5

The following PHP should determine if there is ?purpose=email and then, if there is, determine whether the string contains ?emailaddress or not. If there is an emailaddress then it triggers one set of scripts, and if not, another. But regardless it is acting as if emailaddress !== ''. Any idea why?

<?php if($_GET['purpose'] == 'email') {?>
<?php   if($_GET['emailaddress'] !== '') {?>
  <script type="text/javascript">
    alert('<?php echo $_GET['emailaddress'];?>');
    window.setTimeout(function(){
      $('.dirops .loadpanel div span', window.parent.document).html('Complete');
      $('.dirops .loadpanel', window.parent.document).removeClass('slideup');
    },1000);
  </script>
<?php } else { ?>
  <script type="text/javascript">
    window.setTimeout(function(){
      $('.dirops .loadpanel div span', window.parent.document).html('Loading');
      $('.dirops .confirmemail', window.parent.document).addClass('slideup');
    },1000);
    $('#confirmemail', window.parent.document).attr('href', 'http://www.golfbrowser.com/A4/directions.php?purpose=email&start=<?php echo $_GET['start'];?>&end=<?php echo $_GET['end'];?>');
  </script>
<?php   } ?> 
<?php } ?> 

Any ideas?

Marvellous

4
  • 3
    This is example code, right? You wouldn't directly print a query-string variable into the page without escaping, right? "echo $_GET['emailaddress'];" --shudder-- Commented Sep 21, 2011 at 13:46
  • What url are you using to access the script? Commented Sep 21, 2011 at 13:48
  • $_GET['emailaddress'] might contain, for example, '<script type="text/javascript">(arbitrary JavaScript)</script>' Commented Sep 21, 2011 at 14:08
  • @RobinKnight The danger comes from me sending you a link to ?purpose=email&emailaddress=Hi')%3B%20alert('This%202nd%20alert%20is%20a%20XSS%20attack. or something like that Commented Sep 21, 2011 at 23:48

5 Answers 5

3

Try if($_GET['emailaddress'] != ''), i.e. != instead of !==


2 Comments

To clarify: when emailaddress is missing, it's probably set to null, and null !== '', causing your "success" condition to run.
Better to use if ( empty( $_GET['emailaddress'] ) )
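An added example (not code from the question or any answer, and assuming PHP 7 or later) that reproduces the null !== '' behaviour over constructed $_GET arrays, and shows a reader function plus the output encoding the comments above ask for when a query-string value is echoed into inline JavaScript or a link:

```php
<?php
// Constructed sample query strings standing in for $_GET in the three cases that matter.
$cases = [
    'absent'  => ['purpose' => 'email'],
    'empty'   => ['purpose' => 'email', 'emailaddress' => ''],
    'present' => ['purpose' => 'email', 'emailaddress' => 'a@example.com'],
];

foreach ($cases as $label => $get) {
    // Mirrors the question: a missing index yields null, and null !== '' is true,
    // so the strict check takes the "success" branch even when nothing was sent.
    $raw          = $get['emailaddress'] ?? null;
    $strictBranch = ($raw !== '');                 // true for 'absent' and 'present'
    $looseBranch  = ($raw != '');                  // null == '' loosely, so false for 'absent'
    $hasValue     = !empty($get['emailaddress']);  // false for both 'absent' and 'empty'
    printf("%-8s strict:%d loose:%d empty-check:%d\n", $label, $strictBranch, $looseBranch, $hasValue);
}

// Reads one parameter as a string; isset() is false for a missing key, so no notice and no null.
function getParam(array $get, string $key): string
{
    return (isset($get[$key]) && is_string($get[$key])) ? trim($get[$key]) : '';
}

// For a value placed inside an inline <script>, json_encode with the HTML-safe flags
// produces a quoted JS string literal whose <, >, &, ' and " are hex-escaped,
// so the value cannot terminate the script block or the string it sits in.
function jsLiteral(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// For the href built in the question: http_build_query URL-encodes each value and
// htmlspecialchars makes the result safe to print inside an HTML/JS string.
function buildLink(string $start, string $end): string
{
    $qs = http_build_query(['purpose' => 'email', 'start' => $start, 'end' => $end]);
    return htmlspecialchars('http://www.golfbrowser.com/A4/directions.php?' . $qs, ENT_QUOTES, 'UTF-8');
}

$email = getParam($cases['present'], 'emailaddress');
if ($email !== '') {
    echo "alert(" . jsLiteral($email) . ");\n";
} else {
    echo "attr('href', '" . buildLink(getParam($cases['present'], 'start'), getParam($cases['present'], 'end')) . "')\n";
}
```

The first loop prints strict:1 for the 'absent' case, which is exactly the branch the question sees; the helpers below it replace the bare echo $_GET[...] with context-appropriate encoding.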
3

Use: array_key_exists('emailaddress', $_GET) instead of $_GET['emailaddress'] !== ''

Comments

1
if (isset($_GET['emailaddress'])) { ....

1 Comment

+1. I imagine his if is failing because he's using type comparison as well, and if the GET parameter is absent, the array value is null, and null !== '' is true.
1

Somehow I don't think that if/else is not working...

try var_dump($_GET) maybe isset($_GET['emailaddress']) can help you.

Comments

0

Try this changing the first two lines:

<?php if(array_key_exists('purpose', $_GET) && $_GET['purpose'] == 'email') {?>
<?php   if(array_key_exists('emailaddress', $_GET) && $_GET['emailaddress'] != '') {?>

Comments
