Jump to content

need MySQL guru eyes to see if any security flaws in this code

bulgin

By bulgin
in MySQL Help

 Share

Recommended Posts

bulgin Member

bulgin

Posted
Posted

We will soon be implementing an internal auditing mechanism which uses email alerts for certain events.  I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed.  I am particularly keen on knowing if the last MySQL update statement would in fact be alright for a system that may have thousands of entries in the tables.

 

Thanks in advance.

 

<?php
include 'config.php';
include 'opendb.php';


$mailer = mysql_query("SELECT substring( web1_access_log.request_uri, 9 ) , 
web1_access_log.sent_or_not_sent, 
web1_access_log.request_time, 
timestampadd(hour,4,from_unixtime(web1_access_log.time_stamp)) AS real_time, 
web1_access_log.remote_host, 
web1_access_log.id, 
access1.access1_subject, 
timestampadd(hour,4,from_unixtime(access1.real_epoch_time)) AS time_date ,
access1.access1_widget, 
access1.access1_monitored_email, 
access1.access1_alert_email_address

FROM web1_access_log JOIN access1 ON substring( web1_access_log.request_uri, 9 ) = access1.access1_widget 
where web1_access_log.sent_or_not_sent = '0'") or die (mysql_error());

while($user = @mysql_fetch_array($mailer)){
$original_time=$user[time_date];
$id=$user[id];
$time=$user[real_time];
$ip=$user[remote_host];
$to=$user[access1_alert_email_address];
$subject="Alert";
$original_subject=$user[access1_subject];
$monitored_account=$user[access1_monitored_email];
$body="On " .$time. " UTC, there was a violation from IP address " . $ip . ".\n" . "Subject line of Mail: " ."\"" . $original_subject ."\""."\n". "This message was originally created on ".$original_time." UTC." . "\n" ."Account: " .$monitored_account. "\n" .  "Our internal reference ID:" .$id;
mail($to,$subject,$body) ; 


mysql_query("UPDATE web1_access_log, access1 set web1_access_log.sent_or_not_sent = 1 where substring( web1_access_log.request_uri, 9 ) = access1.access1_widget") or die (mysql_error());
}

?>

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.