fix: address code review issues - bind_param types, path ltrim, secrets sanitization

Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/5bfe8731-c37a-4f7b-a5c7-fbc0393ae134 Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
2026-05-06 16:46:32 +00:00 · 2026-05-06 16:46:32 +00:00 · 5766b86034
commit 5766b86034
parent 0fcdda2ee3
3 changed files with 8 additions and 4 deletions
--- a/modules/billing/admin_config.php
+++ b/modules/billing/admin_config.php
@ -634,8 +634,7 @@ rsort($bakFiles); // newest first
  $diag_lv_wh_set    = ($cfgVals['paypal_live_webhook_id']       ?? '') !== '';
  $diag_wh_path      = '/' . ltrim((string)($cfgVals['paypal_webhook_path'] ?? '/paypal/webhook.php'), '/');
  $diag_wh_full_url  = $computedWebhookUrl;
-  // Correct disk path: billing module root + separator + webhook path (no leading slash)
-  $diag_wh_file      = rtrim(__DIR__, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . ltrim($diag_wh_path, '/\\');
+  $diag_wh_file      = rtrim(__DIR__, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR . ltrim($diag_wh_path, '/');
  $diag_wh_exists    = file_exists($diag_wh_file);

  // Active mode credential check
--- a/modules/billing/api/capture_order.php
+++ b/modules/billing/api/capture_order.php
@ -132,6 +132,11 @@ cap_log('CAPTURE_RESULT', ['success' => $capture['success'], 'txid' => $capture[

 if (!$capture['success']) {
    cap_log('CAPTURE_FAILED', $capture);
+    // Sanitize raw capture data before logging — never store secrets
+    $captureForLog = $capture;
+    foreach (['client_secret', 'access_token', 'refresh_token'] as $_sk) {
+        unset($captureForLog[$_sk]);
+    }
    $repo->logPaypalError([
        'context'         => 'capture_order',
        'error_code'      => $capture['error'] ?? 'capture_failed',
@ -139,7 +144,7 @@ if (!$capture['success']) {
        'paypal_debug_id' => $capture['debug_id'] ?? null,
        'order_id'        => $paypalOrderId,
        'user_id'         => $userId,
-        'raw_json'        => $capture,
+        'raw_json'        => $captureForLog,
    ]);
    ob_clean();
    echo json_encode([
--- a/modules/billing/classes/BillingRepository.php
+++ b/modules/billing/classes/BillingRepository.php
@ -340,7 +340,7 @@ class BillingRepository
            $rawJson = substr($rawJson, 0, 65536) . '…[truncated]';
        }
        $stmt->bind_param(
-            'sssssssss',
+            'ssssssiis',
            $context, $errorCode, $message, $debugId, $orderId, $captureId,
            $billingOrderId, $userId, $rawJson
        );