fix: harden billing module for standalone portability

- config_loader.php: prefer local billing config FIRST (root cause fix) - was: panel config loaded first, overriding local config with wrong db name - now: local modules/billing/includes/config.inc.php always wins when present - config.inc.php: add $db_port="3306" - config.example.php: new example config with all variables documented - menu.php: add $db_port to mysqli_connect - admin_auth.php: add $db_port; remove hardcoded /_website path detection - bootstrap.php billing_get_db(): add $db_port - login.php: fix /_website path detection - adminserverlist.php: add $db_port; fix hardcoded /modules/billing/ URL - All other mysqli_connect calls: add isset($db_port) port parameter (my_servers, forgot_password, serverlist, server_status, order, register, reset_password, payment_success, my_account, admin_invoices, admin_payments, diag_remote, admin_coupons, test_db_connection, tools/check_db_user, renew_server) - timestamp.txt: updated Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/a3e1e4bb-8eb1-4e6e-b1f8-7f3952301231 Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
2026-05-02 13:15:50 +00:00 · 2026-05-02 13:15:50 +00:00 · 1247e5e7ca
commit 1247e5e7ca
parent 834d56a506
25 changed files with 105 additions and 70 deletions
--- a/modules/billing/admin_coupons.php
+++ b/modules/billing/admin_coupons.php
@ -36,7 +36,7 @@ function h($s){ return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }
 $db = false;
 try {
  // suppress direct output; we'll log errors and show a friendly message
-  $db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+  $db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 } catch (Throwable $e) {
  error_log('[admin_coupons] mysqli_connect exception: ' . $e->getMessage());
  $db = false;
--- a/modules/billing/admin_invoices.php
+++ b/modules/billing/admin_invoices.php
@ -12,7 +12,7 @@ require_once __DIR__ . '/classes/GatewayFactory.php';

 function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) die('DB connection failed');
 mysqli_set_charset($db, 'utf8mb4');
 $prefix = $table_prefix ?? 'gsp_';
--- a/modules/billing/admin_payments.php
+++ b/modules/billing/admin_payments.php
@ -10,7 +10,7 @@ require_once __DIR__ . '/classes/BillingRepository.php';

 function h($s) { return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8'); }

-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 $transactions = [];
 $errorMsg = '';
 if (!$db) {
--- a/modules/billing/adminserverlist.php
+++ b/modules/billing/adminserverlist.php
@ -18,8 +18,8 @@ $siteBaseUrl = isset($SITE_BASE_URL) ? trim((string)$SITE_BASE_URL) : '';
 // Protect this page: require admin
 require_once(__DIR__ . '/includes/admin_auth.php');

-// Create database connection (admin_auth already validated DB but we need connection for UI ops)
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+// Create database connection
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
  die("Connection failed: " . mysqli_connect_error());
 }
@ -29,7 +29,7 @@ include(__DIR__ . '/includes/top.php');
 include(__DIR__ . '/includes/menu.php');

 echo "<div class='panel mb-12'><strong>Need the XML field reference?</strong> ";
-echo "<a href=\"/modules/billing/docs/xml_notes.php\" target=\"_blank\" rel=\"noopener\">Open XML Notes</a>";
+echo "<a href=\"docs/xml_notes.php\" target=\"_blank\" rel=\"noopener\">Open XML Notes</a>";
 echo "</div>";

 /* show errors during setup */
--- a/modules/billing/bootstrap.php
+++ b/modules/billing/bootstrap.php
@ -28,7 +28,7 @@ $billing_db_opened_by_bootstrap = false;
 */
 function billing_get_db()
 {
-    global $billing_db, $db, $db_host, $db_user, $db_pass, $db_name, $billing_db_opened_by_bootstrap;
+    global $billing_db, $db, $db_host, $db_user, $db_pass, $db_name, $db_port, $billing_db_opened_by_bootstrap;
    if (!empty($billing_db) && ($billing_db instanceof mysqli)) {
        return $billing_db;
    }
@ -36,8 +36,9 @@ function billing_get_db()
        $billing_db = $db;
        return $billing_db;
    }
+    $port = isset($db_port) ? (int)$db_port : null;
    // Try to connect (suppress warnings; caller may check return value)
-    $conn = @mysqli_connect($db_host ?? null, $db_user ?? null, $db_pass ?? null, $db_name ?? null);
+    $conn = @mysqli_connect($db_host ?? null, $db_user ?? null, $db_pass ?? null, $db_name ?? null, $port);
    if ($conn) {
        // Set charset when available
        if (function_exists('mysqli_set_charset')) {
--- a/modules/billing/diag_remote.php
+++ b/modules/billing/diag_remote.php
@ -37,7 +37,7 @@ if (defined('BILLING_CONFIG_PATH') && is_readable(BILLING_CONFIG_PATH)) {
 echo "Trying DB connection...\n";
 $ok = false;
 if (isset($db_host)) {
-    $db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+    $db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
    if ($db) {
        echo "DB connect: OK (host=$db_host db=$db_name)\n";
        $ok = true;
--- a/modules/billing/forgot_password.php
+++ b/modules/billing/forgot_password.php
@ -14,7 +14,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/includes/admin_auth.php
+++ b/modules/billing/includes/admin_auth.php
@ -4,17 +4,8 @@ require_once(__DIR__ . '/session_bridge.php');

 // If not logged in, redirect to login
 if (empty($_SESSION['website_user_id'])) {
-    // Build absolute login URL to avoid browser-relative resolution issues
-    $script = $_SERVER['SCRIPT_NAME'] ?? '';
-    $siteRoot = '/';
-    $pos = strpos($script, '/_website');
-    if ($pos !== false) {
-        $siteRoot = substr($script, 0, $pos + strlen('/_website'));
-    } else {
-        $siteRoot = rtrim(dirname($script), '/\\');
-    }
-    $loginUrl = $siteRoot . '/login.php';
-    $returnTo = $siteRoot . '/' . basename($_SERVER['PHP_SELF']);
+    $loginUrl = rtrim(dirname($_SERVER['SCRIPT_NAME'] ?? '/'), '/\\') . '/login.php';
+    $returnTo = $_SERVER['SCRIPT_NAME'] ?? '/';
    header('Location: ' . $loginUrl . '?return_to=' . urlencode($returnTo));
    exit();
 }
@ -29,15 +20,13 @@ require_once(__DIR__ . '/config_loader.php');
 /** @var string $db_name Database name */
 /** @var string $table_prefix Table prefix for database tables */

+$auth_db_port = isset($db_port) ? (int)$db_port : null;
 // Use a local connection variable so we don't clash with pages that also use $db
-$auth_db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$auth_db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, $auth_db_port);
 if (!$auth_db) {
    // If DB unavailable, deny access gracefully
-    // Redirect to absolute login URL
-    $script = $_SERVER['SCRIPT_NAME'] ?? '';
-    $pos = strpos($script, '/_website');
-    $siteRoot = $pos !== false ? substr($script, 0, $pos + strlen('/_website')) : rtrim(dirname($script), '/\\');
-    header('Location: ' . $siteRoot . '/login.php');
+    $loginUrl = rtrim(dirname($_SERVER['SCRIPT_NAME'] ?? '/'), '/\\') . '/login.php';
+    header('Location: ' . $loginUrl);
    exit();
 }

@ -52,15 +41,10 @@ mysqli_close($auth_db);

 if (strtolower($role) !== 'admin') {
    // Not an admin — redirect to login or home
-    // Redirect to absolute login URL
-    $script = $_SERVER['SCRIPT_NAME'] ?? '';
-    $pos = strpos($script, '/_website');
-    $siteRoot = $pos !== false ? substr($script, 0, $pos + strlen('/_website')) : rtrim(dirname($script), '/\\');
-    header('Location: ' . $siteRoot . '/login.php');
+    $loginUrl = rtrim(dirname($_SERVER['SCRIPT_NAME'] ?? '/'), '/\\') . '/login.php';
+    header('Location: ' . $loginUrl);
    exit();
 }

 // If we reach here, user is an admin
 ?>
-
-
--- a/modules/billing/includes/config.example.php
+++ b/modules/billing/includes/config.example.php
@ -0,0 +1,43 @@
+<?php
+###############################################
+# Billing Website Configuration Example
+#
+# Copy this file to config.inc.php and fill in
+# your actual settings.
+# config.inc.php is excluded from version control.
+#
+# This file is used by modules/billing/ both as a
+# standalone website and as a panel-integrated module.
+# The billing module reads ONLY this file — it does NOT
+# depend on the parent panel's includes/config.inc.php.
+###############################################
+
+# --- Database connection ---
+$db_host = "localhost";
+$db_port = "3306";          // MySQL port (default 3306)
+$db_user = "your_db_user";
+$db_pass = "your_db_password";
+$db_name = "your_db_name";  // Panel database name (e.g. "gsp" or "panel")
+$table_prefix = "gsp_";     // Table prefix used in the panel database
+$db_type = "mysql";
+
+# --- Site base URL ---
+# Leave empty to use relative paths (works for any install path).
+# Set to your full base URL (without trailing slash) if you need absolute URLs:
+#   e.g. "https://gameservers.world" or "http://173.208.136.11/testing/modules/billing"
+$SITE_BASE_URL = '';
+
+# --- Background image ---
+# Relative to the billing site root.
+$SITE_BACKGROUND = 'images/dark.jpg';
+
+# --- Data directory ---
+# Absolute path where payment webhook JSON files are stored.
+# Default: modules/billing/data/
+$SITE_DATA_DIR = realpath(__DIR__ . '/..') . DIRECTORY_SEPARATOR . 'data';
+
+# --- PayPal settings ---
+$paypal_sandbox       = true;   // Set to false for live payments
+$paypal_client_id     = '';     // Your PayPal Client ID
+$paypal_client_secret = '';     // Your PayPal Client Secret
+$paypal_webhook_id    = '';     // Your PayPal Webhook ID (for webhook signature verification)
--- a/modules/billing/includes/config.inc.php
+++ b/modules/billing/includes/config.inc.php
@ -8,6 +8,7 @@
 # database configuration in includes/config.inc.php
 ###############################################
 $db_host="localhost";
+$db_port="3306";
 $db_user="localuser";
 $db_pass="Pkloyn7yvpht!";
 $db_name="panel";
--- a/modules/billing/includes/config_loader.php
+++ b/modules/billing/includes/config_loader.php
@ -2,27 +2,44 @@
 /**
 * Billing config loader
 *
- * Attempts to load the main panel config file first (../includes/config.inc.php).
- * If that file is not readable, falls back to a module-local config.inc.php copy.
- * When neither file exists, output a plain-text error and stop execution so that
- * the admin knows to copy the config locally.
+ * Priority order (standalone-first):
+ *   1. modules/billing/includes/config.inc.php  (local billing config — always wins when present)
+ *   2. <panel_root>/includes/config.inc.php      (panel config — fallback when no local config)
+ *
+ * This ensures that copying modules/billing/ to any web root works correctly
+ * after editing its own config.inc.php, without being overridden by a parent
+ * panel installation that may have a different database name.
 */
 if (defined('BILLING_CONFIG_LOADED')) {
    return;
 }

+$localConfig = __DIR__ . '/config.inc.php';
+$attempted = [];
+
+// Always prefer the local billing config so the module is self-contained.
+if (is_readable($localConfig)) {
+    $attempted[] = $localConfig;
+    require_once $localConfig;
+    if (!defined('BILLING_CONFIG_PATH')) {
+        define('BILLING_CONFIG_PATH', $localConfig);
+    }
+    define('BILLING_CONFIG_LOADED', true);
+    return;
+}
+
+$attempted[] = $localConfig;
+
+// Fallback: try to load the panel's config (useful when running embedded inside the panel
+// and no local copy has been made yet).
 $panelConfig = null;
 $projectRoot = realpath(__DIR__ . '/../../..');
 if ($projectRoot !== false) {
    $panelConfig = $projectRoot . '/includes/config.inc.php';
 } else {
-    // Fallback relative path without resolving symlinks
    $panelConfig = __DIR__ . '/../../..' . '/includes/config.inc.php';
 }

-$localConfig = __DIR__ . '/config.inc.php';
-$attempted = [];
-
 if ($panelConfig && is_readable($panelConfig)) {
    $attempted[] = $panelConfig;
    require_once $panelConfig;
@ -34,17 +51,6 @@ if ($panelConfig && is_readable($panelConfig)) {
 }

 $attempted[] = $panelConfig;
-if (is_readable($localConfig)) {
-    $attempted[] = $localConfig;
-    require_once $localConfig;
-    if (!defined('BILLING_CONFIG_PATH')) {
-        define('BILLING_CONFIG_PATH', $localConfig);
-    }
-    define('BILLING_CONFIG_LOADED', true);
-    return;
-}
-
-$attempted[] = $localConfig;

 $message = "GSP Billing module cannot find config.inc.php.\n";
 $message .= "Looked in:\n";
--- a/modules/billing/includes/menu.php
+++ b/modules/billing/includes/menu.php
@ -58,7 +58,8 @@ if ($is_logged_in) {
  if (isset($db) && $db instanceof mysqli) {
    $menu_db = $db;
  } else {
-    $menu_db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+    $menu_db_port = isset($db_port) ? (int)$db_port : null;
+    $menu_db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, $menu_db_port);
    $menu_db_opened = true;
  }

--- a/modules/billing/login.php
+++ b/modules/billing/login.php
@ -20,10 +20,9 @@ require_once(__DIR__ . '/includes/log.php');
 /** @var string $db_name Database name */
 /** @var string $table_prefix Table prefix for database tables */

-// Determine site root up to /_website so we can enforce absolute redirects within this site
+// Determine site root (directory of this script) for building absolute redirects within this site
 $script = $_SERVER['SCRIPT_NAME'] ?? '';
-$pos = strpos($script, '/_website');
-$SITE_ROOT_PATH = $pos !== false ? substr($script, 0, $pos + strlen('/_website')) : rtrim(dirname($script), '/\\');
+$SITE_ROOT_PATH = rtrim(dirname($script), '/\\');

 // Strict sanitizer that returns an absolute path under $SITE_ROOT_PATH or empty string on invalid
 $sanitize_return_path = function($p) use ($SITE_ROOT_PATH) {
@ -50,7 +49,7 @@ $sanitize_return_path = function($p) use ($SITE_ROOT_PATH) {
 };

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/my_account.php
+++ b/modules/billing/my_account.php
@ -38,7 +38,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/my_servers.php
+++ b/modules/billing/my_servers.php
@ -21,7 +21,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/order.php
+++ b/modules/billing/order.php
@ -34,7 +34,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/payment_success.php
+++ b/modules/billing/payment_success.php
@ -22,7 +22,7 @@ $user_id = isset($_SESSION['website_user_id']) ? intval($_SESSION['website_user_
           (isset($_SESSION['user_id']) ? intval($_SESSION['user_id']) : 0);

 // Connect to database
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 $orders = [];
 $total_paid = 0;

--- a/modules/billing/register.php
+++ b/modules/billing/register.php
@ -12,7 +12,7 @@ require_once(__DIR__ . '/bootstrap.php');

 // Simple registration form (creates a user in {table_prefix}users with MD5 password)
 if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_POST['username']) && !empty($_POST['password'])) {
-    $db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+    $db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
    if ($db) {
        $username = trim($_POST['username']);
        $password = $_POST['password'];
--- a/modules/billing/renew_server.php
+++ b/modules/billing/renew_server.php
@ -19,7 +19,7 @@ require_once(__DIR__ . '/includes/log.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Connect to DB (use mysqli like other website modules)
-$db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = @mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    // fail silently and redirect back
    $back = $_SERVER['HTTP_REFERER'] ?? 'my_account.php';
--- a/modules/billing/reset_password.php
+++ b/modules/billing/reset_password.php
@ -14,7 +14,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/server_status.php
+++ b/modules/billing/server_status.php
@ -11,7 +11,7 @@
 require_once(__DIR__ . '/bootstrap.php');

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/serverlist.php
+++ b/modules/billing/serverlist.php
@ -22,7 +22,7 @@ require_once(__DIR__ . '/bootstrap.php');
 /** @var string $table_prefix Table prefix for database tables */

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/test_db_connection.php
+++ b/modules/billing/test_db_connection.php
@ -14,7 +14,7 @@
 require_once(__DIR__ . '/bootstrap.php');

 // Create database connection
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    die("Connection failed: " . mysqli_connect_error());
 }
--- a/modules/billing/timestamp.txt
+++ b/modules/billing/timestamp.txt
@ -1 +1 @@
-Last Updated at 12:49pm on 2026-02-05
+Last Updated at 1:15pm on 2026-02-05
--- a/modules/billing/tools/check_db_user.php
+++ b/modules/billing/tools/check_db_user.php
@ -1,6 +1,6 @@
 <?php
 require_once(__DIR__ . '/../includes/config_loader.php');
-$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name);
+$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
 if (!$db) {
    echo "DB connect failed: " . mysqli_connect_error() . PHP_EOL;
    exit(1);