Switch verification

[Guest madmanbean]

Have a site using the otherwise excellent MCC Switch module but seem to have no verification of card numbers in as much that one can bypass entereing a number completly although the cvv number and issue date works!

Below is the code for form.inc.php

Not being an expert I cannot see where the problem is!

Rather hoping someone far cleverer than me may see where the problem is

Thanks Terry

<?php

require_once 'includes'.CC_DS.'enc.inc.php';

require_once 'includes'.CC_DS.'mcc_funcs.inc.php';

require_once 'protected'.CC_DS.'key.inc.php';

if($_GET['process']==1){

$firstName = $_POST["firstName"];

$lastName = $_POST["lastName"];

$amount = $_POST["amount"];

$cardType = $_POST["credit_type"];

$cardNumber = $_POST["cardNumber"];

$expM = $_POST["expirationMonth"];

$expY = $_POST["expirationYear"];

$cvv = $_POST["cvc2"];

$swM = $_POST["swM"];

$swY = $_POST["swY"];

$issue = $_POST["issue_no"];

$emailAddress = $_POST["emailAddress"];

$addr1 = $_POST["addr1"];

$addr2 = $_POST["addr2"];

$city = $_POST["city"];

$st = $_POST["state"];

$country = $_POST["country"];

$postalCode = $_POST["postalCode"];

If ($cardType == "Visa") {

if (isVisa($cardNumber) != TRUE) {

$error_credit = TRUE;

}

}

If ($cardType == "Discover") {

if (isDiscover($cardNumber) != TRUE) {

$error_credit = TRUE;

}

}

If ($cardType == "American Express") {

if (isAmex($cardNumber) != TRUE) {

$error_credit = TRUE;

}

}

If ($cardType == "Isracard") {

if (isIsracard($cardNumber) != TRUE) {

$error_credit = TRUE;

}

}

If ($cardType == "Mastercard") {

if (isMC($cardNumber) == TRUE) {

// Special handling for Australia Master Card

if(!ereg("^5[1-5][0-9]{14}$", $cardNumber)) {

$error_credit = TRUE;

}

}

}

If ($cardType == "Switch/Solo/Maestro") {

If (($swM != "") || ($swY != "")) {

If ((ereg("([0-9]{2})", $swM)) || (ereg("([0-9]{2})", $swY))) {

If (($swM > 12) || ($swY > 12) || ($swM < 1) || ($swY < 1)) {

$error_sw = TRUE;

}

} else {

$error_sw = TRUE;

}

}

If ($issue != "") {

If (ereg("([0-9]{1,2})", $issue)) {

If (($issue < 1) || ($issue > 12)) {

$error_issue = TRUE;

}

} else {

$error_issue = TRUE;

}

}

}

If (($expM == "") || ($expY == ""))

{

$error_exp = TRUE;

} else {

If ((!ereg("([0-9]{2})", $expY)) || (!ereg("([0-9]{2})", $expM)) || ($expM > 12) || ($expM < 1) || ($expY < date("y")) || ($expY > date("y")+4)) {

$error_exp = TRUE;

}

}

If ($cvv == "")

{

$error_cvv = TRUE;

} else {

If (!ereg("([0-9]{3,4})", $cvv)) {

$error_cvv = TRUE;

}

}

// Main Processing occurs here.

If (($error_credit != TRUE) && ($error_tz != TRUE) && ($error_exp != TRUE) && ($error_cvv != TRUE) && ($error_sw != TRUE) && ($error_issue != TRUE))

{

$crypt = new Encryption;

$encrypted = $crypt->encrypt($kluch, $cardNumber, 23);

if ($cardType == "Switch/Solo/Maestro") {

$result=$db->misc("UPDATE ".$glob['dbprefix']."CubeCart_order_sum SET cardNumber='".$encrypted."',cardType='".$cardType."',cardExp='".$expM.$expY."',sw_start='".$swM.$swY."',issue_no='".$issue."',cvv='".$cvv."' WHERE cart_order_id='".$orderSum['cart_order_id']."'");

} else {

$result=$db->misc("UPDATE ".$glob['dbprefix']."CubeCart_order_sum SET cardNumber='".$encrypted."',cardType='".$cardType."',cardExp='".$expM.$expY."',cvv='".$cvv."' WHERE cart_order_id='".$orderSum['cart_order_id']."'");

}

If ($result == TRUE) {

httpredir("index.php?_g=co&_a=confirmed&s=3");

} else {

httpredir("index.php?_g=co&_a=confirmed&s=3&f=1");

}

}

}

// Start the template here.

$formTemplate = new XTemplate("modules".CC_DS."gateway".CC_DS.$_POST['gateway'].CC_DS."form.tpl", '', null, 'main', true, $skipPath = TRUE);

$formTemplate->assign("CC_TITLE", $lang['gateway']['cc_info_title']);

$formTemplate->assign("FIRST_NAME", $lang['gateway']['first_name']);

$formTemplate->assign("LAST_NAME", $lang['gateway']['last_name']);

$formTemplate->assign("CC_TYPE", $lang['gateway']['card_type']);

$formTemplate->assign("CARD_NUMBER", $lang['gateway']['card_number']);

$formTemplate->assign("EXPIRES", $lang['gateway']['expires']);

$formTemplate->assign("SECURITY_CODE", $lang['gateway']['security_code']);

$formTemplate->assign("SW_START", $lang['gateway']['issue_date']);

$formTemplate->assign("ISSUE_NO", $lang['gateway']['issue_number']);

$formTemplate->assign("MMYYYY", $lang['gateway']['mmyy']);

$formTemplate->assign("CUSTOMER_INFO", $lang['gateway']['customer_info']);

$formTemplate->assign("EMAIL", $lang['gateway']['email']);

$formTemplate->assign("ADDRESS", $lang['gateway']['address']);

$formTemplate->assign("CITY", $lang['gateway']['city']);

$formTemplate->assign("STATE", $lang['gateway']['state']);

$formTemplate->assign("ZIPCODE", $lang['gateway']['zipcode']);

$formTemplate->assign("COUNTRY", $lang['gateway']['country']);

$formTemplate->assign("OPTIONAL", $lang['gateway']['optional']);

$formTemplate->assign("EXP_HELP", $lang['gateway']['exp_help']);

$formTemplate->assign("CVV_HELP", $lang['gateway']['cvv_help']);

$formTemplate->assign("SW_HELP", $lang['gateway']['sw_help']);

$formTemplate->assign("ISSUE_HELP", $lang['gateway']['issue_help']);

If ($error_credit == TRUE) {

$formTemplate->assign("ERROR_CREDIT", "Credit number empty or incorrect."); //$lang['gateway']['error_credit']);

} else {

$formTemplate->assign("ERROR_CREDIT","");

}

If ($error_exp == TRUE) {

$formTemplate->assign("ERROR_EXP", "Please enter valid expiration date."); //$lang['gateway']['error_exp']);

} else {

$formTemplate->assign("ERROR_EXP", "");

}

If ($error_cvv == TRUE) {

$formTemplate->assign("ERROR_CVV", "Please enter CVV. If your card doesn't posess one, please enter 111"); //$lang['gateway']['error_cvv']);

} else {

$formTemplate->assign("ERROR_CVV", "");

}

If ($error_sw == TRUE) {

$formTemplate->assign("ERROR_SW", "Please enter valid start date."); //$lang['gateway']['error_sw']);

} else {

$formTemplate->assign("ERROR_SW", "");

}

If ($error_issue == TRUE) {

$formTemplate->assign("ERROR_ISSUE", "Please enter valid issue number."); //$lang['gateway']['error_issue']);

} else {

$formTemplate->assign("ERROR_ISSUE", "");

}

$switchon = FALSE;

$credit_type = $db->select("SELECT type FROM ".$glob['dbprefix']."CubeCart_credit_type WHERE enabled=1 ORDER BY type ASC");

if ($credit_type == TRUE) {

for ($i=0; $i<count($credit_type); $i++){

if ($cardType == $credit_type[$i]['type']) {

$formTemplate->assign("VAL_SELECTED", "selected=\"selected\"");

} else {

$formTemplate->assign("VAL_SELECTED", "");

}

if ($credit_type[$i]['type'] == "Switch/Solo/Maestro") {

$switchon = TRUE;

}

$formTemplate->assign("VAL_CREDIT_TYPE", $credit_type[$i]['type']);

$formTemplate->parse("form.credit_type");

}

}

if ($switchon == TRUE) {

$formTemplate->parse("form.switch");

}

$formTemplate->assign("VAL_CREDIT_NUMBER", $cardNumber);

$formTemplate->assign("VAL_EXP_M", $expM);

$formTemplate->assign("VAL_EXP_Y", $expY);

$formTemplate->assign("VAL_CVV", $cvv);

$formTemplate->assign("VAL_SWM", $swM);

$formTemplate->assign("VAL_SWY", $swY);

$formTemplate->assign("VAL_ISSUE", $issue);

$billingName = makeName($orderSum['name']);

$formTemplate->assign("VAL_FIRST_NAME", $billingName[2]);

$formTemplate->assign("VAL_LAST_NAME", $billingName[3]);

$formTemplate->assign("VAL_EMAIL_ADDRESS", $orderSum['email']);

$formTemplate->assign("VAL_ADD_1", $orderSum['add_1']);

$formTemplate->assign("VAL_ADD_2", $orderSum['add_2']);

$formTemplate->assign("VAL_CITY", $orderSum['town']);

$formTemplate->assign("VAL_COUNTY", $orderSum['county']);

$formTemplate->assign("VAL_POST_CODE", $orderSum['postcode']);

$formTemplate->assign("VAL_CART_ORDER_ID", $orderSum['cart_order_id']);

$formTemplate->assign("VAL_GRAND_TOTAL", $orderSum['prod_total']);

$formTemplate->assign("VAL_COMMENTS", $_POST['customer_comments']);

$formTemplate->parse("form");

$formTemplate = $formTemplate->text("form");

?>