Re: [PHP] Help Defending against Email Injection Attacks

2006-02-06 Thread Liam Delahunty
> On 2/6/06, Jim Moseby  wrote:
> Is it time to abandon using mail() for all user contributed data?

Sort of. Don't write any user input to the headers.

Send the data to a default address, don't include anything in the
subject or the headers from the input and you'll avoid the problems.


--
Kind regards,
Liam

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
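The rule in the reply above (fixed recipient, nothing from the form in the subject or headers) as a worked contact-form handler. This is an added example, not code from the thread; CONTACT_TO, the form field names and build_contact_mail() are assumptions, and the line-break check is added as the detection point for an injection attempt.

```php
<?php
// Added example, not code from the thread: a contact-form handler that
// follows the rule in the reply above. Recipient and subject are fixed,
// and everything the visitor typed goes into the body only, so a CR/LF in
// a field can never become an extra Bcc: or Content-Type: header.

define('CONTACT_TO', 'contact@example.com');   // assumed fixed inbox

// True if $value contains a CR, LF or NUL. A single-line field such as a
// name or address has no business containing one; when it does, the
// submission is almost certainly an injection attempt and worth logging.
function has_line_break($value)
{
    return strpbrk($value, "\r\n\0") !== false;
}

// Build the mail() arguments from the form. Returns null when a
// single-line field carries a line break or the address is invalid.
function build_contact_mail(array $post)
{
    $name    = isset($post['name'])    ? (string) $post['name']    : '';
    $email   = isset($post['email'])   ? (string) $post['email']   : '';
    $message = isset($post['message']) ? (string) $post['message'] : '';

    if (has_line_break($name) || has_line_break($email)) {
        $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        error_log("contact form: line break in single-line field from $from");
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // The visitor's address is reported in the body, not as From:/Reply-To:,
    // so no header is ever built from form data.
    $body = "Name: $name\nEmail: $email\n\n$message";

    return array(
        'to'      => CONTACT_TO,
        'subject' => 'Website contact form',          // fixed, not from the form
        'body'    => $body,
        'headers' => 'From: ' . CONTACT_TO . "\r\n",  // fixed as well
    );
}

$mail = build_contact_mail($_POST);
if ($mail === null) {
    echo 'Sorry, that submission could not be accepted.';
} else {
    mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}
```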



[PHP] Store a variable name in a database field.

2005-10-10 Thread Liam Delahunty
I'm sure this is a pretty basic question, but I have searched for a
decent answer and can't find one.

I have a client that wants to be able to write newsletters
(newsleters_tbl.email_body) and use fields from his contact table, so
as we grind through the contact list for newsletter subscribers it
may pull out $first_name, or $last_name, or perhaps the address and so
on, and send an individual email and have it in the $email_body field
from another table.

$email_body is a free form text field, and he wants to be able to type
in anything he desires and have it pulled from the contact table.

I've tried with and without addslashes, and htmlentities. Is there a
solution, or will I have to resort to getting him to use
{{$first_name}} etc.?

Lastly, if I have to use {{whatever}} then what's the reason I can't
use $field_name in the database?

--
Kind regards,
Liam Delahunty




Re: [PHP] Store a variable name in a database field.

2005-10-13 Thread Liam Delahunty
On 10/10/05, Richard Lynch <[EMAIL PROTECTED]> wrote:
> > $email_body is a free form text field, and he wants to be able to type
> > in anything he desires and have it pulled from the contact table.
> >

Firstly, please accept my apologies for the delay in responding to your
questions; I've had the most terrible flu.

pseudo code (ish), as I've completely bastardised what I had when I
posed the question.

// insert newsletter into newsleter_tbl in database ...
from a form, body in a textarea field, client wants to type in
whatever he likes with database column names as variables, e.g. $email,
$first_name


this is the newsletter write on newsletter_new.php

// newsletter_new.php: store a new newsletter. Form fields are read from
// $_POST here (the original relied on register_globals); $connection is
// assumed to be an open mysql_connect() link.
$submit        = isset($_POST['submit']);
$email_subject = isset($_POST['email_subject']) ? $_POST['email_subject'] : '';
$email_body    = isset($_POST['email_body'])    ? $_POST['email_body']    : '';
$email_style   = isset($_POST['email_style'])   ? $_POST['email_style']   : '';

if ($submit) {
    // removed error checking etc

    $email_subject = htmlentities(addslashes($email_subject));
    // tried various combinations of htmlentities, addslashes and nothing
    // when writing the field to the DB. Note that addslashes() is not a
    // substitute for mysql_real_escape_string() or a prepared statement.
    if ($email_style == "1") {
        $email_body = htmlentities(addslashes($email_body));
    } else {
        $email_body = addslashes($email_body);
    }
    $email_style = htmlentities(addslashes($email_style));

    $query = "INSERT INTO newsletters_tbl (email_subject, email_body, email_date, email_style)
              VALUES ('$email_subject', '$email_body', NOW(), '$email_style')";
    if ($result = mysql_query($query, $connection)) {
        $newsletter_id = mysql_insert_id($connection);
        print ("Success Add newsletter (# $newsletter_id) successful.\n");
        print ("CLICK HERE TO TEST\n");   // link markup was lost in the archive
    } else {
        printf ("Error: %s\n", mysql_errno());
        printf ("%s\n", mysql_error());
        print ("$query\n");
    }
}

// BTW the contact details are in another table in database already.

// Sending out the newsletter. Assumes $connection, $this_nid (the
// newsletter being sent) and $email_style are already set.
$nquery = "SELECT c.id, first_name, email FROM contact_tbl c
           LEFT OUTER JOIN newsletters_contacts_tbl nct
             ON nct.contact_id = c.id AND newsletter_id = '$this_nid'
           WHERE nct.contact_id IS NULL AND newsletter = '$email_style'
           GROUP BY email LIMIT 1";
if ($nresult = mysql_query($nquery, $connection)) {
    if (mysql_num_rows($nresult) > 0) {
        while ($myrow = mysql_fetch_row($nresult)) {
            $uid        = $myrow[0];
            $first_name = stripslashes($myrow[1]);
            $email      = stripslashes($myrow[2]);

            $query  = "SELECT * FROM newsletters_tbl WHERE id = '$this_nid'";
            $result = mysql_query($query, $connection);
            if ($result) {
                // column order assumed: id, email_subject, email_body,
                // email_date, email_style, email_status
                while ($myrow = mysql_fetch_row($result)) {
                    $newsletter_id = $myrow[0];
                    $email_subject = stripslashes($myrow[1]);
                    $email_body    = stripslashes($myrow[2]);
                    $email_date    = $myrow[3];
                    $email_style   = $myrow[4];
                    $email_status  = $myrow[5];
                }
                if ($email_status == "0") {
                    print ("Requires Confirmation");
                } elseif ($email_status == "1") {

                    /*
                    // NOW USING {{ }} as in many templating systems
                    // so familiar to those sorts of users.
                    // would prefer if I could just use $columnName from
                    // contact_tbl.
                    // Why doesn't it just know the var as we've already
                    // got it above...?
                    */

                    // plain string replacement; ereg_replace() was used here
                    // originally but has since been removed from PHP
                    $email_body = str_replace("{{uid}}", $uid, $email_body);
                    $email_body = str_replace("{{email}}", $email, $email_body);
                    $email_body = str_replace("{{first_name}}", $first_name, $email_body);

                    if ($email_style == "1") {
                        // INSERT PLAIN TEXT HEADER
                    } elseif ($email_style == "2") {
                        // INSERT HTML MIME HEADERS
                    }

                    $outquery = "INSERT INTO newsletters_contacts_tbl (newsletter_id, contact_id, sent_date)
                                 VALUES ('$newsletter_id', '$uid', NOW())";
                    if ($outresult = mysql_query($outquery, $connection)) {
                        // SEND IT CODE
                    } else {
                        // ERROR CODE
                    }
                }
            }
        }
    }
} else {
    // ERROR CODE
}


Many thanks for your help on this matter.

--
Kind regards,
Liam
