Fix paygol IPN by adding the missing functions (sanitize, getValue)

Now it will also check if the serviceID in config.php is the same as it is in paygol. Because, it is possible to do 'fake' payments at paygol, by just changing the report URL, to report url on any other OT (assuming we know the file name) and thus it will pass the IP check, because the request is coming from paygol.

paygol_ipn.php

@@ -4,9 +4,17 @@ require 'engine/database/connect.php';
 
 // check that the request comes from PayGol server
 if(!in_array($_SERVER['REMOTE_ADDR'],
-  array('109.70.3.48', '109.70.3.146', '109.70.3.58'))) {
-  header("HTTP/1.0 403 Forbidden");
-  die("Error: Unknown IP");
+	array('109.70.3.48', '109.70.3.146', '109.70.3.58'))) {
+	header("HTTP/1.0 403 Forbidden");
+	die("Error: Unknown IP");
+}
+
+// Fetch and sanitize POST and GET values
+function getValue($value) {
+	return (!empty($value)) ? sanitize($value) : false;
+}
+function sanitize($data) {
+	return htmlentities(strip_tags(mysql_znote_escape_string($data)));
 }
 
 // get the variables from PayGol system
@@ -23,12 +31,18 @@ $points	 = getValue($_GET['points']);
 $price	 = getValue($_GET['price']);
 $currency	= getValue($_GET['currency']);
 
+// config paygol settings
 $paygol = $config['paygol'];
-$new_points = $paygol['points'];
 
+// Check if request serviceID is the same as it is in config
+if($service_id != $paygol['serviceID']) {
+	header("HTTP/1.0 403 Forbidden");
+	die("Error: serviceID does not match.");
+}
+
+$new_points = $paygol['points'];
 // Update logs:
 mysql_insert("INSERT INTO `znote_paygol` VALUES ('', '$custom', '$price', '$new_points', '$message_id', '$service_id', '$shortcode', '$keyword', '$message', '$sender', '$operator', '$country', '$currency')");
-
 // Fetch points
 $account = mysql_select_single("SELECT `points` FROM `znote_accounts` WHERE `account_id`='$custom';");
 // Calculate new points