fix: address code review - prepared stmt, first-radio auto-select, remove unused var, clarify comment

Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/4a9c8aab-3782-44a8-a5e4-01b50a813cc0

Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>

modules/billing/adminserverlist.php

@@ -71,7 +71,6 @@ if (isset($_POST['save_matrix'])) {
 
         $price_col = $period === 'daily' ? 'price_daily' : ($period === 'yearly' ? 'price_year' : 'price_monthly');
         $base_esc   = $db->real_escape_string($base_price);
-        $period_esc = $db->real_escape_string($period);
 
         $db->query(
             "UPDATE `{$table_prefix}billing_services`
@@ -88,23 +87,29 @@ if (isset($_POST['save_matrix'])) {
         $allServerIds[] = (int)$rsRow['remote_server_id'];
     }
 
+    $stmt = $db->prepare(
+        "INSERT INTO `{$table_prefix}billing_service_remote_servers`
+            (service_id, remote_server_id, enabled, override_price)
+         VALUES (?, ?, ?, ?)
+         ON DUPLICATE KEY UPDATE
+            enabled        = VALUES(enabled),
+            override_price = VALUES(override_price)"
+    );
     foreach ((array)$postedServices as $sid => $ignored) {
         $sid = (int)$sid;
         foreach ($allServerIds as $rid) {
             $mapEnabled = isset($postedMappings[$sid][$rid]['enabled']) ? 1 : 0;
             $ovRaw      = $postedMappings[$sid][$rid]['override_price'] ?? '';
-            $override   = (trim($ovRaw) === '') ? 'NULL' : "'" . $db->real_escape_string(number_format((float)$ovRaw, 2, '.', '')) . "'";
-
-            $db->query(
-                "INSERT INTO `{$table_prefix}billing_service_remote_servers`
-                    (service_id, remote_server_id, enabled, override_price)
-                 VALUES ({$sid}, {$rid}, {$mapEnabled}, {$override})
-                 ON DUPLICATE KEY UPDATE
-                    enabled        = VALUES(enabled),
-                    override_price = VALUES(override_price)"
-            );
+            $ovPrice    = (trim($ovRaw) === '') ? null : number_format((float)$ovRaw, 2, '.', '');
+            if ($stmt) {
+                $stmt->bind_param('iisd', $sid, $rid, $mapEnabled, $ovPrice);
+                $stmt->execute();
+            }
         }
     }
+    if ($stmt) {
+        $stmt->close();
+    }
 
     $flash[] = "Matrix saved successfully.";
 }

modules/billing/module.php

@@ -173,7 +173,8 @@ $install_queries[1] = array(
     ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;"
 );
 
-// Version 3: Add override_price to service-to-server mapping table
+// Version 3 (array index 2, because install_queries is zero-indexed starting from version 1):
+// Add override_price to service-to-server mapping table
 $install_queries[2] = array(
     "ALTER TABLE `".OGP_DB_PREFIX."billing_service_remote_servers` ADD COLUMN `override_price` DECIMAL(10,2) NULL AFTER `enabled`"
 );

modules/billing/order.php

@@ -201,12 +201,15 @@ if ($row['price_monthly'] == 0.0) {
 			               ORDER BY r.remote_server_name";
 			$mappedResult = $db->query($mappedQuery);
 			if ($mappedResult) {
+				$firstServer = true;
 				while ($rs = $mappedResult->fetch_assoc()) {
-					$rsID   = (int)$rs['remote_server_id'];
-					$rsNAME = htmlspecialchars((string)$rs['remote_server_name'], ENT_QUOTES, 'UTF-8');
+					$rsID    = (int)$rs['remote_server_id'];
+					$rsNAME  = htmlspecialchars((string)$rs['remote_server_name'], ENT_QUOTES, 'UTF-8');
+					$checked = $firstServer ? ' checked' : '';
 					$available_server = true;
+					$firstServer = false;
 					echo "<div>\n"
-					   . "  <input type='radio' name='ip_id' id='rs_{$rsID}' value='{$rsID}' required>\n"
+					   . "  <input type='radio' name='ip_id' id='rs_{$rsID}' value='{$rsID}' required{$checked}>\n"
 					   . "  <label for='rs_{$rsID}'>{$rsNAME}</label>\n"
 					   . "</div>\n";
 				}