
#8 is_authorized check needs to exit after failure

Status: open-fixed
Priority: 7
Updated: 2007-01-29
Created: 2007-01-27
Creator: Jim Plush
Private: No

There is a large error in the mybic server code: the $response variable is called after it may or may not be conditionally created. This is probably overlooked because 99% of the requests are authenticated. Here is the fix:

if(is_file(INFOS_BIC_PATH.$file)) {
    include_once(INFOS_BIC_PATH.$file);

    $xmlhttp_response = new $php_class($_REQUEST);
    if($xmlhttp_response->is_authorized()) {
        $response = $xmlhttp_response->return_response();

        /********* BEGIN DAVE MOVE ***************/
        // Output is produced only inside the authorized branch.
        // If you want XML or text returned instead of JSON, pass json=false in the query string.
        if(isset($_REQUEST['json']) && $_REQUEST['json'] === 'false') {
            echo $response;
        } else {
            if (function_exists('json_encode')) {
                echo json_encode($response); // uses the C extension for encoding JSON
            } else {
                require_once(SERVER_ROOT.'mybic_json.php');
                $JSON = new Services_JSON();
                echo $JSON->encode($response);
            }
        }
        /*************** END DAVE MOVE *************/
    } else {
        // log failed authorization to file
        logErrorToFile("Authorization Failed- IP:{$_SERVER['REMOTE_ADDR']} QueryVars:".serialize($_REQUEST));
        echo 'ajax_msg_failed|notauth';
    }

    /************* ORIGINAL LOCATION OF MOVED BLOCK *****************/
    // $response used to be encoded and echoed here, i.e. after the if/else,
    // so it ran even when is_authorized() had failed and $response was never set.

} else {
    // log no action found
    logErrorToFile("No PHP Class Found for Action: {$_REQUEST['action']}. Failed- IP:{$_SERVER['REMOTE_ADDR']}");
    echo "ajax_msg_failed|No Action Found that matches query string: {$_REQUEST['action']}. This means the server cannot find your PHP class file, check your paths";
}
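The following is an added example, not MyBic's own code, that reduces the dispatch logic from this ticket to a self-contained script (PHP 8) so the two output placements can be compared. The Handler class, the 'token' request key, the capture() helper and the two sample requests are assumptions made for the illustration; they stand in for the framework's class loaded from INFOS_BIC_PATH and its real is_authorized() check.

```php
<?php
// Added example, not MyBic's own code: a reduced model of the dispatch logic
// from the ticket, with the original ("broken") and moved ("fixed") output
// placement side by side. The Handler class, the 'token' request key and the
// capture() helper are assumptions made for this illustration.

class Handler
{
    public function __construct(private array $request) {}

    // Stands in for the framework's is_authorized(): a constant token check.
    public function is_authorized(): bool
    {
        return isset($this->request['token'])
            && hash_equals('demo-token', (string) $this->request['token']);
    }

    public function return_response(): array
    {
        return ['ok' => true, 'action' => $this->request['action'] ?? ''];
    }
}

// Runs $body with output buffered and PHP warnings collected instead of
// printed, so the two flows can be compared deterministically.
function capture(callable $body): array
{
    $warnings = [];
    set_error_handler(function (int $no, string $msg) use (&$warnings): bool {
        $warnings[] = $msg;
        return true; // handled: do not let it reach the output buffer
    });
    ob_start();
    try {
        $body();
    } finally {
        $output = ob_get_clean();
        restore_error_handler();
    }
    return ['output' => $output, 'warnings' => $warnings];
}

// Shape of the code before the fix: the encode/echo step sits after the
// if/else, so it runs on the failure path too, where $response was never set.
function dispatchBroken(array $request): array
{
    return capture(function () use ($request): void {
        $handler = new Handler($request);
        if ($handler->is_authorized()) {
            $response = $handler->return_response();
        } else {
            echo 'ajax_msg_failed|notauth';
        }
        echo json_encode($response); // undefined on failure: warning, and "null" is appended
    });
}

// Shape of the fix from the ticket: output only inside the authorized branch,
// so a failed check produces the failure marker and nothing else.
function dispatchFixed(array $request): array
{
    return capture(function () use ($request): void {
        $handler = new Handler($request);
        if ($handler->is_authorized()) {
            $response = $handler->return_response();
            echo json_encode($response);
        } else {
            echo 'ajax_msg_failed|notauth';
        }
    });
}

// Constructed sample requests.
$unauthorized = ['action' => 'demo', 'token' => 'wrong'];
$authorized   = ['action' => 'demo', 'token' => 'demo-token'];

foreach (['broken' => 'dispatchBroken', 'fixed' => 'dispatchFixed'] as $label => $fn) {
    foreach (['unauthorized' => $unauthorized, 'authorized' => $authorized] as $case => $req) {
        $r = $fn($req);
        printf("%-6s %-12s output=%s warnings=%s\n",
            $label, $case, var_export($r['output'], true), json_encode($r['warnings']));
    }
}
```

Run with `php example.php`. The broken flow on the unauthorized request emits `ajax_msg_failed|notauthnull` together with an "Undefined variable $response" warning, which is the fused failure-marker-plus-payload the ticket describes; the fixed flow emits only the failure marker, and both flows behave identically for the authorized request.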

Discussion

  • Jim Plush - 2007-01-29
    • status: open --> open-fixed

  • Jim Plush - 2007-01-29

    Logged In: YES
    user_id=1491998
    Originator: YES

    This is fixed, checked in and will be sent out in the next release. Thank you.
