[TYPO3-dev] th_mailformplus 4.0.13 by update with authCode
Lee Perry
leeperry at slack.de
Tue Mar 3 17:19:35 CET 2009
Heya,
there is a problem with the extension when using saveDB with checkAuth = 1:
the form data will be saved in the defined table even if the authCheck
failed.
There are some reasons for this in the function send_form of
class.tx_thmailformplus_pi1.php,
line 1817 and following:
1817: # UPDATE
1818: if(isset($trimmedInsertArray[$this->conf['saveDB']['dbkey']]) && $this->conf['saveDB.']['updateInsteadOfInsert'] == 1) {
1819:
1820:     $query = $GLOBALS['TYPO3_DB']->UPDATEquery($this->conf['saveDB']['dbTable'],"uid=" . $trimmedInsertArray['uid'], $trimmedInsertArray);
1821:     $madeUpdateInsteadOfInsert = true;
1822:     $makequery = true;
1823:
1824:     $authCheckFailed = false;
1825:     $authCode = null;
1826:     if($this->conf['saveDB.']['checkAuth'] == 1) {
1827:         $TSConf = array(
1828:             'dbTable' => $this->conf['saveDB']['dbTable'],
1829:             'where' => 'uid="'.$trimmedInsertArray['uid'].'"',
1830:         );
1831:         $authCode = user_mailformplusAPI::user_authCode('',$TSConf);
1832:         $gpFieldname = $this->conf['saveDB.']['checkAuth.']['GPname'];
1833:         if (!$gpFieldname) $gpFieldname = 'md5';
1834:         if($authCode != null && isset($this->get_post[$gpFieldname]) && $this->get_post[$gpFieldname] == $authCode) {
1835:             $makequery = true;
1836:         } else {
1837:             $authCheckFailed = true;
1838:         }
1839:     }
1840:
1841: }
If $authCode is not null and not the same as
$this->get_post[$gpFieldname] (line 1834), the value $authCheckFailed is
true (line 1837), but $makequery is true as well, because it's
initialized to "true" on line 1822. So the query would be made even if the
authCheck failed!
And here is a further problem:
1857: if($makequery) $res = $GLOBALS['TYPO3_DB']->sql(TYPO3_db, $query);
1858: if ($res) {
...
On line 1858 $res could be true even if $makequery is false.
Those two problems can be solved easily by adding "$makequery = false;"
to line 1837, and the other problem of line 1857/1858 by
(re)initializing the $res variable before line 1857 with "$res = false;".
With this "patch" it wouldn't be saved if the authCheck failed, but now I
have a problem: the error handling is closed at this point. So what
would be the best way to handle this problem completely, because the
mail would be sent and there is no information about the failed authCheck?
Can anybody help me? Or maybe somebody has to correct me ...
Thanks in advance,
Lee Perry
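
The control flow discussed in this post, written so that it fails closed, as an added example that is not part of the original message and is not th_mailformplus code. decideUpdate() is a hypothetical helper, the sample values are constructed, hash_equals() is swapped in for the == comparison of line 1834, and PHP 7.1 or later is assumed.

```php
<?php
// Added example, not th_mailformplus code. decideUpdate() is a hypothetical
// helper; $saveDbConf stands for $this->conf['saveDB.'] as used in the post.
function decideUpdate(array $saveDbConf, array $getPost, ?string $authCode): array
{
    // Fail closed: nothing is allowed until a branch below explicitly allows it.
    $makequery = false;
    $authCheckFailed = false;
    if ((int)($saveDbConf['checkAuth'] ?? 0) !== 1) {
        $makequery = true;                       // checkAuth not enabled
    } else {
        $gpFieldname = $saveDbConf['checkAuth.']['GPname'] ?? '';
        if ($gpFieldname === '') {
            $gpFieldname = 'md5';                // same default as line 1833
        }
        $submitted = $getPost[$gpFieldname] ?? null;
        // hash_equals() replaces the loose == of line 1834: it compares the
        // strings byte for byte, without type juggling, in constant time.
        if (is_string($authCode) && $authCode !== ''
            && is_string($submitted) && hash_equals($authCode, $submitted)) {
            $makequery = true;
        } else {
            $authCheckFailed = true;             // $makequery stays false
        }
    }
    return ['makequery' => $makequery, 'authCheckFailed' => $authCheckFailed];
}

// Constructed sample data, not values from a real installation.
$conf     = ['checkAuth' => 1, 'checkAuth.' => ['GPname' => 'md5']];
$expected = md5('constructed-secret|uid=42');
$cases    = [
    'matching code' => ['md5' => $expected],
    'wrong code'    => ['md5' => str_repeat('0', 32)],
    'missing field' => [],
];

foreach ($cases as $label => $getPost) {
    $decision = decideUpdate($conf, $getPost, $expected);
    $res = false;                                // reset before the query step
    if ($decision['makequery']) {
        $res = true;                             // stand-in for the real UPDATE
    }
    // A caller can stop here on authCheckFailed instead of sending the mail.
    printf("%-14s makequery=%s authCheckFailed=%s res=%s\n", $label,
        var_export($decision['makequery'], true),
        var_export($decision['authCheckFailed'], true), var_export($res, true));
}
```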