Codice PHP:
$q = "INSERT INTO #__{vm}_orders \n";
$q .= "(user_id, vendor_id, order_number, user_info_id, ship_method_id, \n";
$q .= "order_total, order_subtotal, order_tax, order_tax_details, order_shipping, \n";
$q .= "order_shipping_tax, order_discount, coupon_discount,order_currency, order_status, cdate, \n";
$q .= "mdate,customer_note,ip_address) \n";
$q .= "VALUES (";
$q .= "'" . $auth["user_id"] . "', ";
$q .= $ps_vendor_id . ", ";
$q .= "'" . $order_number . "', '";
$q .= $d["ship_to_info_id"] . "', '";
if (!empty($d["shipping_rate_id"])) {
$q .= urldecode($d["shipping_rate_id"]) . "', '";
}
else {
$q .= "', '";
}
$q .= $order_total . "', '";
$q .= $order_subtotal . "', '";
$q .= $order_tax . "', '";
$q .= serialize($order_tax_details). "', '";
$q .= $order_shipping . "', '";
$q .= $order_shipping_tax . "', '";
$q .= $payment_discount . "', '";
$q .= $coupon_discount . "', '";
$q .= $_SESSION['vendor_currency']."', "; /* Currency is at the product level - line item */
$q .= "'P', '";
$q .= $timestamp . "', '";
$q .= $timestamp. "', '";
$q .= $db->getEscaped( htmlspecialchars(strip_tags($d['customer_note']))) . "', '";
if (!empty($_SERVER['REMOTE_ADDR'])) {
$q .= $_SERVER['REMOTE_ADDR'] . "') ";
}
else {
$q .= "unknown') ";
}
$q = "INSERT INTO #__{vm}_order_payment ";
$q .= "(order_id, order_payment_code, payment_method_id, order_payment_number, ";
$q .= "order_payment_expire, order_payment_log, order_payment_name, order_payment_trans_id) ";
$q .= "VALUES ('$order_id', ";
$q .= "'" . $d["order_payment_code"] . "', ";
$q .= "'" . $d["payment_method_id"] . "', ";
$q .= "ENCODE(\"$payment_number\",\"" . ENCODE_KEY . "\"), ";
$q .= "'" . @$_SESSION["ccdata"]["order_payment_expire"] . "',";
$q .= "'" . @$d["order_payment_log"] . "',";
$q .= "'" . @$_SESSION["ccdata"]["order_payment_name"] . "',";
$q .= "'" . $vmInputFilter->safeSQL( @$d["order_payment_trans_id"] ). "'";
$q .= ")";
$q = "INSERT INTO #__{vm}_order_history ";
$q .= "(order_id,order_status_code,date_added,customer_notified,comments) VALUES (";
$q .= "'$order_id', 'P', '" . $mysqlDatetime . "', 1, '')";
$q = "INSERT INTO `#__{vm}_order_user_info` ";
$q .= "SELECT '', '$order_id', '".$auth['user_id']."', address_type, address_type_name, company, title, last_name, first_name, middle_name, phone_1, phone_2, fax, address_1, address_2, city, state, country, zip, user_email, extra_field_1, extra_field_2, extra_field_3, extra_field_4, extra_field_5,bank_account_nr,bank_name,bank_sort_code,bank_iban,bank_account_holder,bank_account_type FROM #__{vm}_user_info WHERE user_id='".$auth['user_id']."' AND address_type='BT'";