For the last few days I've been trying to complete a simple vote script based on PHP and SQL queries.
There are no errors in the PHP (at least I'm not able to find them), but the SQL query is not working for some reason.
Here's the script:
<?php
$host="";
$user="";
$password="";
$database="characters"; //Your character database
if(($_COOKIE['vote']) != '0') //Will add later - Knindza
{
if(!empty($_POST['name']))
{
mysql_connect($host,$user,$password);
@mysql_select_db($database) or die( "Unable to select database");
$name = mysql_real_escape_string($_POST['name']);
$query="SELECT * FROM characters WHERE name='$name' LIMIT 1";
$result = mysql_query($query);
if($row = mysql_fetch_array($result))
{
$guid = $row['guid'];
$item = 20815;
mysql_query("INSERT INTO mail(sender, receiver, subject, body, stationary, money, item_id, item_stack) VALUES ($guid, $guid, 'Thankyou for voting!', 'Use this item to get vote rewards from the votereward vendors in the malls. Vote again in 12 hours', 0, 0, $item, 1)");
echo "Thank you for voting!";
echo "";
}
else
{
echo "A char with that name was not found.";
}
mysql_close();
}
else
{
?>
Vote for us and get rewards! <br />
<form method='post' action='vote1.php'>
Character Name:<input type='text' name='name' />
<input type='submit' value='Vote!' />
</form>
<p>
<?php
}
}
else
{
echo "You already voted! You can vote once every 12 hours. Thank you :)";
}
?>
</p>
More like: can help, but won't do it. (Actually I did; point #3 explains what is wrong. The intro was written after creating the list.)
1. Start using PDO already, please.
2. Never use @; it hides all errors (there might be a few serious ones and you will never know).
3. The SQL query seems to be outdated (compared to the latest rev).
4. Also, the user sends mail to himself?
5. Just a note: I can make a script which removes cookies on every request and basically receive an infinite amount of 'tokens'.
So that's what the at symbols were?! Interesting. I have never seen that in PHP.
@Knindza You can use SOAP in the backend to give the player rewarded items in their in-game mailbox. To add to what Aok mentioned, never inject directly into the DB from the web.
Also, create a memory table or temp table to store sessions for the user that is "logged into" that session for reward info or voting, etc. It's a bit of work to trap their sessions, but you can use their game login data, then trap their vote, then reward.
To add to what Darki73 mentioned: web cookies can be easily modified, giving the web user a major exploit.
Use the login-from-game-table method, then trap a simple integer for whether they have voted or not, and also store data on their reward. Never ever ever use cookies to store that info. I've seen that before; I modified the cookies and was able to reward myself with pretty much everything in the item_template table.
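As an added example that is not part of any post in this thread, here is the same vote flow rewritten along the lines the replies above suggest: PDO with prepared statements (no `@`, errors thrown instead of hidden) and the 12-hour cooldown kept in a server-side table keyed on the character's `guid` rather than in a cookie the browser controls. The `characters(guid, name)` and `mail(...)` tables and columns are taken from the original script as posted; the `vote_log(guid, voted_at)` table is an assumption introduced for this example and does not exist in the original schema.

```php
<?php
// Added example, not the original poster's script.
// Assumed table (not on the page): vote_log(guid INT, voted_at DATETIME).
// characters(guid, name) and the mail columns come from the original query above.

$host = "localhost";   // fill in your own connection details
$user = "";
$password = "";
$database = "characters";
$item = 20815;
$cooldown = new DateInterval('PT12H');

$pdo = new PDO("mysql:host=$host;dbname=$database;charset=utf8mb4", $user, $password, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // errors are thrown, never silenced
    PDO::ATTR_EMULATE_PREPARES => false,           // real server-side prepared statements
]);

function findGuid(PDO $pdo, string $name): ?int {
    // The name is bound as a parameter, so it can never change the query text.
    $stmt = $pdo->prepare("SELECT guid FROM characters WHERE name = ? LIMIT 1");
    $stmt->execute([$name]);
    $guid = $stmt->fetchColumn();
    return $guid === false ? null : (int)$guid;
}

function lastVoteAt(PDO $pdo, int $guid): ?DateTimeImmutable {
    // Cooldown state lives in the database, not in anything the browser sends.
    $stmt = $pdo->prepare("SELECT MAX(voted_at) FROM vote_log WHERE guid = ?");
    $stmt->execute([$guid]);
    $ts = $stmt->fetchColumn();
    return $ts ? new DateTimeImmutable($ts) : null;
}

function grantReward(PDO $pdo, int $guid, int $item): void {
    // Reward mail and vote log are written in one transaction so a failure
    // cannot leave a vote logged without its reward, or a reward without a log.
    $pdo->beginTransaction();
    try {
        $mail = $pdo->prepare(
            "INSERT INTO mail (sender, receiver, subject, body, stationary, money, item_id, item_stack)
             VALUES (:s, :r, :subj, :body, 0, 0, :item, 1)");
        $mail->execute([
            ':s'    => $guid,
            ':r'    => $guid,
            ':subj' => 'Thank you for voting!',
            ':body' => 'Use this item to get vote rewards from the votereward vendors in the malls. Vote again in 12 hours',
            ':item' => $item,
        ]);
        $log = $pdo->prepare("INSERT INTO vote_log (guid, voted_at) VALUES (?, NOW())");
        $log->execute([$guid]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

if (!empty($_POST['name'])) {
    $guid = findGuid($pdo, (string)$_POST['name']);
    if ($guid === null) {
        echo "A char with that name was not found.";
    } else {
        $last = lastVoteAt($pdo, $guid);
        $now = new DateTimeImmutable();
        if ($last !== null && $last->add($cooldown) > $now) {
            echo "You already voted! You can vote once every 12 hours. Thank you :)";
        } else {
            grantReward($pdo, $guid, $item);
            echo "Thank you for voting!";
        }
    }
} else {
?>
Vote for us and get rewards! <br />
<form method='post' action='vote1.php'>
Character Name: <input type='text' name='name' />
<input type='submit' value='Vote!' />
</form>
<?php
}
```

Because the cooldown is keyed on the character's `guid` in `vote_log`, clearing cookies on every request no longer yields a fresh vote. What this example does not do is verify that the person submitting the form actually owns that character; that is the separate game-login check CDawg describes, and the `mail` column list is still the one from the original script, which Darki73 notes may be outdated for newer revisions.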
Well, I mean why not? It still works kind of the same, and if a person is not familiar with SOAP, he won't be able to do it.
Regarding the query itself... there is a huge chance of being able to wipe all of the characters DB without even having access to it. SQL injection, to be specific, on the character name field.
So, you've (why do I think it is you? there were no down-votes before I wrote my last message) decided to down-vote me for not writing the script for you? Nice attitude there; what else can I say. My advice to you is to avoid posting on forums with that type of expectation. People here are helping to solve the problem, not solving it for you.
@darki73 I did not vote or down-vote at all. There's no need to attack me or anyone else who hasn't posted a reply to you, which shows your attitude. I just came home and saw / read the answers. As I said before, all the scripts I have on my old website are old, and I'm trying to update them slowly. The login configs are there, but I will move them later to the main one which I use for the login to the panel. About the mail sender: yes, it was working before, but at the moment in mail and mail_items inside the DB there's an ID for them, but nothing inside the in-game mail. I don't expect people to solve my problem by making it for me, just to give me directions on where and what I did wrong.
@codeman8214 I guess it's not. I'm pretty much a 'newbie' to PHP and SQL as well, and I'm trying to learn slowly.
@CDawg Cheers for the tip, I will avoid @ from now on. I was wondering why there were no errors in the cPanel logs.