From 583001e91d1823c3e9ee324e64622ad09c0cbc7a Mon Sep 17 00:00:00 2001
From: Gabriel Pedro <gpedro831@gmail.com>
Date: Mon, 2 May 2016 04:12:14 -0400
Subject: [PATCH 1/5] feat: improving pagseguro payment

---
 buypoints.php | 21 ++++++++++++++++++++-
 config.php    | 26 ++++++++++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/buypoints.php b/buypoints.php
index eec0fe7..ba428ed 100644
--- a/buypoints.php
+++ b/buypoints.php
@@ -54,6 +54,25 @@ if ($paypal['enabled']) {
 </table>
 <?php } ?>
 
+<?php
+if ($config['pagseguro']['enabled'] == true) {
+?>
+	<h2>Buy points using Pagseguro:</h2>
+	<form target="pagseguro" action="https://<?=$pagseguro['urls']['www']?>/checkout/checkout.jhtml" method="post">
+		<input type="hidden" name="email_cobranca" value="<?=$pagseguro['email']?>">
+		<input type="hidden" name="tipo" value="CP">
+		<input type="hidden" name="moeda" value="<?=$pagseguro['currency']?>">
+		<input type="hidden" name="ref_transacao" value="<?php echo (int)$session_user_id; ?>">
+		<input type="hidden" name="item_id_1" value="1">
+		<input type="hidden" name="item_descr_1" value="<?=$pagseguro['product_name']?>">
+		<input type="number" name="item_quant_1" min="1" step="4" value="1">
+		<input type="hidden" name="item_peso_1" value="0">
+		<input type="hidden" name="item_valor_1" value="<?=$pagseguro['price']?>">
+		<input type="submit" value="  PURCHASE  ">
+	</form>
+	<br>
+<?php } ?>
+
 <?php
 if ($config['paygol']['enabled'] == true) {
 ?>
@@ -73,5 +92,5 @@ if ($config['paygol']['enabled'] == true) {
 </form>
 <?php }
 
-if (!$config['paypal']['enabled'] && !$config['paygol']['enabled']) echo '<h1>Buy Points system disabled.</h1><p>Sorry, this functionality is disabled.</p>';
+if (!$config['paypal']['enabled'] && !$config['paygol']['enabled'] && !$config['pagseguro']['enabled']) echo '<h1>Buy Points system disabled.</h1><p>Sorry, this functionality is disabled.</p>';
 include 'layout/overall/footer.php'; ?>
\ No newline at end of file
diff --git a/config.php b/config.php
index 485e6eb..7a50ac0 100644
--- a/config.php
+++ b/config.php
@@ -707,6 +707,32 @@
 		30 => 420, // +40% bonus
 	);
 
+	/////////////////
+	/// PAGSEGURO ///
+	/////////////////
+	// Write your pagseguro address here, and what currency you want to recieve money in.
+	$config['pagseguro'] = array(
+		'enabled' => true,
+		'sandbox' => false,
+		'email' => '', // Example: pagseguro@mail.com
+		'token' => '',
+		'currency' => 'BRL',
+		'product_name' => '',
+		'price' => 100, // 1 real
+		'ipn' => "http://".$_SERVER['HTTP_HOST']."/pagseguro_ipn.php",
+		'urls' => array(
+			'www' => 'pagseguro.uol.com.br',
+			'ws'  => 'ws.pagseguro.uol.com.br',
+			'stc' => 'stc.pagseguro.uol.com.br'
+		)
+	);
+
+	if ($config['pagseguro']['sandbox']) {
+		$config['pagseguro']['urls'] = array_map(function ($item) {
+			return str_replace('pagseguro', 'sandbox.pagseguro', $item);
+		}, $config['pagseguro']['urls']);
+	}
+
 	//////////////////
 	/// PAYGOL SMS ///
 	//////////////////

From e48ee4854d9defcfafc1438585c2349ab07915e4 Mon Sep 17 00:00:00 2001
From: Gabriel Pedro <gpedro831@gmail.com>
Date: Mon, 2 May 2016 13:42:30 -0400
Subject: [PATCH 2/5] feat: finishing pagseguro implementation

---
 pagseguro_ipn.php     | 112 ++++++++++++++++++++++++++++++++++++++++++
 pagseguro_retorno.php | 107 ++++++++++++++++++++++++++++++++++++++++
 shop.php              |   4 ++
 3 files changed, 223 insertions(+)
 create mode 100644 pagseguro_ipn.php
 create mode 100644 pagseguro_retorno.php

diff --git a/pagseguro_ipn.php b/pagseguro_ipn.php
new file mode 100644
index 0000000..25eb8c5
--- /dev/null
+++ b/pagseguro_ipn.php
@@ -0,0 +1,112 @@
+<?php
+	// Require the functions to fetch config values
+	require 'config.php';
+
+	$pagseguro = $config['pagseguro'];
+	$notificationCode = $_POST['notificationCode'];
+	$notificationType = $_POST['notificationType'];
+
+	// Require the functions to connect to database
+	require 'engine/database/connect.php';
+
+	// Fetch and sanitize POST and GET values
+	function getValue($value) {
+		return (!empty($value)) ? sanitize($value) : false;
+	}
+	function sanitize($data) {
+		return htmlentities(strip_tags(mysql_znote_escape_string($data)));
+	}
+
+	// Util function to insert log
+	function report($code, $details = '') {
+		$connectedIp = $_SERVER['REMOTE_ADDR'];
+		$details = getValue($details);
+		$details .= '\nConnection from IP: '. $connectedIp;
+		mysql_insert('INSERT INTO `znote_pagseguro_notifications` VALUES (null, \'' . getValue($code) . '\', \'' . $details . '\', CURRENT_TIMESTAMP)');
+	}
+
+	function VerifyPagseguroIPN($code) {
+		global $pagseguro;
+		$url = $pagseguro['urls']['ws'];
+
+		$cURL = curl_init();
+		curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
+		curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
+		curl_setopt($cURL, CURLOPT_URL, 'https://' . $url . '/v3/transactions/notifications/' . $code . '?email=' . $pagseguro['email'] . '&token=' . $pagseguro['token']);
+		curl_setopt($cURL, CURLOPT_HEADER, false);
+		curl_setopt($cURL, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($cURL, CURLOPT_FORBID_REUSE, true);
+		curl_setopt($cURL, CURLOPT_FRESH_CONNECT, true);
+		curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 30);
+		curl_setopt($cURL, CURLOPT_TIMEOUT, 60);
+		curl_setopt($cURL, CURLINFO_HEADER_OUT, true);
+		curl_setopt($cURL, CURLOPT_HTTPHEADER, array(
+			'Connection: close',
+			'Expect: ',
+		));
+		$Response = curl_exec($cURL);
+		$Status = (int)curl_getinfo($cURL, CURLINFO_HTTP_CODE);
+		curl_close($cURL);
+
+		$output = print_r($Response, true);
+		if(empty($Response) OR !$Status){
+			return null;
+		}
+		if(intval($Status / 100) != 2){
+			return false;
+		}
+		return trim($Response);
+	}
+
+	// Send an empty HTTP 200 OK response to acknowledge receipt of the notification
+	header('HTTP/1.1 200 OK');
+
+	if(empty($notificationCode) || empty($notificationType)){
+		report($notificationCode, 'notificationCode or notificationType is empty. Type: ' . $notificationType . ', Code: ' . $notificationCode);
+		exit();
+	}
+
+	if ($notificationType !== 'transaction') {
+		report($notificationCode, 'Unknown ' . $notificationType . ' notificationType');
+		exit();
+	}
+
+	$rawPayment = VerifyPagseguroIPN($notificationCode);
+	$payment = simplexml_load_string($rawPayment);
+
+	report($notificationCode, $rawPayment);
+
+	// Updating Payment Status
+	mysql_update('UPDATE `znote_pagseguro` SET `payment_status` = ' . ($payment->status) . ' WHERE `transaction` = \'' . $payment->code . '\' ');
+
+	// Check that the payment_status is Completed
+	if ($payment->status == 3) {
+
+		// Check that transaction has not been previously processed
+		$transaction = mysql_select_single('SELECT `transaction`, `completed` FROM `znote_pagseguro` WHERE `transaction`= \'' . $payment->code .'\'');
+		$status = true;
+		$custom = (int) $payment->reference;
+
+		if ($transaction['completed'] == '1') {
+			$status = false;
+		}
+
+		if ($payment->grossAmount == 0.0) $status = false; // Wrong ammount of money
+		$item = $payment->items->item[0];
+		if ($item->amount != ($pagseguro['price'] / 100)) $status = false;
+
+		if ($status) {
+			// transaction log
+			mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $payment->code . '\'');
+
+			// Process payment
+			$data = mysql_select_single("SELECT `points` AS `old_points` FROM `znote_accounts` WHERE `account_id`='$custom';");
+
+			// Give points to user
+			$new_points = $data['old_points'] + $item->quantity;
+			mysql_update("UPDATE `znote_accounts` SET `points`='$new_points' WHERE `account_id`='$custom'");
+		}
+	} else if ($payment->status == 7) {
+		mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $payment->code . '\' ');
+	}
+?>
\ No newline at end of file
diff --git a/pagseguro_retorno.php b/pagseguro_retorno.php
new file mode 100644
index 0000000..8b486bb
--- /dev/null
+++ b/pagseguro_retorno.php
@@ -0,0 +1,107 @@
+<?php
+	/*
+		Instalação
+			- Configurando Pagseguro (Acessar https://pagseguro.uol.com.br/preferencias/integracoes.jhtml)
+				- Notificação de Transação:
+					- http://you-site/pagseguro_ipn.php
+				- Página de redirecionamento:
+					- A. Página fixa de redirecionamento
+						- http://you-site/znote/pagseguro_retorno.php
+					- B. Redirecionamento com o código da transação
+						- transaction
+				- Gerar o Token e copiar para a próxima etapa
+
+			- Configurando ZnoteACC
+				- config.php
+					- $config['pagseguro']['email']
+						- Seu email da conta do pagseguro que irá receber o pagamento
+					- $config['pagseguro']['token']
+						- Preencher com o Token que pedi pra copiar na primeira etapa
+					- $config['pagseguro']['product_name']
+						- Nome do Produto
+
+			- Instalando Tabelas
+				CREATE TABLE IF NOT EXISTS `znote_pagseguro` (
+				  `id` int(11) NOT NULL AUTO_INCREMENT,
+				  `transaction` varchar(36) NOT NULL,
+				  `account` int(11) NOT NULL,
+				  `price` decimal(11,2) NOT NULL,
+				  `points` int(11) NOT NULL,
+				  `payment_status` tinyint(1) NOT NULL,
+				  `completed` tinyint(4) NOT NULL,
+				  PRIMARY KEY (`id`),
+				  FOREIGN KEY (account) REFERENCES accounts(id)
+				) ENGINE=MyISAM DEFAULT CHARSET=utf8;
+
+				CREATE TABLE IF NOT EXISTS `znote_pagseguro_notifications` (
+				  `id` int(11) NOT NULL AUTO_INCREMENT,
+				  `notification_code` varchar(40) NOT NULL,
+				  `details` text NOT NULL,
+				  `receive_at` timestamp NULL DEFAULT CURRENT_TIMESTAMP,
+				  PRIMARY KEY (`id`),
+				) ENGINE=MyISAM DEFAULT CHARSET=utf8;
+	*/
+
+	// Require the functions to fetch config values
+	require 'config.php';
+
+	// Require the functions to connect to database
+	require 'engine/database/connect.php';
+
+	$pagseguro = $config['pagseguro'];
+
+	// Fetch and sanitize POST and GET values
+	function getValue($value) {
+		return (!empty($value)) ? sanitize($value) : false;
+	}
+	function sanitize($data) {
+		return htmlentities(strip_tags(mysql_znote_escape_string($data)));
+	}
+
+	// Util function to insert log
+	function report($code, $details = '') {
+		$connectedIp = $_SERVER['REMOTE_ADDR'];
+		$details = getValue($details);
+		$details .= '\nConnection from IP: '. $connectedIp;
+		mysql_insert('INSERT INTO `znote_pagseguro_notifications` VALUES (null, \'' . getValue($code) . '\', \'' . $details . '\', CURRENT_TIMESTAMP)');
+	}
+
+	function VerifyPagseguroIPN($code) {
+		global $pagseguro;
+		$url = $pagseguro['urls']['ws'];
+
+		$cURL = curl_init();
+		curl_setopt($cURL, CURLOPT_SSL_VERIFYPEER, false);
+		curl_setopt($cURL, CURLOPT_SSL_VERIFYHOST, false);
+		curl_setopt($cURL, CURLOPT_URL, 'https://' . $url . '/v3/transactions/' . $code . '?email=' . $pagseguro['email'] . '&token=' . $pagseguro['token']);
+		curl_setopt($cURL, CURLOPT_HEADER, false);
+		curl_setopt($cURL, CURLOPT_RETURNTRANSFER, true);
+		curl_setopt($cURL, CURLOPT_FORBID_REUSE, true);
+		curl_setopt($cURL, CURLOPT_FRESH_CONNECT, true);
+		curl_setopt($cURL, CURLOPT_CONNECTTIMEOUT, 30);
+		curl_setopt($cURL, CURLOPT_TIMEOUT, 60);
+		curl_setopt($cURL, CURLINFO_HEADER_OUT, true);
+		curl_setopt($cURL, CURLOPT_HTTPHEADER, array(
+			'Connection: close',
+			'Expect: ',
+		));
+		$Response = curl_exec($cURL);
+		$Status = (int)curl_getinfo($cURL, CURLINFO_HTTP_CODE);
+		curl_close($cURL);
+
+		return trim($Response);
+	}
+
+	$transactionCode = getValue($_GET['transaction']);
+	$rawTransaction = VerifyPagseguroIPN($transactionCode);
+	$transaction = simplexml_load_string($rawTransaction);
+
+	$completed = ($transaction->status != 7) ? 0 : 1;
+
+	$custom = (int) $transaction->reference;
+	$item = $transaction->items->item[0];
+	$points = $item->quantity;
+	$price = $item->quantity * ($pagseguro['price'] / 100);
+	mysql_insert('INSERT INTO `znote_pagseguro` VALUES (null, \'' . $transaction->code . '\', ' . $custom . ', \'' . $price . '\', \'' . $points . '\', ' . $transaction->status . ', ' . $completed . ')');
+
+	header('Location: shop.php?callback=processing');
diff --git a/shop.php b/shop.php
index e002428..402f803 100644
--- a/shop.php
+++ b/shop.php
@@ -2,6 +2,10 @@
 protect_page();
 include 'layout/overall/header.php'; 
 
+if (isset($_GET['callback']) && $_GET['callback'] === 'processing') {
+	echo '<script>alert("Seu pagamento está sendo processado pelo PagSeguro...");</script>';
+}
+
 // Import from config:
 $shop = $config['shop'];
 $shop_list = $config['shop_offers'];

From 358b16e7482073d720632688ad6732684e88e9f3 Mon Sep 17 00:00:00 2001
From: Gabriel Pedro <gpedro@users.noreply.github.com>
Date: Mon, 2 May 2016 16:27:32 -0400
Subject: [PATCH 3/5] fix: removing comma

---
 pagseguro_retorno.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pagseguro_retorno.php b/pagseguro_retorno.php
index 8b486bb..1efa958 100644
--- a/pagseguro_retorno.php
+++ b/pagseguro_retorno.php
@@ -38,7 +38,7 @@
 				  `notification_code` varchar(40) NOT NULL,
 				  `details` text NOT NULL,
 				  `receive_at` timestamp NULL DEFAULT CURRENT_TIMESTAMP,
-				  PRIMARY KEY (`id`),
+				  PRIMARY KEY (`id`)
 				) ENGINE=MyISAM DEFAULT CHARSET=utf8;
 	*/
 

From 1804fe00594e8875b12a00e406fa69d80af41c1b Mon Sep 17 00:00:00 2001
From: Gabriel Pedro <gpedro@users.noreply.github.com>
Date: Mon, 2 May 2016 17:30:43 -0400
Subject: [PATCH 4/5] fix: missing var, thanks @dalvorsn for testing

---
 buypoints.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/buypoints.php b/buypoints.php
index ba428ed..6b4b275 100644
--- a/buypoints.php
+++ b/buypoints.php
@@ -3,6 +3,7 @@ protect_page();
 include 'layout/overall/header.php'; 
 
 // Import from config:
+$pagseguro = $config['pagseguro'];
 $paypal = $config['paypal'];
 $prices = $config['paypal_prices'];
 
@@ -93,4 +94,4 @@ if ($config['paygol']['enabled'] == true) {
 <?php }
 
 if (!$config['paypal']['enabled'] && !$config['paygol']['enabled'] && !$config['pagseguro']['enabled']) echo '<h1>Buy Points system disabled.</h1><p>Sorry, this functionality is disabled.</p>';
-include 'layout/overall/footer.php'; ?>
\ No newline at end of file
+include 'layout/overall/footer.php'; ?>

From 816801880f4003b8718c74e9aef9da46f1ff49cc Mon Sep 17 00:00:00 2001
From: Gabriel Pedro <gpedro831@gmail.com>
Date: Wed, 4 May 2016 20:30:37 -0400
Subject: [PATCH 5/5] fix: sanitizing pagseguro

---
 pagseguro_ipn.php     | 14 ++++++++------
 pagseguro_retorno.php |  7 ++++---
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/pagseguro_ipn.php b/pagseguro_ipn.php
index 25eb8c5..89af36c 100644
--- a/pagseguro_ipn.php
+++ b/pagseguro_ipn.php
@@ -73,17 +73,19 @@
 
 	$rawPayment = VerifyPagseguroIPN($notificationCode);
 	$payment = simplexml_load_string($rawPayment);
+	$paymentStatus = (int) $paymentStatus;
+	$paymentCode = sanitize($paymentCode);
 
 	report($notificationCode, $rawPayment);
 
 	// Updating Payment Status
-	mysql_update('UPDATE `znote_pagseguro` SET `payment_status` = ' . ($payment->status) . ' WHERE `transaction` = \'' . $payment->code . '\' ');
+	mysql_update('UPDATE `znote_pagseguro` SET `payment_status` = ' . $paymentStatus . ' WHERE `transaction` = \'' . $paymentCode . '\' ');
 
 	// Check that the payment_status is Completed
-	if ($payment->status == 3) {
+	if ($paymentStatus == 3) {
 
 		// Check that transaction has not been previously processed
-		$transaction = mysql_select_single('SELECT `transaction`, `completed` FROM `znote_pagseguro` WHERE `transaction`= \'' . $payment->code .'\'');
+		$transaction = mysql_select_single('SELECT `transaction`, `completed` FROM `znote_pagseguro` WHERE `transaction`= \'' . $paymentCode .'\'');
 		$status = true;
 		$custom = (int) $payment->reference;
 
@@ -97,7 +99,7 @@
 
 		if ($status) {
 			// transaction log
-			mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $payment->code . '\'');
+			mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $paymentCode . '\'');
 
 			// Process payment
 			$data = mysql_select_single("SELECT `points` AS `old_points` FROM `znote_accounts` WHERE `account_id`='$custom';");
@@ -106,7 +108,7 @@
 			$new_points = $data['old_points'] + $item->quantity;
 			mysql_update("UPDATE `znote_accounts` SET `points`='$new_points' WHERE `account_id`='$custom'");
 		}
-	} else if ($payment->status == 7) {
-		mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $payment->code . '\' ');
+	} else if ($paymentStatus == 7) {
+		mysql_update('UPDATE `znote_pagseguro` SET `completed` = 1 WHERE `transaction` = \'' . $paymentCode . '\' ');
 	}
 ?>
\ No newline at end of file
diff --git a/pagseguro_retorno.php b/pagseguro_retorno.php
index 1efa958..a988915 100644
--- a/pagseguro_retorno.php
+++ b/pagseguro_retorno.php
@@ -96,12 +96,13 @@
 	$rawTransaction = VerifyPagseguroIPN($transactionCode);
 	$transaction = simplexml_load_string($rawTransaction);
 
-	$completed = ($transaction->status != 7) ? 0 : 1;
+	$transactionStatus = (int) $transaction->status;
+	$completed = ($transactionStatus != 7) ? 0 : 1;
 
 	$custom = (int) $transaction->reference;
 	$item = $transaction->items->item[0];
 	$points = $item->quantity;
-	$price = $item->quantity * ($pagseguro['price'] / 100);
-	mysql_insert('INSERT INTO `znote_pagseguro` VALUES (null, \'' . $transaction->code . '\', ' . $custom . ', \'' . $price . '\', \'' . $points . '\', ' . $transaction->status . ', ' . $completed . ')');
+	$price = $points * ($pagseguro['price'] / 100);
+	mysql_insert('INSERT INTO `znote_pagseguro` VALUES (null, \'' . sanitize($transaction->code) . '\', ' . $custom . ', \'' . $price . '\', \'' . $points . '\', ' . $transactionStatus . ', ' . $completed . ')');
 
 	header('Location: shop.php?callback=processing');