Can someone please tell me why this “exit” exists in subscribelib2.php? What types of hacks does it avert?
I ask because I’m working on an ajax form (using jquery) to subscribe a user to a phplist newsletter from a distinct website without requiring our user to leave that website. Unfortunately, after my ajax form is submitted to phplist, subscribelib2.php is prematurely exiting at the line above due to “hack attempt”.
I did some debugging. Here is the print_r() of $_POST['list'] as subscribelib2.php sees it when my ajax form from a distinct domain submits to our phplist site at /lists/index.php?p=asubscribe&id=2:
Array
(
  => signup
  => signup
)
For comparison, here is the print_r() of $_POST['list'] as subscribelib2.php sees it when I attempt to subscribe from the form on the phplist site at /lists/index.php?p=subscribe&id=2
Array
(
  => signup
)
As you can see, subscribelib2.php sees an additional element in the array whose index is empty. Then the $key in the code linked above is empty, and therefore subscribelib2.php prematurely exits after the comment “hack attempt”.
My ajax form has a hidden input as follows:
<input type="hidden" name="list" value="signup" />
I do not define an input with name = “list”. I’m not sure where php is getting that input; even my browser’s js console’s Params tab only shows me the one named “list” with value “signup”. Perhaps the “list” is a confused byproduct of the way jquery.ajax() serializes the data from the form before passing it to phplist?
In any case, I’m wondering if the “hack attempt” exit is actually useful. If it is, I’d like to submit a PR to include comments in the code describing what it exactly is for. If it’s not doing anything, then I’d like to submit a PR to remove that exit so that my ajax submission form (which is benevolent) will work.
Please let me know if it’s acceptable to remove the logic linked above from subscribelib2.php or not.