Re: Authorization code in email notification to orders department
I ended up implementing my ideas in comment #5, but the code I had in that comment was not exactly right. If anyone cares, I have my implementation below. I am still curious about your opinions on best practices and security.
In include/func/func.order.php,
in function func_process_order() at around line 1200,
I changed:
if ($config['Email_Note']['eml_order_p_notif_admin'] == 'Y') {
    $to_customer = $config['default_admin_language'];
    func_send_mail($config["Company"]["orders_department"], "mail/order_notification_subj.tpl", "mail/order_notification_admin.tpl", $config["Company"]["orders_department"], true, true);
}
TO:
if ($config['Email_Note']['eml_order_p_notif_admin'] == 'Y') {
    // Query X-Cart for the order's extra fields (advinfo holds the CC details)
    $orderForAdvInfo = func_query("SELECT khash, value FROM $sql_tbl[order_extras] WHERE orderid = '$orderid'");
    $advOrder = '';
    if (!empty($orderForAdvInfo)) {
        // Re-key the rows by khash so advinfo can be looked up by name
        foreach ($orderForAdvInfo as $v) {
            $orderForAdvInfo[$v["khash"]] = $v["value"];
        }
        // Decrypt only when an advinfo row exists for this order
        if (isset($orderForAdvInfo['advinfo'])) {
            $advOrder = text_decrypt($orderForAdvInfo['advinfo']);
        }
    }
    $mail_smarty->assign("advOrder", $advOrder);
    $to_customer = $config['default_admin_language'];
    func_send_mail($config["Company"]["orders_department"], "mail/order_notification_subj.tpl", "mail/order_notification_admin.tpl", $config["Company"]["orders_department"], true, true);
}
I then changed
/skin1/mail/order_notification_admin.tpl
and
/skin1/mail/html/order_notification_admin.tpl
from:
{include file="mail/order_invoice.tpl"}
To:
{include file="mail/order_invoice.tpl"}
Authorization Number is {$advOrder}
As far as security goes, implementing it in this way should only expose that variable while admin notifications are sent. Hence a minimal risk.
Thanks,
Jed