Can you figure out what I’m missing?

Do you see anything wrong with this script? (The connect page is working fine on the other pages and I’m using the same database.)
This is an Alertpay IPN page.

[CODE]<?php
include_once 'connect.php';

$ap_SecurityCode = $_POST['ap_securitycode'];
$ap_CustEmailAddress = $_POST['ap_custemailaddress'];
$ap_PurchaseType = $_POST['ap_purchasetype'];
$ap_Merchant = $_POST['ap_merchant'];
$ap_Quantity = $_POST['ap_quantity'];
$ap_TotalAmount = $_POST['ap_totalamount'];
$ap_Currency = $_POST['ap_currency'];
$ap_ReferenceNumber = $_POST['ap_referencenumber'];
$ap_Status = $_POST['ap_status'];
$ap_ItemCode = $_POST['ap_itemcode'];
$ap_Test = $_POST['ap_test'];

mysql_query("INSERT INTO alertpayref VALUES ('$ap_ReferenceNumber', '$ap_ItemCode', '$ap_TotalAmount', '$ap_CustEmailAddress')");

?>[/CODE]

PHP

5 Comments
@Mindzai Jul 27, 2009 — 2 things wrong that I can see:

1. You are re-assigning post values to new variables for no reason.

2. You are not cleaning any input and are wide open to SQL injection.

If you are having a specific problem you will need to give us more details.
@Xaldin (author) Jul 27, 2009 —
[QUOTE]2 things wrong that I can see:

1. You are re-assigning post values to new variables for no reason.

2. You are not cleaning any input and are wide open to SQL injection.

If you are having a specific problem you will need to give us more details.[/QUOTE]

a1. I don't see what you are talking about; can you please show me?

a2. I know all the other stuff is confidential. I just don't see why this script is not querying anything.
@Mindzai Jul 27, 2009 —
1. There is no need to do this. It doesn't achieve anything and introduces the possibility for error:

[code=php]$ap_SecurityCode = $_POST['ap_securitycode'];
$ap_CustEmailAddress = $_POST['ap_custemailaddress'];
$ap_PurchaseType = $_POST['ap_purchasetype'];
$ap_Merchant = $_POST['ap_merchant'];
$ap_Quantity = $_POST['ap_quantity'];
$ap_TotalAmount = $_POST['ap_totalamount'];
$ap_Currency = $_POST['ap_currency'];
$ap_ReferenceNumber = $_POST['ap_referencenumber'];
$ap_Status = $_POST['ap_status'];
$ap_ItemCode = $_POST['ap_itemcode'];
$ap_Test = $_POST['ap_test'];
[/code]

2. It's nothing to do with confidentiality directly; you should always clean all user input. Currently I could use your script to enter any amount for any customer, or fill your DB with crap, or, depending on your mysql configuration, I could just delete everything.

As for why the query is not working, you are not checking the result for errors. Try this in place of the last line:

[code=php]$result = mysql_query("INSERT INTO alertpayref VALUES ('$ap_ReferenceNumber', '$ap_ItemCode', '$ap_TotalAmount', '$ap_CustEmailAddress')");
if (!$result) {
    echo 'INSERT failed: ' . mysql_error();
} else {
    echo 'INSERT succeeded!';
}
[/code]
@NogDog Jul 27, 2009 — Or to incorporate Mindzai's other suggestions, too:
[code=php]
// The $_POST keys must match the lowercase ap_* field names Alertpay posts
// (as in the original script); PHP array keys are case-sensitive.
$query = sprintf(
    "INSERT INTO alertpayref VALUES ('%s', '%s', '%s', '%s')",
    mysql_real_escape_string($_POST['ap_referencenumber']),
    mysql_real_escape_string($_POST['ap_itemcode']),
    mysql_real_escape_string($_POST['ap_totalamount']),
    mysql_real_escape_string($_POST['ap_custemailaddress'])
);
$result = mysql_query($query);
if (!$result) {
    // Detail goes to the error log; the caller only sees a generic message.
    user_error(mysql_error() . "<br />$query");
    echo 'INSERT failed.';
} else {
    echo 'INSERT succeeded!';
}
[/code]

Note: to see the detailed error message display_errors must be enabled, else you'll need to check the PHP error log. (This way you can turn off display_errors in the production version and not have to worry about database details being publicly displayed.)
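A hardened version of the same IPN insert, added here as an example and not code from anyone in this thread: it uses a PDO prepared statement instead of string escaping, checks the ap_securitycode, ap_status and ap_test fields the original script reads but never verifies, and keeps database errors in the server log. Assumed: connect.php provides a PDO object as $pdo, IPN_SECURITY_CODE holds the merchant's configured IPN security code, the status value 'Success' and test flag '1', and the alertpayref column names, none of which the thread shows.

```php
<?php
// Added example, not code from the thread. Assumed: connect.php provides a PDO
// object $pdo; IPN_SECURITY_CODE is the merchant's configured Alertpay IPN code;
// the alertpayref columns are named as in the INSERT below (the thread never shows them).
include_once 'connect.php';
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
define('IPN_SECURITY_CODE', 'replace-with-your-configured-code'); // placeholder
function field($name) {
    return isset($_POST[$name]) ? trim($_POST[$name]) : '';
}
// 1. Reject a notification unless it carries the expected security code and a
//    successful, non-test status (assumed values: 'Success' and ap_test '1').
if (!hash_equals(IPN_SECURITY_CODE, field('ap_securitycode'))) {
    error_log('IPN rejected: bad security code');
    http_response_code(403);
    exit;
}
if (field('ap_status') !== 'Success' || field('ap_test') === '1') {
    error_log('IPN ignored: status=' . field('ap_status') . ' test=' . field('ap_test'));
    exit;
}
// 2. Validate the typed fields instead of escaping them into the SQL string.
$amount = field('ap_totalamount');
$email  = field('ap_custemailaddress');
if (!is_numeric($amount) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    error_log('IPN rejected: malformed amount or email');
    http_response_code(400);
    exit;
}
// 3. Bound parameters: quotes or SQL keywords in the reference number or item
//    code are stored as data and never change the statement.
try {
    $stmt = $pdo->prepare(
        'INSERT INTO alertpayref (reference_number, item_code, total_amount, cust_email)
         VALUES (:ref, :item, :amount, :email)'
    );
    $stmt->execute([
        ':ref'    => field('ap_referencenumber'),
        ':item'   => field('ap_itemcode'),
        ':amount' => $amount,
        ':email'  => $email,
    ]);
    echo 'INSERT succeeded!';
} catch (PDOException $e) {
    error_log('IPN insert failed: ' . $e->getMessage()); // detail stays server-side
    http_response_code(500);
    echo 'INSERT failed.';
}
```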
@Xaldin (author) Jul 27, 2009 — Okay, I wasn't clear enough, sorry about that. I know how to clean everything up. The actual script has a lot of protection before it inserts it into the database, but when I was testing it with Alertpay, I think they stopped posting the data back to my website.