  1. <?php
  2. require_once('./files/functions.php');
  3.  
  4. /* ACCOUNT REGISTRATION */
  5.  
  6. if(isset($_POST['action']) && $_POST['action'] == 'register') {
  7. if(isset($_POST['first-name']) && isset($_POST['last-name']) && isset($_POST['email']) && isset($_POST['user-name']) && isset($_POST['password']) && isset($_POST['confirm-password']) &&
  8. is_string($_POST['first-name']) && is_string($_POST['last-name']) && is_string($_POST['email']) && is_string($_POST['user-name']) && is_string($_POST['password']) && is_string($_POST['confirm-password']) &&
  9. !empty($_POST['first-name']) && !empty($_POST['last-name']) && !empty($_POST['email']) && !empty($_POST['user-name']) && !empty($_POST['password']) && !empty($_POST['confirm-password'])) {
  10. if(isset($_POST['tos'])) {
  11. if($_POST['password'] == $_POST['confirm-password']) {
  12. if(strlen($_POST['password']) < 32 && strlen($_POST['password']) > 3) {
  13. if(strlen($_POST['user-name']) < 16 && strlen($_POST['user-name']) > 3) {
  14. if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
  15. $first_name = stripslashes(strip_tags($_POST['first-name']));
  16. $last_name = stripslashes(strip_tags($_POST['last-name']));
  17. $email = $_POST['email'];
  18. $user_name = stripslashes(strip_tags($_POST['user-name']));
  19. $password = md5($_POST['password']);
  20.  
  21. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  22. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email));
  23.  
  24. if($stmt->rowCount() != 0) {
  25. $display->ReturnError('User with these credentials already exists.');
  26. } else {
  27. $stmt = $pdo->prepare('INSERT INTO users (UserName, UserEmail, UserPassword, UserFirstName, UserLastName, UserRegistrationDate, UserRegistrationAddress)
  28. VALUES (:UserName, :UserEmail, :UserPassword, :UserFirstName, :UserLastName, :UserRegistrationDate, :UserRegistrationAddress)');
  29.  
  30. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email, ':UserPassword' => $password, ':UserFirstName' => $first_name, ':UserLastName' => $last_name, ':UserRegistrationDate' => time(), ':UserRegistrationAddress' => $_SERVER['REMOTE_ADDR']));
  31.  
  32. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName');
  33. $stmt->bindParam(':UserName', $user_name);
  34. $stmt->execute();
  35.  
  36. $row = $stmt->fetch();
  37.  
  38. $UserID = $row['UserID'];
  39. $time = time();
  40. $IPAddress = $_SERVER['REMOTE_ADDR'];
  41.  
  42. $_SESSION['auth'] = $UserID;
  43.  
  44. $stmt = $pdo->prepare('INSERT INTO logs (LogUserID, LogDate, LogIPAddress) VALUES (:LogUserID, :LogDate, :LogIPAddress)');
  45. $stmt->execute(array(':LogUserID' => $UserID, ':LogDate' => $time, ':LogIPAddress' => $IPAddress));
  46.  
  47. $display->ReturnSuccess('Your account was successfully created.');
  48.  
  49. $settings->forceRedirect('index.php', 2);
  50. }
  51. } else {
  52. $display->ReturnError('The provided e-mail address is invalid.');
  53. }
  54. } else {
  55. $display->ReturnError('User name length have to be 4-16 characters.');
  56. }
  57. } else {
  58. $display->ReturnError('Password length have to be 4-32 characters.');
  59. }
  60. } else {
  61. $display->ReturnError('Password do not equals to confirmed password.');
  62. }
  63. } else {
  64. $display->ReturnError('You have to agree with our TOS.');
  65. }
  66. } else {
  67. $display->ReturnError('Fill all fields correctly.');
  68. }
  69. }
  70.  
  71. /* ACCOUNT LOGIN */
  72.  
  73. if(isset($_POST['action']) && $_POST['action'] == 'login') {
  74. if(isset($_POST['username']) && isset($_POST['password']) &&
  75. is_string($_POST['username']) && is_string($_POST['password']) &&
  76. !empty($_POST['username']) && !empty($_POST['password'])) {
  77. $username = stripslashes(strip_tags($_POST['username']));
  78. $password = md5($_POST['password']);
  79.  
  80. if(!filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
  81. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserEmail = :UserEmail');
  82. $stmt->bindParam(':UserEmail', $username);
  83. } else {
  84. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName');
  85. $stmt->bindParam(':UserName', $username);
  86. }
  87.  
  88. $stmt->execute();
  89.  
  90. if($stmt->rowCount() > 0) {
  91. if(!filter_var($username, FILTER_VALIDATE_EMAIL) === false) {
  92. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserEmail = :UserEmail AND UserPassword = :UserPassword');
  93. $stmt->execute(array(':UserEmail' => $username, ':UserPassword' => $password));
  94. } else {
  95. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName AND UserPassword = :UserPassword');
  96. $stmt->execute(array(':UserName' => $username, ':UserPassword' => $password));
  97. }
  98.  
  99. if($stmt->rowCount() > 0) {
  100. $row = $stmt->fetch();
  101. $UserLevel = $row['UserLevel'];
  102.  
  103. if($UserLevel == 'banned') {
  104. $display->ReturnError('Your account has been suspended.');
  105. return false;
  106. }
  107. $UserID = $row['UserID'];
  108. $time = time();
  109. $IPAddress = $_SERVER['REMOTE_ADDR'];
  110.  
  111. $_SESSION['auth'] = $UserID;
  112.  
  113. $stmt = $pdo->prepare('INSERT INTO logs (LogUserID, LogDate, LogIPAddress) VALUES (:LogUserID, :LogDate, :LogIPAddress)');
  114. $stmt->execute(array(':LogUserID' => $UserID, ':LogDate' => $time, ':LogIPAddress' => $IPAddress));
  115.  
  116. $display->ReturnSuccess('You were successfully logged in.');
  117.  
  118. $settings->forceRedirect('index.php', 2);
  119. } else {
  120. $display->ReturnError('Invalid user credentials.');
  121. }
  122. } else {
  123. $display->ReturnError('User with these credentials does not exists.');
  124. }
  125. } else {
  126. $display->ReturnError('Fill all fields correctly.');
  127. }
  128. }
  129.  
  130. /* RESET ACCOUNT PASSWORD */
  131.  
  132. if(isset($_POST['action']) && $_POST['action'] == 'reset') {
  133. if(isset($_POST['username']) && isset($_POST['email'])
  134. && is_string($_POST['username']) && is_string($_POST['email'])
  135. && !empty($_POST['username']) && !empty($_POST['email'])) {
  136.  
  137. if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
  138. $username = stripslashes(strip_tags($_POST['username']));
  139. $email = $_POST['email'];
  140.  
  141. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  142. $stmt->execute(array(':UserName' => $username, ':UserEmail' => $email));
  143.  
  144. if($stmt->rowCount() > 0) {
  145. $new_password = substr(md5(rand(1,100000)), 0, 8);
  146.  
  147. $stmt = $pdo->prepare('UPDATE users SET UserPassword = :UserPassword WHERE UserName = :UserName');
  148. $stmt->execute(array(':UserPassword' => md5($new_password), ':UserName' => $username));
  149.  
  150. $subject = 'Password recovery';
  151. $txt = 'Your account password has been reset.';
  152. $txt .= 'Your new account password is: '.$new_password.'';
  153. $headers = "From: ".$RecoveryEmail."" . "\r\n" .
  154. "CC: ".$RecoveryEmail."";
  155.  
  156. mail($email,$subject,$txt,$headers);
  157. } else {
  158. echo('User with these credentials does not exists.');
  159. }
  160. } else {
  161. echo('The entered E-mail is invalid.');
  162. }
  163. } else {
  164. echo('Fill all fields correctly.');
  165. }
  166. }
  167.  
  168. /* SAVE MERCHANT */
  169.  
  170. if(isset($_POST['action']) && $_POST['action'] == 'save-merchant') {
  171. $UserLevel = $user->GetData('UserLevel');
  172.  
  173. if($UserLevel == 'admin') {
  174. if(isset($_POST['website-name']) && isset($_POST['recovery-email']) &&
  175. is_string($_POST['website-name']) && is_string($_POST['recovery-email']) &&
  176. !empty($_POST['website-name']) && !empty($_POST['recovery-email'])) {
  177. if(!filter_var($_POST['recovery-email'], FILTER_VALIDATE_EMAIL) === false) {
  178. $WebsiteName = $_POST['website-name'];
  179. $RecoveryEmail = $_POST['recovery-email'];
  180.  
  181. $PaypalEmail = $_POST['paypal-email'];
  182.  
  183. $SkrillEmail = $_POST['skrill-email'];
  184. $SkrillSecret = $_POST['skrill-secret'];
  185.  
  186. $stmt = $pdo->prepare('SELECT * FROM merchant');
  187. $stmt->execute();
  188. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  189.  
  190. if(empty($row['MerchantWebsiteName'])) {
  191. $stmt = $pdo->prepare('INSERT INTO merchant (MerchantWebsiteName, MerchantRecoveryEmail, MerchantPaypalEmail, MerchantSkrillEmail, MerchantSkrillSecret)
  192. VALUES (:MerchantWebsiteName, :MerchantRecoveryEmail, :MerchantPaypalEmail, :MerchantSkrillEmail, :MerchantSkrillSecret)');
  193.  
  194. $stmt->execute(array(':MerchantWebsiteName' => $WebsiteName, ':MerchantRecoveryEmail' => $RecoveryEmail, ':MerchantPaypalEmail' => $PaypalEmail,
  195. ':MerchantSkrillEmail' => $SkrillEmail, ':MerchantSkrillSecret' => $SkrillSecret));
  196. } else {
  197. $CurrentName = $row['MerchantWebsiteName'];
  198.  
  199. $stmt = $pdo->prepare('UPDATE merchant SET MerchantWebsiteName = :MerchantWebsiteName, MerchantRecoveryEmail = :MerchantRecoveryEmail,
  200. MerchantPaypalEmail = :MerchantPaypalEmail, MerchantSkrillEmail = :MerchantSkrillEmail, MerchantSkrillSecret = :MerchantSkrillSecret WHERE MerchantWebsiteName = :MerchantWebsiteNameConfirm');
  201.  
  202. $stmt->execute(array(':MerchantWebsiteName' => $WebsiteName, ':MerchantRecoveryEmail' => $RecoveryEmail, ':MerchantPaypalEmail' => $PaypalEmail,
  203. ':MerchantSkrillEmail' => $SkrillEmail, ':MerchantSkrillSecret' => $SkrillSecret, ':MerchantWebsiteNameConfirm' => $CurrentName));
  204. }
  205. } else {
  206. echo('The provided recovery E-mail address is invalid.');
  207. }
  208. } else {
  209. echo('Fill all fields correctly.');
  210. }
  211. } else {
  212. echo('You don\'t have permissions to browse this page.');
  213. }
  214. }
  215.  
  216. /* CREATE USER FROM ADMINISTRATION PANEL */
  217.  
  218. if(isset($_POST['action']) && $_POST['action'] == 'create-user') {
  219. $UserLevel = $user->GetData('UserLevel');
  220.  
  221. if($UserLevel == 'admin') {
  222. if(isset($_POST['user-first-name']) && isset($_POST['user-last-name']) && isset($_POST['user-email']) && isset($_POST['user-name']) && isset($_POST['user-password']) && isset($_POST['user-level']) && isset($_POST['user-funds']) &&
  223. is_string($_POST['user-first-name']) && is_string($_POST['user-last-name']) && is_string($_POST['user-email']) && is_string($_POST['user-name']) && is_string($_POST['user-password']) && is_string($_POST['user-level']) && ctype_digit($_POST['user-funds']) &&
  224. !empty($_POST['user-first-name']) && !empty($_POST['user-last-name']) && !empty($_POST['user-email']) && !empty($_POST['user-name']) && !empty($_POST['user-password']) && !empty($_POST['user-level'])) {
  225. if(strlen($_POST['user-password']) < 32 && strlen($_POST['user-password']) > 3) {
  226. if(strlen($_POST['user-name']) < 16 && strlen($_POST['user-name']) > 3) {
  227. if(!filter_var($_POST['user-email'], FILTER_VALIDATE_EMAIL) === false) {
  228. $first_name = stripslashes(strip_tags($_POST['user-first-name']));
  229. $last_name = stripslashes(strip_tags($_POST['user-last-name']));
  230. $email = $_POST['user-email'];
  231. $user_name = stripslashes(strip_tags($_POST['user-name']));
  232. $password = md5($_POST['user-password']);
  233. $level = stripslashes(strip_tags($_POST['user-level']));
  234. $funds = stripslashes(strip_tags($_POST['user-funds']));
  235.  
  236. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  237. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email));
  238.  
  239. if($stmt->rowCount() == 0) {
  240. $stmt = $pdo->prepare('INSERT INTO users (UserName, UserEmail, UserPassword, UserLevel, UserFirstName, UserLastName, UserRegistrationDate, UserRegistrationAddress, UserFunds)
  241. VALUES (:UserName, :UserEmail, :UserPassword, :UserLevel, :UserFirstName, :UserLastName, :UserRegistrationDate, :UserRegistrationAddress, :UserFunds)');
  242.  
  243. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email, ':UserPassword' => $password, ':UserLevel' => $level, ':UserFirstName' => $first_name, ':UserLastName' => $last_name, ':UserRegistrationDate' => time(), ':UserRegistrationAddress' => '127.0.0.1', ':UserFunds' => $funds));
  244. } else {
  245. echo('User with these credentials already exists.');
  246. return false;
  247. }
  248. } else {
  249. echo('The provided e-mail address is invalid.');
  250. }
  251. } else {
  252. echo('User name length have to be 4-16 characters.');
  253. }
  254. } else {
  255. echo('Password length have to be 4-32 characters.');
  256. }
  257. } else {
  258. echo('Fill all fields correctly.');
  259. }
  260. } else {
  261. echo('You don\'t have permissions to browse this page.');
  262. }
  263. }
  264.  
  265. /* ADD NEW */
  266.  
  267. if(isset($_POST['action']) && $_POST['action'] == 'add-new') {
  268. $UserLevel = $user->GetData('UserLevel');
  269.  
  270. if($UserLevel == 'admin') {
  271. if(isset($_POST['new-title']) && isset($_POST['new-content']) &&
  272. is_string($_POST['new-title']) && is_string($_POST['new-content']) &&
  273. !empty($_POST['new-title']) && !empty($_POST['new-content'])) {
  274. $new_title = stripslashes(strip_tags($_POST['new-title']));
  275. $new_content = stripslashes(strip_tags($_POST['new-content']));
  276. $new_user = $user->GetData('UserID');
  277. $new_date = time();
  278.  
  279. $stmt = $pdo->prepare('INSERT INTO news (NewsTitle, NewsContent, NewsDate, NewsUserID) VALUES (:NewsTitle, :NewsContent, :NewsDate, :NewsUserID)');
  280. $stmt->execute(array(':NewsTitle' => $new_title, ':NewsContent' => $new_content, ':NewsDate' => $new_date, ':NewsUserID' => $new_user));
  281. } else {
  282. echo('Fill all fields correctly.');
  283. }
  284. } else {
  285. echo('You don\'t have permissions to browse this page.');
  286. }
  287. }
  288.  
  289. /* EDIT NEW */
  290.  
  291. if(isset($_POST['action']) && $_POST['action'] == 'edit-new') {
  292. $UserLevel = $user->GetData('UserLevel');
  293.  
  294. if($UserLevel == 'admin') {
  295. if(isset($_POST['new-id']) && isset($_POST['new-title']) && isset($_POST['new-content']) &&
  296. is_string($_POST['new-title']) && is_string($_POST['new-content']) &&
  297. !empty($_POST['new-title']) && !empty($_POST['new-content'])) {
  298. $new_title = stripslashes(strip_tags($_POST['new-title']));
  299. $new_content = stripslashes(strip_tags($_POST['new-content']));
  300. $new_id = $_POST['new-id'];
  301.  
  302. $stmt = $pdo->prepare('SELECT * FROM news WHERE NewsID = :NewsID');
  303. $stmt->bindParam(':NewsID', $new_id);
  304. $stmt->execute();
  305.  
  306. if($stmt->rowCount() == 1) {
  307. $stmt = $pdo->prepare('UPDATE news SET NewsTitle = :NewsTitle, NewsContent = :NewsContent WHERE NewsID = :NewsID');
  308.  
  309. $stmt->execute(array(':NewsTitle' => $new_title, ':NewsContent' => $new_content, ':NewsID' => $new_id));
  310. } else {
  311. echo('New does not exists.');
  312. }
  313. } else {
  314. echo('Fill all fields correctly.');
  315. }
  316. } else {
  317. echo('You don\'t have permissions to browse this page.');
  318. }
  319. }
  320.  
  321. /* DELETE NEW */
  322.  
  323. if(isset($_POST['action']) && $_POST['action'] == 'delete-new') {
  324. $UserLevel = $user->GetData('UserLevel');
  325.  
  326. if($UserLevel == 'admin') {
  327. if(isset($_POST['new-id']) && !empty($_POST['new-id']) && ctype_digit($_POST['new-id'])) {
  328. $NewsID = $_POST['new-id'];
  329.  
  330. $stmt = $pdo->prepare('SELECT * FROM news WHERE NewsID = :NewsID');
  331. $stmt->bindParam(':NewsID', $NewsID);
  332. $stmt->execute();
  333.  
  334. if($stmt->rowCount() == 1) {
  335. $stmt = $pdo->prepare('DELETE FROM news WHERE NewsID = :NewsID');
  336. $stmt->bindParam(':NewsID', $NewsID);
  337. $stmt->execute();
  338. } else {
  339. echo 'New does not exists.';
  340. }
  341. }
  342. } else {
  343. echo('You don\'t have permissions to browse this page.');
  344. }
  345. }
  346.  
  347. /* DELETE LOGS */
  348.  
  349. if(isset($_POST['action']) && $_POST['action'] == 'delete-logs') {
  350. $UserLevel = $user->GetData('UserLevel');
  351.  
  352. if($UserLevel == 'admin') {
  353. $stmt = $pdo->prepare('DELETE FROM logs');
  354. $stmt->execute();
  355. } else {
  356. echo('You don\'t have permissions to browse this page.');
  357. }
  358. }
  359.  
  360. /* EDIT USER */
  361.  
  362. if(isset($_POST['action']) && $_POST['action'] == 'edit-user') {
  363. $UserLevel = $user->GetData('UserLevel');
  364.  
  365. if($UserLevel == 'admin') {
  366. if(isset($_POST['user-id']) && isset($_POST['user-first-name']) && isset($_POST['user-last-name']) && isset($_POST['user-email']) && isset($_POST['user-name']) && isset($_POST['user-level']) && isset($_POST['user-funds']) &&
  367. is_string($_POST['user-first-name']) && is_string($_POST['user-last-name']) && is_string($_POST['user-email']) && is_string($_POST['user-name']) && is_string($_POST['user-level']) && preg_match('/^[0-9.]+$/', $_POST['user-funds']) &&
  368. !empty($_POST['user-id']) && !empty($_POST['user-first-name']) && !empty($_POST['user-last-name']) && !empty($_POST['user-email']) && !empty($_POST['user-name']) && !empty($_POST['user-level'])) {
  369. if(strlen($_POST['user-name']) < 16 && strlen($_POST['user-name']) > 3) {
  370. if(!filter_var($_POST['user-email'], FILTER_VALIDATE_EMAIL) === false) {
  371. $first_name = stripslashes(strip_tags($_POST['user-first-name']));
  372. $last_name = stripslashes(strip_tags($_POST['user-last-name']));
  373. $email = $_POST['user-email'];
  374. $user_name = stripslashes(strip_tags($_POST['user-name']));
  375. $level = stripslashes(strip_tags($_POST['user-level']));
  376. $funds = stripslashes(strip_tags($_POST['user-funds']));
  377. $user_id = $_POST['user-id'];
  378.  
  379. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  380. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email));
  381.  
  382.  
  383. $query = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  384. $query->bindParam(':UserID', $user_id);
  385. $query->execute();
  386.  
  387. if($query->rowCount() == 0) {
  388. echo 'User account does not exists.';
  389. return false;
  390. }
  391. if($stmt->rowCount() <= 1) {
  392. $stmt = $pdo->prepare('UPDATE users SET UserFirstName = :UserFirstName, UserLastName = :UserLastName, UserEmail = :UserEmail, UserName = :UserName, UserLevel = :UserLevel, UserFunds = :UserFunds WHERE UserID = :UserID');
  393.  
  394. $stmt->execute(array(':UserFirstName' => $first_name, ':UserLastName' => $last_name, ':UserEmail' => $email,
  395. ':UserName' => $user_name, ':UserLevel' => $level, ':UserFunds' => $funds, ':UserID' => $user_id));
  396. } else {
  397. echo('User with these credentials already exists.');
  398. return false;
  399. }
  400. } else {
  401. echo('The provided e-mail address is invalid.');
  402. }
  403. } else {
  404. echo('User name length have to be 4-16 characters.');
  405. }
  406. } else {
  407. echo('Fill all fields correctly.');
  408. }
  409. } else {
  410. echo('You don\'t have permissions to browse this page.');
  411. }
  412. }
  413.  
  414. /* CREATE CATEGORY */
  415.  
  416. if(isset($_POST['action']) && $_POST['action'] == 'create-category') {
  417. $UserLevel = $user->GetData('UserLevel');
  418.  
  419. if($UserLevel == 'admin') {
  420. if(isset($_POST['category-name']) && isset($_POST['category-description']) &&
  421. is_string($_POST['category-name']) && is_string($_POST['category-description']) &&
  422. !empty($_POST['category-name']) && !empty($_POST['category-description'])) {
  423. $category_name = stripslashes(strip_tags($_POST['category-name']));
  424. $category_description = stripslashes(strip_tags($_POST['category-description']));
  425. $time = time();
  426.  
  427. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryName = :CategoryName');
  428. $stmt->bindParam(':CategoryName', $category_name);
  429. $stmt->execute();
  430.  
  431. if($stmt->rowCount() == 0) {
  432. $stmt = $pdo->prepare('INSERT INTO categories (CategoryName, CategoryDescription, CategoryCreatedDate) VALUES (:CategoryName, :CategoryDescription, :CategoryCreatedDate)');
  433. $stmt->execute(array(':CategoryName' => $category_name, ':CategoryDescription' => $category_description, ':CategoryCreatedDate' => $time));
  434. } else {
  435. echo('Category already exists.');
  436. }
  437. } else {
  438. echo('Fill all fields correctly.');
  439. }
  440. } else {
  441. echo('You don\'t have permissions to browse this page.');
  442. }
  443. }
  444.  
  445. /* OPEN TICKET */
  446.  
  447. if(isset($_POST['action']) && $_POST['action'] == 'open-ticket') {
  448. if(isset($_POST['ticket-title']) && isset($_POST['ticket-message']) &&
  449. is_string($_POST['ticket-title']) && is_string($_POST['ticket-message']) &&
  450. !empty($_POST['ticket-title']) && !empty($_POST['ticket-message'])) {
  451. $ticket_title = stripslashes(strip_tags($_POST['ticket-title']));
  452. $ticket_message = stripslashes(strip_tags($_POST['ticket-message']));
  453. $time = time();
  454. $user_id = $user->GetData('UserID');
  455.  
  456. $stmt = $pdo->prepare('INSERT INTO support (SupportUserID, SupportTitle, SupportMessage, SupportDate) VALUES (:SupportUserID, :SupportTitle, :SupportMessage, :SupportDate)');
  457. $stmt->execute(array(':SupportUserID' => $user_id, ':SupportTitle' => $ticket_title, ':SupportMessage' => $ticket_message, ':SupportDate' => $time));
  458. } else {
  459. echo('Fill all fields correctly.');
  460. }
  461. }
  462.  
  463. /* TICKET REPLY */
  464.  
  465. if(isset($_POST['action']) && $_POST['action'] == 'reply-ticket') {
  466. $UserLevel = $user->GetData('UserLevel');
  467.  
  468. if($UserLevel == 'admin') {
  469. if(isset($_POST['ticket-id']) && isset($_POST['ticket-reply']) &&
  470. ctype_digit($_POST['ticket-id']) && is_string($_POST['ticket-reply']) &&
  471. !empty($_POST['ticket-id']) && !empty($_POST['ticket-reply'])) {
  472. $ticket_id = $_POST['ticket-id'];
  473. $ticket_reply = stripslashes(strip_tags($_POST['ticket-reply']));
  474.  
  475. $stmt = $pdo->prepare('UPDATE support SET SupportReply = :SupportReply WHERE SupportID = :SupportID');
  476. $stmt->execute(array(':SupportReply' => $ticket_reply, ':SupportID' => $ticket_id));
  477. } else {
  478. echo('Fill all fields correctly.');
  479. }
  480. } else {
  481. echo('You don\'t have permissions to browse this page.');
  482. }
  483. }
  484.  
  485. /* TICKET DELETE */
  486.  
  487. if(isset($_POST['action']) && $_POST['action'] == 'delete-ticket') {
  488. $UserLevel = $user->GetData('UserLevel');
  489.  
  490. if($UserLevel == 'admin') {
  491. if(isset($_POST['ticket-id']) && ctype_digit($_POST['ticket-id']) && !empty($_POST['ticket-id'])) {
  492. $ticket_id = $_POST['ticket-id'];
  493.  
  494. $stmt = $pdo->prepare('DELETE FROM support WHERE SupportID = :SupportID');
  495. $stmt->bindParam(':SupportID', $ticket_id);
  496. $stmt->execute();
  497. } else {
  498. echo('Fill all fields correctly.');
  499. }
  500. } else {
  501. echo('You don\'t have permissions to browse this page.');
  502. }
  503. }
  504.  
  505. /* CREATE SERVICE */
  506.  
  507. if(isset($_POST['action']) && $_POST['action'] == 'create-service') {
  508. $UserLevel = $user->GetData('UserLevel');
  509.  
  510. if($UserLevel == 'admin') {
  511. if(isset($_POST['service-name']) && isset($_POST['service-description']) && isset($_POST['service-quantity']) && isset($_POST['service-price']) && isset($_POST['service-category']) && isset($_POST['service-api']) &&
  512. is_string($_POST['service-name']) && is_string($_POST['service-description']) && is_string($_POST['service-quantity']) && is_string($_POST['service-price']) && is_string($_POST['service-category']) &&
  513. !empty($_POST['service-name']) && !empty($_POST['service-description']) && !empty($_POST['service-quantity']) && ctype_digit($_POST['service-quantity']) && !empty($_POST['service-price']) && !empty($_POST['service-category'])) {
  514. $service_name = stripslashes(strip_tags($_POST['service-name']));
  515. $service_description = stripslashes(strip_tags($_POST['service-description']));
  516. $service_quantity = stripslashes(strip_tags($_POST['service-quantity']));
  517. $service_price = stripslashes(strip_tags($_POST['service-price']));
  518. $service_category = stripslashes(strip_tags($_POST['service-category']));
  519. $service_api = htmlspecialchars($_POST['service-api']);
  520. $time = time();
  521.  
  522. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductName = :ProductName');
  523. $stmt->bindParam(':ProductName', $service_name);
  524. $stmt->execute();
  525.  
  526. if($stmt->rowCount() == 0) {
  527. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  528. $stmt->bindParam(':CategoryID', $service_category);
  529. $stmt->execute();
  530.  
  531. if($stmt->rowCount() > 0 ) {
  532. $stmt = $pdo->prepare('INSERT INTO products (ProductCategoryID, ProductName, ProductDescription, ProductMinimumQuantity, ProductPrice, ProductCreatedDate, ProductAPI)
  533. VALUES (:ProductCategoryID, :ProductName, :ProductDescription, :ProductMinimumQuantity, :ProductPrice, :ProductCreatedDate, :ProductAPI)');
  534.  
  535. $stmt->execute(array(':ProductCategoryID' => $service_category, ':ProductName' => $service_name, ':ProductDescription' => $service_description, ':ProductMinimumQuantity' => $service_quantity, ':ProductPrice' => $service_price, ':ProductCreatedDate' => $time, ':ProductAPI' => $service_api));
  536. } else {
  537. echo 'Category does not exists.';
  538. }
  539. } else {
  540. echo('Service already exists.');
  541. }
  542. } else {
  543. echo('Fill all fields correctly.');
  544. }
  545. } else {
  546. echo('You don\'t have permissions to browse this page.');
  547. }
  548. }
  549.  
  550. /* EDIT SERVICE */
  551.  
  552. if(isset($_POST['action']) && $_POST['action'] == 'edit-service') {
  553. $UserLevel = $user->GetData('UserLevel');
  554.  
  555. if($UserLevel == 'admin') {
  556. if(isset($_POST['service-id']) && isset($_POST['service-name']) && isset($_POST['service-description']) && isset($_POST['service-quantity']) && isset($_POST['service-price']) && isset($_POST['service-category']) && isset($_POST['service-api']) &&
  557. is_string($_POST['service-name']) && is_string($_POST['service-description']) && is_string($_POST['service-quantity']) && is_string($_POST['service-price']) && is_string($_POST['service-category']) &&
  558. !empty($_POST['service-name']) && !empty($_POST['service-description']) && !empty($_POST['service-quantity']) && ctype_digit($_POST['service-quantity']) && !empty($_POST['service-price']) && !empty($_POST['service-category'])) {
  559. $service_name = stripslashes(strip_tags($_POST['service-name']));
  560. $service_description = stripslashes(strip_tags($_POST['service-description']));
  561. $service_quantity = stripslashes(strip_tags($_POST['service-quantity']));
  562. $service_price = stripslashes(strip_tags($_POST['service-price']));
  563. $service_category = stripslashes(strip_tags($_POST['service-category']));
  564. $service_api = $_POST['service-api'];
  565. $time = time();
  566.  
  567. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  568. $stmt->bindParam(':ProductID', $_POST['service-id']);
  569. $stmt->execute();
  570.  
  571. if($stmt->rowCount() == 1) {
  572. $ServiceRow = $stmt->fetch(PDO::FETCH_ASSOC);
  573.  
  574. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductName = :ProductName');
  575. $stmt->bindParam(':ProductName', $service_name);
  576. $stmt->execute();
  577.  
  578. if(strtolower($ServiceRow['ProductName']) == strtolower($service_name) || $stmt->rowCount() == 0) {
  579. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  580. $stmt->bindParam(':CategoryID', $service_category);
  581. $stmt->execute();
  582.  
  583. if($stmt->rowCount() == 1) {
  584. $stmt = $pdo->prepare('UPDATE products SET ProductCategoryID = :ProductCategoryID, ProductName = :ProductName, ProductDescription = :ProductDescription, ProductMinimumQuantity = :ProductMinimumQuantity, ProductPrice = :ProductPrice, ProductAPI = :ProductAPI WHERE ProductID = :ProductID');
  585. $stmt->execute(array(':ProductCategoryID' => $service_category, ':ProductName' => $service_name, ':ProductDescription' => $service_description, ':ProductMinimumQuantity' => $service_quantity, ':ProductPrice' => $service_price, ':ProductID' => $_POST['service-id'], ':ProductAPI' => $service_api));
  586. } else {
  587. echo 'Category does not exists.';
  588. }
  589. } else {
  590. echo 'Service with this name already exists.';
  591. }
  592. } else {
  593. echo('Service does not exists.');
  594. }
  595. } else {
  596. echo('Fill all fields correctly.');
  597. }
  598. } else {
  599. echo('You don\'t have permissions to browse this page.');
  600. }
  601. }
  602.  
  603. /* DELETE SERVICE */
  604.  
  605. if(isset($_POST['action']) && $_POST['action'] == 'delete-service') {
  606. $UserLevel = $user->GetData('UserLevel');
  607.  
  608. if($UserLevel == 'admin') {
  609. if(isset($_POST['service-id']) && !empty($_POST['service-id']) && ctype_digit($_POST['service-id'])) {
  610. $ServiceID = $_POST['service-id'];
  611.  
  612. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  613. $stmt->bindParam(':ProductID', $ServiceID);
  614. $stmt->execute();
  615.  
  616. if($stmt->rowCount() == 1) {
  617. $stmt = $pdo->prepare('DELETE FROM products WHERE ProductID = :ProductID');
  618. $stmt->bindParam(':ProductID', $ServiceID);
  619. $stmt->execute();
  620. } else {
  621. echo 'Service does not exists.';
  622. return false;
  623. }
  624. }
  625. } else {
  626. echo('You don\'t have permissions to browse this page.');
  627. }
  628. }
  629.  
  630. /* EDIT CATEGORY */
  631.  
  632. if(isset($_POST['action']) && $_POST['action'] == 'edit-category') {
  633. $UserLevel = $user->GetData('UserLevel');
  634.  
  635. if($UserLevel == 'admin') {
  636. if(isset($_POST['category-id']) && isset($_POST['category-name']) && isset($_POST['category-description']) &&
  637. is_string($_POST['category-name']) && is_string($_POST['category-description']) &&
  638. !empty($_POST['category-name']) && !empty($_POST['category-description'])) {
  639. $category_id = stripslashes(strip_tags($_POST['category-id']));
  640. $category_name = stripslashes(strip_tags($_POST['category-name']));
  641. $category_description = stripslashes(strip_tags($_POST['category-description']));
  642. $time = time();
  643.  
  644. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  645. $stmt->bindParam(':CategoryID', $_POST['category-id']);
  646. $stmt->execute();
  647.  
  648. if($stmt->rowCount() == 1) {
  649. $CategoryRow = $stmt->fetch(PDO::FETCH_ASSOC);
  650.  
  651. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryName = :CategoryName');
  652. $stmt->bindParam(':CategoryName', $category_name);
  653. $stmt->execute();
  654.  
  655. if(strtolower($CategoryRow['CategoryName']) == strtolower($category_name) || $stmt->rowCount() == 0) {
  656. $stmt = $pdo->prepare('UPDATE categories SET CategoryName = :CategoryName, CategoryDescription = :CategoryDescription WHERE CategoryID = :CategoryID');
  657. $stmt->execute(array(':CategoryID' => $category_id, ':CategoryName' => $category_name, ':CategoryDescription' => $category_description));
  658. } else {
  659. echo('Category name already exists.');
  660. }
  661. } else {
  662. echo('Category already exists.');
  663. }
  664. } else {
  665. echo('Fill all fields correctly.');
  666. }
  667. } else {
  668. echo('You don\'t have permissions to browse this page.');
  669. }
  670. }
  671.  
  672. /* DELETE CATEGORY */
  673.  
  674. if(isset($_POST['action']) && $_POST['action'] == 'delete-category') {
  675. $UserLevel = $user->GetData('UserLevel');
  676.  
  677. if($UserLevel == 'admin') {
  678. if(isset($_POST['category-id']) && !empty($_POST['category-id']) && ctype_digit($_POST['category-id'])) {
  679. $CategoryID = $_POST['category-id'];
  680.  
  681. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  682. $stmt->bindParam(':CategoryID', $CategoryID);
  683. $stmt->execute();
  684.  
  685. if($stmt->rowCount() == 1) {
  686. $stmt = $pdo->prepare('DELETE FROM categories WHERE CategoryID = :CategoryID');
  687. $stmt->bindParam(':CategoryID', $CategoryID);
  688. $stmt->execute();
  689.  
  690. $stmt = $pdo->prepare('DELETE FROM products WHERE ProductCategoryID = :ProductCategoryID');
  691. $stmt->bindParam(':ProductCategoryID', $CategoryID);
  692. $stmt->execute();
  693. } else {
  694. echo 'Category does not exists.';
  695. }
  696. }
  697. } else {
  698. echo('You don\'t have permissions to browse this page.');
  699. }
  700. }
  701.  
  702. /* UPDATE ORDER STATUS */
  703.  
  704.  
  705. if(isset($_POST['action']) && $_POST['action'] == 'update-order-status') {
  706. $UserLevel = $user->GetData('UserLevel');
  707.  
  708. if($UserLevel == 'admin') {
  709. if(isset($_POST['order-status']) && !empty($_POST['order-status']) && is_string($_POST['order-status']) &&
  710. isset($_POST['order-id']) && !empty($_POST['order-id']) && ctype_digit($_POST['order-id'])) {
  711. $OrderID = $_POST['order-id'];
  712.  
  713. $stmt = $pdo->prepare('SELECT * FROM orders WHERE OrderID = :OrderID');
  714. $stmt->bindParam(':OrderID', $OrderID);
  715. $stmt->execute();
  716.  
  717. if($stmt->rowCount() == 1) {
  718. $OrderStatus = $_POST['order-status'];
  719. if($OrderStatus == 'Delete Order') {
  720. $stmt = $pdo->prepare('DELETE FROM orders WHERE OrderID = :OrderID');
  721. $stmt->bindParam(':OrderID', $OrderID);
  722. $stmt->execute();
  723. }
  724. $stmt = $pdo->prepare('UPDATE orders SET OrderStatus = :OrderStatus WHERE OrderID = :OrderID');
  725. $stmt->execute(array(':OrderStatus' => $OrderStatus, ':OrderID' => $OrderID));
  726. } else {
  727. echo 'Order does not exists.';
  728. }
  729. }
  730. } else {
  731. echo('You don\'t have permissions to browse this page.');
  732. }
  733. }
  734.  
  735. if(isset($_POST['action']) && $_POST['action'] == 'update-order-start-count') {
  736. $UserLevel = $user->GetData('UserLevel');
  737.  
  738. if($UserLevel == 'admin') {
  739. if(isset($_POST['start-count']) && ctype_digit($_POST['start-count']) &&
  740. isset($_POST['order-id']) && !empty($_POST['order-id']) && ctype_digit($_POST['order-id'])) {
  741. $OrderID = $_POST['order-id'];
  742.  
  743. $stmt = $pdo->prepare('SELECT * FROM orders WHERE OrderID = :OrderID');
  744. $stmt->bindParam(':OrderID', $OrderID);
  745. $stmt->execute();
  746.  
  747. if($stmt->rowCount() == 1) {
  748. $OrderStartCount = $_POST['start-count'];
  749. $stmt = $pdo->prepare('UPDATE orders SET OrderStartCount = :OrderStartCount WHERE OrderID = :OrderID');
  750. $stmt->execute(array(':OrderStartCount' => $OrderStartCount, ':OrderID' => $OrderID));
  751. } else {
  752. echo 'Order does not exists.';
  753. }
  754. }
  755. } else {
  756. echo('You don\'t have permissions to browse this page.');
  757. }
  758. }
  759.  
  760. /* BAN & UNBAN USER */
  761.  
  762. if(isset($_POST['action']) && $_POST['action'] == 'ban-user') {
  763. $UserLevel = $user->GetData('UserLevel');
  764.  
  765. if($UserLevel == 'admin') {
  766. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  767. $UserID = $_POST['user-id'];
  768.  
  769. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  770. $stmt->bindParam(':UserID', $UserID);
  771. $stmt->execute();
  772.  
  773. if($stmt->rowCount() == 1) {
  774. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  775. $UserLevel = $row['UserLevel'];
  776.  
  777. if($UserLevel == 'banned') {
  778. echo 'User account is already terminated.';
  779. return false;
  780. } else {
  781. $stmt = $pdo->prepare('UPDATE users SET UserLevel = :UserLevel WHERE UserID = :UserID');
  782. $stmt->execute(array(':UserLevel' => 'banned', ':UserID' => $UserID));
  783. }
  784. } else {
  785. echo 'User account does not exists.';
  786. return false;
  787. }
  788. }
  789. } else {
  790. echo('You don\'t have permissions to browse this page.');
  791. }
  792. }
  793.  
  794. if(isset($_POST['action']) && $_POST['action'] == 'unban-user') {
  795. $UserLevel = $user->GetData('UserLevel');
  796.  
  797. if($UserLevel == 'admin') {
  798. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  799. $UserID = $_POST['user-id'];
  800.  
  801. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  802. $stmt->bindParam(':UserID', $UserID);
  803. $stmt->execute();
  804.  
  805. if($stmt->rowCount() == 1) {
  806. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  807. $UserLevel = $row['UserLevel'];
  808.  
  809. if($UserLevel != 'banned') {
  810. echo 'User account is not terminated.';
  811. return false;
  812. } else {
  813. $stmt = $pdo->prepare('UPDATE users SET UserLevel = :UserLevel WHERE UserID = :UserID');
  814. $stmt->execute(array(':UserLevel' => 'default', ':UserID' => $UserID));
  815. }
  816. } else {
  817. echo 'User account does not exists.';
  818. return false;
  819. }
  820. }
  821. } else {
  822. echo('You don\'t have permissions to browse this page.');
  823. }
  824. }
  825.  
  826. /* DELETE USER */
  827.  
  828. if(isset($_POST['action']) && $_POST['action'] == 'delete-user') {
  829. $UserLevel = $user->GetData('UserLevel');
  830.  
  831. if($UserLevel == 'admin') {
  832. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  833. $UserID = $_POST['user-id'];
  834.  
  835. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  836. $stmt->bindParam(':UserID', $UserID);
  837. $stmt->execute();
  838.  
  839. if($stmt->rowCount() == 1) {
  840. $stmt = $pdo->prepare('DELETE FROM users WHERE UserID = :UserID');
  841. $stmt->bindParam(':UserID', $UserID);
  842. $stmt->execute();
  843. } else {
  844. echo 'User account does not exists.';
  845. return false;
  846. }
  847. }
  848. } else {
  849. echo('You don\'t have permissions to browse this page.');
  850. }
  851. }
  852.  
  853. /* UPDATE PROFILE INFORMATION */
  854.  
  855. if(isset($_POST['action']) && $_POST['action'] == 'profile-update') {
  856. if(isset($_POST['first-name']) && isset($_POST['last-name']) && isset($_POST['email']) && isset($_POST['password'])
  857. && is_string($_POST['first-name']) && is_string($_POST['last-name']) && is_string($_POST['email']) && is_string($_POST['password'])
  858. && !empty($_POST['first-name']) && !empty($_POST['last-name']) && !empty($_POST['email']) && !empty($_POST['password'])) {
  859.  
  860. if(md5($_POST['password']) == $user->GetData('UserPassword')) {
  861. if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
  862. $first_name = stripslashes(strip_tags($_POST['first-name']));
  863. $last_name = stripslashes(strip_tags($_POST['last-name']));
  864. $email = $_POST['email'];
  865. $UserID = $user->GetData('UserID');
  866.  
  867. $stmt = $pdo->prepare('UPDATE users SET UserFirstName = :UserFirstName, UserLastName = :UserLastName, UserEmail = :UserEmail WHERE UserID = :UserID');
  868. $stmt->execute(array(':UserFirstName' =>$first_name, ':UserLastName' => $last_name, ':UserEmail' => $email, ':UserID' => $UserID));
  869. } else {
  870. echo('The provided E-mail is invalid.');
  871. }
  872. } else {
  873. echo('The entered password does not equals to your account password.');
  874. }
  875. } else {
  876. echo('Fill all fields correctly.');
  877. }
  878. }
  879.  
  880. /* UPDATE ACCOUNT PASSWORD */
  881.  
  882. if(isset($_POST['action']) && $_POST['action'] == 'password-update') {
  883. if(isset($_POST['current-password']) && isset($_POST['new-password'])
  884. && is_string($_POST['current-password']) && is_string($_POST['new-password'])
  885. && !empty($_POST['current-password']) && !empty($_POST['new-password'])) {
  886.  
  887. if(md5($_POST['current-password']) == $user->GetData('UserPassword')) {
  888. if(strlen($_POST['new-password']) > 3 && strlen($_POST['new-password']) < 32) {
  889. $UserID = $user->GetData('UserID');
  890.  
  891. $stmt = $pdo->prepare('UPDATE users SET UserPassword = :UserPassword WHERE UserID = :UserID');
  892. $stmt->execute(array(':UserPassword' => md5($_POST['new-password']), ':UserID' => $UserID));
  893. } else {
  894. echo('Password length have to be 4-32 characters.');
  895. }
  896. } else {
  897. echo('The entered password does not match to your account password.');
  898. }
  899. } else {
  900. echo('Fill all fields correctly.');
  901. }
  902. }
  903.  
  904. /* GET AVAILABLE SERVICES */
  905.  
  906. if(isset($_POST['action']) && $_POST['action'] == 'get-products') {
  907. $category = stripslashes(strip_tags($_POST['option']));
  908.  
  909. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  910. $stmt->bindParam(':CategoryID', $category);
  911. $stmt->execute();
  912.  
  913. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  914. $CategoryID = $row['CategoryID'];
  915.  
  916. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductCategoryID = :ProductCategoryID');
  917. $stmt->bindParam(':ProductCategoryID', $CategoryID);
  918. $stmt->execute();
  919.  
  920. $html = '';
  921.  
  922. foreach($stmt->fetchAll() as $rows) {
  923. $html .= '<option value="'.$rows['ProductID'].'">'.$rows['ProductName'].'</option>';
  924. }
  925.  
  926. echo $html;
  927. }
  928.  
  929. /* CREATE SERVICE ORDER */
  930.  
  931. if(isset($_POST['action']) && $_POST['action'] == 'create-order') {
  932. if(isset($_POST['service']) && isset($_POST['quantity']) && isset($_POST['link']) &&
  933. !empty($_POST['service']) && !empty($_POST['quantity']) && !empty($_POST['link']) &&
  934. ctype_digit($_POST['service']) && ctype_digit($_POST['quantity']) && is_string($_POST['link'])) {
  935. $service = strip_tags(stripslashes($_POST['service']));
  936. $quantity = strip_tags(stripslashes($_POST['quantity']));
  937. $link = $_POST['link'];
  938. $time = time();
  939. $UserID = $user->GetData('UserID');
  940.  
  941. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  942. $stmt->bindParam(':ProductID', $service);
  943. $stmt->execute();
  944.  
  945. if($stmt->rowCount() > 0) {
  946. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  947. $product_quantity = $row['ProductMinimumQuantity'];
  948. $account_balance = $user->GetData('UserFunds');
  949. if($quantity >= $product_quantity) {
  950. $newprice = $product->DeclarePrice($row['ProductPrice'], $row['ProductMinimumQuantity'], $quantity);
  951. $price = round($newprice, 2);
  952. if($account_balance >= $price) {
  953. $api = $row['ProductAPI'];
  954.  
  955. if(!empty($api)) {
  956. $api = str_replace('&amp;','&',$api);
  957. $api_link = str_replace('[LINK]', rawurlencode($link), $api);
  958. $api_final = str_replace('[QUANTITY]', $quantity, $api_link);
  959.  
  960. $curl = curl_init();
  961. curl_setopt_array($curl, array(
  962. CURLOPT_RETURNTRANSFER => 1,
  963. CURLOPT_URL => $api_final,
  964. CURLOPT_USERAGENT => 'Enigma SMM API Caller'
  965. ));
  966.  
  967. $resp = curl_exec($curl);
  968. curl_close($curl);
  969.  
  970. $response = json_decode($resp,true);
  971. $orderid = $response['id'];
  972.  
  973. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount, OrderStatus, OrderAPIID) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderStatus, :OrderAPIID)');
  974. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderStatus' => 'In Process', ':OrderAPIID' => $orderid));
  975. } else {
  976. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount)');
  977. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price));
  978. }
  979. // Take balance from user's account
  980.  
  981. $UserFunds = $account_balance - $price;
  982.  
  983. $stmt = $pdo->prepare('UPDATE users SET UserFunds = :UserFunds WHERE UserID = :UserID');
  984. $stmt->execute(array(':UserFunds' => $UserFunds, ':UserID' => $UserID));
  985. } else {
  986. echo 'Not enough funds in the account.You can deposit funds to your account from <a href="./deposit.php">here</a>.';
  987. }
  988. } else {
  989. echo 'Minimum product quantity for purchase is '.$product_quantity.'.';
  990. }
  991. } else {
  992. echo 'Invalid Product ID.';
  993. }
  994. } else {
  995. echo 'Fill all fields correctly.';
  996. }
  997. }
  998.  
  999. /* GET ORDER AMOUNT */
  1000.  
  1001. if(isset($_POST['action']) && $_POST['action'] == 'get-amount') {
  1002. if(isset($_POST['service']) && isset($_POST['quantity']) &&
  1003. !empty($_POST['service']) && !empty($_POST['quantity'])&&
  1004. ctype_digit($_POST['service']) && ctype_digit($_POST['quantity'])) {
  1005. $service = strip_tags(stripslashes($_POST['service']));
  1006. $quantity = strip_tags(stripslashes($_POST['quantity']));
  1007.  
  1008. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  1009. $stmt->bindParam(':ProductID', $service);
  1010. $stmt->execute();
  1011.  
  1012. if($stmt->rowCount() > 0) {
  1013. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  1014. $product_quantity = $row['ProductMinimumQuantity'];
  1015.  
  1016. if($quantity >= $product_quantity) {
  1017. $price = $product->DeclarePrice($row['ProductPrice'], $row['ProductMinimumQuantity'], $quantity);
  1018. echo round($price, 2);
  1019. } else {
  1020. echo 'Invalid quantity.';
  1021. }
  1022. } else {
  1023. echo 'Invalid Product ID.';
  1024. }
  1025. } else {
  1026. echo 'Fill all fields correctly.';
  1027. }
  1028. }
  1029.  
  1030. /* GET PRODUCT DETAILS (SUCH AS QUANTITY, PRICE) */
  1031.  
  1032. if(isset($_POST['action']) && $_POST['action'] == 'product-details') {
  1033. if(isset($_POST['details']) && isset($_POST['product-id']) && !empty($_POST['details']) && !empty($_POST['product-id']) && is_string($_POST['details']) && ctype_digit($_POST['product-id'])) {
  1034. $Details = strip_tags(stripslashes($_POST['details']));
  1035. $ProductID = strip_tags(stripslashes($_POST['product-id']));
  1036.  
  1037. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  1038. $stmt->bindParam(':ProductID', $ProductID);
  1039. $stmt->execute();
  1040.  
  1041. if($stmt->rowCount() > 0) {
  1042. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  1043. echo $row[$Details];
  1044. } else {
  1045. echo 'Error.';
  1046. }
  1047. }
  1048. }
  1049.  
  1050. /* UPDATE ACCOUNT AVATAR */
  1051.  
  1052. if(is_array($_FILES) && isset($_FILES['avatar'])) {
  1053. if(is_uploaded_file($_FILES['avatar']['tmp_name'])) {
  1054. if(($_FILES['avatar']['type'] == 'image/gif') || ($_FILES['avatar']['type'] == 'image/jpeg') || ($_FILES['avatar']['type'] == 'image/png')) {
  1055. $image_info = getimagesize($_FILES["avatar"]["tmp_name"]);
  1056. $image_width = $image_info[0];
  1057. $image_height = $image_info[1];
  1058. if($image_width > 512 && $image_height > 512) {
  1059. echo 'Maximum image size: width: 512px & height: 512px.';
  1060. } else {
  1061. $image = addslashes(file_get_contents($_FILES['avatar']['tmp_name']));
  1062. $UserID = $user->GetData('UserID');
  1063.  
  1064. $stmt = $pdo->prepare('UPDATE users SET UserImage = :UserImage WHERE UserID = :UserID');
  1065. $stmt->execute(array(':UserImage' => $image, ':UserID' => $UserID));
  1066. }
  1067. } else {
  1068. echo 'Image format not supported, or image is corrupt.';
  1069. }
  1070. } else {
  1071. echo 'An error occurred.';
  1072. }
  1073. }