authorivan <ivan>2007-11-29 02:54:51 +0000
committerivan <ivan>2007-11-29 02:54:51 +0000
commit7ed55804735f4f687cd64139db7bae9746282a89 (patch)
tree484809ce09617af31806b61c63574a90535a5f62 /httemplate/misc
parent5e5da406c19d7674e3ae959a5a772aa9d2339d0a (diff)
even more reliable multiple-payment/double-click/concurrent-payment-form protection
Diffstat (limited to 'httemplate/misc')
-rw-r--r--httemplate/misc/payment.cgi5
-rw-r--r--httemplate/misc/process/payment.cgi5
2 files changed, 8 insertions, 2 deletions
diff --git a/httemplate/misc/payment.cgi b/httemplate/misc/payment.cgi
index 2c889d73b..ce9a48beb 100644
--- a/httemplate/misc/payment.cgi
+++ b/httemplate/misc/payment.cgi
@@ -1,9 +1,10 @@
<% include( '/elements/header.html', "Process $type{$payby} payment" ) %>
<% include( '/elements/small_custview.html', $cust_main, '', '', popurl(2) . "view/cust_main.cgi" ) %>
<FORM NAME="OneTrueForm" ACTION="process/payment.cgi" METHOD="POST" onSubmit="document.OneTrueForm.process.disabled=true">
-<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
-<INPUT TYPE="hidden" NAME="payby" VALUE="<% $payby %>">
+<INPUT TYPE="hidden" NAME="custnum" VALUE="<% $custnum %>">
+<INPUT TYPE="hidden" NAME="payby" VALUE="<% $payby %>">
<INPUT TYPE="hidden" NAME="payunique" VALUE="<% $payunique %>">
+<INPUT TYPE="hidden" NAME="balance" VALUE="<% $balance %>">
<SCRIPT TYPE="text/javascript" SRC="../elements/overlibmws.js"></SCRIPT>
<SCRIPT TYPE="text/javascript" SRC="../elements/overlibmws_iframe.js"></SCRIPT>
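Review bot: The new hidden `balance` field is a client-supplied value, so the server can only use it as an optimistic stale-form check, not as a trusted figure; a template comment saying so would keep the next maintainer from treating it as authoritative, e.g. `<%# balance as rendered; presumably compared server-side to catch stale/concurrent forms, not a trusted amount %>`. Where `$balance` is computed is outside the hunk (presumably the component's init block), so whether it is the customer's current balance at render time cannot be confirmed here. The same field is consumed in process/payment.cgi, where its validation is reviewed separately.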
diff --git a/httemplate/misc/process/payment.cgi b/httemplate/misc/process/payment.cgi
index 71a4891cf..889670d12 100644
--- a/httemplate/misc/process/payment.cgi
+++ b/httemplate/misc/process/payment.cgi
@@ -56,6 +56,10 @@ $cgi->param('payunique') =~ /^([\w \!\@\#\$\%\&\(\)\-\+\;\:\'\"\,\.\?\/\=]*)$/
or errorpage(gettext('illegal_text'). " payunique: ". $cgi->param('payunique'));
my $payunique = $1;
+$cgi->param('balance') =~ /^\s*(\-?\s*\d*(\.\d\d)?)\s*$/
+ or errorpage("illegal balance");
+my $balance = $1;
+
my $payinfo;
my $paycvv = '';
if ( $payby eq 'CHEK' ) {
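Review bot: The balance check at the first added line accepts an empty or missing parameter (`\d*` matches nothing), whitespace between the sign and the digits (`\-?\s*\d*`), and a trailing newline (`$` rather than `\z`), so `$balance` can end up as `''` or `"- 5"` and is then handed to realtime_bop unchanged in the second hunk of this file. Since a missing hidden field would pass validation silently rather than being rejected, tightening to `$cgi->param('balance') =~ /^\s*(-?\d+(?:\.\d\d)?)\s*\z/` keeps `$1` intact and rejects those forms; any rejection message would read consistently with the `payunique` check above if it went through `gettext` as well. What realtime_bop does with an empty balance is outside this diff, so the impact is inferred from the commit description rather than visible code.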
@@ -125,6 +129,7 @@ if ( $cgi->param('batch') ) {
$error = $cust_main->realtime_bop( $FS::payby::payby2bop{$payby}, $amount,
'quiet' => 1,
'manual' => 1,
+ 'balance' => $balance,
'payinfo' => $payinfo,
'paydate' => "$year-$month-01",
'payname' => $payname,