Quote Originally Posted by swguy View Post
One of my clients has started getting spam signups on this too. I'm considering a few options - maybe limiting it to logged in customers only. I'll post back with notes on what I did.
in observers/class.back_in_stock_notificationsProductInfo.php you could add a product ID verification to stop false product creation.

For info, this is based on ZC1.5.7 and not been fully tested... added the red section
Code:
$already_to_be_notified_query = "
                    SELECT
                        id
                    FROM
                        " . TABLE_BACK_IN_STOCK_NOTIFICATION_SUBSCRIPTIONS . "
                    WHERE
                        product_id = '" . (int) $_GET['products_id'] . "'
                    AND
                        (
                            customer_id = '"  . (int) $_SESSION['customer_id'] . "'
                        OR
                            email_address = '" .
                                $customer_details->fields['customers_email_address'] . "'
                        );";
                
                $already_to_be_notified = $db->Execute($already_to_be_notified_query);
                
                 $productID = $_GET['products_id'];

                  if ($productID == '') {
                    //no product ID used die
                    $back_in_stock_notification_build_form = false;
                    
                    $product_back_in_stock_notification_form_link = 
                            BACK_IN_STOCK_NOTIFICATION_TEXT_ALREADY_SUBSCRIBED;
                } else if ($already_to_be_notified->RecordCount() > 0) {
                    // Customer is already subscribed to the notification list for this product
In ZC157a I could not create a record by adding a non-existing product ID, it just kicks out a can't find product message. However, I could create one with no product ID..