$sql = "SELECT * FROM leads WHERE accesstoken = '".$_POST["userAc"]."'";
$result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());

if (mysql_num_rows($result) > 0)
{
    while ($row = mysql_fetch_array($result))
    {
        $id       = $row['id'];
        $fullname = $row['fullname'];
        $email    = $row['email'];

        $to = $email;

        $message = $_POST["userMessage"];
        $subject = $_POST["userSubject"];

        $headers  = "From: " . $_POST["userEmail"] . "\r\n";
        $headers .= "Reply-To: " . $_POST["userEmail"] . "\r\n";
        $headers .= "MIME-Version: 1.0\r\n";
        $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

        if (mail($to, $subject, $message, $headers))
        {
            $output = json_encode(array('type'=>'error', 'text' => '<p>Your Message was sent successfully!</p>'));
            die($output);
        }
        else
        {
            $output = json_encode(array('type'=>'error', 'text' => '<p>Your Message was not sent!</p>'));
            die($output);
        }
    }
}

I have another table called accounts that I want to join with this one. I need to select from ref to get the email from the accounts table also!

It should be something like this:

$sql = "SELECT * FROM accounts  WHERE ref = '".$_POST["userAc"]."'"; 
                $result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error()); 

1. Only select the fields you are going to use. Using '*' is inefficient and can lead to problems (especially when JOINing tables)

 

2. NEVER use data from a user directly in a query (e.g. $_POST, $_GET, $_COOKIE, etc.) Either sanitize the data or, better, use prepared statements.

 

3. You are apparently expecting only one record (based on the die() after the first record is processed) So, there is no need to use a while() loop

 

4. You are defining $to and $email from the query, but then use POST values in the email ???

 

5. You are returning an error even if the email is sent ???

 

This will get you started, but is not complete

 

$token = mysql_real_escape_string($_POST['userAc']);
// The join column on leads (l.userAc) is a guess at your schema; change it to
// whichever column on leads holds the account ref.
$sql = "SELECT l.id, l.fullname, l.email AS lead_email, a.email AS account_email
        FROM leads l
        JOIN accounts a ON a.ref = l.userAc
        WHERE l.accesstoken = '{$token}'";
$result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());

if(mysql_num_rows($result))
{
    $row = mysql_fetch_assoc($result);

    $id = $row['id']; //Not used
    $to = $row['account_email']; // the address from the accounts table
    $fullname = $row['fullname']; //Not used
    $email = $row['lead_email']; //Not used

    $subject = $_POST["userSubject"];
    $message = $_POST["userMessage"];

    $useremail = $_POST["userEmail"];

    $headers = "From: {$useremail}\r\n";
    $headers .= "Reply-To: {$useremail}\r\n";
    $headers .= "MIME-Version: 1.0\r\n";
    $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";

    if (mail($to, $subject, $message, $headers))
    {
        $response = array('type'=>'success', 'text' => '<p>Your Message was sent successfully!</p>');
    }
    else
    {
        $response = array('type'=>'error', 'text' => '<p>Your Message was not sent!</p>');
    }

    $output = json_encode($response);
    die($output);
}
Edited by Psycho

Besides the SQL injection vulnerability, your code is also vulnerable to mail header injections. This allows any user to send spam mails to arbitrary accounts and should get your IP address blacklisted pretty soon.

 

So the Golden Rule of security applies here as well: Never trust user input.

 

In fact, don't use the mail() function at all unless you have good reasons for that and understand the implications. If you just need to send a bunch of emails, you want a mailing library like PHPMailer.

 

Regarding your original question: What have you tried? Do you generally understand how database joins work?
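Putting the two replies together, here is an added example of what the hardened handler looks like. It is not code from the thread or from either poster: the lookup uses a prepared statement with an explicit JOIN, and the sender address and subject are rejected if they carry CR/LF, which is what closes the header injection hole. The schema is assumed (the thread never shows it): leads(id, fullname, email, accesstoken, ref) and accounts(id, ref, email), joined on ref. An in-memory SQLite database stands in for MySQL so the script runs offline; the sample rows and the request arrays are constructed.

```php
<?php
// Added example, not code from the thread. It combines the advice in the two
// replies: the lead/account lookup done with a prepared statement and an explicit
// JOIN, and the sender address and subject checked so they cannot smuggle extra
// mail headers. The schema is assumed (the thread never shows it):
//   leads(id, fullname, email, accesstoken, ref) and accounts(id, ref, email).
// An in-memory SQLite database stands in for MySQL so the script runs offline;
// against MySQL only the DSN in open_demo_db() would change.
declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE leads (id INTEGER PRIMARY KEY, fullname TEXT, email TEXT, accesstoken TEXT, ref TEXT)');
    $db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, ref TEXT, email TEXT)');
    // Constructed sample rows, not real data.
    $db->exec("INSERT INTO leads VALUES (1, 'Lead One', 'lead@example.com', 'tok-123', 'ACC-1')");
    $db->exec("INSERT INTO accounts VALUES (1, 'ACC-1', 'owner@example.com')");
    return $db;
}

// Select only the columns that are used, each with its own alias so the two
// "email" columns cannot collapse into one key in the fetched row. The token is
// bound as a parameter, never concatenated into the SQL string.
function find_lead_with_account(PDO $db, string $token): ?array
{
    $stmt = $db->prepare(
        'SELECT l.fullname AS lead_name, l.email AS lead_email, a.email AS account_email
           FROM leads l
           JOIN accounts a ON a.ref = l.ref
          WHERE l.accesstoken = :token'
    );
    $stmt->execute([':token' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Mail headers are separated by CRLF, so a value containing CR or LF would let
// the submitter append headers of their own. Reject rather than strip, so a
// tampered request shows up as an error instead of being silently repaired.
function header_safe(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

function safe_sender_address(string $candidate): ?string
{
    $candidate = trim($candidate);
    if (!header_safe($candidate)) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// $send has mail()'s signature so the real function or a test double can be passed.
function handle_request(PDO $db, array $post, callable $send = 'mail'): array
{
    $token   = (string)($post['userAc'] ?? '');
    $sender  = safe_sender_address((string)($post['userEmail'] ?? ''));
    $subject = (string)($post['userSubject'] ?? '');
    $message = (string)($post['userMessage'] ?? '');

    if ($sender === null || !header_safe($subject)) {
        return ['type' => 'error', 'text' => '<p>Invalid sender address or subject.</p>'];
    }
    $row = find_lead_with_account($db, $token);
    if ($row === null) {
        return ['type' => 'error', 'text' => '<p>Unknown access token.</p>'];
    }

    // Plain-text body: the submitter's message is not rendered as HTML by the recipient's client.
    $headers = "From: {$sender}\r\nReply-To: {$sender}\r\nMIME-Version: 1.0\r\nContent-Type: text/plain; charset=UTF-8\r\n";
    $sent = $send($row['account_email'], $subject, $message, $headers);
    return $sent
        ? ['type' => 'success', 'text' => '<p>Your message was sent successfully!</p>']
        : ['type' => 'error', 'text' => '<p>Your message was not sent!</p>'];
}

if (PHP_SAPI === 'cli') {
    $db = open_demo_db();
    // Test double that reports what would be sent instead of calling mail().
    $send = function (string $to, string $subject, string $body, string $headers): bool {
        echo "would send to {$to}: {$subject}\n";
        return true;
    };
    // Constructed request whose sender field carries a CRLF: rejected before any header is built.
    echo json_encode(handle_request($db, ['userAc' => 'tok-123', 'userEmail' => "a@example.com\r\nX-Extra: 1", 'userSubject' => 'Hi', 'userMessage' => 'Hello'], $send)), "\n";
    // Well-formed request: the JOIN resolves the account owner's address as the recipient.
    echo json_encode(handle_request($db, ['userAc' => 'tok-123', 'userEmail' => 'a@example.com', 'userSubject' => 'Hi', 'userMessage' => 'Hello'], $send)), "\n";
}
```

The $send parameter exists so the handler can be exercised without a mail server, as the CLI block does; in production pass nothing and mail() is used, or wrap a PHPMailer call in the same four-argument signature. Note that the success response now carries type "success", which the original code never did.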
