Context Navigation

adminsettings.php

Revision 699, 15.3 KB (checked in by brieb, 2 years ago)
Added more severe checking for encrytion key file Added security tips on implementing payment encryption Added mailchimp update.php so module would display as not installed during update process
Property svn:keywords set to `LastChangedBy LastChangedDate LastChangedRevision`

Line
1	<?php
2	//if we had specific update code for the module, we would create a class
3	//called [module]Update with a method called updateSettings($variables)
4	class bmsUpdate{
5
6	/**
7	* $updateErrorMessage
8	* @var string An error message that will be displayed.
9	*/
10	var $updateErrorMessage = "";
11
12	function bmsUpdate($db){
13
14	$this->db = $db;
15
16	}//end method
17
18
19	/**
20	* function isValidPath
21	* @param string $path Absolute Server path
22	* @return boolean True if the path is valid, False if not.
23	*/
24
25	function isValidPath($path) {
26
27	$theReturn = false;
28
29	if(is_file($path))
30	if(is_readable($path))
31	if(filesize($path) > 0)
32	$theReturn = true;
33
34	return $theReturn;
35
36	}//end if --isValidPath--
37
38	/**
39	* function obfuscatePaymentInformation
40	*
41	* obfuscates payment information for invoices. Process is irreversable
42	* (unlike encryption).
43	*/
44
45	function obfuscatePaymentInformation() {
46
47	$querystatment = "
48	UPDATE
49	`invoices`
50	SET
51	`ccverification` = REPEAT('*',LENGTH(`ccverification`)),
52	`ccexpiration` = REPEAT('*',LENGTH(`ccexpiration`)),
53	`routingnumber` = NULL,
54	`accountnumber` = NULL,
55	`ccnumber` = LPAD(SUBSTRING(`ccnumber`,-4),LENGTH(`ccnumber`),'*')
56	WHERE
57	`type` != 'Order'
58	AND
59	`type` != 'Quote'
60	";
61
62	$this->db->query($querystatment);
63
64	$querystatment = "
65	UPDATE
66	`receipts`
67	SET
68	`ccverification` = REPEAT('*',LENGTH(`ccverification`)),
69	`ccexpiration` = REPEAT('*',LENGTH(`ccexpiration`)),
70	`routingnumber` = NULL,
71	`accountnumber` = NULL,
72	`ccnumber` = LPAD(SUBSTRING(`ccnumber`,-4),LENGTH(`ccnumber`),'*')
73	WHERE
74	`posted` = '1'";
75
76	$this->db->query($querystatment);
77
78	}//end method --obfuscatePaymentInformation--
79
80	/**
81	* function encryptPaymentInformation
82	*
83	* Encrypt all payment information in invoices and receipts with
84	* `type` of Order. The current key (if any) is used by default.
85	*
86	* @param string $encryptionKey An overriding encryption key.
87	*/
88
89	function encyptPaymentInformation($encryptionKey = NULL){
90
91	if($encryptionKey !== NULL)
92	$encryptionKey = mysql_real_escape_string($encryptionKey);
93
94	$querystatment = "
95	UPDATE
96	`invoices`
97	SET
98	`ccnumber` = ".$this->db->encrypt("`ccnumber`", $encryptionKey).",
99	`ccexpiration` = ".$this->db->encrypt("`ccexpiration`", $encryptionKey).",
100	`ccverification` = ".$this->db->encrypt("`ccverification`", $encryptionKey).",
101	`accountnumber` = ".$this->db->encrypt("`accountnumber`", $encryptionKey).",
102	`routingnumber` = ".$this->db->encrypt("`routingnumber`", $encryptionKey)."
103	WHERE
104	`type` = 'Order' OR `type` = 'Quote'
105	";
106
107	$queryresult = $this->db->query($querystatment);
108
109	$querystatment = "
110	UPDATE
111	`receipts`
112	SET
113	`ccnumber` = ".$this->db->encrypt("`ccnumber`", $encryptionKey).",
114	`ccexpiration` = ".$this->db->encrypt("`ccexpiration`", $encryptionKey).",
115	`ccverification` = ".$this->db->encrypt("`ccverification`", $encryptionKey).",
116	`accountnumber` = ".$this->db->encrypt("`accountnumber`", $encryptionKey).",
117	`routingnumber` = ".$this->db->encrypt("`routingnumber`", $encryptionKey)."
118	WHERE
119	`posted` = '0'
120	";
121
122	$queryresult = $this->db->query($querystatment);
123
124	}//end method --encryptPaymentInformation--
125
126	/**
127	* function decryptPaymentInformation
128	*
129	* Decrypt all payment information in invoices and receipts with
130	* `type` of Order. The current key (if any) is used.
131	*
132	* @param string $encryptionKey An overriding encryption key.
133	*/
134
135	function decryptPaymentInformation($encryptionKey = NULL){
136
137	if($encryptionKey !== NULL)
138	$encryptionKey = mysql_real_escape_string($encryptionKey);
139
140
141	$querystatment = "
142	UPDATE
143	`invoices`
144	SET
145	`ccnumber` = ".$this->db->decrypt("`ccnumber`", $encryptionKey).",
146	`ccexpiration` = ".$this->db->decrypt("`ccexpiration`", $encryptionKey).",
147	`ccverification` = ".$this->db->decrypt("`ccverification`", $encryptionKey).",
148	`accountnumber` = ".$this->db->decrypt("`accountnumber`", $encryptionKey).",
149	`routingnumber` = ".$this->db->decrypt("`routingnumber`", $encryptionKey)."
150	WHERE
151	`type` = 'Order' OR `type`='Quote'
152	";
153
154	$queryresult = $this->db->query($querystatment);
155
156	$querystatment = "
157	UPDATE
158	`receipts`
159	SET
160	`ccnumber` = ".$this->db->decrypt("`ccnumber`", $encryptionKey).",
161	`ccexpiration` = ".$this->db->decrypt("`ccexpiration`", $encryptionKey).",
162	`ccverification` = ".$this->db->decrypt("`ccverification`", $encryptionKey).",
163	`accountnumber` = ".$this->db->decrypt("`accountnumber`", $encryptionKey).",
164	`routingnumber` = ".$this->db->decrypt("`routingnumber`", $encryptionKey)."
165	WHERE
166	`posted` = '0'
167	";
168
169	$queryresult = $this->db->query($querystatment);
170
171	}
172
173	function updateSettings($variables){
174
175	if(!isset($variables["default_hascredit"]))
176	$variables["default_hascredit"] = 0;
177
178	if(!isset($variables["prospects_on_orders"]))
179	$variables["prospects_on_orders"] = 0;
180
181	if(!isset($variables["encrypt_payment_fields"]))
182	$variables["encrypt_payment_fields"] = 0;
183
184	$variables["default_creditlimit"] = currencyToNumber($variables["default_creditlimit"]);
185
186	/**
187	* Need to encrypt/obfuscate if changing from no encryption and
188	* decrypt if changing from encryption.
189	*/
190	if($variables["encryptionStatusChanged"]){
191
192	if($variables["encrypt_payment_fields"] == 0){
193	/**
194	* There has to be a valid encryption key path if the new
195	* encryption status is 0
196	*/
197
198	$this->decryptPaymentInformation();
199
200	if($variables["encryptionPathChanged"]){
201
202	/**
203	* If the path has changed, we need to make sure
204	* that it is a valid one.
205	*/
206
207	if(!$this->isValidPath($variables["encryption_key_path"])){
208	unset($variables["encryption_key_path"]);
209	$this->updateErrorMessage = "Invalid encryption key path";
210	}//end if --not valid path?--
211
212	}//end if --path changed--
213
214	}else{
215
216	if($variables["encryptionPathChanged"]){
217
218	if($this->isValidPath($variables["encryption_key_path"])){
219
220	$res = fopen($variables["encryption_key_path"], "r");
221	$key = fread($res, filesize($variables["encryption_key_path"]));
222	fclose($res);
223	$key = trim($key);
224
225	$this->encyptPaymentInformation($key);
226	$this->obfuscatePaymentInformation();
227
228	}else{
229
230	$this->updateErrorMessage = "Invalid encryption key path";
231	unset($variables["encrypt_payment_fields"]);
232	unset($variables["encryption_key_path"]);
233
234	}//end if -- valid path?--
235
236	}else{
237
238	if($this->isValidPath(ENCRYPTION_KEY_PATH)){
239	$this->encyptPaymentInformation();
240	$this->obfuscatePaymentInformation();
241	}else{
242	$this->updateErrorMessage = "No valid encryption key path";
243	unset($variables["encrypt_payment_fields"]);
244	}//end if --encryption key defined--
245
246	}//end if -- path changed?--
247
248	}//end if --encrypt fields?--
249
250	}else{
251
252	if($variables["encryptionPathChanged"]){
253
254	if($this->isValidPath($variables["encryption_key_path"])){
255
256	if($variables["encrypt_payment_fields"]){
257
258	$this->decryptPaymentInformation();
259
260	$res = fopen($variables["encryption_key_path"], "r");
261	$key = fread($res, filesize($variables["encryption_key_path"]));
262	fclose($res);
263	$key = trim($key);
264
265	$this->encyptPaymentInformation($key);
266	$this->obfuscatePaymentInformation();
267
268	}//end if --encrypt fields?--
269
270	}else{
271	unset($variables["encryption_key_path"]);
272	$this->updateErrorMessage = "Invalid encryption key path";
273	}//end if --is valid path--
274
275	}//end if --encryption path changed--
276
277	}//end if -- status changed--
278
279	return $variables;
280
281	}//end method
282
283
284	}//end class
285
286	class bmsDisplay{
287
288	function getFields($therecord){
289
290	global $db;
291
292	$theinput = new inputField("shipping_markup",$therecord["shipping_markup"],"shipping markup",false,"real",4,4);
293	$fields[] = $theinput;
294
295	$theinput = new inputField("shipping_postalcode",$therecord["shipping_postalcode"],"shipping origination zip/postal code",false,NULL,32,128);
296	$fields[] = $theinput;
297
298	$theinput = new inputDataTableList($db, "default_payment",$therecord["default_payment"],"paymentmethods","uuid","name",
299	"inactive=0 AND (`type` != 'receivable' OR `type` IS NULL)", "priority,name", true, "default payment method", true, "");
300	$fields[] = $theinput;
301
302	$theinput = new inputDataTableList($db, "default_shipping",$therecord["default_shipping"],"shippingmethods","uuid","name",
303	"inactive=0", "priority,name", true, "default shipping method", true, "");
304	$fields[] = $theinput;
305
306	$theinput = new inputDataTableList($db, "default_discount",$therecord["default_discount"],"discounts","uuid","name",
307	"inactive=0", "name", true, "default discount", true, "");
308	$fields[] = $theinput;
309
310	$theinput = new inputDataTableList($db, "default_taxarea",$therecord["default_taxarea"],"tax","uuid","name",
311	"inactive=0", "name", true, "default tax area", true, "");
312	$fields[] = $theinput;
313
314	$theinput = new inputBasicList("default_clienttype",$therecord["default_clienttype"],array("prospect"=>"prospect","client"=>"client"), "default type");
315	$fields[] = $theinput;
316
317	$theinput = new inputCheckbox("default_hascredit",$therecord["default_hascredit"],"has credit by default");
318	$fields[] = $theinput;
319
320	$theinput = new inputCurrency("default_creditlimit", $therecord["default_creditlimit"], "default credit limit");
321	$fields[] = $theinput;
322
323	$theinput = new inputField("term1_days",$therecord["term1_days"],"term 1 length",false,"integer",4,4);
324	$theinput->setAttribute("class","important");
325	$fields[] = $theinput;
326
327	$theinput = new inputField("term1_percentage",$therecord["term1_percentage"],"term 1 percentage",false,"real",4,4);
328	$fields[] = $theinput;
329
330	$theinput = new inputField("term2_days",$therecord["term2_days"],"term 2 length",false,"integer",4,4);
331	$theinput->setAttribute("class","important");
332	$fields[] = $theinput;
333
334	$theinput = new inputField("term2_percentage",$therecord["term2_percentage"],"term 2 percentage",false,"real",4,4);
335	$fields[] = $theinput;
336
337	$theinput = new inputField("term3_days",$therecord["term3_days"],"term 3 length",false,"integer",4,4);
338	$theinput->setAttribute("class","important");
339	$fields[] = $theinput;
340
341	$theinput = new inputField("term3_percentage",$therecord["term3_percentage"],"term 3 percentage",false,"real",4,4);
342	$fields[] = $theinput;
343
344	$theinput = new inputCheckbox("prospects_on_orders",$therecord["prospects_on_orders"],"allow prospects on sales orders");
345	$fields[] = $theinput;
346
347	$theinput = new inputCheckbox("encrypt_payment_fields", $therecord["encrypt_payment_fields"], "encrypt/obfuscate payment information");
348	$fields[] = $theinput;
349
350	$theinput = new inputField("encryption_key_path", $therecord["encryption_key_path"], "absolute server path to a file containing the encryption key", false, NULL, 64);
351	$fields[] = $theinput;
352
353	return $fields;
354	}
355
356	function display($theform,$therecord){
357	?>
358	<div class="moduleTab" title="clients">
359	<fieldset>
360	<legend>clients</legend>
361
362	<p><?php echo $theform->showField("default_clienttype");?></p>
363
364	<p><?php echo $theform->showField("default_hascredit");?></p>
365
366	<p><?php echo $theform->showField("default_creditlimit");?></p>
367
368	</fieldset>
369	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
370	</div>
371
372	<div class="moduleTab" title="sales orders">
373	<fieldset>
374	<legend>sales orders</legend>
375
376	<p><?php $theform->showField("prospects_on_orders");?></p>
377
378	<p>
379	<label for="invoice_default_printinstruc">default printed instructions</label><br/>
380	<textarea id="invoice_default_printinstruc" name="invoice_default_printinstruc" cols="60" rows="3" ><?php echo $therecord["invoice_default_printinstruc"]?></textarea>
381	</p>
382
383	<p><?php $theform->showField("default_payment");?></p>
384
385	<p><?php $theform->showField("default_shipping");?></p>
386
387	<p><?php $theform->showField("default_discount");?></p>
388
389	<p><?php $theform->showField("default_taxarea");?></p>
390
391	</fieldset>
392	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
393	</div>
394
395	<div class="moduleTab" title="shipping">
396	<fieldset>
397	<legend>shipping</legend>
398	<p class="notes">
399	<strong>Note:</strong> The shipping information below is used when connecting to
400	UPS to calculate shipping costs for product. Current tests show that the UPS
401	shipping calculator only works when shipping to and from the Unites States.
402	</p>
403
404	<p><?php $theform->showField("shipping_markup");?></p>
405
406	<p class="notes"><strong>Note:</strong> Enter the number to multiply the calculated shipping cost. For example to mark up shipping costs by 10%, enter 1.1</p>
407
408	<p><?php $theform->showField("shipping_postalcode");?></p>
409
410	</fieldset>
411	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
412	</div>
413
414	<div class="moduleTab" title="accounts receivable">
415	<fieldset>
416	<legend>Accounts Receivable</legend>
417
418	<p><?php echo $theform->showField("term1_days");?> days</p>
419
420	<p><?php echo $theform->showField("term1_percentage");?> %</p>
421
422	<p><?php echo $theform->showField("term2_days");?> days</p>
423
424	<p><?php echo $theform->showField("term2_percentage");?> %</p>
425
426	<p><?php echo $theform->showField("term3_days");?> days</p>
427
428	<p><?php echo $theform->showField("term3_percentage");?> %</p>
429
430	</fieldset>
431	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
432	</div>
433
434	<div class="moduleTab" title="payment information encryption">
435	<fieldset>
436	<legend>Payment Information Encryption</legend>
437
438	<p class="notes">
439	Changing these settings can potentially take a while as they update
440	most or all records in sales orders and receipts.
441	</p>
442
443
444	<input type="hidden" name="encryptionStatusChanged" id="encryptionStatusChanged" value="0" />
445	<p><?php echo $theform->showField("encrypt_payment_fields");?></p>
446	<p class="notes">
447	Enabling this option encrypts sensitive payment information in sales orders and
448	receipts with a `type` of 'Order'.<br/>
449
450	In addition, payment fields in sales orders and receipts records of `type`
451	'Invoice' will be removed or obfuscated when a sales order or receipt
452	is posted as an invoice or voided/deleted.
453	</p>
454
455	<p class="notes"><strong>Obfuscation is not reversible.</strong></p>
456
457	<input type="hidden" name="encryptionPathChanged" id="encryptionPathChanged" value="0" />
458	<p><?php echo $theform->showField("encryption_key_path");?></p>
459
460	<p class="notes">
461	Typically, encyrption key files are text containing a 64-128 character hash. Good security practices include regularly
462	rotating key files. Do not delete the old key until the new key has been accepted and processed by phpBMS. The system will
463	decrypt data using the old key and then re-encrypt it using the new key.
464	</p>
465
466	<p class="notes"><strong>Always keep back ups of your key file(s). Losing them may result in unencryptable data.</strong></p>
467
468	</fieldset>
469	<p class="updateButtonP"><button type="button" class="Buttons UpdateButtons">save</button></p>
470	</div>
471
472	<?php
473	}//end method
474	}//end class
475	?>

Note: See TracBrowser for help on using the browser.

phpBMS

Context Navigation

root/trunk/phpbms/modules/bms/adminsettings.php

Download in other formats: