Mailcow-dockerized: Pdo query

Created on 9 Aug 2019 · 2Comments · Source: mailcow/mailcow-dockerized

I'm developing a signup but i'm getting a problem with query, it always return true (username doesn't exist).Query and db connection is copied from source files.
What should I do?

<?php

    //db connection  pdo
    $database_type = 'mysql';
    $database_sock = '/var/run/mysqld/mysqld.sock';
    $database_host = 'mysql';
    $database_user = getenv('DBUSER');
    $database_pass = getenv('DBPASS');
    $database_name = getenv('DBNAME');


    $dsn = $database_type . ":unix_socket=" . $database_sock . ";dbname=" . $database_name;
    $opt = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES   => false,
    //PDO::MYSQL_ATTR_INIT_COMMAND => "SET time_zone = '" . $offset . "', group_concat_max_len = 3423543543;",
    ];
    try {
    $pdo = new PDO($dsn, $database_user, $database_pass, $opt);
    }
    catch (PDOException $e) {
    // Stop when SQL connection fails
    ?>
    <center style='font-family:sans-serif;'>Connection to database failed.<br /><br />The following error was reported:<br/>  <?=$e->getMessage();?></center>
    <?php

    exit;
    }

    $request = $_GET['username'];

    $domain='mmsecurity.pt';
    $name= $username . '@' . $domain;
    $stmt = $pdo->prepare("SELECT * FROM `alias` WHERE address= :name");
    $stmt->execute(array(':name' => $name));
    $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
    if ($num_results != 0) {
        $valid = "false";
    }else{
        $valid = "true";
    }
    echo $valid;
?>

Source

jose123455587

Most helpful comment

Welcome, just fo reference, docs are located here https://mailcow.docs.apiary.io/#

feldsam on 9 Aug 2019

👍4

All 2 comments

Hi,

    $username= $_GET['username'];
    // instead of
    $request = $_GET['username'];

You could also use the API and try to read the mailbox details.

<?php

$username = $_GET['username'];

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://mx.mailcow.email/api/v1/get/mailbox/" . $username);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
  "Content-Type: application/json",
  "X-API-Key: xyz-xyz-xyz-xyz-xyz"
));
$response = curl_exec($ch);
curl_close($ch);

if ($response && $response == '{}') {
  echo "user $username does not exist";
}
else {
  echo "user exists";
}

Edit: You should also read get/alias/$username and check if it's an alias. Or even a spam alias.

Damn, thanks @feldsam for the API docs, again.