if (!empty($_GET['order'])) {
// Order number placed, is he also logged in?
- if(IS_LOGGED_IN()) {
+ if(IS_MEMBER()) {
// Ok, test passed... :)
- $result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%d AND sender=%d AND data_type='TEMP' LIMIT 1",
+ $result = SQL_QUERY_ESC("SELECT subject, url FROM "._MYSQL_PREFIX."_pool WHERE id=%s AND sender=%s AND data_type='TEMP' LIMIT 1",
array(bigintval($_GET['order']), $GLOBALS['userid']), __FILE__, __LINE__);
// Finally is the entry valid?
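Review bot: On the added query line, `id=%s AND sender=%s` drops the integer coercion that `%d` provided, and the placeholders are not quoted in the SQL, so whatever string escaping `SQL_QUERY_ESC()` presumably applies does not constrain what lands there. The first value goes through `bigintval()`, but `$GLOBALS['userid']` is passed as-is and where it is set is not visible here, so it should be normalised at the call site: `array(bigintval($_GET['order']), bigintval($GLOBALS['userid'])), __FILE__, __LINE__);`. A one-line comment above the query saying why `%s` replaces `%d` (large ids being truncated, if that is the reason) would keep a later edit from reverting it or from passing an unfiltered value. The surrounding `if` block continues outside this hunk.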
}
if ((!empty($_POST['url'])) || (!empty($_GET['url'])) || (!empty($_GET['frame']))) {
+ // Default URL is ours
$url = URL;
- if (!empty($_POST['url'])) $url = $_POST['url'];
- // Decode URL if set
+ // Decode URL if set in GET parameters
if (!empty($_GET['url'])) $url = COMPILE_CODE(gzuncompress(base64_decode(urldecode($_GET['url']))));
+ // Use URL from POST data if set
+ if (!empty($_POST['url'])) $url = $_POST['url'];
+
// Add missing element
$frame = "";
if (!empty($_GET['frame'])) $frame = SQL_ESCAPE($_GET['frame']);
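Review bot: The added `if (!empty($_POST['url'])) $url = $_POST['url'];` takes the request value unchanged, and after the reordering it now wins over the decoded GET value. How `$url` is used lies outside this hunk, but if it reaches a frame source, link or redirect it should be restricted first, for example with `if (!preg_match('#^https?://#i', $url)) $url = URL;` placed after both assignments. The GET branch above it also feeds request data into `gzuncompress()` without the optional length limit and without checking for a `false` result before `COMPILE_CODE()`. Passing a maximum length as the second argument and falling back to `URL` on failure would bound that path.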