Enhance security

diff --git a/lib/db_implementation.php b/lib/db_implementation.php
index 430432838498280041415a98bc1b73f662c3cf7f..0ef791ac460c0b373f3ad23a9be3c7b9e5c285d7 100644 (file)
--- a/lib/db_implementation.php
+++ b/lib/db_implementation.php
@@ -9,6 +9,7 @@ abstract class DBImpl {
     abstract protected function getMarked($recipient = 'all');
     abstract protected function numRows();
     abstract protected function getMail($id);
+    abstract protected function getRecipient($id);
     abstract protected function setCharset($charset = 'utf8');
     abstract protected function update($sql);
 }

diff --git a/lib/db_mysqli.inc.php b/lib/db_mysqli.inc.php
index 584e843cb8af804beae73aa4a72febd62932a552..9203f6db3ac2f5ad817d6b30902a9a11779cf529 100644 (file)
--- a/lib/db_mysqli.inc.php
+++ b/lib/db_mysqli.inc.php
@@ -146,6 +146,26 @@ class DBMysqli extends DBImpl {
         return $row;
     }
 
+    public function getRecipient($id) {
+        $recipient = false;
+
+        $query = "SELECT recipient.email as recipient FROM quarantine q LEFT JOIN msgrcpt ";
+        $query .= "ON msgrcpt.mail_id = q.mail_id LEFT JOIN msgs ON ";
+        $query .= "msgs.mail_id = q.mail_id LEFT JOIN maddr AS recipient ";
+        $query .= "ON msgrcpt.rid = recipient.id LEFT JOIN maddr AS sender ON ";
+        $query .= "msgs.sid = sender.id WHERE q.mail_id = '$id'";
+
+        if ($result = $this->con->query($query, MYSQLI_USE_RESULT)) {
+            $obj = $result->fetch_object();
+            if ($obj) {
+                $recipient = $obj->recipient;
+            }
+            $result->free();
+        }
+
+        return $recipient;
+    }
+
 }
 
 ?>