RobPuckett Posted June 2, 2014 Share Posted June 2, 2014 $sql = "SELECT * FROM leads WHERE accesstoken = '".$_POST["userAc"]."'"; $result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error()); if(mysql_num_rows($result)>0) { while($row = mysql_fetch_array($result)) { $id= $row['id']; $fullname= $row['fullname']; $email= $row['email']; $to = $email; $message .= $_POST["userMessage"]; $subject = $_POST["userSubject"]; $headers = "From: " . $_POST["userEmail"] . "\r\n"; $headers .= "Reply-To: ". $_POST["userEmail"] . "\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n"; if (mail($to, $subject, $message, $headers)) { $output = json_encode(array('type'=>'error', 'text' => '<p>Your Message was sent successfully!</p>')); die($output); } else { $output = json_encode(array('type'=>'error', 'text' => '<p>Your Message was not sent!</p>')); die($output); } } } I have another table called accounts that I want to join with this one, I need to select from ref to get the email from account table also! be something like this $sql = "SELECT * FROM accounts WHERE ref = '".$_POST["userAc"]."'"; $result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error()); Quote Link to comment Share on other sites More sharing options...
Psycho Posted June 3, 2014 Share Posted June 3, 2014 (edited) 1. Only select the fields you are going to use. Using '*' is inefficient and can lead to problems (especially when JOINing tables) 2. NEVER use data from a user directly in a query (e.g. $_POST, $_GET, $_COOKIE, etc.) Either sanitize the data or, better, use prepared statements. 3. You are apparently expecting only one record (based on the die() after the first record is processed) So, there is no need to use a while() loop 4. You are defining $to and $email from the query, but then use POST values in the email ??? 5. You are returning an error even if the email is sent ??? This will get you started, but is not complete $token = mysql_real_escape_string($_POST['userAc']); $sql = "SELECT l.fullname, l.email, a.email FROM leads l JOIN accounts a ON a.ref = l.userAc WHERE l.accesstoken = '{$token}'"; $result = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error()); if(mysql_num_rows($result)) { $row = mysql_fetch_assoc($result); $id = $row['id']; //Not used $to = $row['email']; $fullname = $row['fullname']; //Not used $email = $row['email']; //Not used $subject = $_POST["userSubject"]; $message = $_POST["userMessage"]; $useremail = $_POST["userEmail"]; $headers = "From: {$useremail}\r\n"; $headers .= "Reply-To: {$useremail}\r\n"; $headers .= "MIME-Version: 1.0\r\n"; $headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n"; if (mail($to, $subject, $message, $headers)) { $result = array('type'=>'error', 'text' => '<p>Your Message was sent successfully!</p>') } else { $result = array('type'=>'error', 'text' => '<p>Your Message was not sent!</p>'); } $output = json_encode($result); die($output); } Edited June 3, 2014 by Psycho Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted June 3, 2014 Share Posted June 3, 2014 Besides the SQL injection vulnerability, your code is also vulnerable to mail header injections. This allows any user to send spam mails to arbitrary accounts and should get your IP address blacklisted pretty soon. So the Golden Rule of security applies here as well: Never trust user input. In fact, don't use the mail() function at all unless you have good reasons for that and understand the implications. If you just need to send a bunch of emails, you want a mailing library like PHPMailer. Regarding your original question: What have you tried? Do you generally understand how database joins work? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.