  1. <?php
  2. require_once('./files/functions.php');
  3.  
  4. /* RESET ACCOUNT PASSWORD */
  5.  
  6. if(isset($_POST['action']) && $_POST['action'] == 'reset') {
  7. if(isset($_POST['username']) && isset($_POST['email'])
  8. && is_string($_POST['username']) && is_string($_POST['email'])
  9. && !empty($_POST['username']) && !empty($_POST['email'])) {
  10.  
  11. if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
  12. $username = stripslashes(strip_tags($_POST['username']));
  13. $email = $_POST['email'];
  14.  
  15. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName AND UserEmail = :UserEmail');
  16. $stmt->execute(array(':UserName' => $username, ':UserEmail' => $email));
  17.  
  18. if($stmt->rowCount() > 0) {
  19. $new_password = substr(md5(rand(1,100000)), 0, 8);
  20.  
  21. $stmt = $pdo->prepare('UPDATE users SET UserPassword = :UserPassword WHERE UserName = :UserName');
  22. $stmt->execute(array(':UserPassword' => md5($new_password), ':UserName' => $username));
  23.  
  24. $subject = 'Password recovery';
  25. $txt = 'Your account password has been reset.';
  26. $txt .= 'Your new account password is: '.$new_password.'';
  27. $headers = "From: ".$RecoveryEmail."" . "\r\n" .
  28. "CC: ".$RecoveryEmail."";
  29.  
  30. @mail($email,$subject,$txt,$headers);
  31. } else {
  32. echo('User with these credentials does not exists.');
  33. }
  34. } else {
  35. echo('The entered E-mail is invalid.');
  36. }
  37. } else {
  38. echo('Fill all fields correctly.');
  39. }
  40. }
  41.  
  42. /* SAVE MERCHANT */
  43.  
  44. if(isset($_POST['action']) && $_POST['action'] == 'save-merchant') {
  45.  
  46. if($UserLevel == 'admin') {
  47. if(isset($_POST['website-name']) && isset($_POST['recovery-email']) && isset($_POST['notification-email']) && isset($_POST['min-deposit']) && isset($_POST['currency-name']) && isset($_POST['currency-symbol']) && isset($_POST['require-skype']) &&
  48. is_string($_POST['website-name']) && ctype_digit($_POST['min-deposit']) && is_string($_POST['currency-name']) && is_string($_POST['currency-symbol']) && ($_POST['require-skype'] == 'Yes' || $_POST['require-skype'] == 'No') &&
  49. !empty($_POST['website-name']) && !empty($_POST['currency-name']) && !empty($_POST['currency-symbol'])) {
  50. if(!filter_var($_POST['recovery-email'], FILTER_VALIDATE_EMAIL) === false) {
  51. if(!filter_var($_POST['notification-email'], FILTER_VALIDATE_EMAIL) === false) {
  52. $WebsiteName = $_POST['website-name'];
  53. $RecoveryEmail = $_POST['recovery-email'];
  54. $NotificationEmail = $_POST['notification-email'];
  55. $MinDeposit = $_POST['min-deposit'];
  56. $CurrencyName = $_POST['currency-name'];
  57. $CurrencySymbol = $_POST['currency-symbol'];
  58. $RequireSkype = $_POST['require-skype'];
  59.  
  60. $PaypalEmail = $_POST['paypal-email'];
  61. $SkrillEmail = $_POST['skrill-email'];
  62. $SkrillSecret = $_POST['skrill-secret'];
  63.  
  64. $stmt = $pdo->prepare('SELECT * FROM merchant');
  65. $stmt->execute();
  66. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  67.  
  68. if(empty($row['MerchantWebsiteName'])) {
  69. $stmt = $pdo->prepare('INSERT INTO merchant (MerchantWebsiteName, MerchantRecoveryEmail, MerchantPaypalEmail, MerchantSkrillEmail, MerchantSkrillSecret, MerchantNotificationEmail,
  70. MerchantMinDeposit, MerchantCurrencyName, MerchantCurrencySymbol, MerchantRequireSkype)
  71. VALUES (:MerchantWebsiteName, :MerchantRecoveryEmail, :MerchantPaypalEmail, :MerchantSkrillEmail, :MerchantSkrillSecret, :MerchantNotificationEmail, :MerchantMinDeposit, :MerchantCurrencyName, :MerchantCurrencySymbol, :MerchantRequireSkype)');
  72.  
  73. $stmt->execute(array(':MerchantWebsiteName' => $WebsiteName, ':MerchantRecoveryEmail' => $RecoveryEmail, ':MerchantPaypalEmail' => $PaypalEmail,
  74. ':MerchantSkrillEmail' => $SkrillEmail, ':MerchantSkrillSecret' => $SkrillSecret, ':MerchantNotificationEmail' => $NotificationEmail,
  75. ':MerchantMinDeposit' => $MinDeposit, ':MerchantCurrencyName' => $CurrencyName, ':MerchantCurrencySymbol' => $CurrencySymbol,
  76. ':MerchantRequireSkype' => $RequireSkype));
  77. } else {
  78. $CurrentName = $row['MerchantWebsiteName'];
  79.  
  80. $stmt = $pdo->prepare('UPDATE merchant SET MerchantWebsiteName = :MerchantWebsiteName, MerchantRecoveryEmail = :MerchantRecoveryEmail,
  81. MerchantPaypalEmail = :MerchantPaypalEmail, MerchantSkrillEmail = :MerchantSkrillEmail, MerchantSkrillSecret = :MerchantSkrillSecret,
  82. MerchantNotificationEmail = :MerchantNotificationEmail, MerchantMinDeposit = :MerchantMinDeposit, MerchantCurrencyName = :MerchantCurrencyName,
  83. MerchantCurrencySymbol = :MerchantCurrencySymbol, MerchantRequireSkype = :MerchantRequireSkype WHERE MerchantWebsiteName = :MerchantWebsiteNameConfirm');
  84.  
  85. $stmt->execute(array(':MerchantWebsiteName' => $WebsiteName, ':MerchantRecoveryEmail' => $RecoveryEmail, ':MerchantPaypalEmail' => $PaypalEmail,
  86. ':MerchantSkrillEmail' => $SkrillEmail, ':MerchantSkrillSecret' => $SkrillSecret, ':MerchantNotificationEmail' => $NotificationEmail,
  87. ':MerchantMinDeposit' => $MinDeposit, ':MerchantCurrencyName' => $CurrencyName, ':MerchantCurrencySymbol' => $CurrencySymbol,
  88. ':MerchantRequireSkype' => $RequireSkype,':MerchantWebsiteNameConfirm' => $CurrentName));
  89. }
  90. } else {
  91. echo 'The provided notification E-mail address is invalid.';
  92. }
  93. } else {
  94. echo('The provided recovery E-mail address is invalid.');
  95. }
  96. } else {
  97. echo('Fill all fields correctly.');
  98. }
  99. } else {
  100. echo('You don\'t have permissions to browse this page.');
  101. }
  102. }
  103.  
  104. /* CREATE USER FROM ADMINISTRATION PANEL */
  105.  
  106. if(isset($_POST['action']) && $_POST['action'] == 'create-user') {
  107. if($UserLevel == 'admin') {
  108. if(isset($_POST['user-first-name']) && isset($_POST['user-last-name']) && isset($_POST['user-email']) && isset($_POST['user-name']) && isset($_POST['user-password']) && isset($_POST['user-level']) && isset($_POST['user-funds']) &&
  109. is_string($_POST['user-first-name']) && is_string($_POST['user-last-name']) && is_string($_POST['user-email']) && is_string($_POST['user-name']) && is_string($_POST['user-password']) && is_string($_POST['user-level']) && is_numeric($_POST['user-funds']) &&
  110. !empty($_POST['user-first-name']) && !empty($_POST['user-last-name']) && !empty($_POST['user-email']) && !empty($_POST['user-name']) && !empty($_POST['user-password']) && !empty($_POST['user-level'])) {
  111. if(strlen($_POST['user-password']) < 32 && strlen($_POST['user-password']) > 3) {
  112. if(strlen($_POST['user-name']) < 16 && strlen($_POST['user-name']) > 3) {
  113. if(!filter_var($_POST['user-email'], FILTER_VALIDATE_EMAIL) === false) {
  114. $UserSkype = '';
  115.  
  116. if($RequireSkype == 'Yes') {
  117. if(isset($_POST['user-skype']) && !empty($_POST['user-skype'])) {
  118. $UserSkype = $_POST['user-skype'];
  119. } else {
  120. echo 'Invalid Skype ID.';
  121. exit();
  122. }
  123. }
  124.  
  125. $first_name = stripslashes(strip_tags($_POST['user-first-name']));
  126. $last_name = stripslashes(strip_tags($_POST['user-last-name']));
  127. $email = $_POST['user-email'];
  128. $user_name = stripslashes(strip_tags($_POST['user-name']));
  129. $password = md5($_POST['user-password']);
  130. $level = stripslashes(strip_tags($_POST['user-level']));
  131. $funds = stripslashes(strip_tags($_POST['user-funds']));
  132. $api = md5($first_name.$last_name.$email.$user_name.time());
  133.  
  134. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  135. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email));
  136.  
  137. if($stmt->rowCount() == 0) {
  138. $stmt = $pdo->prepare('INSERT INTO users (UserName, UserEmail, UserPassword, UserLevel, UserFirstName, UserLastName, UserRegistrationDate, UserRegistrationAddress, UserFunds, UserAPI, UserSkype)
  139. VALUES (:UserName, :UserEmail, :UserPassword, :UserLevel, :UserFirstName, :UserLastName, :UserRegistrationDate, :UserRegistrationAddress, :UserFunds, :UserAPI, :UserSkype)');
  140.  
  141. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email, ':UserPassword' => $password, ':UserLevel' => $level, ':UserFirstName' => $first_name, ':UserLastName' => $last_name, ':UserRegistrationDate' => time(), ':UserRegistrationAddress' => '127.0.0.1', ':UserFunds' => $funds, ':UserAPI' => $api, ':UserSkype' => $UserSkype));
  142. } else {
  143. echo('User with these credentials already exists.');
  144. return false;
  145. }
  146. } else {
  147. echo('The provided e-mail address is invalid.');
  148. }
  149. } else {
  150. echo('User name length have to be 4-16 characters.');
  151. }
  152. } else {
  153. echo('Password length have to be 4-32 characters.');
  154. }
  155. } else {
  156. echo('Fill all fields correctly.');
  157. }
  158. } else {
  159. echo('You don\'t have permissions to browse this page.');
  160. }
  161. }
  162.  
  163. /* ADD NEW */
  164.  
  165. if(isset($_POST['action']) && $_POST['action'] == 'add-new') {
  166.  
  167.  
  168. if($UserLevel == 'admin') {
  169. if(isset($_POST['new-title']) && isset($_POST['new-content']) &&
  170. is_string($_POST['new-title']) && is_string($_POST['new-content']) &&
  171. !empty($_POST['new-title']) && !empty($_POST['new-content'])) {
  172. $new_title = stripslashes(strip_tags($_POST['new-title']));
  173. $new_content = stripslashes(strip_tags($_POST['new-content']));
  174. $new_user = $user->GetData('UserID');
  175. $new_date = time();
  176.  
  177. $stmt = $pdo->prepare('INSERT INTO news (NewsTitle, NewsContent, NewsDate, NewsUserID) VALUES (:NewsTitle, :NewsContent, :NewsDate, :NewsUserID)');
  178. $stmt->execute(array(':NewsTitle' => $new_title, ':NewsContent' => $new_content, ':NewsDate' => $new_date, ':NewsUserID' => $new_user));
  179. } else {
  180. echo('Fill all fields correctly.');
  181. }
  182. } else {
  183. echo('You don\'t have permissions to browse this page.');
  184. }
  185. }
  186.  
  187. /* EDIT NEW */
  188.  
  189. if(isset($_POST['action']) && $_POST['action'] == 'edit-new') {
  190.  
  191.  
  192. if($UserLevel == 'admin') {
  193. if(isset($_POST['new-id']) && isset($_POST['new-title']) && isset($_POST['new-content']) &&
  194. is_string($_POST['new-title']) && is_string($_POST['new-content']) &&
  195. !empty($_POST['new-title']) && !empty($_POST['new-content'])) {
  196. $new_title = stripslashes(strip_tags($_POST['new-title']));
  197. $new_content = stripslashes(strip_tags($_POST['new-content']));
  198. $new_id = $_POST['new-id'];
  199.  
  200. $stmt = $pdo->prepare('SELECT * FROM news WHERE NewsID = :NewsID');
  201. $stmt->bindParam(':NewsID', $new_id);
  202. $stmt->execute();
  203.  
  204. if($stmt->rowCount() == 1) {
  205. $stmt = $pdo->prepare('UPDATE news SET NewsTitle = :NewsTitle, NewsContent = :NewsContent WHERE NewsID = :NewsID');
  206.  
  207. $stmt->execute(array(':NewsTitle' => $new_title, ':NewsContent' => $new_content, ':NewsID' => $new_id));
  208. } else {
  209. echo('New does not exists.');
  210. }
  211. } else {
  212. echo('Fill all fields correctly.');
  213. }
  214. } else {
  215. echo('You don\'t have permissions to browse this page.');
  216. }
  217. }
  218.  
  219. /* DELETE NEW */
  220.  
  221. if(isset($_POST['action']) && $_POST['action'] == 'delete-new') {
  222.  
  223.  
  224. if($UserLevel == 'admin') {
  225. if(isset($_POST['new-id']) && !empty($_POST['new-id']) && ctype_digit($_POST['new-id'])) {
  226. $NewsID = $_POST['new-id'];
  227.  
  228. $stmt = $pdo->prepare('SELECT * FROM news WHERE NewsID = :NewsID');
  229. $stmt->bindParam(':NewsID', $NewsID);
  230. $stmt->execute();
  231.  
  232. if($stmt->rowCount() == 1) {
  233. $stmt = $pdo->prepare('DELETE FROM news WHERE NewsID = :NewsID');
  234. $stmt->bindParam(':NewsID', $NewsID);
  235. $stmt->execute();
  236. } else {
  237. echo 'New does not exists.';
  238. }
  239. }
  240. } else {
  241. echo('You don\'t have permissions to browse this page.');
  242. }
  243. }
  244.  
  245. /* DELETE LOGS */
  246.  
  247. if(isset($_POST['action']) && $_POST['action'] == 'delete-logs') {
  248.  
  249.  
  250. if($UserLevel == 'admin') {
  251. $stmt = $pdo->prepare('DELETE FROM logs');
  252. $stmt->execute();
  253. } else {
  254. echo('You don\'t have permissions to browse this page.');
  255. }
  256. }
  257.  
  258. /* EDIT USER */
  259.  
  260. if(isset($_POST['action']) && $_POST['action'] == 'edit-user') {
  261.  
  262.  
  263. if($UserLevel == 'admin') {
  264. if(isset($_POST['user-id']) && isset($_POST['user-first-name']) && isset($_POST['user-last-name']) && isset($_POST['user-email']) && isset($_POST['user-name']) && isset($_POST['user-level']) && isset($_POST['user-funds']) &&
  265. is_string($_POST['user-first-name']) && is_string($_POST['user-last-name']) && is_string($_POST['user-email']) && is_string($_POST['user-name']) && is_string($_POST['user-level']) && preg_match('/^[0-9.]+$/', $_POST['user-funds']) &&
  266. !empty($_POST['user-id']) && !empty($_POST['user-first-name']) && !empty($_POST['user-last-name']) && !empty($_POST['user-email']) && !empty($_POST['user-name']) && !empty($_POST['user-level'])) {
  267. if(strlen($_POST['user-name']) < 16 && strlen($_POST['user-name']) > 3) {
  268. if(!filter_var($_POST['user-email'], FILTER_VALIDATE_EMAIL) === false) {
  269. $first_name = stripslashes(strip_tags($_POST['user-first-name']));
  270. $last_name = stripslashes(strip_tags($_POST['user-last-name']));
  271. $email = $_POST['user-email'];
  272. $user_name = stripslashes(strip_tags($_POST['user-name']));
  273. $level = stripslashes(strip_tags($_POST['user-level']));
  274. $funds = stripslashes(strip_tags($_POST['user-funds']));
  275. $user_id = $_POST['user-id'];
  276.  
  277. $user_skype = '';
  278.  
  279. if($RequireSkype == 'Yes') {
  280. if(isset($_POST['user-skype']) && !empty($_POST['user-skype'])) {
  281. $user_skype = $_POST['user-skype'];
  282. } else {
  283. echo 'Incorrect Skype ID.';
  284. exit();
  285. }
  286. }
  287.  
  288. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName OR UserEmail = :UserEmail');
  289. $stmt->execute(array(':UserName' => $user_name, ':UserEmail' => $email));
  290.  
  291.  
  292. $query = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  293. $query->bindParam(':UserID', $user_id);
  294. $query->execute();
  295.  
  296. if($query->rowCount() == 0) {
  297. echo 'User account does not exists.';
  298. return false;
  299. }
  300. if($stmt->rowCount() <= 1) {
  301. $stmt = $pdo->prepare('UPDATE users SET UserFirstName = :UserFirstName, UserLastName = :UserLastName, UserEmail = :UserEmail, UserName = :UserName, UserLevel = :UserLevel, UserFunds = :UserFunds, UserSkype = :UserSkype WHERE UserID = :UserID');
  302.  
  303. $stmt->execute(array(':UserFirstName' => $first_name, ':UserLastName' => $last_name, ':UserEmail' => $email,
  304. ':UserName' => $user_name, ':UserLevel' => $level, ':UserFunds' => $funds, ':UserSkype' => $user_skype,':UserID' => $user_id));
  305. } else {
  306. echo('User with these credentials already exists.');
  307. return false;
  308. }
  309. } else {
  310. echo('The provided e-mail address is invalid.');
  311. }
  312. } else {
  313. echo('User name length have to be 4-16 characters.');
  314. }
  315. } else {
  316. echo('Fill all fields correctly.');
  317. }
  318. } else {
  319. echo('You don\'t have permissions to browse this page.');
  320. }
  321. }
  322.  
  323. /* CREATE CATEGORY */
  324.  
  325. if(isset($_POST['action']) && $_POST['action'] == 'create-category') {
  326.  
  327.  
  328. if($UserLevel == 'admin') {
  329. if(isset($_POST['category-name']) && isset($_POST['category-description']) &&
  330. is_string($_POST['category-name']) && is_string($_POST['category-description']) &&
  331. !empty($_POST['category-name']) && !empty($_POST['category-description'])) {
  332. $category_name = stripslashes(strip_tags($_POST['category-name']));
  333. $category_description = stripslashes(strip_tags($_POST['category-description']));
  334. $time = time();
  335.  
  336. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryName = :CategoryName');
  337. $stmt->bindParam(':CategoryName', $category_name);
  338. $stmt->execute();
  339.  
  340. if($stmt->rowCount() == 0) {
  341. $stmt = $pdo->prepare('INSERT INTO categories (CategoryName, CategoryDescription, CategoryCreatedDate) VALUES (:CategoryName, :CategoryDescription, :CategoryCreatedDate)');
  342. $stmt->execute(array(':CategoryName' => $category_name, ':CategoryDescription' => $category_description, ':CategoryCreatedDate' => $time));
  343. } else {
  344. echo('Category already exists.');
  345. }
  346. } else {
  347. echo('Fill all fields correctly.');
  348. }
  349. } else {
  350. echo('You don\'t have permissions to browse this page.');
  351. }
  352. }
  353.  
  354. /* OPEN TICKET */
  355.  
  356. if(isset($_POST['action']) && $_POST['action'] == 'open-ticket') {
  357. if(isset($_POST['ticket-title']) && isset($_POST['ticket-message']) &&
  358. is_string($_POST['ticket-title']) && is_string($_POST['ticket-message']) &&
  359. !empty($_POST['ticket-title']) && !empty($_POST['ticket-message'])) {
  360. $ticket_title = stripslashes(strip_tags($_POST['ticket-title']));
  361. $ticket_message = stripslashes(strip_tags($_POST['ticket-message']));
  362. $time = time();
  363. $user_id = $user->GetData('UserID');
  364.  
  365. $stmt = $pdo->prepare('INSERT INTO support (SupportUserID, SupportTitle, SupportMessage, SupportDate, SupportReply) VALUES (:SupportUserID, :SupportTitle, :SupportMessage, :SupportDate, :SupportReply)');
  366. $stmt->execute(array(':SupportUserID' => $user_id, ':SupportTitle' => $ticket_title, ':SupportMessage' => $ticket_message, ':SupportDate' => $time, ':SupportReply' => ''));
  367. } else {
  368. echo('Fill all fields correctly.');
  369. }
  370. }
  371.  
  372. /* TICKET REPLY */
  373.  
  374. if(isset($_POST['action']) && $_POST['action'] == 'reply-ticket') {
  375.  
  376.  
  377. if($UserLevel == 'admin') {
  378. if(isset($_POST['ticket-id']) && isset($_POST['ticket-reply']) &&
  379. ctype_digit($_POST['ticket-id']) && is_string($_POST['ticket-reply']) &&
  380. !empty($_POST['ticket-id']) && !empty($_POST['ticket-reply'])) {
  381. $ticket_id = $_POST['ticket-id'];
  382. $ticket_reply = stripslashes(strip_tags($_POST['ticket-reply']));
  383.  
  384. $stmt = $pdo->prepare('UPDATE support SET SupportReply = :SupportReply WHERE SupportID = :SupportID');
  385. $stmt->execute(array(':SupportReply' => $ticket_reply, ':SupportID' => $ticket_id));
  386. } else {
  387. echo('Fill all fields correctly.');
  388. }
  389. } else {
  390. echo('You don\'t have permissions to browse this page.');
  391. }
  392. }
  393.  
  394. /* TICKET DELETE */
  395.  
  396. if(isset($_POST['action']) && $_POST['action'] == 'delete-ticket') {
  397.  
  398.  
  399. if($UserLevel == 'admin') {
  400. if(isset($_POST['ticket-id']) && ctype_digit($_POST['ticket-id']) && !empty($_POST['ticket-id'])) {
  401. $ticket_id = $_POST['ticket-id'];
  402.  
  403. $stmt = $pdo->prepare('DELETE FROM support WHERE SupportID = :SupportID');
  404. $stmt->bindParam(':SupportID', $ticket_id);
  405. $stmt->execute();
  406. } else {
  407. echo('Fill all fields correctly.');
  408. }
  409. } else {
  410. echo('You don\'t have permissions to browse this page.');
  411. }
  412. }
  413.  
  414. /* CREATE SERVICE */
  415.  
  416. if(isset($_POST['action']) && $_POST['action'] == 'create-service') {
  417.  
  418.  
  419. if($UserLevel == 'admin') {
  420. if(isset($_POST['service-name']) && isset($_POST['service-description']) && isset($_POST['service-quantity']) && isset($_POST['service-price']) && isset($_POST['service-category']) && isset($_POST['service-api']) && isset($_POST['service-reseller-price']) && isset($_POST['service-max-quantity']) && isset($_POST['service-type']) &&
  421. is_string($_POST['service-name']) && is_string($_POST['service-description']) && is_string($_POST['service-quantity']) && is_string($_POST['service-price']) && is_string($_POST['service-category']) && is_string($_POST['service-max-quantity']) &&
  422. !empty($_POST['service-name']) && !empty($_POST['service-description']) && !empty($_POST['service-quantity']) && ctype_digit($_POST['service-quantity']) && !empty($_POST['service-price']) && !empty($_POST['service-category']) && !empty($_POST['service-max-quantity'])) {
  423. $service_name = stripslashes(strip_tags($_POST['service-name']));
  424. $service_description = stripslashes(strip_tags($_POST['service-description']));
  425. $service_quantity = stripslashes(strip_tags($_POST['service-quantity']));
  426. $service_max_quantity = stripslashes(strip_tags($_POST['service-max-quantity']));
  427. $service_price = stripslashes(strip_tags($_POST['service-price']));
  428. $service_category = stripslashes(strip_tags($_POST['service-category']));
  429. $service_api = htmlspecialchars($_POST['service-api']);
  430.  
  431. if(!empty($_POST['service-reseller-price']))
  432. $service_reseller = $_POST['service-reseller-price'];
  433. else
  434. $service_reseller = 0;
  435.  
  436. $service_type = stripslashes($_POST['service-type']);
  437. $time = time();
  438.  
  439. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductName = :ProductName');
  440. $stmt->bindParam(':ProductName', $service_name);
  441. $stmt->execute();
  442.  
  443. if($stmt->rowCount() == 0) {
  444. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  445. $stmt->bindParam(':CategoryID', $service_category);
  446. $stmt->execute();
  447.  
  448. if($stmt->rowCount() > 0 ) {
  449. if($service_max_quantity > $service_quantity) {
  450. $stmt = $pdo->prepare('INSERT INTO products (ProductCategoryID, ProductName, ProductDescription, ProductMinimumQuantity, ProductMaxQuantity, ProductPrice, ProductAPI, ProductCreatedDate, ProductType, ProductResellerPrice)
  451. VALUES (:ProductCategoryID, :ProductName, :ProductDescription, :ProductMinimumQuantity, :ProductMaxQuantity, :ProductPrice, :ProductAPI, :ProductCreatedDate, :ProductType, :ProductResellerPrice)');
  452.  
  453. $stmt->execute(array(':ProductCategoryID' => $service_category, ':ProductName' => $service_name, ':ProductDescription' => $service_description,
  454. ':ProductMinimumQuantity' => $service_quantity, ':ProductMaxQuantity' => $service_max_quantity, ':ProductPrice' => $service_price,
  455. ':ProductAPI' => $service_api, ':ProductCreatedDate' => $time, ':ProductType' => $service_type, ':ProductResellerPrice' => $service_reseller));
  456. } else {
  457. echo 'Service max quantity have to be bigger than the minimum quantity.';
  458. }
  459. } else {
  460. echo 'Category does not exists.';
  461. }
  462. } else {
  463. echo('Service already exists.');
  464. }
  465. } else {
  466. echo('Fill all fields correctly.');
  467. }
  468. } else {
  469. echo('You don\'t have permissions to browse this page.');
  470. }
  471. }
  472.  
  473. /* EDIT SERVICE */
  474.  
  475. if(isset($_POST['action']) && $_POST['action'] == 'edit-service') {
  476.  
  477.  
  478. if($UserLevel == 'admin') {
  479. if(isset($_POST['service-id']) && isset($_POST['service-name']) && isset($_POST['service-description']) && isset($_POST['service-quantity']) && isset($_POST['service-price']) && isset($_POST['service-category']) && isset($_POST['service-api']) && isset($_POST['service-reseller-price']) && isset($_POST['service-max-quantity']) && isset($_POST['service-type']) &&
  480. is_string($_POST['service-name']) && is_string($_POST['service-description']) && is_string($_POST['service-quantity']) && is_string($_POST['service-price']) && is_string($_POST['service-category']) && is_string($_POST['service-max-quantity']) &&
  481. !empty($_POST['service-name']) && !empty($_POST['service-description']) && !empty($_POST['service-quantity']) && ctype_digit($_POST['service-quantity']) && !empty($_POST['service-price']) && !empty($_POST['service-category']) && !empty($_POST['service-max-quantity'])) {
  482. $service_name = stripslashes(strip_tags($_POST['service-name']));
  483. $service_description = stripslashes(strip_tags($_POST['service-description']));
  484. $service_quantity = stripslashes(strip_tags($_POST['service-quantity']));
  485. $service_max_quantity = stripslashes(strip_tags($_POST['service-max-quantity']));
  486. $service_price = stripslashes(strip_tags($_POST['service-price']));
  487. $service_category = stripslashes(strip_tags($_POST['service-category']));
  488. $service_api = $_POST['service-api'];
  489. $service_reseller = $_POST['service-reseller-price'];
  490. $service_type = stripslashes($_POST['service-type']);
  491. $time = time();
  492.  
  493. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  494. $stmt->bindParam(':ProductID', $_POST['service-id']);
  495. $stmt->execute();
  496.  
  497. if($stmt->rowCount() == 1) {
  498. $ServiceRow = $stmt->fetch(PDO::FETCH_ASSOC);
  499.  
  500. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductName = :ProductName');
  501. $stmt->bindParam(':ProductName', $service_name);
  502. $stmt->execute();
  503.  
  504. if(strtolower($ServiceRow['ProductName']) == strtolower($service_name) || $stmt->rowCount() == 0) {
  505. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  506. $stmt->bindParam(':CategoryID', $service_category);
  507. $stmt->execute();
  508.  
  509. if($stmt->rowCount() == 1) {
  510. $stmt = $pdo->prepare('UPDATE products SET ProductCategoryID = :ProductCategoryID, ProductName = :ProductName, ProductDescription = :ProductDescription, ProductMinimumQuantity = :ProductMinimumQuantity, ProductPrice = :ProductPrice, ProductAPI = :ProductAPI, ProductResellerPrice = :ProductResellerPrice, ProductMaxQuantity = :ProductMaxQuantity, ProductType = :ProductType WHERE ProductID = :ProductID');
  511. $stmt->execute(array(':ProductCategoryID' => $service_category, ':ProductName' => $service_name, ':ProductDescription' => $service_description,
  512. ':ProductMinimumQuantity' => $service_quantity, ':ProductPrice' => $service_price, ':ProductID' => $_POST['service-id'],
  513. ':ProductAPI' => $service_api, ':ProductResellerPrice' => $service_reseller, ':ProductMaxQuantity' => $service_max_quantity,
  514. ':ProductType' => $service_type));
  515. } else {
  516. echo 'Category does not exists.';
  517. }
  518. } else {
  519. echo 'Service with this name already exists.';
  520. }
  521. } else {
  522. echo('Service does not exists.');
  523. }
  524. } else {
  525. echo('Fill all fields correctly.');
  526. }
  527. } else {
  528. echo('You don\'t have permissions to browse this page.');
  529. }
  530. }
  531.  
  532. /* DELETE SERVICE */
  533.  
  534. if(isset($_POST['action']) && $_POST['action'] == 'delete-service') {
  535.  
  536.  
  537. if($UserLevel == 'admin') {
  538. if(isset($_POST['service-id']) && !empty($_POST['service-id']) && ctype_digit($_POST['service-id'])) {
  539. $ServiceID = $_POST['service-id'];
  540.  
  541. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  542. $stmt->bindParam(':ProductID', $ServiceID);
  543. $stmt->execute();
  544.  
  545. if($stmt->rowCount() == 1) {
  546. $stmt = $pdo->prepare('DELETE FROM products WHERE ProductID = :ProductID');
  547. $stmt->bindParam(':ProductID', $ServiceID);
  548. $stmt->execute();
  549. } else {
  550. echo 'Service does not exists.';
  551. return false;
  552. }
  553. }
  554. } else {
  555. echo('You don\'t have permissions to browse this page.');
  556. }
  557. }
  558.  
  559. if(isset($_POST['action']) && $_POST['action'] == 'get-max-quantity') {
  560. if(isset($_POST['service']) && is_numeric($_POST['service'])) {
  561. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  562. $stmt->execute(array(':ProductID' => $_POST['service']));
  563.  
  564. if($stmt->rowCount() == 1) {
  565. $row = $stmt->fetch();
  566.  
  567. echo $row['ProductMaxQuantity'];
  568. }
  569. }
  570. }
  571.  
  572. /* EDIT CATEGORY */
  573.  
  574. if(isset($_POST['action']) && $_POST['action'] == 'edit-category') {
  575.  
  576.  
  577. if($UserLevel == 'admin') {
  578. if(isset($_POST['category-id']) && isset($_POST['category-name']) && isset($_POST['category-description']) &&
  579. is_string($_POST['category-name']) && is_string($_POST['category-description']) &&
  580. !empty($_POST['category-name']) && !empty($_POST['category-description'])) {
  581. $category_id = stripslashes(strip_tags($_POST['category-id']));
  582. $category_name = stripslashes(strip_tags($_POST['category-name']));
  583. $category_description = stripslashes(strip_tags($_POST['category-description']));
  584. $time = time();
  585.  
  586. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  587. $stmt->bindParam(':CategoryID', $_POST['category-id']);
  588. $stmt->execute();
  589.  
  590. if($stmt->rowCount() == 1) {
  591. $CategoryRow = $stmt->fetch(PDO::FETCH_ASSOC);
  592.  
  593. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryName = :CategoryName');
  594. $stmt->bindParam(':CategoryName', $category_name);
  595. $stmt->execute();
  596.  
  597. if(strtolower($CategoryRow['CategoryName']) == strtolower($category_name) || $stmt->rowCount() == 0) {
  598. $stmt = $pdo->prepare('UPDATE categories SET CategoryName = :CategoryName, CategoryDescription = :CategoryDescription WHERE CategoryID = :CategoryID');
  599. $stmt->execute(array(':CategoryID' => $category_id, ':CategoryName' => $category_name, ':CategoryDescription' => $category_description));
  600. } else {
  601. echo('Category name already exists.');
  602. }
  603. } else {
  604. echo('Category already exists.');
  605. }
  606. } else {
  607. echo('Fill all fields correctly.');
  608. }
  609. } else {
  610. echo('You don\'t have permissions to browse this page.');
  611. }
  612. }
  613.  
  614. /* DELETE CATEGORY */
  615.  
  616. if(isset($_POST['action']) && $_POST['action'] == 'delete-category') {
  617.  
  618.  
  619. if($UserLevel == 'admin') {
  620. if(isset($_POST['category-id']) && !empty($_POST['category-id']) && ctype_digit($_POST['category-id'])) {
  621. $CategoryID = $_POST['category-id'];
  622.  
  623. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  624. $stmt->bindParam(':CategoryID', $CategoryID);
  625. $stmt->execute();
  626.  
  627. if($stmt->rowCount() == 1) {
  628. $stmt = $pdo->prepare('DELETE FROM categories WHERE CategoryID = :CategoryID');
  629. $stmt->bindParam(':CategoryID', $CategoryID);
  630. $stmt->execute();
  631.  
  632. $stmt = $pdo->prepare('DELETE FROM products WHERE ProductCategoryID = :ProductCategoryID');
  633. $stmt->bindParam(':ProductCategoryID', $CategoryID);
  634. $stmt->execute();
  635. } else {
  636. echo 'Category does not exists.';
  637. }
  638. }
  639. } else {
  640. echo('You don\'t have permissions to browse this page.');
  641. }
  642. }
  643.  
  644. /* UPDATE ORDER START COUNT */
  645.  
  646. if(isset($_POST['action']) && $_POST['action'] == 'update-order-start-count') {
  647. if($UserLevel == 'admin') {
  648. $start_count = $_POST['start-count'];
  649. $order_id = $_POST['order-id'];
  650.  
  651. $stmt = $pdo->prepare('SELECT * FROM orders WHERE OrderID = :OrderID');
  652. $stmt->bindParam(':OrderID', $order_id);
  653. $stmt->execute();
  654.  
  655. if($stmt->rowCount() == 1) {
  656. $stmt = $pdo->prepare('UPDATE orders SET OrderStartCount = :OrderStartCount WHERE OrderID = :OrderID');
  657. $stmt->execute(array(':OrderStartCount' => $start_count, ':OrderID' => $order_id));
  658. }
  659. }
  660. }
  661.  
  662. /* UPDATE ORDER STATUS */
  663.  
  664.  
  665. if(isset($_POST['action']) && $_POST['action'] == 'update-order-status') {
  666.  
  667.  
  668. if($UserLevel == 'admin') {
  669. if(isset($_POST['order-status']) && !empty($_POST['order-status']) && is_string($_POST['order-status']) &&
  670. isset($_POST['order-id']) && !empty($_POST['order-id']) && ctype_digit($_POST['order-id'])) {
  671. $OrderID = $_POST['order-id'];
  672.  
  673. $stmt = $pdo->prepare('SELECT * FROM orders WHERE OrderID = :OrderID');
  674. $stmt->bindParam(':OrderID', $OrderID);
  675. $stmt->execute();
  676.  
  677. if($stmt->rowCount() == 1) {
  678. $row = $stmt->fetch();
  679.  
  680. $OrderStatus = $_POST['order-status'];
  681. if($OrderStatus == 'Delete Order') {
  682. $stmt = $pdo->prepare('DELETE FROM orders WHERE OrderID = :OrderID');
  683. $stmt->bindParam(':OrderID', $OrderID);
  684. $stmt->execute();
  685. }
  686. if($OrderStatus == 'Refunded') {
  687. $UserID = $user->GetData('UserID');
  688. $UserFunds = $user->GetData('UserFunds');
  689. $stmt = $pdo->prepare('UPDATE users SET UserFunds = :UserFunds WHERE UserID = :UserID');
  690. $stmt->execute(array(':UserFunds' => $row['OrderAmount'] + $UserFunds, ':UserID' => $UserID));
  691. }
  692. $stmt = $pdo->prepare('UPDATE orders SET OrderStatus = :OrderStatus WHERE OrderID = :OrderID');
  693. $stmt->execute(array(':OrderStatus' => $OrderStatus, ':OrderID' => $OrderID));
  694. } else {
  695. echo 'Order does not exists.';
  696. }
  697. }
  698. } else {
  699. echo('You don\'t have permissions to browse this page.');
  700. }
  701. }
  702.  
/* ADD INDIVIDUAL PRICE */
  704.  
  705. if(isset($_POST['action']) && $_POST['action'] == 'add-individual-price') {
  706.  
  707.  
  708. if($UserLevel == 'admin') {
  709. if(isset($_POST['ip-username']) && isset($_POST['ip-service']) && isset($_POST['ip-price']) &&
  710. is_string($_POST['ip-username']) && ctype_digit($_POST['ip-service']) && is_numeric($_POST['ip-price']) &&
  711. !empty($_POST['ip-username']) && !empty($_POST['ip-service'])) {
  712. $username = $_POST['ip-username'];
  713. $service = $_POST['ip-service'];
  714. $price = $_POST['ip-price'];
  715.  
  716. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName');
  717. $stmt->bindParam(':UserName', $username);
  718. $stmt->execute();
  719.  
  720. if($stmt->rowCount() > 0) {
  721. $UserRow = $stmt->fetch(PDO::FETCH_ASSOC);
  722. $UserID = $UserRow['UserID'];
  723.  
  724. $stmt = $pdo->prepare('SELECT * FROM individualprices WHERE IPUserID = :IPUserID AND IPProductID = :IPProductID');
  725. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service));
  726.  
  727. if($stmt->rowCount() == 0) {
  728. $stmt = $pdo->prepare('INSERT INTO individualprices (IPUserID, IPProductID, IPPrice) VALUES (:IPUserID, :IPProductID, :IPPrice)');
  729. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service, ':IPPrice' => $price));
  730. } else {
  731. echo 'Individual price for this user with this service already exists.';
  732. }
  733. } else {
  734. echo 'User name does not exists.';
  735. }
  736. } else {
  737. echo('Fill all fields correctly.');
  738. }
  739. } else {
  740. echo('You don\'t have permissions to browse this page.');
  741. }
  742. }
  743.  
/* EDIT INDIVIDUAL PRICE */
  745.  
  746. if(isset($_POST['action']) && $_POST['action'] == 'edit-individual-price') {
  747.  
  748.  
  749. if($UserLevel == 'admin') {
  750. if(isset($_POST['ip-username']) && isset($_POST['ip-service']) && isset($_POST['ip-price']) && isset($_POST['ip-id']) &&
  751. is_string($_POST['ip-username']) && ctype_digit($_POST['ip-service']) && is_numeric($_POST['ip-price']) &&
  752. !empty($_POST['ip-username']) && !empty($_POST['ip-service'])) {
  753. $id = $_POST['ip-id'];
  754. $username = $_POST['ip-username'];
  755. $service = $_POST['ip-service'];
  756. $price = $_POST['ip-price'];
  757.  
  758. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserName = :UserName');
  759. $stmt->bindParam(':UserName', $username);
  760. $stmt->execute();
  761.  
  762. if($stmt->rowCount() > 0) {
  763. $UserRow = $stmt->fetch(PDO::FETCH_ASSOC);
  764. $UserID = $UserRow['UserID'];
  765.  
  766. $stmt = $pdo->prepare('SELECT * FROM individualprices WHERE IPUserID = :IPUserID AND IPProductID = :IPProductID');
  767. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service));
  768.  
  769. $cs = $pdo->prepare('SELECT * FROM individualprices WHERE IPID = :IPID');
  770. $cs->bindParam(':IPID', $id);
  771. $cs->execute();
  772. $csr = $cs->fetch(PDO::FETCH_ASSOC);
  773.  
  774. if($stmt->rowCount() == 0 || $service == $csr['IPProductID']) {
  775. $stmt = $pdo->prepare('UPDATE individualprices SET IPUserID = :IPUserID, IPProductID = :IPProductID, IPPrice = :IPPrice WHERE IPID = :IPID');
  776. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service, ':IPPrice' => $price, ':IPID' => $id));
  777. } else {
  778. echo 'Individual price for this user with this service already exists.';
  779. }
  780. } else {
  781. echo 'User name does not exists.';
  782. }
  783. } else {
  784. echo('Fill all fields correctly.');
  785. }
  786. } else {
  787. echo('You don\'t have permissions to browse this page.');
  788. }
  789. }
  790.  
  791. /* INDIVIDUAL PRICE DELETE */
  792.  
  793. if(isset($_POST['action']) && $_POST['action'] == 'delete-ip') {
  794.  
  795.  
  796. if($UserLevel == 'admin') {
  797. if(isset($_POST['ip-id']) && !empty($_POST['ip-id']) && ctype_digit($_POST['ip-id'])) {
  798. $IPID = $_POST['ip-id'];
  799.  
  800. $stmt = $pdo->prepare('SELECT * FROM individualprices WHERE IPID = :IPID');
  801. $stmt->bindParam(':IPID', $IPID);
  802. $stmt->execute();
  803.  
  804. if($stmt->rowCount() == 1) {
  805. $stmt = $pdo->prepare('DELETE FROM individualprices WHERE IPID = :IPID');
  806. $stmt->bindParam(':IPID', $IPID);
  807. $stmt->execute();
  808. } else {
  809. echo 'Individual prices does not exists.';
  810. return false;
  811. }
  812. }
  813. } else {
  814. echo('You don\'t have permissions to browse this page.');
  815. }
  816. }
  817.  
  818. /* BAN & UNBAN USER */
  819.  
  820. if(isset($_POST['action']) && $_POST['action'] == 'ban-user') {
  821.  
  822.  
  823. if($UserLevel == 'admin') {
  824. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  825. $UserID = $_POST['user-id'];
  826.  
  827. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  828. $stmt->bindParam(':UserID', $UserID);
  829. $stmt->execute();
  830.  
  831. if($stmt->rowCount() == 1) {
  832. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  833. $UserLevel = $row['UserLevel'];
  834.  
  835. if($UserLevel == 'banned') {
  836. echo 'User account is already terminated.';
  837. return false;
  838. } else {
  839. $stmt = $pdo->prepare('UPDATE users SET UserLevel = :UserLevel WHERE UserID = :UserID');
  840. $stmt->execute(array(':UserLevel' => 'banned', ':UserID' => $UserID));
  841. }
  842. } else {
  843. echo 'User account does not exists.';
  844. return false;
  845. }
  846. }
  847. } else {
  848. echo('You don\'t have permissions to browse this page.');
  849. }
  850. }
  851.  
  852. if(isset($_POST['action']) && $_POST['action'] == 'unban-user') {
  853.  
  854.  
  855. if($UserLevel == 'admin') {
  856. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  857. $UserID = $_POST['user-id'];
  858.  
  859. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  860. $stmt->bindParam(':UserID', $UserID);
  861. $stmt->execute();
  862.  
  863. if($stmt->rowCount() == 1) {
  864. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  865. $UserLevel = $row['UserLevel'];
  866.  
  867. if($UserLevel != 'banned') {
  868. echo 'User account is not terminated.';
  869. return false;
  870. } else {
  871. $stmt = $pdo->prepare('UPDATE users SET UserLevel = :UserLevel WHERE UserID = :UserID');
  872. $stmt->execute(array(':UserLevel' => 'default', ':UserID' => $UserID));
  873. }
  874. } else {
  875. echo 'User account does not exists.';
  876. return false;
  877. }
  878. }
  879. } else {
  880. echo('You don\'t have permissions to browse this page.');
  881. }
  882. }
  883.  
  884. /* DELETE USER */
  885.  
  886. if(isset($_POST['action']) && $_POST['action'] == 'delete-user') {
  887.  
  888.  
  889. if($UserLevel == 'admin') {
  890. if(isset($_POST['user-id']) && !empty($_POST['user-id']) && ctype_digit($_POST['user-id'])) {
  891. $UserID = $_POST['user-id'];
  892.  
  893. $stmt = $pdo->prepare('SELECT * FROM users WHERE UserID = :UserID');
  894. $stmt->bindParam(':UserID', $UserID);
  895. $stmt->execute();
  896.  
  897. if($stmt->rowCount() == 1) {
  898. $stmt = $pdo->prepare('DELETE FROM users WHERE UserID = :UserID');
  899. $stmt->bindParam(':UserID', $UserID);
  900. $stmt->execute();
  901. } else {
  902. echo 'User account does not exists.';
  903. return false;
  904. }
  905. }
  906. } else {
  907. echo('You don\'t have permissions to browse this page.');
  908. }
  909. }
  910.  
  911. /* UPDATE PROFILE INFORMATION */
  912.  
  913. if(isset($_POST['action']) && $_POST['action'] == 'profile-update') {
  914. if(isset($_POST['first-name']) && isset($_POST['last-name']) && isset($_POST['email']) && isset($_POST['password'])
  915. && is_string($_POST['first-name']) && is_string($_POST['last-name']) && is_string($_POST['email']) && is_string($_POST['password'])
  916. && !empty($_POST['first-name']) && !empty($_POST['last-name']) && !empty($_POST['email']) && !empty($_POST['password'])) {
  917.  
  918. if(md5($_POST['password']) == $user->GetData('UserPassword')) {
  919. if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) === false) {
  920. $first_name = stripslashes(strip_tags($_POST['first-name']));
  921. $last_name = stripslashes(strip_tags($_POST['last-name']));
  922. $email = $_POST['email'];
  923. $UserID = $user->GetData('UserID');
  924.  
  925. $stmt = $pdo->prepare('UPDATE users SET UserFirstName = :UserFirstName, UserLastName = :UserLastName, UserEmail = :UserEmail WHERE UserID = :UserID');
  926. $stmt->execute(array(':UserFirstName' =>$first_name, ':UserLastName' => $last_name, ':UserEmail' => $email, ':UserID' => $UserID));
  927. } else {
  928. echo('The provided E-mail is invalid.');
  929. }
  930. } else {
  931. echo('The entered password does not equals to your account password.');
  932. }
  933. } else {
  934. echo('Fill all fields correctly.');
  935. }
  936. }
  937.  
  938. /* UPDATE ACCOUNT PASSWORD */
  939.  
  940. if(isset($_POST['action']) && $_POST['action'] == 'password-update') {
  941. if(isset($_POST['current-password']) && isset($_POST['new-password'])
  942. && is_string($_POST['current-password']) && is_string($_POST['new-password'])
  943. && !empty($_POST['current-password']) && !empty($_POST['new-password'])) {
  944.  
  945. if(md5($_POST['current-password']) == $user->GetData('UserPassword')) {
  946. if(strlen($_POST['new-password']) > 3 && strlen($_POST['new-password']) < 32) {
  947. $UserID = $user->GetData('UserID');
  948.  
  949. $stmt = $pdo->prepare('UPDATE users SET UserPassword = :UserPassword WHERE UserID = :UserID');
  950. $stmt->execute(array(':UserPassword' => md5($_POST['new-password']), ':UserID' => $UserID));
  951. } else {
  952. echo('Password length have to be 4-32 characters.');
  953. }
  954. } else {
  955. echo('The entered password does not match to your account password.');
  956. }
  957. } else {
  958. echo('Fill all fields correctly.');
  959. }
  960. }
  961.  
  962. /* GET AVAILABLE SERVICES */
  963.  
  964. if(isset($_POST['action']) && $_POST['action'] == 'get-products') {
  965. $category = stripslashes(strip_tags($_POST['option']));
  966.  
  967. $stmt = $pdo->prepare('SELECT * FROM categories WHERE CategoryID = :CategoryID');
  968. $stmt->bindParam(':CategoryID', $category);
  969. $stmt->execute();
  970.  
  971. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  972. $CategoryID = $row['CategoryID'];
  973.  
  974. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductCategoryID = :ProductCategoryID');
  975. $stmt->bindParam(':ProductCategoryID', $CategoryID);
  976. $stmt->execute();
  977.  
  978. $html = '';
  979.  
  980. foreach($stmt->fetchAll() as $rows) {
  981. $html .= '<option value="'.$rows['ProductID'].'">'.$rows['ProductName'].'</option>';
  982. }
  983.  
  984. echo $html;
  985. }
  986.  
  987. /* CREATE SERVICE ORDER */
  988.  
  989. if(isset($_POST['action']) && $_POST['action'] == 'create-order') {
  990. if(isset($_POST['service']) && isset($_POST['link']) && !empty($_POST['service']) && !empty($_POST['link']) && ctype_digit($_POST['service']) && is_string($_POST['link']) &&
  991. (isset($_POST['quantity']) && !empty($_POST['quantity']) && ctype_digit($_POST['quantity'])) || (isset($_POST['comments']) && !empty($_POST['comments']) && is_string($_POST['comments']))) {
  992. $service = strip_tags(stripslashes($_POST['service']));
  993.  
  994. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  995. $stmt->execute(array(':ProductID' => $service));
  996.  
  997. if($stmt->rowCount() == 1) {
  998. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  999. $additional = '';
  1000.  
  1001. if($row['ProductType'] == 'default' || $row['ProductType'] == 'hashtag' || $row['ProductType'] == 'mentions') {
  1002. if(isset($_POST['quantity']) && ctype_digit($_POST['quantity'])) {
  1003. $quantity = strip_tags(stripslashes($_POST['quantity']));
  1004. } else {
  1005. echo 'Invalid quantity.';
  1006. exit();
  1007. }
  1008. if($row['ProductType'] == 'hashtag') {
  1009. if(isset($_POST['hashtag']) && is_string($_POST['hashtag'])) {
  1010. $hashtag = stripslashes(strip_tags($_POST['hashtag']));
  1011. $additional = $hashtag;
  1012. } else {
  1013. echo 'Hashtag must be provided.';
  1014. exit();
  1015. }
  1016. } else if($row['ProductType'] == 'mentions') {
  1017. if(isset($_POST['mentions']) && is_string($_POST['mentions'])) {
  1018. $mentions = stripslashes(strip_tags($_POST['mentions']));
  1019. $additional = $mentions;
  1020. } else {
  1021. echo 'Mentions username must be provided.';
  1022. exit();
  1023. }
  1024. }
  1025. } else if($row['ProductType'] == 'comments') {
  1026. if(isset($_POST['comments']) && is_string($_POST['comments']) && strpos($_POST['comments'], '\n') !== false) {
  1027. $comments = $_POST['comments'];
  1028. $quantity = substr_count($_POST['comments'], '\n') + 1;
  1029. $additional = $comments;
  1030. } else {
  1031. echo 'Incorrect comments format.';
  1032. exit();
  1033. }
  1034. } else {
  1035. echo 'Invalid product type.';
  1036. exit();
  1037. }
  1038.  
  1039. $link = stripslashes(strip_tags($_POST['link']));
  1040. $time = time();
  1041. $UserID = $user->GetData('UserID');
  1042. $UserName = $user->GetData('UserName');
  1043. $UserGroup = $user->GetData('UserLevel');
  1044.  
  1045. $max_quantity = $row['ProductMaxQuantity'];
  1046. $product_quantity = $row['ProductMinimumQuantity'];
  1047. $account_balance = $user->GetData('UserFunds');
  1048.  
  1049. if($quantity >= $product_quantity) {
  1050. if($quantity <= $max_quantity) {
  1051. if(empty($additional)) {
  1052. $query = $pdo->prepare('SELECT * FROM orders WHERE OrderLink = :OrderLink AND OrderProductID = :OrderProductID');
  1053. $query->execute(array(':OrderLink' => $link, ':OrderProductID' => $service));
  1054. } else {
  1055. $query = $pdo->prepare('SELECT * FROM orders WHERE OrderLink = :OrderLink AND OrderAdditional = :OrderAdditional AND OrderProductID = :OrderProductID');
  1056. $query->execute(array(':OrderLink' => $link, ':OrderAdditional' => $additional, ':OrderProductID' => $service));
  1057. }
  1058.  
  1059. $stmt = $pdo->prepare('SELECT * FROM individualprices WHERE IPUserID = :IPUserID AND IPProductID = :IPProductID');
  1060. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service));
  1061.  
  1062. if($stmt->rowCount() == 1) {
  1063. $IPPrice = $stmt->fetch(PDO::FETCH_ASSOC);
  1064. $newprice = $product->DeclarePrice($IPPrice['IPPrice'], $row['ProductMinimumQuantity'], $quantity);
  1065. } else {
  1066. if($UserGroup == 'reseller') {
  1067. if(!empty($row['ProductResellerPrice']))
  1068. $newprice = $product->DeclarePrice($row['ProductResellerPrice'], $row['ProductMinimumQuantity'], $quantity);
  1069. else
  1070. $newprice = $product->DeclarePrice($row['ProductPrice'], $row['ProductMinimumQuantity'], $quantity);
  1071. } else {
  1072. $newprice = $product->DeclarePrice($row['ProductPrice'], $row['ProductMinimumQuantity'], $quantity);
  1073. }
  1074. }
  1075. $price = round($newprice, 2);
  1076. if($account_balance >= $price) {
  1077. $api = $row['ProductAPI'];
  1078.  
  1079. if(!empty($api)) {
  1080. if($row['ProductType'] == 'default' || $row['ProductType'] == 'hashtag' || $row['ProductType'] == 'mentions') {
  1081. $api_link = str_replace('[LINK]', $link, $api);
  1082. $api_link = str_replace('[QUANTITY]', $quantity, $api_link);
  1083.  
  1084. if($row['ProductType'] == 'hashtag') {
  1085. $api_link = str_replace('[HASHTAG]', $hashtag, $api_link);
  1086. } else if($row['ProductType'] == 'mentions') {
  1087. $api_link = str_replace('[USERNAME]', $mentions, $api_link);
  1088. }
  1089. } else if($row['ProductType'] == 'comments') {
  1090. $api_link = str_replace('[LINK]', $link, $api);
  1091. $api_link = str_replace('[COMMENTS]', $comments, $api_link);
  1092. }
  1093.  
  1094. $api_final = str_replace('&amp;', '&', $api_link);
  1095. $resp = file_get_contents($api_final);
  1096.  
  1097. $resp = json_decode($resp);
  1098.  
  1099. if(isset($resp->order)) {
  1100. $order_id = $resp->order;
  1101.  
  1102. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate,
  1103. OrderLink, OrderQuantity, OrderAmount, OrderStatus, OrderAPIID, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderStatus, :OrderAPIID, :OrderAdditional, :OrderType)');
  1104.  
  1105. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link,
  1106. ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderStatus' => 'In Process', 'OrderAPIID' => $order_id, ':OrderAdditional' => $additional,
  1107. ':OrderType' => $row['ProductType']));
  1108. } else {
  1109. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderAdditional, :OrderType)');
  1110. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderAdditional' => $additional, ':OrderType' => $row['ProductType']));
  1111. }
  1112. } else {
  1113. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderAdditional, :OrderType)');
  1114. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderAdditional' => $additional, ':OrderType' => $row['ProductType']));
  1115. }
  1116. // Take balance from user's account
  1117.  
  1118. $UserFunds = $account_balance - $price;
  1119.  
  1120. $stmt = $pdo->prepare('UPDATE users SET UserFunds = :UserFunds WHERE UserID = :UserID');
  1121. $stmt->execute(array(':UserFunds' => $UserFunds, ':UserID' => $UserID));
  1122.  
  1123. $ProductName = $product->GetData($service, 'ProductName');
  1124.  
  1125. if(!empty($NotificationEmail)) {
  1126. $txt = "";
  1127.  
  1128. $subject = "New Service Order";
  1129. $txt .= "+----------------------------------+\r\n";
  1130. $txt .= "| New Service Order |\r\n";
  1131. $txt .= "+----------------------------------+\r\n";
  1132. $txt .= "| User ID: ".$UserID."\r\n";
  1133. $txt .= "| User Name: ".$UserName."\r\n";
  1134. $txt .= "| Service ID: ".$service."\r\n";
  1135. $txt .= "| Service Name: ".$ProductName."\r\n";
  1136. $txt .= "| Quantity: ".$quantity.".\r\n";
  1137. $txt .= "| Link: ".$link."\r\n";
  1138. $txt .= "| Price: ".$currency.$price."\r\n";
  1139. $txt .= "+----------------------------------+\r\n";
  1140. $headers = "From: purchase@".$_SERVER['SERVER_NAME']."" . "\r\n" .
  1141. "CC: purchase@".$_SERVER['SERVER_NAME']."";
  1142.  
  1143. @mail($NotificationEmail,$subject,$txt,$headers);
  1144. }
  1145. } else {
  1146. echo 'Not enough funds in the account.You can deposit funds to your account from <a href="./deposit.php">here</a>.';
  1147. }
  1148. } else {
  1149. echo 'Maximum quantity for this service: '.$max_quantity;
  1150. }
  1151. } else {
  1152. echo 'Minimum product quantity for purchase is '.$product_quantity.'.';
  1153. }
  1154. } else {
  1155. echo 'Invalid Product ID.';
  1156. }
  1157. } else {
  1158. echo 'Fill all fields correctly.';
  1159. }
  1160. }
  1161.  
  1162. /* Get User Balance */
  1163.  
  1164. if(isset($_POST['action']) && $_POST['action'] == 'get-user-balance') {
  1165. $UserBalance = $user->GetData('UserFunds');
  1166.  
  1167. echo $currency.$UserBalance;
  1168. }
  1169.  
  1170. /* ADD NAVIGATION LINK */
  1171.  
  1172. if(isset($_POST['action']) && $_POST['action'] == 'add-navigation') {
  1173.  
  1174.  
  1175. if($UserLevel == 'admin') {
  1176. if(isset($_POST['nav-text']) && isset($_POST['nav-url']) && isset($_POST['nav-icon']) &&
  1177. is_string($_POST['nav-text']) && is_string($_POST['nav-url']) && is_string($_POST['nav-icon']) &&
  1178. !empty($_POST['nav-text']) && !empty($_POST['nav-url']) && !empty($_POST['nav-icon'])) {
  1179. $NavText = stripslashes(strip_tags($_POST['nav-text']));
  1180. $NavURL = stripslashes(strip_tags($_POST['nav-url']));
  1181. $NavIcon = stripslashes(strip_tags($_POST['nav-icon']));
  1182.  
  1183. $stmt = $pdo->prepare('INSERT INTO navigation (NavigationText, NavigationURL, NavigationIcon)
  1184. VALUES (:NavigationText, :NavigationURL, :NavigationIcon)');
  1185. $stmt->execute(array(':NavigationText' => $NavText, ':NavigationURL' => $NavURL, ':NavigationIcon' => $NavIcon));
  1186. } else {
  1187. echo('Fill all fields correctly.');
  1188. }
  1189. } else {
  1190. echo('You don\'t have permissions to browse this page.');
  1191. }
  1192. }
  1193.  
  1194. /* EDIT NAVIGATION LINK */
  1195.  
  1196. if(isset($_POST['action']) && $_POST['action'] == 'edit-navigation') {
  1197.  
  1198.  
  1199. if($UserLevel == 'admin') {
  1200. if(isset($_POST['nav-text']) && isset($_POST['nav-url']) && isset($_POST['nav-icon']) && isset($_POST['nav-id']) &&
  1201. is_string($_POST['nav-text']) && is_string($_POST['nav-url']) && is_string($_POST['nav-icon']) && is_numeric($_POST['nav-id']) &&
  1202. !empty($_POST['nav-text']) && !empty($_POST['nav-url']) && !empty($_POST['nav-icon'])) {
  1203. $NavID = stripslashes(strip_tags($_POST['nav-id']));
  1204. $NavText = stripslashes(strip_tags($_POST['nav-text']));
  1205. $NavURL = stripslashes(strip_tags($_POST['nav-url']));
  1206. $NavIcon = stripslashes(strip_tags($_POST['nav-icon']));
  1207.  
  1208. $stmt = $pdo->prepare('UPDATE navigation SET NavigationText = :NavigationText, NavigationURL = :NavigationURL, NavigationIcon = :NavigationIcon WHERE NavigationID = :NavigationID');
  1209. $stmt->execute(array(':NavigationText' => $NavText, ':NavigationURL' => $NavURL, ':NavigationIcon' => $NavIcon, ':NavigationID' => $NavID));
  1210. } else {
  1211. echo('Fill all fields correctly.');
  1212. }
  1213. } else {
  1214. echo('You don\'t have permissions to browse this page.');
  1215. }
  1216. }
  1217.  
  1218. /* DELETE NAVIGATION LINK */
  1219.  
  1220. if(isset($_POST['action']) && $_POST['action'] == 'delete-navigation') {
  1221.  
  1222.  
  1223. if($UserLevel == 'admin') {
  1224. if(isset($_POST['nav-id']) && is_numeric($_POST['nav-id'])) {
  1225. $NavID = stripslashes(strip_tags($_POST['nav-id']));
  1226.  
  1227. $stmt = $pdo->prepare('SELECT * FROM navigation WHERE NavigationID = :NavigationID');
  1228. $stmt->execute(array(':NavigationID' => $NavID));
  1229.  
  1230. if($stmt->rowCount() > 0) {
  1231. $stmt = $pdo->prepare('DELETE FROM navigation WHERE NavigationID = :NavigationID');
  1232. $stmt->execute(array(':NavigationID' => $NavID));
  1233. } else {
  1234. echo('Navigation link does not exists.');
  1235. }
  1236. } else {
  1237. echo('Error.');
  1238. }
  1239. } else {
  1240. echo('You don\'t have permissions to browse this page.');
  1241. }
  1242. }
  1243.  
  1244. /* GET ORDER AMOUNT */
  1245.  
  1246. if(isset($_POST['action']) && $_POST['action'] == 'get-amount' && isset($_POST['service']) && !empty($_POST['service']) && ctype_digit($_POST['service'])) {
  1247. $service = strip_tags(stripslashes($_POST['service']));
  1248. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  1249. $stmt->bindParam(':ProductID', $service);
  1250. $stmt->execute();
  1251.  
  1252. if($stmt->rowCount() > 0) {
  1253. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  1254. if($row['ProductType'] != 'comments') {
  1255. if(ctype_digit($_POST['quantity'])) {
  1256. $quantity = $_POST['quantity'];
  1257. } else {
  1258. echo 'Invalid product quantity';
  1259. exit();
  1260. }
  1261. } else {
  1262. if(isset($_POST['comments'])) {
  1263. $quantity = substr_count($_POST['comments'], '\n');
  1264. }
  1265. }
  1266.  
  1267. $UserGroup = $user->GetData('UserLevel');
  1268. $UserID = $user->GetData('UserID');
  1269. $product_quantity = $row['ProductMinimumQuantity'];
  1270.  
  1271. if($quantity >= $product_quantity) {
  1272. $stmt = $pdo->prepare('SELECT * FROM individualprices WHERE IPUserID = :IPUserID AND IPProductID = :IPProductID');
  1273. $stmt->execute(array(':IPUserID' => $UserID, ':IPProductID' => $service));
  1274.  
  1275. if($stmt->rowCount() == 1) {
  1276. $IPPrice = $stmt->fetch(PDO::FETCH_ASSOC);
  1277. $price = $product->DeclarePrice($IPPrice['IPPrice'], $product_quantity, $quantity);
  1278. } else {
  1279. if($UserGroup == 'reseller') {
  1280. if(!empty($row['ProductResellerPrice']))
  1281. $price = $product->DeclarePrice($row['ProductResellerPrice'], $product_quantity, $quantity);
  1282. else
  1283. $price = $product->DeclarePrice($row['ProductPrice'], $product_quantity, $quantity);
  1284. } else {
  1285. $price = $product->DeclarePrice($row['ProductPrice'], $product_quantity, $quantity);
  1286. }
  1287. }
  1288. echo round($price, 2);
  1289. } else {
  1290. echo 'Invalid quantity.';
  1291. }
  1292. } else {
  1293. echo 'Invalid Product ID.';
  1294. }
  1295. }
  1296.  
  1297. /* GET PRODUCT DETAILS (SUCH AS QUANTITY, PRICE) */
  1298.  
  1299. if(isset($_POST['action']) && $_POST['action'] == 'product-details') {
  1300. if(isset($_POST['details']) && isset($_POST['product-id']) && !empty($_POST['details']) && !empty($_POST['product-id']) && is_string($_POST['details']) && ctype_digit($_POST['product-id'])) {
  1301. $Details = strip_tags(stripslashes($_POST['details']));
  1302. $ProductID = strip_tags(stripslashes($_POST['product-id']));
  1303.  
  1304. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :ProductID');
  1305. $stmt->bindParam(':ProductID', $ProductID);
  1306. $stmt->execute();
  1307.  
  1308. if($stmt->rowCount() == 1) {
  1309. $row = $stmt->fetch(PDO::FETCH_ASSOC);
  1310. echo $row[$Details];
  1311. } else {
  1312. echo 'Error.';
  1313. }
  1314. }
  1315. }
  1316.  
  1317. /* UPDATE ACCOUNT AVATAR */
  1318.  
  1319. if(is_array($_FILES) && isset($_FILES['avatar'])) {
  1320. if(is_uploaded_file($_FILES['avatar']['tmp_name'])) {
  1321. if(($_FILES['avatar']['type'] == 'image/gif') || ($_FILES['avatar']['type'] == 'image/jpeg') || ($_FILES['avatar']['type'] == 'image/png')) {
  1322. $image_info = getimagesize($_FILES["avatar"]["tmp_name"]);
  1323. $image_width = $image_info[0];
  1324. $image_height = $image_info[1];
  1325. if($image_width > 512 && $image_height > 512) {
  1326. echo 'Maximum image size: width: 512px & height: 512px.';
  1327. } else {
  1328. $image = addslashes(file_get_contents($_FILES['avatar']['tmp_name']));
  1329. $UserID = $user->GetData('UserID');
  1330.  
  1331. $stmt = $pdo->prepare('UPDATE users SET UserImage = :UserImage WHERE UserID = :UserID');
  1332. $stmt->execute(array(':UserImage' => $image, ':UserID' => $UserID));
  1333. }
  1334. } else {
  1335. echo 'Image format not supported, or image is corrupt.';
  1336. }
  1337. } else {
  1338. echo 'An error occurred.';
  1339. }
  1340. }
  1341.  
  1342. if(isset($_POST['action']) && $_POST['action'] == 'mass' && isset($_POST['orders'])) {
  1343. $bulk = explode("\n",$_POST['orders']);
  1344.  
  1345. $total = 0;
  1346.  
  1347. foreach($bulk as $order) {
  1348. if(strpos($order, ' | ') !== false) {
  1349. $order = explode(' | ', $order);
  1350. }
  1351. else if(strpos($order, '|') !== false) {
  1352. $order = explode('|', $order);
  1353. }
  1354. else {
  1355. return $display->ReturnError('Invalid order format.');
  1356. }
  1357.  
  1358. if(!isset($order[0]) || !isset($order[1]) || !isset($order[2])) {
  1359. return $display->ReturnError('There is an error with the format of your order.');
  1360. }
  1361.  
  1362. $service = $order[0];
  1363. $link = $order[1];
  1364. $quantity = $order[2];
  1365.  
  1366. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = :id');
  1367. $stmt->execute(array(':id' => $service));
  1368.  
  1369. if($stmt->rowCount() != 1) {
  1370. $error = true;
  1371. return $display->ReturnError('Some of the ordered services does not exists.');
  1372. }
  1373. $row = $stmt->fetch();
  1374. if($row['ProductType'] != 'default') {
  1375. $error = true;
  1376. return $display->ReturnError('You are allowed to order only default type services.');
  1377. }
  1378.  
  1379. $order_storage = (array(
  1380. 'service' => $service,
  1381. 'link' => $link,
  1382. 'quantity' => $quantity,
  1383. 'user' =>$UserID
  1384. ));
  1385.  
  1386. $total += $product->DeclarePrice($row['ProductPrice'], $row['ProductMinimumQuantity'], $quantity);
  1387. }
  1388.  
  1389. if(isset($error)) {
  1390. return $display->ReturnError('There is an error with your order.');
  1391. }
  1392.  
  1393. $UserFunds = $user->GetData('UserFunds');
  1394.  
  1395. if($total > $UserFunds) {
  1396. return $display->ReturnError('Insufficient account balance.');
  1397. }
  1398.  
  1399. $bulk = explode("\n",$_POST['orders']);
  1400.  
  1401. foreach($bulk as $order) {
  1402. if(strpos($order, ' | ') !== false) {
  1403. $order = explode(' | ', $order);
  1404. }
  1405. else if(strpos($order, '|') !== false) {
  1406. $order = explode('|', $order);
  1407. }
  1408. else {
  1409. return $display->ReturnError('Invalid order format');
  1410. }
  1411.  
  1412. $additional = '';
  1413. $time = time();
  1414.  
  1415. $service = $order[0];
  1416. $link = $order[1];
  1417. $quantity = $order[2];
  1418. $order_storage = (array(
  1419. 'service' => $service,
  1420. 'link' => $link,
  1421. 'quantity' => $quantity,
  1422. 'user' =>$UserID
  1423. ));
  1424.  
  1425. $stmt = $pdo->prepare('SELECT * FROM products WHERE ProductID = ?');
  1426. $stmt->execute(array($order_storage['service']));
  1427.  
  1428. $r_row = $stmt->fetch();
  1429. $api = $r_row['ProductAPI'];
  1430.  
  1431. $price = $product->DeclarePrice($r_row['ProductPrice'], $r_row['ProductMinimumQuantity'], $order_storage['quantity']);
  1432. if(!empty($api)) {
  1433. if($row['ProductType'] == 'default' || $row['ProductType'] == 'hashtag' || $row['ProductType'] == 'mentions') {
  1434. $api_link = str_replace('[LINK]', $link, $api);
  1435. $api_link = str_replace('[QUANTITY]', $quantity, $api_link);
  1436.  
  1437. if($row['ProductType'] == 'hashtag') {
  1438. $api_link = str_replace('[HASHTAG]', $hashtag, $api_link);
  1439. } else if($row['ProductType'] == 'mentions') {
  1440. $api_link = str_replace('[USERNAME]', $mentions, $api_link);
  1441. }
  1442. } else if($row['ProductType'] == 'comments') {
  1443. $api_link = str_replace('[LINK]', $link, $api);
  1444. $api_link = str_replace('[COMMENTS]', $comments, $api_link);
  1445. }
  1446.  
  1447. $api_final = str_replace('&amp;', '&', $api_link);
  1448. $resp = file_get_contents($api_final);
  1449.  
  1450. $resp = json_decode($resp);
  1451.  
  1452. if(isset($resp->order)) {
  1453. $order_id = $resp->order;
  1454.  
  1455. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate,
  1456. OrderLink, OrderQuantity, OrderAmount, OrderStatus, OrderAPIID, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderStatus, :OrderAPIID, :OrderAdditional, :OrderType)');
  1457.  
  1458. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link,
  1459. ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderStatus' => 'In Process', 'OrderAPIID' => $order_id, ':OrderAdditional' => $additional,
  1460. ':OrderType' => $row['ProductType']));
  1461. } else {
  1462. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderAdditional, :OrderType)');
  1463. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderAdditional' => $additional, ':OrderType' => $row['ProductType']));
  1464. }
  1465. } else {
  1466. $stmt = $pdo->prepare('INSERT INTO orders (OrderUserID, OrderProductID, OrderDate, OrderLink, OrderQuantity, OrderAmount, OrderAdditional, OrderType) VALUES (:OrderUserID, :OrderProductID, :OrderDate, :OrderLink, :OrderQuantity, :OrderAmount, :OrderAdditional, :OrderType)');
  1467. $stmt->execute(array(':OrderUserID' => $UserID, ':OrderProductID' => $service, ':OrderDate' => $time, ':OrderLink' => $link, ':OrderQuantity' => $quantity, ':OrderAmount' => $price, ':OrderAdditional' => $additional, ':OrderType' => $row['ProductType']));
  1468. }
  1469.  
  1470. // Take balance from user's account
  1471.  
  1472. $UserFunds = $UserFunds - $total;
  1473.  
  1474. $stmt = $pdo->prepare('UPDATE users SET UserFunds = :UserFunds WHERE UserID = :UserID');
  1475. $stmt->execute(array(':UserFunds' => $UserFunds, ':UserID' => $UserID));
  1476.  
  1477. return $display->ReturnSuccess('Your mass order is placed.');
  1478. }
  1479. }
  1480.  
  1481.  
  1482. // Get description
  1483.  
  1484. if (isset($_POST['action']) && $_POST['action'] == 'get-description') {
  1485. if (isset($_POST['service']) && is_numeric($_POST['service'])) {
  1486. $service = stripslashes(strip_tags($_POST['service']));
  1487. $stmt = $pdo->prepare('SELECT ProductDescription FROM products WHERE ProductID = :ProductID');
  1488. $stmt->execute(array(':ProductID' => $service));
  1489. if ($stmt->rowCount() != 1) {
  1490. exit();
  1491. }
  1492. $row = $stmt->fetch();
  1493. echo $row['ProductDescription'];
  1494. }
  1495. }