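<?php
session_start();

//Declare all variables here
$books_r = array();

include ("global.inc.php");
include("connection.inc.php");
display_page_header("Eklavya Publications Order Summary");

//Make sure we are coming here from the order form page.
//The order form posts qty[<book key>] = <quantity string>; a missing or
//non-array "qty" is not an order form submission.
if (!isset($_POST["qty"]) || !is_array($_POST["qty"]))
	die ("Click <a href='http://www.eklavya.in/order'>here</a> to create an order form");

//Read POSTed quantities (only the "qty" array is used; the rest of $_POST is ignored here)
$qty_r = $_POST["qty"];

//... and validate quantities (must be whole numbers, 0 or more).
//Every value is untrusted input; the trimmed, validated string is written
//back into $qty_r so the rest of the page only ever sees the checked form.
foreach ($qty_r as $key => $qty) {
	if (!is_scalar($qty))
		die ("Quantity must be a number!");
	$qty = trim((string) $qty);
	if ($qty === "") {
		$qty_r[$key] = "";
		continue;
	}
	if (!is_numeric($qty))
		die ("Quantity must be a number!");
	//ctype_digit() rejects signs, decimals and exponents, so only 0..9 strings get through
	if ($qty < 0 or !ctype_digit($qty))
		die ("Sorry, we do not take orders for <strong>" . htmlspecialchars($qty, ENT_QUOTES, 'UTF-8') . "</strong> books! :-)");
	$qty_r[$key] = $qty;
}

# Get states
$country_id = INDIA;
$StateArray = get_states($country_id);

//Fetch the book list (book category, book name, price) into an array-----------
include ("books.inc.php");
$numBooks = count($books_r);

//Every posted key must name a book from books.inc.php; otherwise the summary
//below would index $books_r with client-chosen keys.
foreach (array_keys($qty_r) as $key) {
	if (!array_key_exists($key, $books_r))
		die ("Unknown book in the order. Click <a href='http://www.eklavya.in/order'>here</a> to create a fresh order form");
}

//Customer/shipping form defaults. The keys double as the whitelist of
//variables the remembered cookie is allowed to pre-fill below.
$form_defaults = array(
	'CustName' => '', 'CustLastName' => '', 'CustCompanyName' => '',
	'CustAddr' => '', 'CustStreet' => '', 'CustTaluka' => '',
	'CustDist' => '', 'CustState' => '',
	'CustPin' => '', 'CustEmail' => '', 'CustSTD' => '', 'CustPhone' => '', 'CustMobile' => '',
	'CustWebsite' => '', 'CustNote' => '',
	'order_is_payment_online' => '1', 'send_order_copy_to_cust' => 1,
	'OrderShiptoName' => '', 'OrderShiptoSurname' => '', 'OrderShiptoCompanyName' => '',
	'OrderShiptoAddr1' => '', 'OrderShiptoAddr2' => '', 'OrderShiptoAddr3' => '',
	'OrderShiptoCity' => '', 'OrderShiptoState' => '',
	'OrderShiptoPincode' => '', 'OrderShiptoEmail' => '', 'OrderShiptoSTD' => '',
	'OrderShiptoPhone' => '', 'OrderShiptoMobile' => '',
);
foreach ($form_defaults as $name => $default) {
	$$name = $default;
}

//Pre-fill the form from the remembered cookie. The cookie is client-controlled,
//so only the whitelisted names above may be assigned: the old unconditional
//"$$key = ..." let a crafted cookie overwrite any variable in this scope
//($qty_r, $books_r, $StateArray, even $_SESSION).
$array = getFromCoockies();
if (is_array($array)) {
	foreach ($array AS $key => $val) {
		if (!array_key_exists($key, $form_defaults) || !is_scalar($val))
			continue;
		//stripcslashes() is kept because that is how the stored values are undone
		//today; stripslashes() may be what was meant -- confirm against the code
		//that writes the cookie.
		$$key = stripcslashes((string) $val);
	}
}
//Display order summary----------------------------------------------------------
?>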
<div id="content_box">
	<h3>Eklavya Publications - Order Summary</h3>
	<table cellspacing="2" cellpadding="2">
	<tr>
		<th>Book Title</th>
		<th>Price (Rs.)</th>
		<th>Quantity</th>
		<th>Amount (Rs.)</th>
	</tr>
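	<?php
	//Running totals for the summary table and the emailer payload
	$gr_total = 0;            //sum of all line totals
	$magazine_cost = 0;       //part of $gr_total that is magazine subscriptions (no postage)
	$order = array();         //one [title, price, qty, line total] entry per ordered line, for the email
	$order_has_magazines = 0; //1 when at least one subscription line is present
	foreach ($qty_r as $key => $qty)
	{
		//Blank quantities mean "not ordered". Keys the book list does not know
		//are skipped as well instead of indexing $books_r blindly.
		if (trim((string) $qty) === "" || !isset($books_r[$key]))
			continue;

		$book = $books_r[$key];
		$total = $qty * $book["price"];
		if ($book["category"] == CATEGORY_SUBSCRIPTION) {
			//Magazine subscriptions carry no postage, so their cost is tracked
			//separately. Both statements belong to the if: the old code had no
			//braces, so the flag was set for every line, not only for magazines.
			$magazine_cost += $total;
			$order_has_magazines = 1;
		}
		?>
		<tr>
			<td><?php
			//Titles come from books.inc.php; escaped without double-encoding so
			//entities already present in a title survive.
			print htmlspecialchars($book["title"], ENT_QUOTES, 'UTF-8', false);
			if (isset($book["isnew"]) && $book["isnew"] == 1) {
				?><img src="new_book.gif" alt="New item icon" title="New item"><?php
			}
			?></td>
			<td class="amt"><?php print $book["price"] ?></td>
			<td class="amt"><?php print htmlspecialchars((string) $qty, ENT_QUOTES, 'UTF-8') ?></td>
			<td class="amt"><?php print $total ?></td>
		</tr>
		<?php
		$gr_total += $total;

		//Simultaneously build an array for sending the email
		$order[] = array($book["title"], $book["price"], $qty, $total);
	}
	# Added by - kaustubh dated 10 Feb 2011
	# ceil the total.
	?>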
	<tr>
		<td colspan='3' style='text-align: right; font-weight: bold;'>Total</td>
		<td class="amt" style='font-weight: bold;'><?php print ceil($gr_total) ?></td>
	</tr>
	
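	<?php
	//Compute the postage charges
	$postage = 0;

	/*	updated by ketan 7 sept 2011 for Postage value problem
			Since magazine subscription has no postage, the magazine cost must be subtracted from grand total - in order to
			calculate postage.
	*/
	//$magazine_cost is 0 when the order has no subscription lines, so the
	//subtraction is right in both cases and no flag test is needed. (The old
	//`if ($order_has_magazines = 1)` was an assignment, i.e. always true.)
	$gr_total_without_mag = $gr_total - $magazine_cost;

	# if the order contains titles other than magazines and also if grand total is below Rs. 500, then add postage
	# NOTE(review): the outer bound tests $gr_total while the 30/50 split below
	# tests $gr_total_without_mag, so an order of cheap books plus enough
	# subscriptions to push the grand total past 500 gets no postage. Kept
	# as-is because it may be intended (large orders ship free); confirm which
	# total the rule is meant to use.
	if ($gr_total_without_mag != 0 and $gr_total <= 500)
	{
		# up to Rs. 300: 30 rupees postage; Rs. 301 to 500: 50 rupees
		$postage = ($gr_total_without_mag <= 300) ? 30 : 50;
		?>
		<tr>
			<td colspan='3' style='text-align: right; font-weight: bold;'>Postage </td>
			<td class="amt" style='font-weight: bold;'><?php print $postage ?></td>
		</tr>
		<tr>
			<td colspan='3' style='text-align: right; font-weight: bold;'>Total payable</td>
			<td class="amt" style='font-weight: bold;'><?php print ceil($gr_total+$postage) ?></td>
		</tr>
	<?php
	}
	?>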
	</table>
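	<?php
	//HTML summary rows. Nothing on this page prints $total_s; it is kept in case
	//a later include reads it -- confirm before removing.
	$total_s = '<tr><td colspan="2">Total</td><td>Rs. '.ceil($gr_total).'</td></tr>';
	if ($postage != 0) {
		$total_s .= '<tr><td colspan="2">Postage</td><td>Rs. '.ceil($postage).'</td></tr>';
		$total_s .= '<tr><td colspan="2">Amount payable</td><td>Rs. '.ceil($gr_total+$postage).'</td></tr>';
	}
	//(The former `$total .= $total_s;` glued this HTML onto the last line total
	//left over from the summary loop; nothing read the result, so it is dropped.)

	//Serialize the order data array so it can be passed to the emailer script.
	//It travels through the server-side session only, never through the form,
	//so the client cannot edit it; the emailer should treat $_SESSION['myorder']
	//as the authoritative order rather than the hidden grtotal/postage fields.
	$order = serialize($order);
	$_SESSION['myorder'] = $order;
	?>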
	<p class="fp_note">Note: To add or remove books, please click the BACK button in your browser,<br>
	make modifications to the Order form and click Submit again</p>
	<?php 
	
	//Display contact form--------------------------------------------------------
	?>
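	<form enctype='multipart/form-data' action='process.php' method='post' onsubmit="return validateContact(this)">
	<?php
	//The order itself reaches process.php through $_SESSION['myorder']. These two
	//hidden fields are display copies the client can edit, so process.php must
	//recompute the totals from the session instead of trusting them.
	?>
	<input name="grtotal" type="hidden" value="<?php print ceil($gr_total) ?>">
	<input name="postage" type="hidden" value="<?php print ceil($postage) ?>">
	<br>
	<h4>Customer details</h4>
	<p style="margin-bottom: 0;">Fields marked with * are mandatory</p>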
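	<table cellspacing='2' width='60%' cellpadding='5'>
	<?php
	//Every value below is pre-filled from the customer's cookie (see the
	//getFromCoockies() loop above), i.e. client-controlled, so each one is
	//HTML-escaped before it is placed in an attribute.
	?>
	<tr>
		<td>First Name *</td><td><input type="text" name="CustName" id="CustName" size="50" maxlength="50" value="<?php echo htmlspecialchars($CustName, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Last Name *</td><td><input type="text" name="CustLastName" id="CustLastName" size="50" maxlength="50" value="<?php echo htmlspecialchars($CustLastName, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Company Name</td><td><input type="text" name="CustCompanyName" id="CustCompanyName" size="50" maxlength="150" value="<?php echo htmlspecialchars($CustCompanyName, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Address/House No. *</td><td><input type="text" name="CustAddr" id="CustAddr" size="50" maxlength="200" value="<?php echo htmlspecialchars($CustAddr, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Street/Village</td><td><input type="text" name="CustStreet" id="CustStreet" size="50" maxlength="200" value="<?php echo htmlspecialchars($CustStreet, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Area/Taluka</td><td><input type="text" name="CustTaluka" id="CustTaluka" size="25" maxlength="200" value="<?php echo htmlspecialchars($CustTaluka, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>City/District *</td><td><input type="text" name="CustDist" id="CustDist" size="25" maxlength="50" value="<?php echo htmlspecialchars($CustDist, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>State *</td>
		<td>
				<select name="CustState" id="CustState">
				<option value="">Please select</option>
				<?php
				//$StateArray comes from get_states(): key = stored state id,
				//value = display name. Compared as strings so an empty
				//$CustState never matches a 0 key.
				foreach ($StateArray AS $key => $val)
				{
					echo '<option value="'.htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8').'"';
					if ((string) $CustState === (string) $key) echo ' selected="selected"';
					echo '>'.htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8').'</option>';
				}
				?>
				</select>
		</td>
	</tr>
	<tr>
		<td>Pin code *</td><td><input type="text" name="CustPin" id="CustPin" size="10" maxlength="6" value="<?php echo htmlspecialchars($CustPin, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Email Address *</td><td><input type="text" name="CustEmail" id="CustEmail" size="50" maxlength="150" value="<?php echo htmlspecialchars($CustEmail, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Website/Blog</td><td><input type="text" name="CustWebsite" id="CustWebsite" size="50" maxlength="100" value="<?php echo htmlspecialchars($CustWebsite, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Phone (STD code + Number) *</td>
		<td><input type="text" name="CustSTD" id="CustSTD" size="7" maxlength="6" value="<?php echo htmlspecialchars($CustSTD, ENT_QUOTES, 'UTF-8'); ?>">
		<input type="text" name="CustPhone" id="CustPhone" size="15" maxlength="10" value="<?php echo htmlspecialchars($CustPhone, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Mobile number</td>
		<td><input type="text" name="CustMobile" id="CustMobile" size="15" value="<?php echo htmlspecialchars($CustMobile, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	</table>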
	<br>
	<h4>Shipping details</h4>
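	<table cellspacing='2' width='60%' cellpadding='5'>
	<?php
	//Shipping values are pre-filled from the same client-controlled cookie as
	//the customer details, so every echo below is HTML-escaped.
	?>
	<tr>
		<td colspan="2"><input type="button" name="SameAsAbove" id="SameAsAbove" value="Click to copy customer details" onclick="CopyShippingDtls()" /></td>
	</tr>
	<tr>
		<td>First Name *</td><td><input type="text" name="OrderShiptoName" id="OrderShiptoName" size="50" maxlength="50" value="<?php echo htmlspecialchars($OrderShiptoName, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Last Name *</td><td><input type="text" name="OrderShiptoSurname" id="OrderShiptoSurname" size="50" maxlength="50" value="<?php echo htmlspecialchars($OrderShiptoSurname, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Company Name</td><td><input type="text" name="OrderShiptoCompanyName" id="OrderShiptoCompanyName" size="50" maxlength="150" value="<?php echo htmlspecialchars($OrderShiptoCompanyName, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Address/House No. *</td><td><input type="text" name="OrderShiptoAddr1" id="OrderShiptoAddr1" size="50" maxlength="200" value="<?php echo htmlspecialchars($OrderShiptoAddr1, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Street/Village</td><td><input type="text" name="OrderShiptoAddr2" id="OrderShiptoAddr2" size="50" maxlength="200" value="<?php echo htmlspecialchars($OrderShiptoAddr2, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Area/Taluka</td><td><input type="text" name="OrderShiptoAddr3" id="OrderShiptoAddr3" size="25" maxlength="200" value="<?php echo htmlspecialchars($OrderShiptoAddr3, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>City/District *</td><td><input type="text" name="OrderShiptoCity" id="OrderShiptoCity" size="25" maxlength="50" value="<?php echo htmlspecialchars($OrderShiptoCity, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>State *</td>
		<td>
				<select name="OrderShiptoState" id="OrderShiptoState">
				<option value="">Please select</option>
				<?php
				//Pre-select the remembered *shipping* state. The old loop compared
				//against $CustState, so the shipping list always mirrored the
				//customer state instead of the stored OrderShiptoState.
				foreach ($StateArray AS $key => $val)
				{
					echo '<option value="'.htmlspecialchars((string) $key, ENT_QUOTES, 'UTF-8').'"';
					if ((string) $OrderShiptoState === (string) $key) echo ' selected="selected"';
					echo '>'.htmlspecialchars((string) $val, ENT_QUOTES, 'UTF-8').'</option>';
				}
				?>
				</select>
		</td>
	</tr>
	<tr>
		<td>Pin code *</td><td><input type="text" name="OrderShiptoPincode" id="OrderShiptoPincode" size="10" maxlength="6" value="<?php echo htmlspecialchars($OrderShiptoPincode, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Email Address *</td><td><input type="text" name="OrderShiptoEmail" id="OrderShiptoEmail" size="50" maxlength="150" value="<?php echo htmlspecialchars($OrderShiptoEmail, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Phone (STD code + Number) *</td>
		<td><input type="text" name="OrderShiptoSTD" id="OrderShiptoSTD" size="7" maxlength="6" value="<?php echo htmlspecialchars($OrderShiptoSTD, ENT_QUOTES, 'UTF-8'); ?>">
		<input type="text" name="OrderShiptoPhone" id="OrderShiptoPhone" size="15" maxlength="10" value="<?php echo htmlspecialchars($OrderShiptoPhone, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr>
		<td>Mobile number</td>
		<td><input type="text" name="OrderShiptoMobile" id="OrderShiptoMobile" size="15" value="<?php echo htmlspecialchars($OrderShiptoMobile, ENT_QUOTES, 'UTF-8'); ?>"></td>
	</tr>
	<tr><td style="background:#fff;" colspan="2">&nbsp;</td></tr>
	<tr>
		<td style="vertical-align:top;">Special instructions</td>
		<td><textarea cols="37" rows="3" name="CustNote" id="CustNote"><?php echo htmlspecialchars($CustNote, ENT_QUOTES, 'UTF-8'); ?></textarea></td>
	</tr>
	<tr>
		<td colspan="2"><input type="checkbox" name="AvoidCoockieStorage" id="AvoidCoockieStorage" value="yes">&nbsp;<b>Do not save my details, I'm sitting in a public place like a Netcafe</b></td>
	</tr>
	</table>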
	<div class="fp_note">
		<p>Please note:</p>
		<ul>
			<li>On receiving order email, consignment will be dispatched within 3 days by courier/cargo or Express Parcel Post.</li>
			<li>In case of non-receipt of books within 10 days, please send a reminder at [email protected].</li>
			<li>Consignment will also contain a bill.</li>
			<li>If you haven't sent advance payment, do so as soon as the material reaches.</li>
			<li>Kindly send payments in favour of Eklavya, Bhopal by Demand Draft/Cheque at par/Money Order.</li>
			<li>Receipt will be sent on arrival of DD/Cheque/MO.</li>
		</ul>
	</div>
	<br>
	<input type="submit" value="Pay Online" name="order_is_payment_online[]" />&nbsp;
	<input type="submit" value="Pay Offline" name="order_is_payment_online[]" />
	</form>
</div><!-- End of content_box -->
</body>
</html>
