  1. #1
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,495
    Plugin Contributions
    88

    1.5.0 Beta 8/28: Can't delete orders in admin ...

    The subject says it all.

    Running the 8/28 version of the 1.5.0 beta. When I go into admin to Customers -> Orders and then click "Delete" to delete an order the process completes without an error message (and no debug-log file) ... but the order is not deleted.

  2. #2
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,495
    Plugin Contributions
    88

    Re: 1.5.0 Beta 8/28: Can't delete orders in admin ...

    ... a bit of an update. When I try to delete an order via 1.3.9f (I know, I should have 1.3.9h), the orders delete-confirm page's form statement looks like

    Code:
    <form name="orders" action="http://localhost/v1.3.9f/admin/orders.php?page=1&oID=1&action=deleteconfirm" method="post">
    but the 1.5.0's version of the statement is

    Code:
    <form name="orders" action="http://localhost/v1.5.0/xxxxxxxx/orders.php?page=1&&action=deleteconfirm" method="post">
    There's an extra ampersand (&) being injected into the <form>, and the oID is not one of the parameters.

  3. #3
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,495
    Plugin Contributions
    88

    Re: 1.5.0 Beta 8/28: Can't delete orders in admin ...

    OK, the extra ampersand is a result of the following code (/includes/YOURADMIN/orders.php, line 927):

    Code:
        case 'delete':
          $heading[] = array('text' => '<strong>' . TEXT_INFO_HEADING_DELETE_ORDER . '</strong>');
    
          $contents = array('form' => zen_draw_form('orders', FILENAME_ORDERS, zen_get_all_get_params(array('oID', 'action')) . '&action=deleteconfirm', 'post', '', true) . zen_draw_hidden_field('oID', $oInfo->orders_id));
    Remove the highlighted ampersand and the <form> is properly rendered ... but still does not delete the order.

    The problem is that the oID is being sent via POST, but the header portion of orders.php is still looking for it sent via GET (starting at line 34):

    Code:
      $action = (isset($_GET['action']) ? $_GET['action'] : '');
      $order_exists = false;
      if (isset($_GET['oID']) && trim($_GET['oID']) == '') unset($_GET['oID']);
      if ($action == 'edit' && !isset($_GET['oID'])) $action = '';
    
      if (isset($_GET['oID'])) {
        $oID = zen_db_prepare_input(trim($_GET['oID']));
    
        $orders = $db->Execute("select orders_id from " . TABLE_ORDERS . "
                                where orders_id = '" . (int)$oID . "'");
        $order_exists = true;
        if ($orders->RecordCount() <= 0) {
          $order_exists = false;
          if ($action != '') $messageStack->add_session(ERROR_ORDER_DOES_NOT_EXIST . ' ' . $oID, 'error');
          zen_redirect(zen_href_link(FILENAME_ORDERS, zen_get_all_get_params(array('oID', 'action')), 'NONSSL'));
        }
      }
    
      if (zen_not_null($action) && $order_exists == true) {
    Since the oID is being sent via POST, the variable $order_exists is never set to true so no processing is performed.

  4. #4
    Join Date
    Sep 2009
    Location
    Stuart, FL
    Posts
    12,495
    Plugin Contributions
    88

    Re: 1.5.0 Beta 8/28: Can't delete orders in admin ...

    Here's what I came up with for a fix for the GET vs. POST data issue; please note that the complete fix also includes the removing of the extra & in my previous post.

    Essentially, if the oID value is sent via POST it has precedence over one sent via GET. The oID is set to false initially to cover the case where it's set neither in POST nor GET.

    Note also that there are a bunch of other places within the orders.php file that use $_GET['oID'] that could be modified to use the $oID value.

    Code:
      $action = (isset($_GET['action']) ? $_GET['action'] : '');
      $order_exists = false;

      // ----
      // Get the current order ID.  If the value has been submitted via POST, that is the version used; otherwise, check to
      // see if it's been submitted via GET and use that version if present.
      //
      $oID = false;
      if (isset($_POST['oID'])) {
        if (trim($_POST['oID']) == '') {
          unset($_POST['oID']);
        } else {
          $oID = (int)trim($_POST['oID']);
        }
      } elseif (isset($_GET['oID'])) {
        if (trim($_GET['oID']) == '') {
          unset($_GET['oID']);
        } else {
          $oID = (int)trim($_GET['oID']);
        }
      }
    //  if (isset($_GET['oID']) && trim($_GET['oID']) == '') unset($_GET['oID']);
      // An 'edit' request with no order ID is cleared, matching the original !isset($_GET['oID']) test.
      if ($action == 'edit' && /*!isset($_GET['oID'])*/ $oID === false) $action = '';

      if (/*isset($_GET['oID'])*/ $oID !== false) {
        $oID = zen_db_prepare_input(/*trim($_GET['oID'])*/ $oID);

  5. #5
    Join Date
    Sep 2003
    Location
    Ohio
    Posts
    69,402
    Plugin Contributions
    6

    Re: 1.5.0 Beta 8/28: Can't delete orders in admin ...

    A better, more concise solution would probably be:
    Code:
    /*
    // old code
      if (isset($_GET['oID'])) {
        $oID = zen_db_prepare_input(trim($_GET['oID']));
    
        $orders = $db->Execute("select orders_id from " . TABLE_ORDERS . "
                                where orders_id = '" . (int)$oID . "'");
        $order_exists = true;
        if ($orders->RecordCount() <= 0) {
          $order_exists = false;
          if ($action != '') $messageStack->add_session(ERROR_ORDER_DOES_NOT_EXIST . ' ' . $oID, 'error');
          zen_redirect(zen_href_link(FILENAME_ORDERS, zen_get_all_get_params(array('oID', 'action')), 'NONSSL'));
        }
      }
    */
    
      $oID = FALSE;
      if (isset($_POST['oID'])) {
        $oID = zen_db_prepare_input(trim($_POST['oID']));
      } elseif (isset($_GET['oID'])) {
        $oID = zen_db_prepare_input(trim($_GET['oID']));
      }
      if ($oID) {
        $orders = $db->Execute("select orders_id from " . TABLE_ORDERS . "
                                  where orders_id = '" . (int)$oID . "'");
        $order_exists = true;
        if ($orders->RecordCount() <= 0) {
          $order_exists = false;
          if ($action != '') $messageStack->add_session(ERROR_ORDER_DOES_NOT_EXIST . ' ' . $oID, 'error');
          zen_redirect(zen_href_link(FILENAME_ORDERS, zen_get_all_get_params(array('oID', 'action')), 'NONSSL'));
        }
      }
    You might test that and see if there is anything that you can break ...
    Linda McGrath
    If you have to think ... you haven't been zenned ...
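
The GET-versus-POST handling discussed in this thread, as an added example that is not from any of the posts or from Zen Cart itself: a hypothetical `resolve_order_id()` helper gives POST precedence and accepts only a plain positive integer. It is run over constructed request arrays alongside the GET-only check that made the delete a silent no-op.

```php
<?php
// Added example: resolve_order_id() is a hypothetical helper, not Zen Cart code.
// POST takes precedence over GET, as in the fixes posted in the thread.
// Returns a positive int, or false when no usable order ID was supplied.
function resolve_order_id(array $post, array $get)
{
    if (isset($post['oID'])) {
        $raw = $post['oID'];
    } elseif (isset($get['oID'])) {
        $raw = $get['oID'];
    } else {
        return false;                 // supplied in neither POST nor GET
    }
    if (!is_string($raw)) {
        return false;                 // oID[]=17 arrives as an array, not a string
    }
    $raw = trim($raw);
    // Plain decimal digits only, so "17abc" is rejected instead of being cast
    // to 17. The 9-digit limit is an assumption that keeps the (int) cast in range.
    if (!preg_match('/^[1-9][0-9]{0,8}$/D', $raw)) {
        return false;
    }
    return (int)$raw;
}

// Constructed requests (sample data, not captured traffic): [POST, GET].
$cases = [
    '1.5.0 delete form, oID in POST only' => [['oID' => '17'], ['page' => '1', 'action' => 'deleteconfirm']],
    'older link, oID in GET only'         => [[], ['oID' => '17', 'action' => 'edit']],
    'both present, POST wins'             => [['oID' => '17'], ['oID' => '99']],
    'blank POST value'                    => [['oID' => ' '], []],
    'trailing junk'                       => [['oID' => '17abc'], []],
    'array value'                         => [['oID' => ['17']], []],
    'nothing supplied'                    => [[], []],
];

foreach ($cases as $label => [$post, $get]) {
    $oID = resolve_order_id($post, $get);
    // The original header code looked at $_GET only:
    $legacy = isset($get['oID']) && trim($get['oID']) !== '';
    printf("%-38s resolved=%-5s get_only_check=%s\n",
        $label, var_export($oID, true), $legacy ? 'found' : 'missing');
}
```

The first row is the case from the thread: the ID is present and valid, but a check that reads only `$_GET` never sees it, so `$order_exists` stays false and nothing is processed.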
