Need guru eyes to check for security holes here
Posted: Thu Jun 25, 2009 11:22 am
We will soon be implementing an internal auditing mechanism which uses email alerts for certain events. I've settled on the following code and would appreciate any feedback from the group on any obvious MySQL errors or flaws that my eyes may have missed. I am particularly keen on knowing if the last MySQL update statement would in fact be alright for a system that may have thousands of entries in the tables.
Thanks in advance.
Thanks in advance.
Code: Select all
<?php
include 'config.php';
include 'opendb.php';
$mailer = mysql_query("SELECT substring( web1_access_log.request_uri, 9 ) ,
web1_access_log.sent_or_not_sent,
web1_access_log.request_time,
timestampadd(hour,4,from_unixtime(web1_access_log.time_stamp)) AS real_time,
web1_access_log.remote_host,
web1_access_log.id,
access1.access1_subject,
timestampadd(hour,4,from_unixtime(access1.real_epoch_time)) AS time_date ,
access1.access1_widget,
access1.access1_monitored_email,
access1.access1_alert_email_address
FROM web1_access_log JOIN access1 ON substring( web1_access_log.request_uri, 9 ) = access1.access1_widget
where web1_access_log.sent_or_not_sent = '0'") or die (mysql_error());
while($user = @mysql_fetch_array($mailer)){
$original_time=$user[time_date];
$id=$user[id];
$time=$user[real_time];
$ip=$user[remote_host];
$to=$user[access1_alert_email_address];
$subject="Alert";
$original_subject=$user[access1_subject];
$monitored_account=$user[access1_monitored_email];
$body="On " .$time. " UTC, there was a violation from IP address " . $ip . ".\n" . "Subject line of Mail: " ."\"" . $original_subject ."\""."\n". "This message was originally created on ".$original_time." UTC." . "\n" ."Account: " .$monitored_account. "\n" . "Our internal reference ID:" .$id;
mail($to,$subject,$body) ;
mysql_query("UPDATE web1_access_log, access1 set web1_access_log.sent_or_not_sent = 1 where substring( web1_access_log.request_uri, 9 ) = access1.access1_widget") or die (mysql_error());
}
?>