<%
' Comersus Shopping Cart
' Comersus Open Technologies
' United States
' Software License can be found at License.txt
' http://www.comersus.com
%>

<%
' if it's a cancel request, go to cancel script.
if request.form("Cancel") <> "" then
 response.redirect "comersus_checkOutCancelOrder.asp"
end if

%>
<!--#include file="../includes/settings.asp"-->
<!--#include file="../includes/getSettingKey.asp"-->
<!--#include file="../includes/sessionFunctions.asp"-->
<!--#include file="../includes/databaseFunctions.asp"-->
<!--#include file="../includes/currencyFormat.asp"-->
<!--#include file="../includes/screenMessages.asp"-->
<!--#include file="../includes/encryption.asp"-->
<!--#include file="../includes/cartFunctions.asp"-->
<!--#include file="../includes/dateFunctions.asp"-->
<!--#include file="../includes/stringFunctions.asp"-->
<!--#include file="../includes/miscFunctions.asp"-->
<!--#include file="../includes/discountFunctions.asp"-->
<!--#include file="../includes/creditCardFunctions.asp"-->
<!--#include file="../includes/paymentMethodFunctions.asp"-->
<!--#include file="../includes/sendMail.asp"-->
<!--#include file="../includes/chargebackprotection.asp"-->
<!--#include file="../includes/fraudPrevention.asp"-->
<!--#include file="../includes/customerTracking.asp"-->
<!--#include file="../includes/preCharge.asp"-->
<!--#include file="../includes/maxMind.asp"-->
<!--#include file="comersus_optDes.asp"-->

<%

on error resume next

dim mySQL, connTemp, rsTemp, pTotal, pTaxAmount, rsTemp3

' get settings.
pDefaultLanguage = getSettingKey("pDefaultLanguage")
pStoreFrontDemoMode = getSettingKey("pStoreFrontDemoMode")
pCurrencySign = getSettingKey("pCurrencySign")
pDecimalSign = getSettingKey("pDecimalSign")
pMoneyDontRound = getSettingKey("pMoneyDontRound")
pCompany = getSettingKey("pCompany")
pCompanyCountryCode = getSettingKey("pCompanyCountryCode")
pApplyGST = getSettingKey("pGST")
pGSTRate = getSettingKey("pGSTRate")

pEmailSender = getSettingKey("pEmailSender")
pEmailAdmin = getSettingKey("pEmailAdmin")
pSmtpServer = getSettingKey("pSmtpServer")
pEmailComponent = getSettingKey("pEmailComponent")
pDebugEmail = getSettingKey("pDebugEmail")
pEncryptionPassword = getSettingKey("pEncryptionPassword")
pFraudPreventionMode = getSettingKey("pFraudPreventionMode")
pOrderPrefix = getSettingKey("pOrderPrefix")
pUseEncryptedTotal = getSettingKey("pUseEncryptedTotal")
pDisableSaveOrderEmail = getSettingKey("pDisableSaveOrderEmail")
pDateFormat = getSettingKey("pDateFormat")
pEncryptionMethod = getSettingKey("pEncryptionMethod")

pChargebackProtectionMerchant = getSettingKey("pChargebackProtectionMerchant")
pChargebackProtectionPassword = getSettingKey("pChargebackProtectionPassword")
pChargebackProtectionRegDate = getSettingKey("pChargebackProtectionRegDate")

pPreChargeMerchant = getSettingKey("pPreChargeMerchant")
pMaxMindLicenseKey = getSettingKey("pMaxMindLicenseKey")
pMaxMindScoreApproved = getSettingKey("pMaxMindScoreApproved")
pMaxMindScoreAlert = getSettingKey("pMaxMindScoreAlert")

pCardType = getUserInput(request.form("cardType"),8)
pCardNumber = getUserInput(request.form("cardNumber"),20)
pExpirationMonth = getUserInput(request.form("expMonth"),2)
pExpirationYear = getUserInput(request.form("expYear"),4)
pExpiration = pExpirationMonth & "/" & pExpirationYear
pSeqCode = getUserInput(request.form("cvv2"),4)

' IP request to server variables.
pBrowserIp = request.ServerVariables("REMOTE_HOST")

' get idDbSession in order to retrieve fields from the session.
pIdDbSession = getSessionVariable("idDbSession", 0)
pWishListIdCustomer = getSessionVariable("wishListIdCustomer", 0)

if sessionLost() then
 response.redirect "comersus_message.asp?message=" & Server.UrlEncode(getMsg(477,"It seems that your session was lost due to inactivity. Please try again from store home. Sorry for the inconvenience."))
end if

pIdDbSessionCart = checkDbSessionCartOpen()

' check if the cart is empty.
if countCartRows(pIdDbSessionCart) = 0 then
 response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(478,"Your cart is empty, you cannot save the order."))
end if

call customerTracking("comersus_checkoutSaveOrder.asp", request.querystring)

' get session variables.
pIdCustomer = getSessionVariable("idCustomer",0)
pIdCustomerType = getSessionVariable("idCustomerType",1)
pIdAffiliate = getSessionVariable("idAffiliate",1)

' get all fields from dbSession.

mySQL = "SELECT sessionData FROM dbSession WHERE idDbSession=" & pIdDbSession
call getFromDatabase(mySQL, rstemp, "orderVerify")

if rstemp.eof then
 response.redirect "comersus_supportError.asp?error=" & Server.Urlencode("Cannot get dbSession data at saveOrder for " & pIdDbSession)
end if

pSessionData = rstemp("sessionData")

if len(pSessionData) = 0 or pSessionData = "*" then
 response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(682,"It seems that you have reloaded or pressed twice the save order button. Please use the store navigation links."))
end if

pArraySessionData = split(pSessionData,"||")
 
' reloaded verification? (a reload may cause sessionData to have different number of values)
if uBound(pArraySessionData) <> 12 then
 response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(682,"It seems that you have reloaded the saveorder script. Please use the store navigation links."))
end if

pShipmentDetails = pArraySessionData(0)
pPaymentDetails = pArraySessionData(1)
pComments = pArraySessionData(2)
pBonusPoints = Cdbl(pArraySessionData(3))
pVatNumber = pArraySessionData(4)
pUser1 = pArraySessionData(5)
pUser2 = pArraySessionData(6)
pUser3 = pArraySessionData(7)
pDiscountCode = pArraySessionData(8)
pDiscountAmount = pArraySessionData(9)
pTaxAmount = pArraySessionData(10)
pTotal = pArraySessionData(11)
pIdPayment = pArraySessionData(12)

if isOffLinePayment(pIdPayment) then
 ' validates expiration.
 if DateDiff("d", Month(Now) & "/" & Year(now), pExpirationMonth & "/" & pExpirationYear) < 0 then
  response.redirect "comersus_message.asp?message=" & Server.UrlEncode(getMsg(515,"Credit card expired") & ". " & getMsg(615,"go back"))
 end if
 ' validates card.
 if not ValidateCreditCard(pCardNumber, pCardType) then
  response.redirect "comersus_message.asp?message=" & Server.UrlEncode(getMsg(516,"Invalid card number") & ". " & getMsg(615,"go back"))
 end if
end if

' call fraud prevention.
pFiltersReturned = rejectOrder()
if pFraudPreventionMode <> "none" and pFiltersReturned <> "" then
 response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(716,"You cannot checkout ") & " " & pFiltersReturned)
end if

' send precharge request.
if pPreChargeMerchant <> "0" then
 if preChargeApproved(pCardNumber, pExpirationMonth, pExpirationYear, pResponse) = 0 then
  response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(513,"This transaction has been rejected. Please verify your information and try again. Response details: ") & pResponse)
 end if
end if

' send MaxMind request.
if pMaxMindLicenseKey <> "0" then
 pScore = 10
 if MaxMindApproved(pIdCustomer, pBrowserIp, pScore) = 0 then
  response.redirect "comersus_message.asp?message=" & Server.Urlencode(getMsg(717,"This transaction has been rejected. Please verify your information and try again. Score : ") & pScore)
 end if
end if ' maxmind

' get customer data.
mySQL = "SELECT * FROM customers WHERE idCustomer=" & pIdCustomer
call getFromDatabase(mySQL, rstemp, "saveOrder")

if not rstemp.eof then
 pName = formatForDb(rstemp("name"))
 pLastName = formatForDb(rstemp("lastName"))
 pCustomerCompany = formatForDb(rstemp("customerCompany"))
 pEmail = rstemp("email")
 pPassword = rstemp("password")
 pPhone = rstemp("phone")

 pAddress = formatForDb(rstemp("address"))
 pZip = formatForDb(rstemp("zip"))
 pStateCode = rstemp("stateCode")
 pState = formatForDb(rstemp("state"))
 pCity = formatForDb(rstemp("city"))
 pCountryCode = rstemp("countryCode")

 pShippingName = formatForDb(rstemp("shippingName"))
 pShippingLastName = formatForDb(rstemp("shippingLastName"))
 pShippingAddress = formatForDb(rstemp("shippingAddress"))
 pShippingZip = formatForDb(rstemp("shippingZip"))
 pShippingStateCode = rstemp("shippingStateCode")
 pShippingState = formatForDb(rstemp("shippingState"))
 pShippingCity = formatForDb(rstemp("shippingCity"))
 pShippingCountryCode = rstemp("shippingCountryCode")

 if isNull(pCustomerCompany) then
  pCustomerCompany = ""
 end if
end if

' call chargeback protection API.
if pChargebackProtectionMerchant <> "0" and pChargebackProtectionMerchant <> "" then
 pChargeBackMSG = checkChargeProtection(pChargebackProtectionMerchant, pChargebackProtectionPassword, pName, pLastName, pCountryCode)
else
 pChargeBackMSG = "Not enabled"
end if

' create date, fix 0 if day or month has one place.
pOrderDate = fixDate(Date())

' compile order contents snapshot field (contents are still linked through cartRows).
mySQL = "SELECT idCartRow, cartRows.idProduct, quantity, unitPrice, unitGST, description, sku, deliveringTime, emailText, personalizationDesc FROM cartRows, products WHERE cartRows.idProduct=products.idProduct AND cartRows.idDbSessionCart=" & pIdDbSessionCart
call getFromDatabase(mySQL, rsTemp, "saveorder 4")

do while not rsTemp.eof
 pIdCartRow = rsTemp("idCartRow")
 pIdProduct = rsTemp("idProduct")
 pSku = rsTemp("sku")
 pQuantity = rsTemp("quantity")
 pUnitPrice = Cdbl(rsTemp("unitPrice"))
 pUnitGST = Cdbl(rstemp("unitGST"))
 pDescription = rsTemp("description")
 pPersonalizationDesc = rsTemp("personalizationDesc")

 ' get optionals.
 pOptionGroupsTotal = 0
 ' get optionals for current cart row.
 mySQL = "SELECT optionDescrip, priceToAdd FROM cartRowsOptions WHERE idCartRow=" & pIdCartRow
 call getFromDatabase(mySQL, rsTemp2, "saveorder 5")
 pOptionsDescripCompound = ""
 do while not rsTemp2.eof
  pPriceToAdd = Cdbl(rsTemp2("priceToAdd"))
  pOptionsDescripCompound = pOptionsDescripCompound & rsTemp2("optionDescrip") & " "
  if pPriceToAdd > 0 then
   pOptionsDescripCompound = pOptionsDescripCompound & pCurrencySign & money(pPriceToAdd)
  end if
  pOptionGroupsTotal = pOptionGroupsTotal + pPriceToAdd
  rsTemp2.movenext
 loop

 pRowPrice = Cdbl(pQuantity * (pOptionGroupsTotal + pUnitPrice))
 ' compile order details `snapshot` (items are also saved into cartRows table)
 pDetails = pDetails & pQuantity & "x #" & pSku & "/" & pIdProduct & " " & pDescription
 if pPersonalizationDesc <> "" then
  pDetails = pDetails & "(" & pPersonalizationDesc & ")"
 end if
 if pCompanyCountryCode = "AU" and pApplyGST = "-1" then
  pRowGST = Cdbl(pQuantity * pUnitGST)
  pTotalGST = pTotalGST + pRowGST
 end if
 pDetails = pDetails & " " & getMsg(479,"variations") & " " & pOptionsDescripCompound & "= " & pCurrencySign & money(pRowPrice + pRowGST) & Vbcrlf
 rsTemp.movenext
loop

if pBonusPoints > 0 then
 ' set bonus details in discount field.
 pDiscountDetails = getMsg(480,"Bonus points") & ": " & pCurrencySign & money(pBonusPoints)
end if

' compile discount and mark discount as used.
if pDiscountCode<> "" then
 pDiscountDetails = Cstr("")
 pDiscountDetails = pDiscountDetails & Vbcrlf & getMsg(481,"disc code") & ": " & pDiscountCode & " " & pCurrencySign & money(pDiscountAmount)
 call markDiscountAsUsed(pDiscountCode)
end if ' discount code active

' get selected payment.
mySQL = "SELECT redirectionUrl, emailText FROM payments WHERE idPayment=" & pIdPayment
call getFromDatabase(mySQL, rsTemp, "saveorder 7")

if rsTemp.eof then
 response.redirect "comersus_supportError.asp?error=" & Server.Urlencode("Cannot locate selected payments in database.")
end if

' load redirection and email text for payment method selected.
pRedirectionUrl = rsTemp("redirectionUrl")
pEmailText = rsTemp("emailText")

' if idAffiliate is not valid, set generic affiliate.
if affiliateValid(pIdAffiliate) = 0 then pIdAffiliate = 1

' random number to locate inserted record without using specific DB engine methods.
pRandomNumber = randomNumber(99999)

' format fields for database.
pTotalToSave = replace(pTotal,",",".")
pTaxAmountToSave = replace(pTaxAmount,",",".")
pDetails = formatForDb(pDetails)
'pRowGST = formatForDB(pRowGST)
pUser1 = formatForDb(pUser1)
pUser2 = formatForDb(pUser2)
pUser3 = formatForDb(pUser3)

mySQL = "INSERT INTO orders (orderDate, idCustomer, details, total, taxAmount, obs, gst, address, zip, state, stateCode, city, countryCode, shippingName, shippingLastName, shippingAddress, shippingZip, shippingState, shippingStateCode, shippingCity, shippingCountryCode, shipmentDetails, paymentDetails, discountDetails, nroRan, orderStatus, idAffiliate, viewed, idCustomerType, digitalEmailText, browserIp, vatNumber, idStore, wishListIdCustomer, user1, user2, user3) VALUES ('" & pOrderDate  & "','" & Cstr(pIdCustomer) & "','" & pDetails & "'," & pTotalToSave & "," & pTaxAmountToSave & ",'" & pComments & "','" & pRowGST & "','" & pAddress & "','" & pZip & "','" & pState & "','" & pStateCode & "','" & pCity & "','" & pCountryCode & "','" & pShippingName & "','" & pShippingLastName & "','" & pShippingAddress & "','" & pShippingZip & "','" & pShippingState & "','" & pShippingStateCode & "','" & pShippingCity & "','" & pShippingCountryCode & "','" & pShipmentDetails & "','" & pPaymentDetails & "','" & pDiscountDetails & "'," & pRandomNumber & ",1," & pIdAffiliate & ",0," & pIdCustomerType & ",'','" & pBrowserIp & "','" & pVatNumber & "'," & pIdStore & "," & pWishListIdCustomer & ",'" & pUser1 & "','" & pUser2 & "','" & pUser3 & "')"
call updateDatabase(mySQL, rsTemp, "saveorder 9")

' get id of the saved order.
mySQL1 = "SELECT idOrder FROM orders WHERE nroRan=" & pRandomNumber & " AND idCustomer=" & pIdCustomer & " AND orderDate='" & pOrderDate & "'"
call getFromDatabase(mySQL1, rsTemp, "saveorder 10")

if rsTemp.eof then
 response.redirect "comersus_supportError.asp?error=" & Server.Urlencode("Error in saveorder 11. Cannot locate generated order with ran: " & pRandomNumber&", customer: " & pIdCustomer & " - Previous SQL: " & mySQL)
end if

pIdOrder = rsTemp("idOrder")

' save orderItems - assign idOrder to dbSessionCart and close the order.
mySQL = "UPDATE dbSessionCart SET idOrder=" & pIdOrder & ", cartOpen=0, idDbSession=NULL WHERE idDbSessionCart=" & pIdDbSessionCart
call updateDatabase(mySQL, rsTemp, "saveorder 11")    

' delete dbSessionData inside dbSession.
mySQL = "UPDATE dbSession SET sessionData='*' WHERE idDbSession=" & pIdDbSession
call updateDatabase(mySQL, rsTemp, "saveorder 12")

' rest bonus points used.
if pBonusPoints > 0 then
 call restBonusPoints(pBonusPoints, pIdCustomer)
end if

if isOffLinePayment(pIdPayment) then
 ' encrypt CC data.
 pECardNumber = EnCrypt(pCardNumber, pEncryptionPassword)
 ' save credit card info.
 mySQL = "INSERT INTO creditCards (idOrder, cardType, cardNumber, expiration, seqCode) VALUES (" & pIdOrder & ",'" & pCardType & "','" & pECardNumber & "','" & pExpiration & "','" & pSeqCode & "')"
 call updateDatabase(mySQL, rstemp, "optOffLinePaymentExec")
end if

' compile email details text
customerEmail = Cstr("")
customerEmail = getMsg(482,"dear") & " "& pName & " " & pLastName & vbCrLf & vbCrLf
customerEmail = customerEmail & "Thanks you for shopping with Design-A-Candy." & vbCrLf & vbCrLf
customerEmail = customerEmail & "Order No. : " & pOrderPrefix & pIdorder & vbCrLf & vbCrLf
customerEmail = customerEmail & "Your details :" & vbCrLf
customerEmail = customerEmail & pName & " " & pLastName & vbCrLf
if pCustomerCompany <> "" then
 customerEmail = customerEmail & pCustomerCompany & vbCrLf
end if
customerEmail = customerEmail & pAddress & vbCrLf
customerEmail = customerEmail & pCity & " " & pStateCode & " " & pZip & vbCrLf
customerEmail = customerEmail & getCountryName(pCountryCode) & vbCrLf & vbCrLf
customerEmail = customerEmail & "Deliver to :" & vbCrLf & vbCrLf
if pShippingAddress = pAddress or isNull(pShippingAddress) then
 customerEmail = customerEmail & "Same as billing address." & vbCrLf & vbCrLf
else
 customerEmail = customerEmail & pShippingAddress & vbCrLf
 customerEmail = customerEmail & pShippingCity & " " & pShippingStateCode & " " & pShippingZip & vbCrLf
 customerEmail = customerEmail & getCountryName(pShippingCountryCode) & vbCrLf & vbCrLf
end if
customerEmail = customerEmail & getMsg(484,"order details") & vbCrLf & vbCrLf & pDetails & vbCrLf
customerEmail = customerEmail & "Payment Details : " & pPaymentDetails & vbCrLf & vbCrLf
customerEmail = customerEmail & "Shipment Details : Australia Post " & pShipmentDetails & vbCrLf & vbCrLf
if pDiscountCode <> "" or pBonusPoints > 0 then
 customerEmail = customerEmail & vbCrLf & pDiscountDetails
end if
customerEmail = customerEmail & "-------------------" & vbCrLf & getMsg(486,"total") & " : " & " " & pCurrencySign & money(pTotal) & vbCrLf & vbCrLf
if pCompanyCountryCode = "AU" and pApplyGST = "-1" then
 customerEmail = customerEmail & "The total price includes GST of : " & pCurrencySign & money(pTotalGST) & vbCrLf & vbCrLf
else
 customerEmail = customerEmail & getMsg(485,"taxes") & ": " & pCurrencySign & money(pTaxAmount) & vbCrLf
 customerEmail = customerEmail & vbCrLf & getMsg(485,"taxes") & ": " & pCurrencySign & money(pTaxAmount) & vbCrLf & vbCrLf
end if
if trim(pEmailText) <> "" then 
 customerEmail = customerEmail & VBcrlf & VBcrlf & getMsg(487,"payment info") & ": " & pEmailText
end if

' clear header cart variables.
session("cartSubTotal") = 0
session("cartItems") = 0

' clead discount code.
session("discountCode")	= ""

if pUseEncryptedTotal = "-1" then
 pGatewayTotal = EnCrypt(pTotal, pEncryptionPassword)
else
 pGatewayTotal = pTotal
end if

pCustomerSubject = getMsg(488,"order at") & " " & pCompany & ", " &  " #" & pOrderPrefix & pIdorder

customerEmail = customerEmail & vbCrLf & vbCrLf & pCompany & vbCrLf & pEmailAdmin & vbCrLf & vbCrLf & getMsg(489,"payment confirm in other email") & vbCrLf & vbCrLf

if pDisableSaveOrderEmail <> "-1" then
 ' send default customer email.
 call sendmail (pCompany, pEmailSender, pEmail, pCustomerSubject, customerEmail)
end if

adminEmail = Cstr("")
adminEmail = "New order #" & pOrderPrefix & pIdorder & "." & vbCrLf & vbCrLf
adminEmail = adminEmail & "Customer details :" & vbCrLf
adminEmail = adminEmail & pName & " " & pLastName & vbCrLf
if pCustomerCompany <> "" then
 adminEmail = adminEmail & pCustomerCompany & vbCrLf
end if
adminEmail = adminEmail & pAddress & vbCrLf
adminEmail = adminEmail & pCity & " " & pStateCode & " " & pZip & vbCrLf
adminEmail = adminEmail & getCountryName(pCountryCode) & vbCrLf & vbCrLf
adminEmail = adminEmail & "Deliver to :" & vbCrLf & vbCrLf
if pShippingAddress = pAddress or isNull(pShippingAddress) then
 adminEmail = adminEmail & "Same as billing address." & vbCrLf & vbCrLf
else
 adminEmail = adminEmail & pShippingAddress & vbCrLf
 adminEmail = adminEmail & pShippingCity & " " & pShippingStateCode & " " & pShippingZip & vbCrLf
 adminEmail = adminEmail & getCountryName(pShippingCountryCode) & vbCrLf & vbCrLf
end if
adminEmail = adminEmail & "Please supply" & vbCrLf & vbCrLf & pDetails & vbCrLf
adminEmail = adminEmail & "Payment Details : " & pPaymentDetails & vbCrLf & vbCrLf
adminEmail = adminEmail & "Shipment Details : Australia Post " & pShipmentDetails & vbCrLf & vbCrLf
if pDiscountCode <> "" or pBonusPoints > 0 then
 adminEmail = adminEmail & vbCrLf & pDiscountDetails
end if
aminEmail = adminEmail & "-------------------" & vbCrLf & getMsg(486,"total") & " : " & " " & pCurrencySign & money(pTotal) & vbCrLf & vbCrLf
if pCompanyCountryCode = "AU" and pApplyGST = "-1" then
 adminEmail = adminEmail & "The total price includes GST of : " & pCurrencySign & money(pTotalGST) & vbCrLf & vbCrLf
else
 adminEmail = adminEmail & getMsg(485,"taxes") & ": " & pCurrencySign & money(pTaxAmount) & vbCrLf
 adminEmail = adminEmail & vbCrLf & getMsg(485,"taxes") & ": " & pCurrencySign & money(pTaxAmount) & vbCrLf & vbCrLf
end if

' send email notification to the store admin.
call sendmail (pCompany, pEmailSender, pEmailAdmin, "New order #" & pOrderPrefix & pIdorder & " in your store.", adminEmail)

' go to a payment form if is not offline payment.
if trim(pRedirectionUrl) <> "" and pRedirectionUrl <> "comersus_offLinePaymentForm.asp" then
 response.redirect pRedirectionUrl & "?idOrder=" & pOrderPrefix & pIdorder & "&OrderTotal=" & pGatewayTotal & "&name=" & Server.UrlEncode(pName) & "&lastName=" & Server.UrlEncode(pLastName) & "&address=" & Server.UrlEncode(pAddress) & "&city=" & Server.UrlEncode(pCity) & "&state=" & Server.UrlEncode(pState & pStateCode) & "&zip=" & Server.UrlEncode(pZip) & "&country=" & Server.UrlEncode(pCountryCode) & "&phone=" & Server.UrlEncode(pPhone) & "&email=" & Server.UrlEncode(pEmail) & "&orderDetails=" & Server.UrlEncode(pDetails) & "&company=" & Server.UrlEncode(pCustomerCompany)
else 
 ' redirect to default order confirmation.
 response.redirect "comersus_defaultOrderConfirmation.asp?idOrder=" & pOrderPrefix & pIdOrder
end if

call closeDb()
%>