Fix paygol IPN by adding the missing functions (sanitize, getValue)

Now it will also check if the serviceID in config.php is the same as it is in paygol. Because, it is possible to do 'fake' payments at paygol, by just changing the report URL, to report url on any other OT (assuming we know the file name) and thus it will pass the IP check, because the request is coming from paygol.

paygol_ipn.php

@@ -9,6 +9,14 @@ if(!in_array($_SERVER['REMOTE_ADDR'],
 	die("Error: Unknown IP");
 }
 
+// Fetch and sanitize POST and GET values
+function getValue($value) {
+	return (!empty($value)) ? sanitize($value) : false;
+}
+function sanitize($data) {
+	return htmlentities(strip_tags(mysql_znote_escape_string($data)));
+}
+
 // get the variables from PayGol system
 $message_id	= getValue($_GET['message_id']);
 $service_id	= getValue($_GET['service_id']);
@@ -23,12 +31,18 @@ $points	 = getValue($_GET['points']);
 $price	 = getValue($_GET['price']);
 $currency	= getValue($_GET['currency']);
 
+// config paygol settings
 $paygol = $config['paygol'];
-$new_points = $paygol['points'];
 
+// Check if request serviceID is the same as it is in config
+if($service_id != $paygol['serviceID']) {
+	header("HTTP/1.0 403 Forbidden");
+	die("Error: serviceID does not match.");
+}
+
+$new_points = $paygol['points'];
 // Update logs:
 mysql_insert("INSERT INTO `znote_paygol` VALUES ('', '$custom', '$price', '$new_points', '$message_id', '$service_id', '$shortcode', '$keyword', '$message', '$sender', '$operator', '$country', '$currency')");
-
 // Fetch points
 $account = mysql_select_single("SELECT `points` FROM `znote_accounts` WHERE `account_id`='$custom';");
 // Calculate new points