fix: address code review feedback — setStatus always defined, prepared stmt in checkout_free, better DB error message

Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/d18a8f6c-0715-46c4-9c97-94ec7e2a22fc

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot] 2026-05-05 19:09:23 +00:00 committed by GitHub
parent 73f125ea21
commit 2c1f87b54a
2 changed files with 21 additions and 14 deletions


@ -655,14 +655,18 @@ $siteBase = $protocol . $host;
</div> </div>
<?php endif; ?> <?php endif; ?>
<?php if ($final_amount > 0.00): ?>
<script> <script>
function setStatus(msg) { function setStatus(msg) {
const statusDiv = document.getElementById('status-message'); const statusDiv = document.getElementById('status-message');
statusDiv.textContent = msg; if (statusDiv) {
statusDiv.style.display = 'block'; statusDiv.textContent = msg;
statusDiv.style.display = 'block';
}
} }
</script>
<?php if ($final_amount > 0.00): ?>
<script>
paypal.Buttons({ paypal.Buttons({
createOrder: function(data, actions) { createOrder: function(data, actions) {
setStatus('Creating order...'); setStatus('Creating order...');
@ -740,7 +744,7 @@ $siteBase = $protocol . $host;
// Remove invoice via AJAX and perform a partial reload of the cart container // Remove invoice via AJAX and perform a partial reload of the cart container
function removeInvoice(invoiceId) { function removeInvoice(invoiceId) {
if (!confirm('Remove this item from your cart?')) return; if (!confirm('Remove this item from your cart?')) return;
if (typeof setStatus === 'function') setStatus('Removing item...'); setStatus('Removing item...');
var body = 'remove_invoice_ajax=1&invoice_id=' + encodeURIComponent(invoiceId); var body = 'remove_invoice_ajax=1&invoice_id=' + encodeURIComponent(invoiceId);
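Review bot: `setStatus` on the new side silently drops the message when `#status-message` is absent, so the now-unconditional `setStatus('Removing item...')` in `removeInvoice` (second hunk) and the PayPal `createOrder` callback give neither feedback nor a diagnostic if the element is ever missing from the markup; keeping the guard but adding `} else { console.warn('status-message element missing; dropped: ' + msg); }` makes that visible in devtools. Whether the element is rendered in every page state is not visible in this hunk. Keep `textContent` here rather than `innerHTML` — if any caller later passes server-returned text to `setStatus`, that choice is what stops it being interpreted as markup, and a comment such as `// textContent, not innerHTML: msg may carry server-returned text` would record the intent. `removeInvoice` continues outside the hunk.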


@ -32,22 +32,25 @@ if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
// DB connection // DB connection
$db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null); $db = mysqli_connect($db_host, $db_user, $db_pass, $db_name, isset($db_port) ? (int)$db_port : null);
if (!$db) { if (!$db) {
die('Database connection failed: ' . htmlspecialchars(mysqli_connect_error())); die('<p>Database connection failed. Please <a href="/order.php">return to the shop</a> or contact support.</p>');
} }
mysqli_set_charset($db, 'utf8mb4'); mysqli_set_charset($db, 'utf8mb4');
// Fetch unpaid invoices for this user // Fetch unpaid invoices for this user (prepared statement)
$invoices = []; $invoices = [];
$q = mysqli_query($db, "SELECT * FROM {$table_prefix}billing_invoices $stmt = mysqli_prepare($db, "SELECT * FROM {$table_prefix}billing_invoices
WHERE user_id = " . intval($userId) . " WHERE user_id = ?
AND (status = 'due' OR status = '') AND (status = 'due' OR status = '')
AND (payment_status IS NULL OR payment_status NOT IN ('paid','cancelled','refunded')) AND (payment_status IS NULL OR payment_status NOT IN ('paid','cancelled','refunded'))
ORDER BY invoice_id ASC"); ORDER BY invoice_id ASC");
if ($q) { if ($stmt) {
while ($row = mysqli_fetch_assoc($q)) { mysqli_stmt_bind_param($stmt, 'i', $userId);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
while ($row = mysqli_fetch_assoc($result)) {
$invoices[] = $row; $invoices[] = $row;
} }
mysqli_free_result($q); mysqli_stmt_close($stmt);
} }
if (empty($invoices)) { if (empty($invoices)) {
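Review bot: The return value of `mysqli_stmt_execute($stmt)` on the new side is never checked, so unless `mysqli_report()` is set to throw (not shown in this hunk) a failed execute leaves `$result` as `false`, the `while` line then calls `mysqli_fetch_assoc(false)` (a TypeError on PHP 8), or the script falls through to `if (empty($invoices))` with a database error indistinguishable from an empty cart — for a free-checkout path that is the wrong direction to fail in. Replace the execute line with `if (!mysqli_stmt_execute($stmt) || ($result = mysqli_stmt_get_result($stmt)) === false) { error_log('checkout_free: invoice lookup failed: ' . mysqli_stmt_error($stmt)); die('<p>Could not load your cart. Please <a href="/order.php">return to the shop</a> or contact support.</p>'); }` and drop the separate `$result =` assignment. The same applies to the connection hunk above: the new `die()` rightly stops echoing `mysqli_connect_error()` to the browser, but nothing records it now, so add `error_log('Database connection failed: ' . mysqli_connect_error());` before the `die`. `$table_prefix` is still interpolated into the SQL; that is acceptable only while it stays a server-side config value, which a short comment on the query could state. The enclosing script continues outside the hunk.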