1<?php
2require($PathPrefix . 'config.php');
3require_once('includes/DefineCartItemClass.php');
4include('includes/Functions.php');
/* Work out the URL path prefix of the shop from the running script's location, unless
 * config.php already supplied $RootPath. When the shop is served from the document root
 * (dirname gives '/' or '\') the prefix is the empty string. */
if (!isset($RootPath)) {
	$RootPath = dirname(htmlspecialchars($_SERVER['PHP_SELF']));
	if (in_array($RootPath, array('/', '\\'), true)) {
		$RootPath = '';
	}
}
11
// Optional custom directory for the session files (value presumably comes from config.php, required above)
if (isset($SessionSavePath)){
	session_save_path($SessionSavePath);
}
// Idle time in seconds after which the session garbage collector may discard a session
// ($SessionLifeTime is not defined in this file - presumably set in config.php)
ini_set('session.gc_maxlifetime',$SessionLifeTime);

// safe_mode was removed in PHP 5.4; on current PHP ini_get() returns false here, so the
// execution-time limit from config is always applied
if( !ini_get('safe_mode') ){
	set_time_limit($MaximumExecutionTime);
	ini_set('max_execution_time',$MaximumExecutionTime);
}
session_write_close(); //in case a previous session is not closed
// NOTE(review): only gc_maxlifetime is configured in this block; session.cookie_httponly and
// session.cookie_secure are not set here - confirm they are set in php.ini or config.php.
session_name('webERPStoreSESSID');
session_start();
24
/* A bare ?LoggOff GET parameter resets the session for a new order (ResetForNewOrder is
 * defined in includes/Functions.php). This runs before - and is not covered by - the FormID
 * check at the end of this file, which only inspects POST submissions. */
if (isset($_GET['LoggOff'])) {
	$LogOff = true; // the original passed the argument as ResetForNewOrder($LogOff=true)
	ResetForNewOrder($LogOff);
}
28
/* First request of a session: give the session a random name and create the FormID token
 * that every POSTed form has to echo back (verified near the end of this file). */
if (!isset($_SESSION['SessionName'])){
	// NOTE(review): the session is already active at this point (session_start() above); recent
	// PHP versions refuse to change the name of an active session - confirm this takes effect
	// on the target PHP version. CreateRandomHash() is defined at the bottom of this file.
	session_name(CreateRandomHash(15));
	$_SESSION['SessionName'] = session_name();
	// NOTE(review): uniqid()/mt_rand() are not cryptographically strong sources for an
	// anti-forgery token; random_bytes()/openssl_random_pseudo_bytes() would be preferable where available.
	$_SESSION['FormID'] = sha1(uniqid(mt_rand(), true));
}
34
35require('includes/DatabaseFunctions.php'); //had to go with a local copy due to error messages/logging in webERP file
36require($PathPrefix . 'includes/DateFunctions.inc');
37include($PathPrefix . 'includes/LanguageSetup.php');
38
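/* Sanitise $_POST data: every scalar value is passed through DB_escape_string() so the pages
 * that include this file can embed it in SQL strings.
 * NOTE(review): this is a string-level defence for SQL literals only. It does not make the
 * values safe for HTML output (htmlspecialchars() is still required at the point of output)
 * and parameterised queries remain the preferred protection. */
foreach ($_POST as $PostVariableName => $PostVariableValue) {
	if (gettype($PostVariableValue) != 'array') {
		$_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
	} else {
		/* The original inner loop wrote the escaped values into $PostVariableValue, which is a
		 * by-value copy of the sub-array (and its stripslashes() call read an undefined $value),
		 * so array-valued POST fields were never actually escaped. Write back into $_POST. */
		foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
			if (is_array($PostArrayValue)) {
				continue; // nested arrays are left as they are, matching the scalar-only handling above
			}
			// get_magic_quotes_gpc() was removed in PHP 8; guard the call so the file still loads there
			if (function_exists('get_magic_quotes_gpc') AND get_magic_quotes_gpc()) {
				$PostArrayValue = stripslashes($PostArrayValue);
			}
			$_POST[$PostVariableName][$PostArrayKey] = DB_escape_string($PostArrayValue);
		}
	}
}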
52
/* Escape every scalar $_GET value for use inside SQL string literals. Array-valued
 * parameters are left untouched.
 * NOTE(review): DB_escape_string() only protects SQL string literals; it does not prevent
 * cross-site scripting - values still have to be HTML-escaped when they are output. */
foreach (array_keys($_GET) as $GetKey) {
	if (is_array($_GET[$GetKey])) {
		continue;
	}
	$_GET[$GetKey] = DB_escape_string($_GET[$GetKey]);
}
61
/* First page of a session: copy the config table and the company record into $_SESSION so
 * later pages do not have to query them again (guarded by the flag set at the end of the block). */
if (!isset($_SESSION['CompanyDefaultsLoaded'])) {

	//echo '<Br />LOADED NEW DEFAULTS';

	// every row of the config table becomes $_SESSION[confname] = confvalue
	$sql = "SELECT confname, confvalue FROM config";
	$ErrMsg = _('Could not get the configuration parameters from the database because');
	$ConfigResult = DB_query($sql,$ErrMsg);
	while( $myrow = DB_fetch_array($ConfigResult) ) {
		// numeric values are stored as doubles, except DefaultPriceList and VersionNumber which are
		// kept as strings (presumably because they are codes that may merely look numeric)
		if (is_numeric($myrow['confvalue']) AND $myrow['confname']!='DefaultPriceList' AND $myrow['confname']!='VersionNumber'){
			//the variable name is given by $myrow['confname']
			$_SESSION[$myrow['confname']] = (double) $myrow['confvalue'];
		} else {
			$_SESSION[$myrow['confname']] =  $myrow['confvalue'];
		}
	} //end loop through all config variables

	DB_free_result($ConfigResult); // no longer needed

	// company record joined with its default currency (for decimalplaces); coycode=1 is
	// hard-coded - presumably the single company record of the installation
	$sql=	"SELECT	coyname,
					gstno,
					regoffice1,
					regoffice2,
					regoffice3,
					regoffice4,
					regoffice5,
					regoffice6,
					telephone,
					fax,
					email,
					currencydefault,
					debtorsact,
					pytdiscountact,
					creditorsact,
					payrollact,
					grnact,
					exchangediffact,
					purchasesexchangediffact,
					retainedearnings,
					freightact,
					gllink_debtors,
					gllink_creditors,
					gllink_stock,
					decimalplaces
				FROM companies
				INNER JOIN currencies ON companies.currencydefault=currencies.currabrev
				WHERE coycode=1";

	$ErrMsg = _('An error occurred accessing the database to retrieve the company information');
	$ReadCoyResult = DB_query($sql,$ErrMsg);

	// without a company record the shop cannot run: show the message and stop
	if (DB_num_rows($ReadCoyResult)==0) {
		echo '<br /><b>';
		prnMsg( _('The company record has not yet been set up') . '</b><br />' . _('From the system setup tab select company maintenance to enter the company information and system preferences'),'error',_('CRITICAL PROBLEM'));
		exit;
	} else {
		$_SESSION['CompanyRecord'] = DB_fetch_array($ReadCoyResult);
	}
	if (isset($ShopDebtorNo) AND $ShopDebtorNo!='' AND isset($ShopBranchCode) AND $ShopBranchCode!='') { //$ShopDebtorNo set in includes/config.php is not empty
		//then use $ShopDebtorNo for this shop - this allows multiple webSHOPs for a single webERP installation
		$_SESSION['ShopDebtorNo']=$ShopDebtorNo;
		$_SESSION['ShopBranchCode']=$ShopBranchCode;
	}
	// presumably reads the ShopDebtorNo/ShopBranchCode session values set just above and fills
	// $_SESSION['CustomerDetails'], which the payment-method setup below reads - confirm in that file
	include('includes/GetCustomerDetails.php'); // also used when a customer logs in

	// per-shop overrides of the config table values; each config.php variable wins only when set and non-empty
	if (isset($ShopName) AND $ShopName!='') { //$ShopName set in includes/config.php is not empty
		//then use $ShopName for this shop - this allows multiple webSHOPs for a single webERP installation
		$_SESSION['ShopName'] = $ShopName;
	}
	if (isset($ShopAboutUs) AND $ShopAboutUs!='') { //$ShopAboutUs set in includes/config.php is not empty
		//then use $ShopAboutUs for this shop - this allows multiple webSHOPs for a single webERP installation
		$_SESSION['ShopAboutUs'] = $ShopAboutUs;
	}
	if (isset($ShopFreightPolicy) AND $ShopFreightPolicy!='') { //$ShopFreightPolicy set in includes/config.php is not empty
		//then use $ShopFreightPolicy for this shop - this allows multiple webSHOPs for a single webERP installation
		$_SESSION['ShopFreightPolicy'] = $ShopFreightPolicy;
	}
	if (isset($ShopContactUs) AND $ShopContactUs!='') { //$ShopContactUs set in includes/config.php is not empty
		//then use $ShopContactUs for this shop - this allows multiple webSHOPs for a single webERP installation
		$_SESSION['ShopContactUs'] = $ShopContactUs;
	}

	$_SESSION['CompanyDefaultsLoaded'] = true; //so we don't do this with every page
}
145
// The cart is kept in the session as an array of CartItem objects (class loaded from
// includes/DefineCartItemClass.php above); start with an empty one when none exists yet.
$_SESSION['ShoppingCart'] = isset($_SESSION['ShoppingCart']) ? $_SESSION['ShoppingCart'] : array();
149
/* Build the list of payment methods this shop offers from the Shop* values loaded into the
 * session. Each entry is array('MethodName' => label, 'Surcharge' => amount), keyed by the
 * method identifier (the credit-card entry is keyed by the configured gateway name). */
$PaymentMethods = array();

if ($_SESSION['ShopAllowPayPal'] == '1') {
	$PaymentMethods['PayPal'] = array(
		'MethodName' => _('Pay Pal'),
		'Surcharge' => $_SESSION['ShopPayPalSurcharge'],
	);
}
if ($_SESSION['ShopAllowCreditCards'] == 1) {
	$GatewayKey = $_SESSION['ShopCreditCardGateway'];
	$PaymentMethods[$GatewayKey] = array(
		'MethodName' => _('Credit Card'),
		'Surcharge' => $_SESSION['ShopCreditCardSurcharge'],
	);
}
if ($_SESSION['ShopAllowBankTransfer'] == '1') {
	$PaymentMethods['BankTransfer'] = array(
		'MethodName' => _('Bank Transfer'),
		'Surcharge' => $_SESSION['ShopBankTransferSurcharge'],
	);
}

// Credit customers additionally get the system CreditAccount method with no surcharge.
// NOTE(review): its label is the only one not passed through _() - probably an oversight.
if ($_SESSION['CustomerDetails']['creditcustomer'] == true) {
	$PaymentMethods['CreditAccount'] = array(
		'MethodName' => 'Credit Account',
		'Surcharge' => 0,
	);
}
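if (sizeof($_POST) > 0) {
	/* Security check: every form submitted to the shop must carry the FormID that was issued to
	 * this session (set when the session was created, near the top of this file); otherwise the
	 * POST is rejected. Only POST submissions are covered - GET parameters are not checked.
	 * hash_equals() (PHP 5.6+) gives a strict, constant-time string comparison; the original
	 * loose != would have compared two numeric-looking strings numerically. */
	if (!isset($_POST['FormID']) OR !hash_equals((string) $_SESSION['FormID'], (string) $_POST['FormID'])) {
		$Title = _('Error in form verification');
		include('includes/header.php');
		echo '<br />
			<br />';
		prnMsg(_('This form was not submitted with a correct ID') , 'error');
		include('includes/footer.php');
		exit;
	}
}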
178
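/**
 * Build a random string of $Length upper-case letters and digits.
 * Used near the top of this file to choose a per-session session_name(); despite the name
 * it is not a hash of anything.
 *
 * @param int $Length number of characters to produce (0 or less gives '')
 * @return string
 */
function CreateRandomHash($Length){
	// 'N' was missing from the original alphabet; the full A-Z, 0-9 range is used now
	$Characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
	$LastIndex = strlen($Characters) - 1;
	// random_int() (PHP 7+) draws from a CSPRNG, rand() does not; fall back to mt_rand() on
	// older PHP so the file still loads there
	$HaveRandomInt = function_exists('random_int');

	$Hash = '';
	for ($i = 1; $i <= $Length; $i++) {
		$Position = $HaveRandomInt ? random_int(0, $LastIndex) : mt_rand(0, $LastIndex);
		$Hash .= $Characters[$Position];
	}

	// NOTE(review): an all-digit result is possible; session_name() rejects purely numeric
	// names, so the caller at the top of this file could fail on such a value.
	return $Hash;
}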
192?>
193