bug in custom "card on file" payment module

**saxtuplet** · 6 Mar 2013, 07:37 PM

We had a customer sign up with an apostrophe in their last name and this caused a SQL error in modules/payment/cardonfile.php.

I replaced this on line 39:

$sql = "SELECT customers_id FROM customers WHERE customers_firstname = '{$order->customer['firstname']}' AND customers_lastname = '{$order->customer['lastname']}'";

with this:

$lastname = addslashes($order->customer['lastname']);
$firstname = addslashes($order->customer['firstname']);

$sql = "SELECT customers_id FROM customers WHERE customers_firstname = '{$firstname}' AND customers_lastname = '{$lastname}'";

We have ver. v1.3.9b.

I am surprised this has not come up before!

**schoolboy** · 6 Mar 2013, 08:42 PM

Originally Posted by saxtuplet

I am surprised this has not come up before!

Probably because the module is not a core module, and neither is it available in the plugins area.

Looks like you're the only one using it. Be interested to know where you got it from, and whether your server meets PCI compliances. If not, this presents a massive security risk to your customers.

**saxtuplet** · 7 Mar 2013, 09:44 PM

I just found out this was a custom module added when someone worked on the site's linkpoint integration. Looks like it uses similar logic to the Ceon card module - it just stores the 4 digits at each end of the card number and the admin then looks up the number at linkpoint.