Post by safa-blm » Thu Mar 25, 2021 4:59 pm

Hello all,
I'm trying to create an advanced order search page for admin, I'm not familiar with MVC so I'm using basic php, the page is basically giving me the option to search for orders by Name, Email, Phone, Country, Order Status and soon will add City.
And I'll add more features such as changing the order status by a click of a button and adding comments to order history.

So far everything works just find and as I want it except for 2 challenges I need your help with:
1- Prevent accessing the page if not logged as admin.
If you can help me with a workaround to redirect the user to login page if he/she not logged in as admin

2- Get user token to be able to redirect to order details page when clicking on the order id.
I just need to get the value of current user_token (

Code: Select all

$this->session->data['user_token']
) so my link will be something like

Code: Select all

$url = "http://mydomain.com/admin/index.php?route=sale/order/user_token=". $GLOBALS['user_token'] ."&info&order_id="; 
My version is: 3.0.3.2

Here is my code:

Code: Select all


<?php  
require $_SERVER['DOCUMENT_ROOT']."/store2/admin/controller/sale/order_search.php";
$GLOBALS['totalrows'] = "";

function getConnection(){

$GLOBALS['varServerName'] = "localhost";
$GLOBALS['varUsername'] = "root";
$GLOBALS['varPassword'] = "";
$GLOBALS['varDatabase'] = "mystoredatabase";

}

?>

<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset="UTF-8" />
<title>BLM | Order Search</title>

<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=no, minimum-scale=1.0, maximum-scale=1.0" />
<script type="text/javascript" src="../../javascript/jquery/jquery-2.1.1.min.js"></script>
<script type="text/javascript" src="../../javascript/bootstrap/js/bootstrap.min.js"></script>
<link href="../../stylesheet/bootstrap.css" type="text/css" rel="stylesheet" />
<link href="../../javascript/font-awesome/css/font-awesome.min.css" type="text/css" rel="stylesheet" />
<script src="../../javascript/jquery/datetimepicker/moment/moment.min.js" type="text/javascript"></script>
<script src="../../javascript/jquery/datetimepicker/moment/moment-with-locales.min.js" type="text/javascript"></script>
<script src="../../javascript/jquery/datetimepicker/bootstrap-datetimepicker.min.js" type="text/javascript"></script>
<link href="../../javascript/jquery/datetimepicker/bootstrap-datetimepicker.min.css" type="text/css" rel="stylesheet" media="screen" />
<link type="text/css" href="../../stylesheet/stylesheet.css" rel="stylesheet" media="screen" />

<script src="../../javascript/common.js" type="text/javascript"></script>

</head>
<body>
<div id="container">
<header id="header" class="navbar navbar-static-top">
  <div class="container-fluid">

  
    <div id="header-logo" class="navbar-header"><a href="myurl/admin" class="navbar-brand"><img src="../../image/logo.png" alt="{{ heading_title }}" /></a></div>
    <a href="#" id="button-menu" class="hidden-md hidden-lg"><span class="fa fa-bars"></span></a>
    
    </div>
</header>

<div id="content">
<div class="page-header">
  <div class="container-fluid">
    <div class="pull-left">
    <h1>Order Search</h1>
  </div>
</div></div>

<form method="POST">

<div class="container-fluid">

<div class="col-md-11 col-md-offset-1">

<div class="col-md-1">
<input class="form-control" name="txt_order_search" id="txt_order_search" placeholder="Order ID"/>
</div>

<div class="col-md-2">
<input class="form-control" name="txt_name_search" id="txt_name_search" placeholder="First Name" />
</div>

<div class="col-md-2">
<input class="form-control" name="txt_email_search" id="txt_email_search" placeholder="Email" />
</div>

<div class="col-md-2">
<input class="form-control" name="txt_phone_search" id="txt_phone_search" placeholder="Phone" />
</div>

<div class="col-md-2">
<select class='select2 form-control custom-select' style='width: 100%; height:36px;' name='ddl_country' id='ddl_country'>
<option value='-1' >--- Country ---</option>
<?php

getConnection();

$conn = new mysqli($GLOBALS['varServerName'], $GLOBALS['varUsername'], $GLOBALS['varPassword'], $GLOBALS['varDatabase']); 

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT oc_country.country_id, oc_country_description.name FROM oc_country INNER JOIN oc_country_description ON oc_country.country_id = oc_country_description.country_id WHERE  (oc_country_description.language_id = 1) AND (oc_country.status = 1) ORDER BY oc_country_description.language_id";

$result = $conn->query($sql);

if ($result->num_rows > 0) {

while($row = $result->fetch_assoc()) {

   $select_attribute = ''; 
   if ( $row["country_id"] == $selected_value ) { 
        $select_attribute = ' selected'; 
    } 
   
echo "<option value='".$row["country_id"]. " '".$select_attribute.">" . $row["name"] . "</option>";

}
} else {
echo "<option> -- none -- </option>";


}

echo "Error in ".$query."<br>".$db->error;

$conn->close();


?>
</select>
</div>

<div class="col-md-2">
<select class='select2 form-control custom-select' style='width: 100%; height:36px;' name='ddl_order_status' id='ddl_order_status'>
<option value='-1' >--- Status ---</option>
<?php

getConnection();

$conn = new mysqli($GLOBALS['varServerName'], $GLOBALS['varUsername'], $GLOBALS['varPassword'], $GLOBALS['varDatabase']); 

// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}

$sql = "SELECT order_status_id, name FROM oc_order_status WHERE (language_id = 1) ORDER BY name ASC";

$result = $conn->query($sql);

if ($result->num_rows > 0) {

while($row = $result->fetch_assoc()) {

   $select_attribute = ''; 
   if ( $row["order_status_id"] == $selected_value ) { 
        $select_attribute = ' selected'; 
    } 
   
echo "<option value='".$row["order_status_id"]. " '".$select_attribute.">" . $row["name"] . "</option>";

}
} else {
echo "<option> -- none -- </option>";


}

echo "Error in ".$query."<br>".$db->error;

$conn->close();


?>
</select>
</div>

<div class="col-md-1">
<button type="submit" id="btn_search" name="btn_search" title="Search" class="btn btn-info"><i class="fa fa-search"></i></button>
</div>

</div>

</div>

</div>

<div class="col-md-9 col-md-offset-1 col-sm-12">
      <div class="panel panel-default">
        <div class="panel-heading">
          <h3 class="panel-title"><i class="fa fa-list"></i> Order List <?php echo $GLOBALS['totalrows'] ?></h3>
        </div>
        <div class="panel-body">
          

        <table class="table table-bordered table-hover" id="tbl_main">
         <thead>
            <tr>
               <th scope="col">Order ID</th>   
               <th scope="col">First Name</th>
               <th scope="col">Last Name</th>
               <th scope="col">Email</th>
               <th scope="col">Telephone</th>
               <th scope="col">Country</th>
               <th scope="col">Order Status</th>
               <th scope="col">Order Date</th>
               <th scope="col">Payment Code</th>

            </tr>
         </thead>
         <tbody>

<?php

function getColor($orderstatis) {

    $classValue = "background-color:#";

    switch ($orderstatis) {
        case 1: // Pending
            return $classValue = $classValue . "e9f77e";
            break;
        case 2: // Processing
            return $classValue = $classValue . "58c5c7";
            break;          
        case 3: // Shipped
            return $classValue = $classValue . "9be8ba";
            break;             
        case 5: // complete
            return $classValue = $classValue . "42f57e";
            break;
        case 7: // Canceled
            return $classValue = $classValue . "cacfcc";
            break;
      }
}

if (array_key_exists('btn_search', $_POST)) {

    load_data();

}

function load_data() {

    getConnection();

    $conn = new mysqli($GLOBALS['varServerName'], $GLOBALS['varUsername'], $GLOBALS['varPassword'], $GLOBALS['varDatabase']); 

// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
    }
    
    //txt_order_search
    //txt_pname_search txt_name_search txt_email_search txt_phone_search ddl_country
    
    if ($_POST['txt_order_search']){
        $qOrderID = " AND (oc_order.order_id = ". $_POST['txt_order_search'] .")";} else {$qOrderID = "";}

    if ($_POST['txt_name_search']){
        $qName = " AND CONCAT(oc_order.firstname, ' ', oc_order.lastname) LIKE '%" . $_POST['txt_name_search'] . "%'";} else {$qName = "";}

    if ($_POST['txt_email_search']){
        $qEmail = " AND (oc_order.email LIKE '%" . $_POST['txt_email_search'] . "%')";} else {$qEmail = "";}

    if ($_POST['txt_phone_search']){
        $qPhone = " AND (oc_order.telephone LIKE '%" . $_POST['txt_phone_search'] . "%')";} else {$qPhone = "";}
    
    if ($_POST['ddl_country'] >= 1){
        $qCountry = " AND (oc_country.country_id = " . $_POST['ddl_country'] . ")";} else {$qCountry = "";}

    if ($_POST['ddl_order_status'] >= 1){
        $qStatus = " AND (oc_order_status.order_status_id = " . $_POST['ddl_order_status'] . ")";} else {$qStatus = "";}

    $qWhere = " WHERE (oc_order_status.language_id = 1) ". $qOrderID . $qName . $qEmail . $qPhone . $qCountry . $qStatus;
    $sql = "SELECT oc_order.order_id, oc_country.name AS CountryName, oc_order.firstname AS order_FirstName, oc_order.lastname AS order_LastName, oc_order.email AS order_Email, oc_order.telephone, oc_order.payment_code, oc_order_status.name AS OrderStatus, oc_order.date_added, oc_order_status.language_id,oc_order_status.order_status_id, oc_country.country_id FROM oc_country INNER JOIN oc_order ON oc_country.country_id = oc_order.payment_country_id INNER JOIN oc_order_status ON oc_order.order_status_id = oc_order_status.order_status_id" . $qWhere;
    
    //echo $sql;

    $result = $conn->query($sql);

    $GLOBALS['totalrows'] = "(".$result->num_rows.")";
    $url = "http://192.168.208.144/store2/admin/index.php?route=sale/order/user_token=". $GLOBALS['user_token'] ."&info&order_id=";
    if ($result->num_rows > 0) {
    while($row = $result->fetch_assoc()) {
    
     echo "<tr><td scope='row'>" .
     "<a target='_blank' style='display: block; text-align: center;' href='" . $url . $row["order_id"] . "'>" . $row["order_id"] ."</a></td>" .
     "<td>" . $row["order_FirstName"] . "</td>" .
     "<td>" . $row["order_LastName"] . "</td>" .
     "<td>" . $row["order_Email"] . "</td>" .
     "<td>" . $row["telephone"] . "</td>" .
     "<td>" . $row["CountryName"] . "</td>" .
     "<td style='". getColor($row["order_status_id"]) ."' >" . $row["OrderStatus"] . "</td>" .
     "<td>" . $row["date_added"] . "</td>" .
     "<td>" . $row["payment_code"] . "</td>" .
     "</tr>";

    }
    } else {
    echo "<tr><td colspan='9' scope='row'><strong><center>No Results.</center></strong></td></tr>";
    }
    $conn->close();
}

?>

</tbody>
      </table>
          
        </div>
      </div>
    </div>

</form>

Last edited by safa-blm on Wed Mar 31, 2021 2:51 pm, edited 1 time in total.

Newbie

Posts

Joined
Thu Dec 24, 2020 6:13 pm

Post by sw!tch » Thu Mar 25, 2021 5:31 pm

Suggest you take the time and do a proper implementation, plenty of info here and members to help if you get stuck.

I am not seeing anything in your code to protect against SQL injection, validation, etc .

Full Stack Web Developer :: Send a PM for Custom Work.
Backup and learn how to recover before you make any changes!


Active Member

Posts

Joined
Sat Apr 28, 2012 2:32 pm
Location - USA

Post by safa-blm » Thu Mar 25, 2021 5:47 pm

sw!tch wrote:
Thu Mar 25, 2021 5:31 pm
Suggest you take the time and do a proper implementation, plenty of info here and members to help if you get stuck.
Thanks for your reply, this is the problem I don't have much time so that's why I created this by simple php.
sw!tch wrote:
Thu Mar 25, 2021 5:31 pm
I am not seeing anything in your code to protect against SQL injection, validation, etc .
You are totally correct, but it's mostly going to be used by me or someone from our team, as for the SQL injection it won't be an issue as I'll handle them when I get everything works as intended.

Newbie

Posts

Joined
Thu Dec 24, 2020 6:13 pm

Post by paulfeakins » Thu Mar 25, 2021 7:05 pm

safa-blm wrote:
Thu Mar 25, 2021 5:47 pm
Thanks for your reply, this is the problem I don't have much time so that's why I created this by simple php.
I was going to say the same as sw!tch, MVC really isn't hard to understand, just look at any other simple extension and it should all make sense really. You'll save time in the long run by doing it properly.

safa-blm wrote:
Thu Mar 25, 2021 5:47 pm
You are totally correct, but it's mostly going to be used by me or someone from our team, as for the SQL injection it won't be an issue as I'll handle them when I get everything works as intended.
That's no excuse! Again, look at how the core OpenCart code sanitises database inputs.

For quick, professional OpenCart support please email info@antropy.co.uk


User avatar
Guru Member

Posts

Joined
Mon Aug 22, 2011 11:01 pm
Location - Reigate, Surrey, United Kingdom

Post by safa-blm » Tue Mar 30, 2021 1:51 pm

Thank you for your reply guys.
I think you are right, I'll not create anything from scratch, therefor I have decided to try to implement my changes in Order list page.

I have created a new topic discussing the how to edit the current filter in order list.
viewtopic.php?f=202&t=223206

Newbie

Posts

Joined
Thu Dec 24, 2020 6:13 pm
Who is online

Users browsing this forum: No registered users and 17 guests