OX6-188: Refactor txstatus endpoints (status, base and forward)

application/controllers/admin/fcpayone_log.php

@@ -82,12 +82,20 @@ public function render()
     public function getStatus($oOrder) 
     {
         if(!$this->_aStatus) {
-            $oDb = $this->_oFcpoHelper->fcpoGetDb();
-            $aRows = $oDb->getAll("SELECT oxid FROM fcpotransactionstatus WHERE fcpo_txid = '{$oOrder->oxorder__fcpotxid->value}' ORDER BY oxid ASC");
+            $oDb = $this->_oFcpoHelper->fcpoGetPdoDb();
+            $sQuery = "
+                SELECT oxid
+                FROM fcpotransactionstatus
+                WHERE fcpo_txid = :sTxid
+                ORDER BY oxid ASC";
+            $aRows = $oDb->fetchAllAssociative($sQuery, [
+                'sTxid' => $oOrder->oxorder__fcpotxid->value
+            ]);
+
             $aStatus = array();
             foreach ($aRows as $aRow) {
                 $oTransactionStatus = oxNew('fcpotransactionstatus');
-                $oTransactionStatus->load($aRow[0]);
+                $oTransactionStatus->load($aRow['oxid']);
                 $aStatus[] = $oTransactionStatus;
             }
             $this->_aStatus = $aStatus;

application/models/fcpotransactionstatus.php

@@ -215,7 +215,7 @@ public function fcpoGetForwardRedirects()
                 sfq.FCRESPONSEINFO
             FROM fcpostatusforwardqueue sfq
             LEFT JOIN fcpostatusforwarding sf ON (sfq.FCSTATUSFORWARDID = sf.OXID)
-            WHERE sfq.FCSTATUSMESSAGEID='{$sStatusmessageId}'  
+            WHERE sfq.FCSTATUSMESSAGEID= " . $this->_oFcpoDb->quote($sStatusmessageId) . "
         ";
 
         $aRows = $this->_oFcpoDb->GetAll($sQuery);
@@ -283,7 +283,7 @@ protected function _fcpoGetMapAction($sTxAction, $aMatchMap, $sDefault)
      */
     protected function _fcpoGetOrderByTxid($sTxid) 
     {
-        $sOxid = $this->_oFcpoDb->GetOne("SELECT oxid FROM oxorder WHERE fcpotxid = '{$sTxid}'");
+        $sOxid = $this->_oFcpoDb->GetOne("SELECT oxid FROM oxorder WHERE fcpotxid = " . $this->_oFcpoDb->quote($sTxid));
         $oOrder = $this->_oFcpoHelper->getFactoryObject('oxorder');
         $oOrder->load($sOxid);
 

extend/application/models/fcPayOneOrder.php

@@ -34,7 +34,7 @@ class fcPayOneOrder extends fcPayOneOrder_parent
     /**
      * Helper object for dealing with different shop versions
      *
-     * @var object
+     * @var fcpohelper
      */
     protected $_oFcpoHelper = null;
 
@@ -930,8 +930,12 @@ public function fcpoGetShadowBasket($blByOrderId=false) {
 
         $sSerializedShadowBasket = $oDb->GetOne($sQuery);
 
-        if ($sSerializedShadowBasket) {
-            $oShadowBasket = unserialize(base64_decode($sSerializedShadowBasket));
+        if (!empty($sSerializedShadowBasket)) {
+            try {
+                $oShadowBasket = unserialize(base64_decode($sSerializedShadowBasket), ['allowed_classes' => true]);
+            } catch (Exception $oEx) {
+                $oShadowBasket = false;
+            }
         }
 
         return $oShadowBasket;
@@ -976,8 +980,20 @@ protected function _fcpoFinishOrder($blRecalculatingOrder, $oUser, $oBasket, $oU
     protected function _fcpoSaveAfterRedirect($blSaveAfterRedirect)
     {
         if ($blSaveAfterRedirect === true && !empty($this->oxorder__fcpotxid->value)) {
-            $sQuery = "UPDATE fcpotransactionstatus SET fcpo_ordernr = '{$this->oxorder__oxordernr->value}' WHERE fcpo_txid = '".$this->oxorder__fcpotxid->value."'";
-            $this->_oFcpoDb->Execute($sQuery);
+
+            $oDb = $this->_oFcpoHelper->fcpoGetDb();
+            $sQuery = "
+                UPDATE
+                    fcpotransactionstatus
+                SET
+                    fcpo_ordernr = :iOrderNr
+                WHERE
+                    fcpo_txid = :sTxid
+            ";
+            $oDb->execute($sQuery, [
+                'iOrderNr' => $this->oxorder__oxordernr->value,
+                'sTxid' => $this->oxorder__fcpotxid->value
+            ]);
         }
     }
 
@@ -1070,7 +1086,11 @@ protected function _fcpoSaveOrderValues($sTxid, $iOrderNotChecked)
         if ($sWorkorderId) {
             $this->oxorder__fcpoworkorderid = new oxField($sWorkorderId, oxField::T_RAW);
         }
-        $this->_oFcpoDb->Execute("UPDATE fcporefnr SET fcpo_txid = '" . $sTxid . "' WHERE fcpo_refnr = '" . $this->_oFcpoHelper->fcpoGetRequestParameter('refnr') . "'");
+        $this->_oFcpoDb->Execute("
+            UPDATE fcporefnr
+            SET fcpo_txid = " . $this->_oFcpoDb->quote($sTxid) . "
+            WHERE fcpo_refnr = " . $this->_oFcpoDb->quote($this->_oFcpoHelper->fcpoGetRequestParameter('refnr')) . "
+        ");
         $this->_oFcpoHelper->fcpoDeleteSessionVariable('fcpoOrderNr');
         $this->_oFcpoHelper->fcpoDeleteSessionVariable('fcpoTxid');
         $this->_oFcpoHelper->fcpoDeleteSessionVariable('fcpoRefNr');
@@ -1180,7 +1200,17 @@ public function allowCapture()
         }
 
         if ($blReturn) {
-            $iCount = $this->_oFcpoDb->GetOne("SELECT COUNT(*) FROM fcpotransactionstatus WHERE fcpo_txid = '{$this->oxorder__fcpotxid->value}'");
+            $oDb = $this->_oFcpoHelper->fcpoGetPdoDb();
+
+            $sQuery = "
+                SELECT COUNT(*)
+                FROM fcpotransactionstatus
+                WHERE fcpo_txid = :sTxid
+            ";
+            $iCount = $oDb->fetchOne($sQuery, [
+                'sTxid' => $this->oxorder__fcpotxid->value
+            ]);
+
             $blReturn = ($iCount == 0) ? false : true;
         }
 
@@ -1199,17 +1229,21 @@ public function allowDebit() {
 
         if ($blIsAuthorization) return true;
 
+        $oDb = $this->_oFcpoHelper->fcpoGetPdoDb();
         $sQuery = "
-            SELECT 
-                COUNT(*) 
-            FROM 
-                fcpotransactionstatus 
-            WHERE 
-                fcpo_txid = '{$this->oxorder__fcpotxid->value}' AND 
-                fcpo_txaction = 'appointed'
+            SELECT
+                COUNT(*)
+            FROM
+                fcpotransactionstatus
+            WHERE
+                fcpo_txid = :sTxid
+            AND
+                fcpo_txaction = :sTxaction
         ";
-
-        $iCount = (int) $this->_oFcpoDb->GetOne($sQuery);
+        $iCount = (int) $oDb->fetchOne($sQuery, [
+            'sTxid' => $this->oxorder__fcpotxid->value,
+            'sTxaction' => 'appointed'
+        ]);
 
         $blReturn = ($iCount === 1);
 
@@ -1300,7 +1334,7 @@ public function isCancellationReasonNeeded()
      */
     public function getSequenceNumber() 
     {
-        $iCount = $this->_oFcpoDb->GetOne("SELECT MAX(fcpo_sequencenumber) FROM fcpotransactionstatus WHERE fcpo_txid = '{$this->oxorder__fcpotxid->value}'");
+        $iCount = $this->_oFcpoDb->GetOne("SELECT MAX(fcpo_sequencenumber) FROM fcpotransactionstatus WHERE fcpo_txid = " . $this->_oFcpoDb->quote($this->oxorder__fcpotxid->value));
 
         $iReturn = ($iCount === null) ? 0 : $iCount + 1;
 
@@ -1314,7 +1348,7 @@ public function getSequenceNumber()
      */
     public function getLastStatus() 
     {
-        $sOxid = $this->_oFcpoDb->GetOne("SELECT * FROM fcpotransactionstatus WHERE fcpo_txid = '{$this->oxorder__fcpotxid->value}' ORDER BY fcpo_sequencenumber DESC, oxtimestamp DESC");
+        $sOxid = $this->_oFcpoDb->GetOne("SELECT * FROM fcpotransactionstatus WHERE fcpo_txid = " . $this->_oFcpoDb->quote($this->oxorder__fcpotxid->value) . " ORDER BY fcpo_sequencenumber DESC, oxtimestamp DESC");
         if ($sOxid) {
             $oStatus = $this->_oFcpoHelper->getFactoryObject('fcpotransactionstatus');
             $oStatus->load($sOxid);
@@ -1361,7 +1395,7 @@ protected function getRequest($aAcceptedStatus = array('APPROVED'))
             $sSelect = "
                 SELECT oxid 
                 FROM fcporequestlog 
-                WHERE fcpo_refnr = '{$this->oxorder__fcporefnr->value}' 
+                WHERE fcpo_refnr = ". $this->_oFcpoDb->quote($this->oxorder__fcporefnr->value) . "
                 AND (
                     fcpo_requesttype = 'preauthorization' OR 
                     fcpo_requesttype = 'authorization'
@@ -1643,9 +1677,17 @@ public function fcGetArtStockInBasket($oBasket, $sArtId, $sExpiredArtId = null)
      */
     public function fcpoGetMandateFilename() 
     {
+        $oDb = $this->_oFcpoHelper->fcpoGetPdoDb();
+
         $sOxid = $this->getId();
-        $sQuery = "SELECT fcpo_filename FROM fcpopdfmandates WHERE oxorderid = '{$sOxid}'";
-        $sFile = $this->_oFcpoDb->GetOne($sQuery);
+        $sQuery = "
+            SELECT fcpo_filename
+            FROM fcpopdfmandates
+            WHERE oxorderid = :sOxid
+        ";
+        $sFile = $oDb->fetchOne($sQuery, [
+            'sOxid' => $sOxid
+        ]);
 
         return $sFile;
     }
@@ -1658,7 +1700,7 @@ public function fcpoGetMandateFilename()
      */
     public function fcpoGetStatus() 
     {
-        $sQuery = "SELECT oxid FROM fcpotransactionstatus WHERE fcpo_txid = '{$this->oxorder__fcpotxid->value}' ORDER BY fcpo_sequencenumber ASC";
+        $sQuery = "SELECT oxid FROM fcpotransactionstatus WHERE fcpo_txid = " . $this->_oFcpoDb->quote($this->oxorder__fcpotxid->value) . " ORDER BY fcpo_sequencenumber ASC";
         $aRows = $this->_oFcpoDb->getAll($sQuery);
 
         $aStatus = array();
@@ -2097,17 +2139,18 @@ protected function _fcpoWriteClearingInformation($sPaymentId, $aResponse)
             }
 
             if(!empty($aUpdatedFields)) {
+                $oDb = oxdb::getDb();
                 $sQuery = 'UPDATE oxorder SET ';
 
                 foreach ($aUpdatedFields as $sField => $sValue) {
-                    $sQuery .= " $sField = '$sValue',";
+                    $sQuery .= " $sField = " . $oDb->quote($sValue) . ",";
                 }
 
                 $sQuery = substr($sQuery, 0, strlen($sQuery)-1);
 
                 $sQuery .= " WHERE oxid='" . $this->oxorder__oxid . "'";
 
-                oxdb::getDb()->execute($sQuery);
+                $oDb->execute($sQuery);
             }
         }
     }

extend/application/models/fcPayOnePayment.php

@@ -332,11 +332,11 @@ public function fcpoGetUserPaymentId($sUserOxid, $sPaymentType)
      */
     public function isPaymentMethodAvailableToUser($sSubPaymentId, $sType, $sUserBillCountryId, $sUserDelCountryId) 
     {
-        $sBaseQuery = "SELECT COUNT(*) FROM fcpopayment2country WHERE fcpo_paymentid = '{$sSubPaymentId}' AND fcpo_type = '{$sType}'";
+        $sBaseQuery = "SELECT COUNT(*) FROM fcpopayment2country WHERE fcpo_paymentid = " . $this->_oFcpoDb->quote($sSubPaymentId) . " AND fcpo_type = " . $this->_oFcpoDb->quote($sType);
         if ($sUserDelCountryId !== false && $sUserBillCountryId != $sUserDelCountryId) {
-            $sWhereCountry = "AND (fcpo_countryid = '{$sUserBillCountryId}' || fcpo_countryid = '{$sUserDelCountryId}')";
+            $sWhereCountry = "AND (fcpo_countryid = " . $this->_oFcpoDb->quote($sUserBillCountryId) . " || fcpo_countryid = " . $this->_oFcpoDb->quote($sUserDelCountryId) . ")";
         } else {
-            $sWhereCountry = "AND fcpo_countryid = '{$sUserBillCountryId}'";
+            $sWhereCountry = "AND fcpo_countryid = " . $this->_oFcpoDb->quote($sUserBillCountryId);
         }
         $sQuery = "SELECT IF(({$sBaseQuery} LIMIT 1) > 0,IF(({$sBaseQuery} {$sWhereCountry} LIMIT 1) > 0,1,0),1)";
 
@@ -412,7 +412,7 @@ protected function _fcGetCountries($sCampaignId)
     {
         $aCountries = array();
 
-        $sQuery = "SELECT fcpo_countryid FROM fcpopayment2country WHERE fcpo_paymentid = 'KLR_{$sCampaignId}'";
+        $sQuery = "SELECT fcpo_countryid FROM fcpopayment2country WHERE fcpo_paymentid = " . $this->_oFcpoDb->quote('KLR_' .$sCampaignId);
         $aRows = $this->_oFcpoDb->getAll($sQuery);
         foreach ($aRows as $aRow) {
             $aCountries[] = $aRow[0];

lib/fcpohelper.php

@@ -686,4 +686,14 @@ public function fcpoUpdateRefNr($sRefNr, $blIncludesPrefix = true)
             return -1;
         }
     }
+
+    /**
+     * @return \Doctrine\DBAL\Connection
+     */
+    public function fcpoGetPdoDb()
+    {
+        $oContainer = \OxidEsales\EshopCommunity\Internal\Container\ContainerFactory::getInstance()->getContainer();
+
+        return $oContainer->get('fcpayone.db_connection');
+    }
 }

lib/fcporequest.php

@@ -964,8 +964,16 @@ public function addProductInfo($oOrder, $aPositions = false, $blDebit = false)
             }
         }
 
-        $sQuery = "SELECT IF(SUM(fcpocapturedamount) = 0, 1, 0) AS b FROM oxorderarticles WHERE oxorderid = '{$oOrder->getId()}' GROUP BY oxorderid";
-        $blFirstCapture = (bool) oxDb::getDb()->GetOne($sQuery);
+        $oDb = $this->_oFcpoHelper->fcpoGetPdoDb();
+        $sQuery = "
+            SELECT IF(SUM(fcpocapturedamount) = 0, 1, 0) AS b
+            FROM oxorderarticles
+            WHERE oxorderid = :sOxid
+            GROUP BY oxorderid
+        ";
+        $blFirstCapture = (bool) $oDb->fetchOne($sQuery, [
+            'sOxid' => $oOrder->getId()
+        ]);
 
         if ($aPositions === false || $blFirstCapture === true || $blDebit === true) {
             $oLang = $this->_oFcpoHelper->fcpoGetLang();
@@ -2803,8 +2811,8 @@ protected function _getCurlCliResponse($aUrlArray, $sCurlPath)
     {
         $aResponse = array();
 
-        $sPostUrl = $aUrlArray['scheme'] . "://" . $aUrlArray['host'] . $aUrlArray['path'];
-        $sPostData = $aUrlArray['query'];
+        $sPostUrl =  escapeshellarg($aUrlArray['scheme'] . "://" . $aUrlArray['host'] . $aUrlArray['path']);
+        $sPostData = escapeshellarg($aUrlArray['query']);
 
         $sCommand = $sCurlPath . " -m 45 -k -d \"" . $sPostData . "\" " . $sPostUrl;
         $iSysOut = -1;
@@ -2958,29 +2966,30 @@ protected function _logRequest($sResponse, $sStatus = '')
         $sQuery = " INSERT INTO fcporequestlog (
                         FCPO_REFNR, FCPO_REQUESTTYPE, FCPO_RESPONSESTATUS, FCPO_REQUEST, FCPO_RESPONSE, FCPO_PORTALID, FCPO_AID
                     ) VALUES (
-                        '{$this->getParameter('reference')}', 
-                        '{$this->getParameter('request')}', 
-                        '{$sStatus}', 
+                        " . $oDb->quote($this->getParameter('reference')) . ",
+                        " . $oDb->quote($this->getParameter('request')) . ",
+                        " . $oDb->quote($sStatus) . ",
                         " . $oDb->quote($sRequest) . ", 
                         " . $oDb->quote($sResponse) . ", 
-                        '{$oConfig->getConfigParam('sFCPOPortalID')}', 
-                        '{$oConfig->getConfigParam('sFCPOSubAccountID')}'
+                        " . $oDb->quote($oConfig->getConfigParam('sFCPOPortalID')) . ",
+                        " . $oDb->quote($oConfig->getConfigParam('sFCPOSubAccountID')) . "
                     )";
         $oDb->Execute($sQuery);
     }
 
     protected function _getPayoneUserIdByCustNr($sCustNr)
     {
+        $oDb = oxDb::getDb();
         $sQuery = " SELECT 
                         fcpo_userid 
                     FROM 
                         fcpotransactionstatus 
                     WHERE 
-                        fcpo_customerid = '{$sCustNr}' 
+                        fcpo_customerid = " . $oDb->quote($sCustNr) . "
                     ORDER BY 
                         oxtimestamp DESC 
                     LIMIT 1";
-        $sPayOneUserId = oxDb::getDb()->GetOne($sQuery);
+        $sPayOneUserId = $oDb->GetOne($sQuery);
         return $sPayOneUserId;
     }
 
@@ -3191,7 +3200,7 @@ public function getRefNr($oOrder = false, $blAddPrefixToSession = false)
             $sQuery = "SELECT MAX(fcpo_refnr) FROM fcporefnr WHERE fcpo_refprefix = {$sPrefix}";
             $iMaxRefNr = $oDb->GetOne($sQuery);
             $sRefNr = (int) $iMaxRefNr + 1;
-            $sQuery = "INSERT INTO fcporefnr (fcpo_refnr, fcpo_txid, fcpo_refprefix)  VALUES ('{$sRefNr}', '', {$sPrefix})";
+            $sQuery = "INSERT INTO fcporefnr (fcpo_refnr, fcpo_txid, fcpo_refprefix)  VALUES (" . $oDb->quote($sRefNr) . ", '', " . $sPrefix . ")";
 
             $oDb->Execute($sQuery);
         }

services.yaml

@@ -0,0 +1,4 @@
+services:
+  fcpayone.db_connection:
+    alias: 'Doctrine\DBAL\Connection'
+    public: true