ivannovak / jpmaster77-s-Login-System-

jpmaster77's Login System v2.0.4d
http://www.evolt.org/node/60384

Deleting any internal message between users #2

Closed rainworm closed 13 years ago

rainworm commented 13 years ago

I don't know if this project is still alive or not, but anyway... I checked this code and the first thing I noticed is that anyone (even users who are not logged in) can delete any message as long as the right mail ID is guessed (one JavaScript for loop and every message in the system is gone permanently).

Advice: only the recipient or sender should be able to delete a message. I would also recommend not physically deleting the message from the table but marking it as deleted. This way you can always restore it in case of an "accident".

greetings, rainworm

ivannovak commented 13 years ago

Can you explain this a bit more? The mail.php file uses $_POST, so I'm not sure how you'd manipulate the action with URL params.

I'm going to update the SQL, adding the deleted field to the mail table structure, and modify the delete sequence as you've described.

rainworm commented 13 years ago

There's no guarantee about $_POST requests. They don't have to come from a browser; they can easily be sent from JavaScript, or using cURL, the http_request class (PEAR), or plain old fsockopen()... imagination is the limit. So don't count on it when security is an issue. You have to do server-side checking to make sure the correct person is deleting messages.

I have put together a short movie (sorry for the quality) where you can see how easy it is to manipulate posted parameters: http://www.youtube.com/watch?v=MNXEPxVWkYI
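The two points raised in this thread, a server-side check that the caller is the sender or recipient (rainworm's first comment and the reply about $_POST not being trustworthy) and marking messages deleted instead of removing the row (the `deleted` field ivannovak says he will add), as one added example. This is not the project's own mail.php: the `mail` table layout (id, sender, recipient, subject, deleted, with sender and recipient stored as usernames) and the idea that the login system hands the handler the logged-in username from its own session are assumptions made for the example.

```php
<?php
// Added example, not the project's own mail.php. Assumed schema: a `mail`
// table with columns id, sender, recipient, subject and the `deleted` flag
// proposed in this issue (0 = live, 1 = soft-deleted). Assumed that the
// login system supplies the logged-in username server-side (from its
// session), so $currentUser is never read from the request.

function deleteMail(PDO $db, string $currentUser, array $post): array
{
    // Pattern being replaced: DELETE FROM mail WHERE id = <$_POST value>
    // with no check of who is asking. Any client able to send a POST can
    // guess ids and remove every message permanently.
    if ($currentUser === '') {
        return ['ok' => false, 'reason' => 'not logged in'];
    }
    if (!isset($post['id']) || !ctype_digit((string) $post['id'])) {
        return ['ok' => false, 'reason' => 'invalid id'];
    }
    $id = (int) $post['id'];

    // Authorization is enforced in the query itself: the row is only touched
    // if the caller is its sender or recipient. The message is flagged rather
    // than removed, so an accidental deletion can be reverted.
    $stmt = $db->prepare(
        'UPDATE mail SET deleted = 1
          WHERE id = :id AND deleted = 0
            AND (sender = :as_sender OR recipient = :as_recipient)'
    );
    $stmt->execute([
        ':id'           => $id,
        ':as_sender'    => $currentUser,
        ':as_recipient' => $currentUser,
    ]);

    // Zero affected rows covers "no such id", "already deleted" and
    // "not your message"; one response for all three avoids telling a
    // caller who is probing ids which ones exist.
    if ($stmt->rowCount() === 0) {
        return ['ok' => false, 'reason' => 'no such message'];
    }
    return ['ok' => true, 'reason' => ''];
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mail (
    id INTEGER PRIMARY KEY,
    sender TEXT NOT NULL,
    recipient TEXT NOT NULL,
    subject TEXT,
    deleted INTEGER NOT NULL DEFAULT 0
)');
$db->exec("INSERT INTO mail (id, sender, recipient, subject) VALUES
    (1, 'alice', 'bob',  'hello'),
    (2, 'carol', 'dave', 'private')");

// An anonymous forged POST, e.g. what `curl -d id=2` would send: refused.
var_dump(deleteMail($db, '', ['id' => '2']));
// Logged-in bob guessing the id of a message he is not party to: refused.
var_dump(deleteMail($db, 'bob', ['id' => '2']));
// bob deleting a message addressed to him: flagged, row still present.
var_dump(deleteMail($db, 'bob', ['id' => '1']));
var_dump($db->query('SELECT id, deleted FROM mail ORDER BY id')->fetchAll(PDO::FETCH_ASSOC));
```

In a request handler this would be called as `deleteMail($db, $loggedInUser, $_POST)`, where `$loggedInUser` comes from whatever the login system keeps in the server-side session (assumed here; the exact property name in this project is not shown in the issue). The point of the design is that nothing in the POST body decides who is acting: the forged request from the video carries only an id, and the id alone is not enough once the query also requires the caller to be on the message. Reads of the inbox should likewise filter on `deleted = 0` so flagged rows stay in the table for restoration without appearing to users.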