
Comments (5)

samtuke commented on May 10, 2024

@asdr45fsd35fdf So exit() is not being called, but commenting it out makes your custom ajax subscription process work?

It sounds like exit() must be called, but perhaps you are not detecting it. You could try logging an error (using trigger_error()) every time it is called (assuming PHP errors are being logged and you can access that log). You could also try using xdebug() to step through the code, if your IDE supports this, e.g. add a break point to that line so you can pause execution and check what logical sequence led to that point.

@xh3n1 may also have ideas.

from phplist3.

michield commented on May 10, 2024

    $key = sprintf('%d', $key);
    if (!empty($key)) {

The %d forces the key to be numerical. If that evaluates to 0, it meant the original key was not numerical, which means someone has tried to push some other kind of code in, ergo "hack attempt".

Check that your ajax code doesn't push the "lists" variable to the page, and if it does, make sure the keys of the key-value pairs are numerical.

The asubscribe parameter expects only an email address and will fetch the rest (including which lists to subscribe to) from the subscribe page definition.

@samtuke I guess it could be useful to document the asubscribe call for everyone. It is currently only documented in the hosted account pages.

from phplist3.
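The key check described in the comment above, as an added example that is not part of the original thread and is not phpList source: it runs the quoted `%d` coercion over constructed keys next to a stricter whole-string match. The function names `coerced_key` and `strict_key` and the sample keys are assumptions made for illustration; note that a key such as `'2abc'` is coerced to `2` rather than rejected.

```php
<?php
// Added illustration; not phpList source. Function names are hypothetical.

// The check quoted in the thread: coerce the key with %d and treat an
// empty result ("0") as a non-numeric key.
function coerced_key($key): ?int
{
    $coerced = sprintf('%d', $key);
    return empty($coerced) ? null : (int) $coerced;
}

// Stricter alternative (an assumption, not phpList behaviour): accept only
// keys that are already plain positive decimal integers; reject the rest
// instead of converting them.
function strict_key($key): ?int
{
    $s = (string) $key;
    return preg_match('/^[1-9][0-9]*$/', $s) === 1 ? (int) $s : null;
}

// Constructed sample keys, as they could arrive in the posted "list" array.
$samples = [2, 'abc', '2abc', '0', '-5'];

foreach ($samples as $key) {
    printf(
        "%-8s coerced=%-5s strict=%s\n",
        var_export($key, true),
        var_export(coerced_key($key), true),
        var_export(strict_key($key), true)
    );
}
```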

michield commented on May 10, 2024

by the way @asdr45fsd35fdf we would be able to be more serious if your handle wasn't some keysmash.

from phplist3.

mrojnetsky commented on May 10, 2024

@samtuke correct! I don't understand why. I used
Fatal_Error('Some info plus var value'); exit;
Line by line in that area of the code. I could see in the ajax response what the values are for the vars and my custom text. The above mentioned if-statement always evaluates as true, in my case. I checked it multiple times. I might be crazy but that's what I see.

@michield it does push the list value and the key is numeric in the following way:

HTML part

<form method="post" name="subform" id="subform" enctype="multipart/form-data">
    <input type=hidden name="htmlemail" value="1">
    <input type="hidden" name="list[2]" value="signup"/>
    <input type="hidden" name="subscribe" value="subscribe"/>
    <input type="email" name="email" id="email" required>
    <button class="btn" type="button" onclick="if (checkForm()) {submitForm();} return false;"></button>
    <div class="alert alert-success" id="success" style="display:none"></div>
    <div class="alert alert-danger" id="danger" style="display:none"></div>
</form>

JS part

// Validate the email field client-side before the form is submitted.
function checkForm() {
    var re = /^(([^<>()[\]\.,;:\s@\"]+(\.[^<>()[\]\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;

    if (!re.test(jQuery("#email").val())) {
        jQuery("#success").empty().hide();
        jQuery("#danger").empty().append("Please enter a valid email.").show();
        jQuery("#email").focus();
        return false;
    }
    return true;
}

// Post the serialized form to the asubscribe page and show the outcome.
function submitForm() {
    var successMsg = 'Thank you for your registration.';
    var failMsg = 'Sorry, we were unable to register you.';
    // Serializes every field of the form, including the hidden list[2] input.
    var formData = jQuery('#subform').serialize();
    jQuery.ajax({
        type: 'POST',
        data: formData,
        url: '/phplist/?p=asubscribe',
        dataType: 'html',
        success: function (data, status, request) {
            // The response body is compared against the literal 'FAIL'.
            if (data === 'FAIL') {
                jQuery("#success").empty().hide();
                jQuery("#danger").empty().append(failMsg).show();
            } else {
                jQuery("#danger").empty().hide();
                jQuery("#success").empty().append(successMsg).show();
                jQuery('#email').val('');
            }
        },
        error: function (request, status, error) {
            jQuery("#success").empty().hide();
            jQuery("#danger").empty().append(failMsg).show();
        }
    });
}

I borrowed and adapted this code from this thread https://discuss.phplist.org/t/ajax-subscribe-api/974/2
There they push the list the same way.

I will try not to push the list value as you suggested and see if it works better. Last thing I want to do is to modify phpList code in any way, complicating future updates.

@michield your wish is my command. I do keysmash for all my accounts so that I not only don't know the randomly generated password but the username cannot be tied to any other accounts that use the same username. It is a habit that I recommend to anyone given the perpetual hacking that's going on. But I can see how it might go against GitHub policy or invoke prejudice.

*Update: trying to fix code formatting

from phplist3.

marianaballa commented on May 10, 2024

It seems that there are no updates on this issue for more than a year. For future questions/proposals, I would recommend the community forum or Mantis, the phpList bug tracker.

Closing this.

from phplist3.
