[TYPO3-dev] th_mailformplus 4.0.13 by update with authCode

Lee Perry leeperry at slack.de
Tue Mar 3 17:19:35 CET 2009


Heya,

There is a problem with the extension when using saveDB with checkAuth = 1:

the form data will be saved in the defined table even if the authCheck failed.
There are some reasons for this in the function send_form of
class.tx_thmailformplus_pi1.php:

line 1817 and following:

1817: # UPDATE
1818: if(isset($trimmedInsertArray[$this->conf['saveDB']['dbkey']]) && $this->conf['saveDB.']['updateInsteadOfInsert'] == 1) {
1819:
1820:     $query = $GLOBALS['TYPO3_DB']->UPDATEquery($this->conf['saveDB']['dbTable'],"uid=" . $trimmedInsertArray['uid'], $trimmedInsertArray);
1821:     $madeUpdateInsteadOfInsert = true;
1822:     $makequery = true;
1823:
1824:     $authCheckFailed = false;
1825:     $authCode = null;
1826:     if($this->conf['saveDB.']['checkAuth'] == 1) {
1827:         $TSConf = array(
1828:             'dbTable' => $this->conf['saveDB']['dbTable'],
1829:             'where' => 'uid="'.$trimmedInsertArray['uid'].'"',
1830:         );
1831:         $authCode = user_mailformplusAPI::user_authCode('',$TSConf);
1832:         $gpFieldname = $this->conf['saveDB.']['checkAuth.']['GPname'];
1833:         if (!$gpFieldname) $gpFieldname = 'md5';
1834:         if($authCode != null && isset($this->get_post[$gpFieldname]) && $this->get_post[$gpFieldname] == $authCode) {
1835:             $makequery = true;
1836:         } else {
1837:             $authCheckFailed = true;
1838:         }
1839:     }
1840:
1841: }

If $authCode is not null and not the same as $this->get_post[$gpFieldname]
(line 1834), the value $authCheckFailed is true (line 1837), but $makequery
is true as well, because it is initialized to "true" on line 1822. So the
query would be made even though the authCheck failed!

And here is a further problem:

1857: if($makequery) $res = $GLOBALS['TYPO3_DB']->sql(TYPO3_db, $query);
1858: if ($res) {
...

On line 1858 $res could be true even if $makequery is false.


Those two problems can be solved easily by adding "$makequery = false;"
at line 1837, and the other problem of lines 1857/1858 by (re)initializing
the $res variable before line 1857 with "$res = false;".

With this "patch" the data wouldn't be saved if the authCheck failed, but
now I have a problem: the error handling is closed at this point. So what
would be the best way to handle this problem completely, because the mail
would be sent and there is no information about the failed authCheck?


Can anybody help me? Or maybe somebody has to correct me ...

Thanks in advance,
Lee Perry
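As an added example (not code from the extension or from the post above), here is how the quoted UPDATE path could look with both fixes from the report applied and with the outcome handed back to the caller. The two closures are assumed stand-ins for user_mailformplusAPI::user_authCode() and the $GLOBALS['TYPO3_DB'] query call, and the config keys are assumed to live under 'saveDB.' as in the excerpt.

```php
<?php
// Added example, not the extension's code: the UPDATE path of send_form rewritten
// so that a failed authCheck can never reach the query and the caller is told
// about it. $fetchAuthCode / $runUpdate are assumed stand-ins for user_authCode()
// and the $GLOBALS['TYPO3_DB'] calls; config keys follow the excerpt ('saveDB.').
function saveDbUpdateWithAuthCheck(array $conf, array $getPost, array $row,
                                   callable $fetchAuthCode, callable $runUpdate): array
{
    $result    = ['saved' => false, 'authCheckFailed' => false];
    $res       = false;   // (re)initialised, so no value from an earlier query survives
    $makequery = false;   // only becomes true after every gate below has passed
    $db = $conf['saveDB.'];
    if (isset($row[$db['dbkey']]) && $db['updateInsteadOfInsert'] == 1) {
        $makequery = true;
        if ($db['checkAuth'] == 1) {
            $authCode    = $fetchAuthCode(['dbTable' => $db['dbTable'],
                                           'where'   => 'uid=' . (int)$row['uid']]);
            $gpFieldname = ($db['checkAuth.']['GPname'] ?? '') ?: 'md5';
            // hash_equals(): constant-time comparison; the casts avoid a TypeError
            // on non-string request input, and a null authCode never compares equal
            $ok = $authCode !== null && isset($getPost[$gpFieldname])
                && hash_equals((string)$authCode, (string)$getPost[$gpFieldname]);
            if (!$ok) {
                $makequery = false;              // the line the report says is missing
                $result['authCheckFailed'] = true;
            }
        }
    }
    if ($makequery) {
        $res = $runUpdate($db['dbTable'], 'uid=' . (int)$row['uid'], $row);
    }
    $result['saved'] = (bool)$res;
    return $result;   // caller can skip the mail / add an error when authCheckFailed
}

// Constructed sample data: one stored authCode, one genuine and one forged request.
$conf = ['saveDB.' => ['dbkey' => 'uid', 'dbTable' => 'tx_demo_table', 'updateInsteadOfInsert' => 1,
                       'checkAuth' => 1, 'checkAuth.' => ['GPname' => 'md5']]];
$row  = ['uid' => 42, 'name' => 'changed value'];
$fetchAuthCode = fn(array $tsConf) => 'c0ffee';   // what user_authCode() would look up
$updates   = 0;
$runUpdate = function (string $table, string $where, array $fields) use (&$updates): bool {
    $updates++;
    return true;
};

$good = saveDbUpdateWithAuthCheck($conf, ['md5' => 'c0ffee'], $row, $fetchAuthCode, $runUpdate);
$bad  = saveDbUpdateWithAuthCheck($conf, ['md5' => 'forged'], $row, $fetchAuthCode, $runUpdate);
var_dump($good['saved'], $bad['saved'], $bad['authCheckFailed'], $updates);
```

Handing authCheckFailed back to the caller is one way to address the open question: send_form can then skip sending the mail and add an error message instead of only suppressing the query.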