ClicShopping #355

            $redis = $redis_client;
            $raw = $redis->get($cache_key);
            // phpredis ne sérialise pas les tableaux : la valeur est stockée via serialize()
            if ($raw !== false) {
              $decoded = @unserialize($raw);
unserialize() is called without the allowed_classes option, which can lead to PHP object injection attacks.
Time to fix: about 15 minutes
Read doc Permalink Copy Prompt

                                    Last edited Sun, 31 May 2026 07:32:01 +0000 by clicshopping
                    
              if (is_array($decoded)) {
                $cached_config = $decoded;
              }
            }

            $module_active = $modules_shipping;
            $include_modules = [];
            foreach ($modules_shipping as $value) {
              if (strpos($value, '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                $class = Apps::getModuleClass($value, 'Shipping');
                $include_modules[] = ['class' => $value,
                  'file' => $class
                ];

                ];
              }
            }
            for ($i = 0, $n = \count($include_modules); $i < $n; $i++) {
              if (strpos($include_modules[$i]['class'], '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                Registry::set('Payment_' . str_replace('\\', '_', $include_modules[$i]['class']), new $include_modules[$i]['file']);
                $module = Registry::get('Payment_' . str_replace('\\', '_', $include_modules[$i]['class']));
                ?>
                <div class="row">
                  <div class="col-md-12">

            $module_active = $modules_payment;
            $include_modules = [];
            foreach ($modules_payment as $value) {
              if (strpos($value, '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                $class = Apps::getModuleClass($value, 'Payment');
                $include_modules[] = ['class' => $value,
                  'file' => $class
                ];

                ];
              }
            }
            for ($i = 0, $n = \count($include_modules); $i < $n; $i++) {
              if (strpos($include_modules[$i]['class'], '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                Registry::set('Shipping_' . str_replace('\\', '_', $include_modules[$i]['class']), new $include_modules[$i]['file']);
                $module = Registry::get('Shipping_' . str_replace('\\', '_', $include_modules[$i]['class']));
                ?>
                <div class="row">
                  <div class="col-md-5">

      $sessionId = $checkoutIdParam;
    }
    if ($method === 'POST' && ($hasCheckoutParam || strpos($path, '/checkout_sessions') !== false)) {
      if ($sessionId) {
        if ($hasCompleteParam || strpos($path, '/complete') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
          $validation = $CLICSHOPPING_getRetailers->validateAcpInput($input, 'complete', $input['items'] ?? []);
          if (!empty($validation)) {
            http_response_code(400);
            echo json_encode(['messages' => $validation], JSON_UNESCAPED_SLASHES);
            exit;

              echo json_encode($result['checkout_session'], JSON_UNESCAPED_SLASHES);
            } else {
              echo json_encode($result, JSON_UNESCAPED_SLASHES);
            }
          }
        } elseif ($hasCancelParam || strpos($path, '/cancel') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
          $result = $CLICSHOPPING_getRetailers->cancelSession($sessionId);
          if ($result === null) {
            http_response_code(404);
            echo json_encode(['error' => 'Session not found']);
          } else {

// --------------------------------------------------------------------------------
// GET /products - Returns product catalog
// --------------------------------------------------------------------------------
    if ($method === 'GET' && ($hasProductsParam || strpos($path, '/products') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      // Return full product catalog
      $products = $CLICSHOPPING_getRetailers->getProducts();
      echo json_encode(['products' => $products], JSON_UNESCAPED_SLASHES);
      exit;

// POST /complete_and_order - Complete session then create order
// --------------------------------------------------------------------------------
    $hasCompleteAndOrderParam = isset($_GET['complete_and_order']);
    $completeSessionIdParam = isset($_GET['session_id']) ? (string)$_GET['session_id'] : null;
    if ($method === 'POST' && ($hasCompleteAndOrderParam || strpos($path, '/complete_and_order') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      if (empty($completeSessionIdParam)) {
        http_response_code(400);
        echo json_encode(['error' => 'Session ID required']);
        exit;
      }

// POST /create_order - Create ClicShopping order from session
// --------------------------------------------------------------------------------
    $hasCreateOrderParam = isset($_GET['create_order']);
    $orderSessionIdParam = isset($_GET['session_id']) ? (string)$_GET['session_id'] : null;
    if ($method === 'POST' && ($hasCreateOrderParam || strpos($path, '/create_order') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      if (empty($orderSessionIdParam)) {
        http_response_code(400);
        echo json_encode(['error' => 'Session ID required']);
        exit;
      }

    } elseif (!empty($checkoutIdParam)) {
      // Fallback ou prise en compte du paramètre 'id' si l'ID n'est pas dans le chemin
      $sessionId = $checkoutIdParam;
    }
    if ($method === 'POST' && ($hasCheckoutParam || strpos($path, '/checkout_sessions') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      if ($sessionId) {
        if ($hasCompleteParam || strpos($path, '/complete') !== false) {
          $validation = $CLICSHOPPING_getRetailers->validateAcpInput($input, 'complete', $input['items'] ?? []);
          if (!empty($validation)) {
            http_response_code(400);

// Simple routing
// --------------------------------------------------------------------------------
// POST /agentic_commerce/delegate_payment - Handle delegated payment vaulting
// --------------------------------------------------------------------------------
    if ($method === 'POST' && ($hasDelegatePaymentParam || strpos($path, '/agentic_commerce/delegate_payment') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      $headers = [
        'idempotency_key' => $_SERVER['HTTP_IDEMPOTENCY_KEY'] ?? null,
        'request_id' => $_SERVER['HTTP_REQUEST_ID'] ?? null
      ];
      $result = $CLICSHOPPING_getRetailers->handleDelegatePayment($input, $headers);

      exit;
    }
// --------------------------------------------------------------------------------
// POST /stripe_webhook - Handle Stripe webhooks
// --------------------------------------------------------------------------------
    if ($method === 'POST' && ($hasStripeWebhookParam || strpos($path, '/stripe_webhook') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 05 Feb 2026 20:48:49 +0000 by clicshopping
                    
      $CLICSHOPPING_getRetailers->handleStripeWebhook();
      exit;
    }
// --------------------------------------------------------------------------------

// Simple routing
// --------------------------------------------------------------------------------
// GET /products - Returns product catalog
// --------------------------------------------------------------------------------
    if ($method === 'GET' && ($hasProductsParam || strpos($path, '/products') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Tue, 17 Feb 2026 13:08:46 +0000 by clicshopping
                    
      // Return full product catalog
      $products = $CLICSHOPPING_getRetailers->getProducts();
      echo json_encode(['products' => $products], JSON_UNESCAPED_SLASHES);
      exit;

// POST /create_order - Create ClicShopping order from session
// --------------------------------------------------------------------------------
    $hasCreateOrderParam = isset($_GET['create_order']);
    $orderSessionIdParam = isset($_GET['session_id']) ? (string)$_GET['session_id'] : null;
    if ($method === 'POST' && ($hasCreateOrderParam || strpos($path, '/create_order') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Tue, 17 Feb 2026 13:08:46 +0000 by clicshopping
                    
      if (empty($orderSessionIdParam)) {
        http_response_code(400);
        echo json_encode(['error' => 'Session ID required']);
        exit;
      }

    } elseif (!empty($checkoutIdParam)) {
      // Fallback ou prise en compte du paramètre 'id' si l'ID n'est pas dans le chemin
      $sessionId = $checkoutIdParam;
    }
    if ($method === 'POST' && ($hasCheckoutParam || strpos($path, '/checkout_sessions') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Tue, 17 Feb 2026 13:08:46 +0000 by clicshopping
                    
      if ($sessionId) {
        // Completion: POST /checkout_sessions/{id}
        // Choose Delegated Payment or Stripe based on payload
        if (!empty($input['delegated_payment'])) {
          $session = $CLICSHOPPING_getRetailers->completeSessionWithDelegatedPayment($sessionId, $input);

// POST /complete_and_order - Complete session then create order
// --------------------------------------------------------------------------------
    $hasCompleteAndOrderParam = isset($_GET['complete_and_order']);
    $completeSessionIdParam = isset($_GET['session_id']) ? (string)$_GET['session_id'] : null;
    if ($method === 'POST' && ($hasCompleteAndOrderParam || strpos($path, '/complete_and_order') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Tue, 17 Feb 2026 13:08:46 +0000 by clicshopping
                    
      if (empty($completeSessionIdParam)) {
        http_response_code(400);
        echo json_encode(['error' => 'Session ID required']);
        exit;
      }

      exit;
    }
// --------------------------------------------------------------------------------
// POST /stripe_webhook - Handle Stripe webhooks
// --------------------------------------------------------------------------------
    if ($method === 'POST' && ($hasStripeWebhookParam || strpos($path, '/stripe_webhook') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Tue, 17 Feb 2026 13:08:46 +0000 by clicshopping
                    
      $CLICSHOPPING_getRetailers->handleStripeWebhook();
      exit;
    }
// --------------------------------------------------------------------------------

        'action' => 'products'
      ]);
      exit;
    }
    if ($method === 'POST' && ($hasCheckoutParam || strpos($path, '/checkout_sessions') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Fri, 13 Feb 2026 13:11:31 +0000 by clicshopping
                    
      if (($hasCompleteParam || strpos($path, '/complete') !== false) && (($checkoutIdParam !== null) || preg_match('#/checkout_sessions/([^/]+)/complete#', $path, $matches))) {
        $sessionId = $checkoutIdParam ?? $matches[1] ?? null;
        if (!$sessionId) {
          $errorResponse('VALIDATION_ERROR', 'Missing session id');
        }

      ]);
      exit;
    }
    if ($method === 'POST' && ($hasCheckoutParam || strpos($path, '/checkout_sessions') !== false)) {
      if (($hasCompleteParam || strpos($path, '/complete') !== false) && (($checkoutIdParam !== null) || preg_match('#/checkout_sessions/([^/]+)/complete#', $path, $matches))) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Fri, 13 Feb 2026 13:11:31 +0000 by clicshopping
                    
        $sessionId = $checkoutIdParam ?? $matches[1] ?? null;
        if (!$sessionId) {
          $errorResponse('VALIDATION_ERROR', 'Missing session id');
        }
        $result = $ucp->completeSession($sessionId, $input);

    $hasCheckoutParam = isset($_GET['checkout_sessions']) || isset($_GET['retailers/checkout_sessions']);
    $checkoutIdParam = isset($_GET['id']) ? (string)$_GET['id'] : null;
    $hasCompleteParam = isset($_GET['complete']);
    $hasWebhookParam = isset($_GET['webhook']);
    if ($method === 'GET' && ($hasProductsParam || strpos($path, '/products') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Fri, 13 Feb 2026 13:11:31 +0000 by clicshopping
                    
      $filters = [
        'page' => $_GET['page'] ?? 1,
        'limit' => $_GET['limit'] ?? 100,
        'category' => $_GET['category'] ?? null,
        'min_price' => $_GET['min_price'] ?? null,

        'action' => 'checkout_sessions.update'
      ]);
      exit;
    }
    if ($method === 'POST' && ($hasWebhookParam || strpos($path, '/webhook') !== false)) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Fri, 13 Feb 2026 13:11:31 +0000 by clicshopping
                    
      $result = $ucp->handleWebhook($input);
      echo json_encode($result, JSON_UNESCAPED_SLASHES);
      $logger->info('UCP response', [
        'request_id' => $requestId,
        'status' => 200,

                ];
              }
            }
            for ($i = 0, $n = \count($include_modules); $i < $n; $i++) {
              if (strpos($include_modules[$i]['class'], '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                Registry::set('Shipping_' . str_replace('\\', '_', $include_modules[$i]['class']), new $include_modules[$i]['file']);
                $module = Registry::get('Shipping_' . str_replace('\\', '_', $include_modules[$i]['class']));
                ?>
                <div class="row">
                  <div class="col-md-12">

            $modules_payment = explode(';', $Qconfiguration_payment->value('configuration_value'));
            $include_modules = [];
            foreach ($modules_payment as $value) {
              if (strpos($value, '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                $class = Apps::getModuleClass($value, 'Payment');
                $include_modules[] = ['class' => $value,
                  'file' => $class
                ];

                ];
              }
            }
            for ($i = 0, $n = \count($include_modules); $i < $n; $i++) {
              if (strpos($include_modules[$i]['class'], '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                Registry::set('Payment_' . str_replace('\\', '_', $include_modules[$i]['class']), new $include_modules[$i]['file']);
                $module = Registry::get('Payment_' . str_replace('\\', '_', $include_modules[$i]['class']));
                ?>
                <div class="row">
                  <div class="col-md-12">

            $modules_shipping = explode(';', $Qconfiguration_shipping->value('configuration_value'));
            $include_modules = [];
            foreach ($modules_shipping as $value) {
              if (strpos($value, '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 19:47:42 +0000 by ClicShopping
                    
                $class = Apps::getModuleClass($value, 'Shipping');
                $include_modules[] = ['class' => $value,
                  'file' => $class
                ];

            if ((substr($spider, strlen($spider) - 1, 1) == ' ') || (substr($spider, strlen($spider) - 1, 1) == "\n")) {
              $spider = substr($spider, 0, strlen($spider) - 1);
            }
            if (!empty($spider)) {
              if (strpos($user_agent, $spider) !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 18:17:38 +0000 by ClicShopping
                    
                $parameters['can_start'] = false;
                break;
              }
            }
          }

        $content = file($spiders_file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($content as $line) {
          $line = trim($line);
          // Ignore empty lines and comments starting with '#'
          if (!empty($line) && strpos($line, '#') !== 0) {
Consider replacing strpos() with str_starts_with() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Fri, 10 Apr 2026 14:08:10 +0000 by clicshopping
                    
            $spiders_array[] = strtolower($line);
          }
        }
        // Save processed list to cache for future requests

                    'text' => $Qproducts->valueInt('customers_basket_quantity') . ' x ' . $Qproducts->value('products_name')
                  ];
                  $attributes = [];
                  if (strpos($Qproducts->valueInt('products_id'), '{') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Thu, 31 Aug 2023 00:24:19 +0000 by ClicShopping
                    
                    $combos = [];
                    preg_match_all('/(\{[0-9]+\}[0-9]+){1}/', $Qproducts->valueInt('products_id'), $combos);
                    foreach ($combos[0] as $combo) {
                      $att = [];

      while ($Qcols->fetch()) {
        if ($Qcols->hasValue('Collation') && !\is_null($Qcols->value('Collation'))) {
          // Skip VECTOR columns - they are binary data and cannot be converted to UTF8
          $columnType = strtolower($Qcols->value('Type'));
          if (strpos($columnType, 'vector') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Sun, 11 Jan 2026 20:57:01 +0000 by clicshopping
                    
            continue;
          }
          if ($_POST['from_charset'] == 'auto') {
            $old_charset = substr($Qcols->value('Collation'), 0, strpos($Qcols->value('Collation'), '_'));

    $module_key = $CLICSHOPPING_CfgModule->get($set, 'key');
    $appModuleType = $CLICSHOPPING_ModulesAdmin->getSwitchModules($module_type);
    if (strpos($_GET['module'], '\\') !== false) {
Consider replacing strpos() with str_contains() for improved readability.
Time to fix: about 1 hour
Read doc Permalink Copy Prompt

                                    Last edited Wed, 30 Aug 2023 23:52:27 +0000 by ClicShopping
                    
      $class = Apps::getModuleClass($_GET['module'], $appModuleType);
      if (class_exists($class)) {
        $file_extension = '';
        $module = new $class();