• Hi
    I think you need to review the plugin code again and stop direct access to these files:
    /wp-content/plugins/mail-subscribe-list/index.php
    /wp-content/plugins/mail-subscribe-list/sml.php

    Regards

Viewing 2 replies - 1 through 2 (of 2 total)
  • Please add nonce to your form. My list got flooded with spam.

    I have made the following changes.

    on line 71
    // pass $echo = false as the 4th argument so wp_nonce_field() returns the hidden fields instead of printing them immediately
    $return = '<form class="sml_subscribe" method="post" id="sml_subscribe" action="/#sml_subscribe"><input class="sml_hiddenfield" name="sml_subscribe" type="hidden" value="1">'.wp_nonce_field( 'creating_email_subscription', 'email_subscription', true, false );

    on line 273

    // Handle form Post
    add_action('init', 'sml_post_action');
    function sml_post_action(){
    	global $wpdb;
    	// Only act on our own form, and only when the nonce it carries verifies.
    	if (isset($_POST['sml_subscribe']) && isset($_POST['email_subscription']) && wp_verify_nonce($_POST['email_subscription'], 'creating_email_subscription')) {
    	
    		$name = isset($_POST['sml_name']) ? $_POST['sml_name'] : '';
    		$email = isset($_POST['sml_email']) ? $_POST['sml_email'] : '';
    		if (is_email($email)) {
    			// $wpdb->prepare() instead of the removed mysql_* functions and the deprecated $wpdb->escape();
    			// exact match instead of LIKE so % and _ in the address are not treated as wildcards.
    			$exists = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM ".$wpdb->prefix."sml WHERE sml_email = %s", $email));
    			if ($exists < 1) {
    				$wpdb->query($wpdb->prepare("INSERT INTO ".$wpdb->prefix."sml (sml_name, sml_email) VALUES (%s, %s)", $name, $email));
    			}
    		}
    	}
    }
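The two complaints in this thread (plugin files that can be requested directly, and a subscribe form without a nonce) are addressed together in the following added example. It is not the mail-subscribe-list plugin's own code: the table and column names (`{prefix}sml`, `sml_name`, `sml_email`), the nonce action `creating_email_subscription` and the field names are taken from the code posted above, while the function names, the shortcode name `sml_subscribe_form` and the extra input fields are assumptions made for the example.

```php
<?php
/*
 * Added example, not code from the mail-subscribe-list plugin.
 * Assumed names: sml_example_render_form, sml_example_handle_post,
 * shortcode [sml_subscribe_form]. Table/column/nonce names come from the thread.
 */

// 1. Direct access: a plugin file that is not meant to be requested by a browser
//    bails out unless WordPress itself loaded it. Requesting
//    /wp-content/plugins/<plugin>/index.php directly then returns an empty response.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// 2. Render the form. wp_nonce_field() echoes by default, so pass $echo = false
//    to get the hidden nonce (and referer) fields back as a string.
function sml_example_render_form() {
	$form  = '<form class="sml_subscribe" method="post" id="sml_subscribe" action="/#sml_subscribe">';
	$form .= '<input class="sml_hiddenfield" name="sml_subscribe" type="hidden" value="1">';
	$form .= wp_nonce_field( 'creating_email_subscription', 'email_subscription', true, false );
	$form .= '<input type="text" name="sml_name" placeholder="Name">';
	$form .= '<input type="email" name="sml_email" placeholder="Email">';
	$form .= '<button type="submit">Subscribe</button>';
	$form .= '</form>';
	return $form;
}
add_shortcode( 'sml_subscribe_form', 'sml_example_render_form' );

// 3. Handle the POST: verify the nonce before anything else, sanitise both
//    fields, and let $wpdb->prepare() / $wpdb->insert() quote the values so
//    user input never reaches the query as raw SQL.
function sml_example_handle_post() {
	global $wpdb;

	if ( empty( $_POST['sml_subscribe'] ) ) {
		return; // not our form
	}
	$nonce = isset( $_POST['email_subscription'] ) ? (string) $_POST['email_subscription'] : '';
	if ( ! wp_verify_nonce( $nonce, 'creating_email_subscription' ) ) {
		return; // missing, forged or expired nonce: drop the request
	}

	$name  = isset( $_POST['sml_name'] )  ? sanitize_text_field( wp_unslash( (string) $_POST['sml_name'] ) ) : '';
	$email = isset( $_POST['sml_email'] ) ? sanitize_email( wp_unslash( (string) $_POST['sml_email'] ) )     : '';
	if ( ! is_email( $email ) ) {
		return;
	}

	$table = $wpdb->prefix . 'sml';
	// Exact match rather than LIKE, so % and _ in the submitted address are not wildcards.
	$count = (int) $wpdb->get_var(
		$wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE sml_email = %s", $email )
	);
	if ( 0 === $count ) {
		$wpdb->insert(
			$table,
			array( 'sml_name' => $name, 'sml_email' => $email ),
			array( '%s', '%s' )
		);
	}
}
add_action( 'init', 'sml_example_handle_post' );
```

One caveat worth keeping in mind when relying on this against spam: a WordPress nonce is a CSRF and blind-POST defence. It is valid for up to 24 hours by default and, for logged-out visitors, is the same value for everyone in that window, so a bot that fetches the page before posting still gets a valid one. Stopping a flooded list therefore also needs a honeypot field, a captcha or per-IP rate limiting on top of the nonce check.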
    Thread Starter wooody

    (@wooody)

    Hi SandyRig,
    Thanks for the fix, and please, if you can, update the plugin code and release it as an update.


The topic ‘So many problems and unsecure code’ is closed to new replies.