<%@ Language=VBScript %>
<%
'*************************************************************************
' DO NOT MODIFY THIS SCRIPT IF YOU WANT UPDATES TO WORK!
' Function : Gateway between HTTP and HTTPS sessions.
'          : This script must always be run under an HTTP session. It
'          : will redirect to the target environment as required.
' Product  : CandyPress Store Frontend
' Version  : 6.2
' Modified : May 2007
' Copyright: Copyright (C) 2010 Cavallo Communications, LLC.
'            See "license.txt" for this product for details regarding
'            licensing, usage, disclaimers, distribution and general
'            copyright requirements. If you don't have a copy of this
'            file, you may request one at http://www.candypress.com
'*************************************************************************
' Date     Description
' 01/13/06 Add test for language code in random key
' 02/20/06 Add code so that 2.5 orders will get default currency / language
' 08/24/06 Fixed security issue.
' 05/22/09 Changed HTTPS 2 HTTP to include user role
'*************************************************************************
Option explicit
Response.Buffer = true
%>
<%
'Work: request/derived values used by the action handlers below
dim action, randomKey, deletedItems, currencyCode, languageCode, orderStatus, errMsg
'Database: SQL text, connection and the two recordsets the handlers reuse
dim mySQL, conntemp, rstemp, rstemp2
'Session: identity values handed across the HTTP/HTTPS boundary
dim idOrder, idCust, role

'*************************************************************************
'Open Database Connection
call openDb()

'Store Configuration: fall through to the standard DB error page when it
'cannot be loaded
if not loadConfig() then
    call errorDB(LangText("ErrConfig",""),"")
end if

'Check Action Indicator. The value comes from the query string, so it is
'HTML-sanitised and lower-cased, then checked against a fixed allow-list;
'any other value (including an empty one) is sent to the message page.
action = LCase(validHTML(Request.QueryString("action")))
select case action
    case "logon", "logonaff", "checkout", "save", "logoff", "setid", "retrieve", "list", "afflist"
        'accepted; handled by the dispatch block that follows
    case else
        errMsg = LangText("ErrAction","")
        call closeDB()
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
end select
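'*************************************************************************
' Dispatch on the already-validated "action" value:
'   logon/logonaff/checkout/save : HTTP  -> HTTPS hand-off to 10_Logon.asp
'   retrieve                     : HTTPS -> HTTP  hand-off back to cart.asp
'   logoff                       : clear the customer identity
'   list/afflist                 : HTTPS -> HTTP  hand-off to custlistorders.asp
' Every exit path closes the DB connection before redirecting. In Classic
' ASP Response.Redirect ends script execution, so nothing after it runs.
'*************************************************************************

'********************************
'* HTTP -> HTTPS (10_logon.asp) *
'********************************
if action = "logon" _
   or action = "logonaff" _
   or action = "checkout" _
   or action = "save" then
    'Get idOrder from Session (Null when there is no active cart)
    idOrder = sessionCart()

    'Build the random key: 3-char currency code + 2-char language code +
    'random digits. The retrieve branch below parses it by position
    '(chars 1-3, 4-5, 6-end), so the two prefixes must keep that width.
    currencyCode = Request.cookies("CurrencyCode")
    languageCode = Request.cookies("language")
    if IsNull(currencyCode) or len(currencyCode) = 0 or IsNumeric(currencyCode) then
        currencyCode = currencyDefault
    end if
    if IsNull(languageCode) or len(languageCode) = 0 or IsNumeric(languageCode) then
        languageCode = languageDefault
    end if
    randomKey = currencyCode & languageCode & rndKey(99999999)

    'If an active shopping cart exists, store the key on the order so the
    'retrieve step can require it (prevents swapping idOrder for another order)
    if not isNull(idOrder) then
        mySQL = "UPDATE " & tablePrefix & "cartHead " _
              & "SET randomKey = '" & validSQL(randomKey,"A") & "' " _
              & "WHERE idOrder = " & validSQL(idOrder,"I")
        set rsTemp = openRSexecute(mySQL)
        call closeRS(rsTemp)
    end if

    'Close DB Connection (exactly once; the previous version closed it twice)
    call closeDB()

    'Redirect to "10_Logon.asp". randomKey contains cookie-derived text, so it
    'is URL-encoded; idOrder is numeric or Null (Null concatenates as "").
    Response.Redirect urlSSL & "10_Logon.asp?action=" & action & "&idOrder=" & idOrder & "&randomKey=" & server.URLEncode(randomKey)

'****************************
'* HTTPS -> HTTP (cart.asp) *
'****************************
elseif action = "retrieve" then
    deletedItems = ""

    'Validate Order Number passed via QueryString
    idOrder = validHTML(Request.QueryString("idOrder"))
    if not isNumeric(idOrder) then
        errMsg = LangText("ErrInvOrder","")
        call closeDB()
        'errMsg was missing from the URLEncode call here (runtime error on this path)
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
    end if

    'Validate Random Key passed via QueryString. Only the numeric tail
    '(char 6 onwards) is checked here; the currency/language prefix is
    'untrusted text and is escaped with validSQL wherever it enters SQL.
    randomKey = validHTML(Request.QueryString("randomKey"))
    if not isNumeric(mid(randomKey,6)) then
        errMsg = LangText("ErrInvRandKey","")
        call closeDB()
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
    end if
    currencyCode = mid(randomKey,1,3)
    languageCode = mid(randomKey,4,2)

    'Validate Order/Random Key/Status combination on DB
    mySQL = "SELECT idOrder, randomKey, orderStatus " _
          & "FROM " & tablePrefix & "cartHead " _
          & "WHERE idOrder = " & validSQL(idOrder,"I") & " " _
          & "AND randomKey = '" & validSQL(randomKey,"A") & "' " _
          & "AND (orderStatus = '" & genStatUnfinal & "' OR orderStatus = '" & genStatSaved & "' OR orderStatus = '" & genStatPending & "') "
    set rsTemp = openRSexecute(mySQL)
    if rsTemp.eof then
        errMsg = LangText("ErrInvOrder","")
        call closeDB()
        'errMsg was missing from the URLEncode call here (runtime error on this path)
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
    end if
    call closeRS(rsTemp)

    'Set Session Value
    session(storeID & "idOrder") = idOrder

    'Restore the currency carried in the key, falling back to the store default
    'when it is not a known code. The cookie is written under the same name the
    'logon branch reads ("CurrencyCode") on both paths.
    mySQL = "SELECT Code " _
          & "FROM [" & tablePrefix & "currency] " _
          & "WHERE code = '" & validSQL(currencyCode,"A") & "';"
    set rsTemp2 = openRSexecute(mySQL)
    if Not rsTemp2.eof then
        Response.cookies("CurrencyCode") = currencyCode
        session("currencyCode") = currencyCode
    else
        Response.cookies("CurrencyCode") = currencyDefault
        session("currencyCode") = currencyDefault
    end if
    call closeRS(rsTemp2)

    'Restore the language carried in the key, same fallback rule
    mySQL = "SELECT idLang " _
          & "FROM " & tablePrefix & "languages_known " _
          & "WHERE idLang = '" & validSQL(languageCode,"A") & "';"
    set rsTemp2 = openRSexecute(mySQL)
    if Not rsTemp2.eof then
        Response.cookies("language") = languageCode
        session("language") = languageCode
    else
        Response.cookies("language") = languageDefault
        session("language") = languageDefault
    end if
    call closeRS(rsTemp2)

    'Check quantity against available stock if stock level checking
    'is enabled. Rows whose quantity exceeds stock are zeroed and listed
    'in deletedItems for cart.asp to report.
    if pHideAddStockLevel <> -1 then
        dim stockLevel
        mySQL = "SELECT idproduct,description,sku,quantity " _
              & "FROM " & tablePrefix & "cartRows " _
              & "WHERE idOrder = " & validSQL(idOrder,"I") & " "
        set rsTemp2 = openRSexecute(mySQL)
        do while not rsTemp2.eof
            mySQL = "SELECT stock " _
                  & "FROM " & tablePrefix & "products " _
                  & "WHERE idProduct = " & validSQL(rsTemp2("idProduct"),"I") & "; "
            set rsTemp = openRSexecute(mySQL)
            if rsTemp.eof then
                'product row no longer exists: treat as unavailable instead of
                'raising on rsTemp("stock")
                stockLevel = 0
            else
                stockLevel = rsTemp("stock")
            end if
            'Always release the stock recordset; previously it was only closed
            'on the over-quantity branch and leaked on every other iteration
            call closeRS(rsTemp)
            if rsTemp2("quantity") > stockLevel then
                deletedItems = deletedItems & rsTemp2("description") & " (" & rsTemp2("sku") & ") " _
                             & LangText("ErrOutStock","Prior quantity exceeded available stock - quantity reduce to zero.") _
                             & vbCrLf   'NOTE(review): the entry separator literal was lost in extraction; restore the original
                mySQL = "UPDATE " & tablePrefix & "cartrows " _
                      & "SET quantity = 0 " _
                      & "WHERE idOrder = " & validSQL(idOrder,"I") & " " _
                      & "AND idProduct = " & validSQL(rsTemp2("idProduct"),"I") & ";"
                set rsTemp = openRSexecute(mySQL)
                call closeRS(rsTemp)
            end if
            rsTemp2.movenext
        loop
        'the cartRows recordset was never closed in the previous version
        call closeRS(rsTemp2)
    end if

    'Close DB Connection
    call closeDB()

    'Redirect to "cart.asp"
    Response.Redirect urlNonSSL & "cart.asp?action=retrieve&deletedItems=" & server.URLEncode(deletedItems)

'**************************
'* Log off                *
'**************************
elseif action = "logoff" then
    'Clear the customer identity in both cookie and session, then show the
    'logoff message (note: sysMsg.asp takes "msg" here, not "errMsg")
    Response.cookies(storeID & "idCust") = ""
    session(storeID & "idCust") = null
    errMsg = LangText("GenLogoffMsg","")
    call closeDB()
    Response.Redirect "sysMsg.asp?msg=" & server.URLEncode(errMsg)

'**************************************
'* HTTPS -> HTTP (custlistorders.asp) *
'**************************************
elseif action = "list" or action = "afflist" then
    'The "key" parameter is an encrypted, hex-encoded token; after decryption
    'the customer id is the part after the first "-". It must be numeric.
    idCust = Request.QueryString("key")
    idCust = trim(EnDeCrypt(Hex2Ascii(idCust),rc4Key))
    idCust = mid(idCust,Instr(idCust,"-")+1)
    if not isNumeric(idCust) then
        errMsg = LangText("ErrInvCust","Invalid input")
        call closeDB()
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
    end if

    'The customer must exist; its role is taken from the DB, never from the request
    mySQL = "SELECT role FROM " & tablePrefix & "customer WHERE idCust = " & validSQL(idCust,"I")
    set rsTemp = openRSexecute(mySQL)
    if rsTemp.eof then
        errMsg = LangText("ErrInvCust","Invalid input")
        call closeDB()
        Response.redirect "sysMsg.asp?errMsg=" & server.URLEncode(errMsg)
    end if
    role = rsTemp("role")
    call closeRS(rsTemp)

    'Set Session Value
    session(storeID & "userroles") = role
    session(storeID & "idCust") = idCust

    'Go to customer order list (the connection was previously left open here)
    call closeDB()
    Response.redirect "custlistorders.asp"

else
    'Only "setid" reaches this point: it is on the accepted-action list but has
    'no handler. Release the connection so this path does not leak it.
    call closeDB()
end if
%>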