simpliko / wpadverts

WordPress Classifieds Plugin
https://wpadverts.com/
GNU General Public License v2.0

Pricing meta #147

Closed erikdemarco closed 2 years ago

erikdemarco commented 2 years ago

I don't know if this is a support question or a bug.

First. If you see this line: https://github.com/simpliko/wpadverts/blob/43025dc7cf26ab77db21978595e29c055eee6c88/addons/payments/includes/ajax.php#L53 What is the purpose of this line? It's not used anywhere in that function.

Second. What is the difference between these two lines: https://github.com/simpliko/wpadverts/blob/43025dc7cf26ab77db21978595e29c055eee6c88/addons/payments/includes/ajax.php#L54 https://github.com/simpliko/wpadverts/blob/43025dc7cf26ab77db21978595e29c055eee6c88/addons/payments/includes/ajax.php#L57 The first one is useless because it gets replaced by the second. And I'm just curious what is the difference between those two meta? Which one is the real advert cost?

Third. See these two lines: https://github.com/simpliko/wpadverts/blob/43025dc7cf26ab77db21978595e29c055eee6c88/addons/payments/includes/ajax.php#L26 https://github.com/simpliko/wpadverts/blob/43025dc7cf26ab77db21978595e29c055eee6c88/addons/payments/includes/ajax.php#L27 We get the Listing ID and payment ID from the user's $_REQUEST. Is it possible for a user to change the advert pricing by tampering with a combination of this data themselves? Is there any way we can verify the user is not tampering with this data?

gwin commented 2 years ago

Technically he could change the $listing_id and this could potentially have some kind of impact in the adverts_payments_order_create if the listing_id is used there.

Either way, the listing_id is saved in the order or advert information so in the next release, I will pull it from there.

Thanks for the feedback.
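
The fix discussed in this thread (take the listing ID from what the server already stored instead of from `$_REQUEST`) can be sketched as follows. This is an added example, not WPAdverts code: `resolve_order()`, the array shapes and all sample values are hypothetical, and plain arrays stand in for the post meta a WordPress plugin would read.

```php
<?php
// Constructed sample records: what the server stored when the advert was saved.
// In WordPress these would be read from post meta, not from the request.
$payments = [501 => ['author_id' => 7, 'listing_id' => 12]];
$listings = [12 => ['price' => '25.00'], 13 => ['price' => '0.00']];

/**
 * Hypothetical helper: work out what to charge using server-side records only.
 * The request is trusted for nothing except naming which payment is meant.
 */
function resolve_order(array $request, int $user_id, array $payments, array $listings): array
{
    $payment_id = filter_var($request['payment_id'] ?? null, FILTER_VALIDATE_INT);
    if ($payment_id === false || !isset($payments[$payment_id])) {
        return ['ok' => false, 'error' => 'unknown payment'];
    }
    $payment = $payments[$payment_id];

    // The payment must belong to the user making the request.
    if ($payment['author_id'] !== $user_id) {
        return ['ok' => false, 'error' => 'payment belongs to another user'];
    }

    // The listing ID is taken from the stored record, never from the request.
    $listing_id = $payment['listing_id'];
    if (!isset($listings[$listing_id])) {
        return ['ok' => false, 'error' => 'stored listing no longer exists'];
    }

    // A request value that disagrees with the record is ignored and flagged.
    $sent = $request['listing_id'] ?? null;
    $mismatch = $sent !== null
        && (!is_scalar($sent) || (string) $sent !== (string) $listing_id);

    return ['ok' => true, 'listing_id' => $listing_id,
            'price' => $listings[$listing_id]['price'], 'mismatch' => $mismatch];
}

// Constructed requests: honest, swapped listing_id, and a different user.
$cases = [
    [['payment_id' => '501', 'listing_id' => '12'], 7],
    [['payment_id' => '501', 'listing_id' => '13'], 7],
    [['payment_id' => '501', 'listing_id' => '12'], 8],
];
foreach ($cases as [$request, $user_id]) {
    echo json_encode(resolve_order($request, $user_id, $payments, $listings)), PHP_EOL;
}
```

The `mismatch` flag gives the handler something to log when a client sends a listing ID that disagrees with the stored one, while the price charged still comes from the stored record.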