bulgin Posted June 25, 2009 Share Posted June 25, 2009 We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last MySQL update statement would in fact be alright for a system that may have thousands of entries in the tables. Thanks in advance. <?php include 'config.php'; include 'opendb.php'; $mailer = mysql_query("SELECT substring( web1_access_log.request_uri, 9 ) , web1_access_log.sent_or_not_sent, web1_access_log.request_time, timestampadd(hour,4,from_unixtime(web1_access_log.time_stamp)) AS real_time, web1_access_log.remote_host, web1_access_log.id, access1.access1_subject, timestampadd(hour,4,from_unixtime(access1.real_epoch_time)) AS time_date , access1.access1_widget, access1.access1_monitored_email, access1.access1_alert_email_address FROM web1_access_log JOIN access1 ON substring( web1_access_log.request_uri, 9 ) = access1.access1_widget where web1_access_log.sent_or_not_sent = '0'") or die (mysql_error()); while($user = @mysql_fetch_array($mailer)){ $original_time=$user[time_date]; $id=$user[id]; $time=$user[real_time]; $ip=$user[remote_host]; $to=$user[access1_alert_email_address]; $subject="Alert"; $original_subject=$user[access1_subject]; $monitored_account=$user[access1_monitored_email]; $body="On " .$time. " UTC, there was a violation from IP address " . $ip . ".\n" . "Subject line of Mail: " ."\"" . $original_subject ."\""."\n". "This message was originally created on ".$original_time." UTC." . "\n" ."Account: " .$monitored_account. "\n" . "Our internal reference ID:" .$id; mail($to,$subject,$body) ; mysql_query("UPDATE web1_access_log, access1 set web1_access_log.sent_or_not_sent = 1 where substring( web1_access_log.request_uri, 9 ) = access1.access1_widget") or die (mysql_error()); } ?> Link to comment https://forums.phpfreaks.com/topic/163648-need-mysql-guru-eyes-to-see-if-any-security-flaws-in-this-code/ Share on other sites More sharing options...
corbin Posted June 25, 2009 Share Posted June 25, 2009 I don't see any security flaws.... You should, however, not do $array[key]. It should be $array['key'] unless key is a constant. Link to comment https://forums.phpfreaks.com/topic/163648-need-mysql-guru-eyes-to-see-if-any-security-flaws-in-this-code/#findComment-863511 Share on other sites More sharing options...
bulgin Posted June 25, 2009 Author Share Posted June 25, 2009 Thanks I made that change! Link to comment https://forums.phpfreaks.com/topic/163648-need-mysql-guru-eyes-to-see-if-any-security-flaws-in-this-code/#findComment-863649 Share on other sites More sharing options...
bulgin Posted June 25, 2009 Author Share Posted June 25, 2009 Are you referring to the $mailer array or the ones below in the "while" loop? Thank you. Link to comment https://forums.phpfreaks.com/topic/163648-need-mysql-guru-eyes-to-see-if-any-security-flaws-in-this-code/#findComment-863775 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.