using the otherwise excellent MCC Switch module but seem to have no verification of card numbers in as much that one can bypass entereing a number completly although the cvv number and issue date works! Below is the code for form.inc.php Not being an expert I cannot see where the problem is! Rather hoping someone far cleverer than me may see where the problem is Thanks Terry <?php require_once 'includes'.CC_DS.'enc.inc.php'; require_once 'includes'.CC_DS.'mcc_funcs.inc.php'; require_once 'protected'.CC_DS.'key.inc.php'; if($_GET['process']==1){ $firstName = $_POST["firstName"]; $lastName = $_POST["lastName"]; $amount = $_POST["amount"]; $cardType = $_POST["credit_type"]; $cardNumber = $_POST["cardNumber"]; $expM = $_POST["expirationMonth"]; $expY = $_POST["expirationYear"]; $cvv = $_POST["cvc2"]; $swM = $_POST["swM"]; $swY = $_POST["swY"]; $issue = $_POST["issue_no"]; $emailAddress = $_POST["emailAddress"]; $addr1 = $_POST["addr1"]; $addr2 = $_POST["addr2"]; $city = $_POST["city"]; $st = $_POST["state"]; $country = $_POST["country"]; $postalCode = $_POST["postalCode"]; If ($cardType == "Visa") { if (isVisa($cardNumber) != TRUE) { $error_credit = TRUE; } } If ($cardType == "Discover") { if (isDiscover($cardNumber) != TRUE) { $error_credit = TRUE; } } If ($cardType == "American Express") { if (isAmex($cardNumber) != TRUE) { $error_credit = TRUE; } } If ($cardType == "Isracard") { if (isIsracard($cardNumber) != TRUE) { $error_credit = TRUE; } } If ($cardType == "Mastercard") { if (isMC($cardNumber) == TRUE) { // Special handling for Australia Master Card if(!ereg("^5[1-5][0-9]{14}$", $cardNumber)) { $error_credit = TRUE; } } } If ($cardType == "Switch/Solo/Maestro") { If (($swM != "") || ($swY != "")) { If ((ereg("([0-9]{2})", $swM)) || (ereg("([0-9]{2})", $swY))) { If (($swM > 12) || ($swY > 12) || ($swM < 1) || ($swY < 1)) { $error_sw = TRUE; } } else { $error_sw = TRUE; } } If ($issue != "") { If (ereg("([0-9]{1,2})", $issue)) { If (($issue < 1) || ($issue > 12)) { $error_issue = TRUE; } } else { $error_issue = TRUE; } } } If (($expM == "") || ($expY == "")) { $error_exp = TRUE; } else { If ((!ereg("([0-9]{2})", $expY)) || (!ereg("([0-9]{2})", $expM)) || ($expM > 12) || ($expM < 1) || ($expY < date("y")) || ($expY > date("y")+4)) { $error_exp = TRUE; } } If ($cvv == "") { $error_cvv = TRUE; } else { If (!ereg("([0-9]{3,4})", $cvv)) { $error_cvv = TRUE; } } // Main Processing occurs here. If (($error_credit != TRUE) && ($error_tz != TRUE) && ($error_exp != TRUE) && ($error_cvv != TRUE) && ($error_sw != TRUE) && ($error_issue != TRUE)) { $crypt = new Encryption; $encrypted = $crypt->encrypt($kluch, $cardNumber, 23); if ($cardType == "Switch/Solo/Maestro") { $result=$db->misc("UPDATE ".$glob['dbprefix']."CubeCart_order_sum SET cardNumber='".$encrypted."',cardType='".$cardType."',cardExp='".$expM.$expY."',sw_start='".$swM.$swY."',issue_no='".$issue."',cvv='".$cvv."' WHERE cart_order_id='".$orderSum['cart_order_id']."'"); } else { $result=$db->misc("UPDATE ".$glob['dbprefix']."CubeCart_order_sum SET cardNumber='".$encrypted."',cardType='".$cardType."',cardExp='".$expM.$expY."',cvv='".$cvv."' WHERE cart_order_id='".$orderSum['cart_order_id']."'"); } If ($result == TRUE) { httpredir("index.php?_g=co&_a=confirmed&s=3"); } else { httpredir("index.php?_g=co&_a=confirmed&s=3&f=1"); } } } // Start the template here. $formTemplate = new XTemplate("modules".CC_DS."gateway".CC_DS.$_POST['gateway'].CC_DS."form.tpl", '', null, 'main', true, $skipPath = TRUE); $formTemplate->assign("CC_TITLE", $lang['gateway']['cc_info_title']); $formTemplate->assign("FIRST_NAME", $lang['gateway']['first_name']); $formTemplate->assign("LAST_NAME", $lang['gateway']['last_name']); $formTemplate->assign("CC_TYPE", $lang['gateway']['card_type']); $formTemplate->assign("CARD_NUMBER", $lang['gateway']['card_number']); $formTemplate->assign("EXPIRES", $lang['gateway']['expires']); $formTemplate->assign("SECURITY_CODE", $lang['gateway']['security_code']); $formTemplate->assign("SW_START", $lang['gateway']['issue_date']); $formTemplate->assign("ISSUE_NO", $lang['gateway']['issue_number']); $formTemplate->assign("MMYYYY", $lang['gateway']['mmyy']); $formTemplate->assign("CUSTOMER_INFO", $lang['gateway']['customer_info']); $formTemplate->assign("EMAIL", $lang['gateway']['email']); $formTemplate->assign("ADDRESS", $lang['gateway']['address']); $formTemplate->assign("CITY", $lang['gateway']['city']); $formTemplate->assign("STATE", $lang['gateway']['state']); $formTemplate->assign("ZIPCODE", $lang['gateway']['zipcode']); $formTemplate->assign("COUNTRY", $lang['gateway']['country']); $formTemplate->assign("OPTIONAL", $lang['gateway']['optional']); $formTemplate->assign("EXP_HELP", $lang['gateway']['exp_help']); $formTemplate->assign("CVV_HELP", $lang['gateway']['cvv_help']); $formTemplate->assign("SW_HELP", $lang['gateway']['sw_help']); $formTemplate->assign("ISSUE_HELP", $lang['gateway']['issue_help']); If ($error_credit == TRUE) { $formTemplate->assign("ERROR_CREDIT", "Credit number empty or incorrect."); //$lang['gateway']['error_credit']); } else { $formTemplate->assign("ERROR_CREDIT",""); } If ($error_exp == TRUE) { $formTemplate->assign("ERROR_EXP", "Please enter valid expiration date."); //$lang['gateway']['error_exp']); } else { $formTemplate->assign("ERROR_EXP", ""); } If ($error_cvv == TRUE) { $formTemplate->assign("ERROR_CVV", "Please enter CVV. If your card doesn't posess one, please enter 111"); //$lang['gateway']['error_cvv']); } else { $formTemplate->assign("ERROR_CVV", ""); } If ($error_sw == TRUE) { $formTemplate->assign("ERROR_SW", "Please enter valid start date."); //$lang['gateway']['error_sw']); } else { $formTemplate->assign("ERROR_SW", ""); } If ($error_issue == TRUE) { $formTemplate->assign("ERROR_ISSUE", "Please enter valid issue number."); //$lang['gateway']['error_issue']); } else { $formTemplate->assign("ERROR_ISSUE", ""); } $switchon = FALSE; $credit_type = $db->select("SELECT type FROM ".$glob['dbprefix']."CubeCart_credit_type WHERE enabled=1 ORDER BY type ASC"); if ($credit_type == TRUE) { for ($i=0; $i<count($credit_type); $i++){ if ($cardType == $credit_type[$i]['type']) { $formTemplate->assign("VAL_SELECTED", "selected=\"selected\""); } else { $formTemplate->assign("VAL_SELECTED", ""); } if ($credit_type[$i]['type'] == "Switch/Solo/Maestro") { $switchon = TRUE; } $formTemplate->assign("VAL_CREDIT_TYPE", $credit_type[$i]['type']); $formTemplate->parse("form.credit_type"); } } if ($switchon == TRUE) { $formTemplate->parse("form.switch"); } $formTemplate->assign("VAL_CREDIT_NUMBER", $cardNumber); $formTemplate->assign("VAL_EXP_M", $expM); $formTemplate->assign("VAL_EXP_Y", $expY); $formTemplate->assign("VAL_CVV", $cvv); $formTemplate->assign("VAL_SWM", $swM); $formTemplate->assign("VAL_SWY", $swY); $formTemplate->assign("VAL_ISSUE", $issue); $billingName = makeName($orderSum['name']); $formTemplate->assign("VAL_FIRST_NAME", $billingName[2]); $formTemplate->assign("VAL_LAST_NAME", $billingName[3]); $formTemplate->assign("VAL_EMAIL_ADDRESS", $orderSum['email']); $formTemplate->assign("VAL_ADD_1", $orderSum['add_1']); $formTemplate->assign("VAL_ADD_2", $orderSum['add_2']); $formTemplate->assign("VAL_CITY", $orderSum['town']); $formTemplate->assign("VAL_COUNTY", $orderSum['county']); $formTemplate->assign("VAL_POST_CODE", $orderSum['postcode']); $formTemplate->assign("VAL_CART_ORDER_ID", $orderSum['cart_order_id']); $formTemplate->assign("VAL_GRAND_TOTAL", $orderSum['prod_total']); $formTemplate->assign("VAL_COMMENTS", $_POST['customer_comments']); $formTemplate->parse("form"); $formTemplate = $formTemplate->text("form"); ?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.