Title: WeBid 1.0.6 SQL Injection Vulnerability
Author: Life Wasted
Vendor: http://www.webidsupport.com/
Affected Versions: 1.0.6 (tested); other versions may also be affected
Tested On: Linux and Windows
Vulnerable code:
Line 53 of validate.php
Lines 198 through 202 and 234 of includes/functions_fees.php
Proof of concept:
validate.php?toocheckout=asdf calls the toocheckout_validate() function.
toocheckout_validate() takes unsanitized POST input from two different parameters (total and cart_order_id).
toocheckout_validate() calls callback_process() if the POST parameter credit_card_processed is equal to 'y'.
The unsanitized parameters are used directly in an UPDATE query:
$query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount . $addquery . " WHERE id = " . $custom_id;
This allows an attacker to retrieve data using a time-based blind injection technique or by updating a pre-existing value to the output of an embedded query.
For example, the attacker could send the following POST data to extract the name of the current database.
http://[target]/validate.php?toocheckout=asdf
POST data: cart_order_id=[attacker's user id]WEBID1&credit_card_processed=Y&total=1,name=(SELECT database())
The resulting query would be:
UPDATE users SET balance = balance + 1, name = (SELECT database()) WHERE id = [attacker's user id]
The attacker could then sign in to their account and view the requested data on the edit_data.php page.
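A defensive illustration of the fix, added here and not taken from WeBid's own code: the concatenated query from the advisory is reconstructed next to a hardened version that validates total and cart_order_id as numbers and binds them with a prepared statement. The PDO handle, the function names and the "<user id>WEBID1" shape of cart_order_id are assumptions drawn from the advisory's example.

```php
<?php
// Added example, not WeBid's code. $db (a PDO handle) and $DBPrefix are assumed.

// VULNERABLE (the pattern the advisory describes): raw POST values are concatenated
// into SQL, so "total=1,name=(SELECT database())" becomes part of the SET clause.
function credit_balance_vulnerable(PDO $db, string $DBPrefix, array $post): void
{
    $payment_amount = $post['total'];          // unsanitized
    $custom_id      = $post['cart_order_id'];  // unsanitized
    $addquery       = '';
    $query = "UPDATE " . $DBPrefix . "users SET balance = balance + " . $payment_amount
           . $addquery . " WHERE id = " . $custom_id;
    $db->exec($query);
}

// HARDENED: validate both values as numbers first, then bind them as parameters so
// the values can never be interpreted as SQL syntax. Returns false when validation fails.
function credit_balance_hardened(PDO $db, string $DBPrefix, array $post): bool
{
    $amount = filter_var($post['total'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($amount === false || $amount <= 0) {
        return false;  // "1,name=(SELECT database())" is not a float and is rejected here
    }

    // Assumption from the advisory's example: cart_order_id is "<user id>WEBID1".
    // Accept only that exact shape and extract the numeric id.
    if (!preg_match('/^(\d{1,10})WEBID1$/', $post['cart_order_id'] ?? '', $m)) {
        return false;
    }
    $user_id = (int) $m[1];

    // $DBPrefix is server configuration, not user input; only the values are bound.
    $stmt = $db->prepare("UPDATE {$DBPrefix}users SET balance = balance + :amount WHERE id = :id");
    $stmt->bindValue(':amount', $amount);
    $stmt->bindValue(':id', $user_id, PDO::PARAM_INT);
    return $stmt->execute();
}
```

Even with binding in place, a payment callback should also verify the processor's signature or secret before crediting anything, since the advisory's request reaches the UPDATE with no proof that a payment occurred.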