Jump to content

scott.timlock

New Members
 View Profile  See their activity

  • Posts

    4

  • Joined

  • Last visited

 Content Type 

Everything posted by scott.timlock

  1. scott.timlock
    Hello, I have this registration script in php... and was recently compromised. I was hoping for some help in identifying any potential security issues that would allow a person to get userid, email, and password hash's from it. <?php define('NO_INCLUDE', 1); $phpEx = "php"; $php_root_path = "./"; include($php_root_path . 'includes/common.'.$phpEx); if ( isset($HTTP_POST_VARS['mode']) ) $mode = $HTTP_POST_VARS['mode']; elseif ( isset($HTTP_GET_VARS['mode']) ) $mode = $HTTP_GET_VARS['mode']; else $mode = 'register'; function show_coppa() { global $template, $php_root_path, $phpEx; $template->set_filenames(array( 'body' => 'agreement_body.tpl') ); $template->pparse('body'); } $error = FALSE; $error_msg = ''; $page_title = ( $mode == 'register' ) ? "Register" : "Activate"; session_start(); if ( $mode == 'activate' ) { if( ( isset($HTTP_POST_VARS['activate']) || isset($HTTP_GET_VARS['activate']) ) && !$_SESSION['logged_in'] ) { $username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : ''; $activation_code = isset($HTTP_POST_VARS['activation_code']) ? $HTTP_POST_VARS['activation_code'] : $HTTP_GET_VARS['act_code']; $sql = "SELECT JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { if( md5($password) == $row['password'] ) { if( $activation_code == $row['activation_code'] ) { if($row['certificate_num'] != "") $row['certificate_num'] = "'".$row['certificate_num']."'"; else $row['certificate_num'] = "NULL"; if($row['address'] != "") $row['address'] = "'".$row['address']."'"; else $row['address'] = "NULL"; if($row['postcode'] != "") $row['postcode'] = "'".$row['postcode']."'"; else $row['postcode'] = "NULL"; if($row['phone'] != "") $row['phone'] = "'".$row['phone']."'"; else $row['phone'] = "NULL"; if($row['mobile'] != "") $row['mobile'] = "'".$row['mobile']."'"; else $row['mobile'] = "NULL"; $sql = "INSERT INTO TB_User (StrUserID, password, Status, GMrank, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, Time_log, sec_primary, sec_content) VALUES ('" . $row['StrUserID'] . "', '" . $row['password'] . "', '1', '0', '" . $row['Name'] . "', '" . $row['Email'] . "', '" . $row['sex'] . "', " . $row['certificate_num'] . ", " . $row['address'] . ", " . $row['postcode'] . ", " . $row['phone'] . ", " . $row['mobile'] . ", '" . $row['regtime'] . "', '" . $row['reg_ip'] . "', NULL, '3', '3') "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into users table<br />'.$sql); } else { $message = 'Congratulations!!! Your account has successfuly been activated!<br /><br />You are now logged into the website and you can use your account information to login to any of our servers!<br /><br />Now would be a good time to visit our <a href="viewforum.php?f=12">Introduction & Recruitment Section</a> on our Community page and introduce yourself!<br /><br />We hope you enjoy your time with us at Silkroad Universe!'; $sql = "DELETE FROM TB_User_Info WHERE JID = ".$row['JID']; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not delete temp activation data'); } $sql = "SELECT JID, StrUserID, Name, Email, Status, sec_content FROM TB_User WHERE StrUserID = '" . $row['StrUserID'] . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } $new_user = $db_account->sql_fetchrow($result); $_SESSION['JID'] = $new_user['JID']; $_SESSION['StrUserID'] = $new_user['StrUserID']; $_SESSION['Name'] = $new_user['Name']; $_SESSION['Email'] = $new_user['Email']; $_SESSION['Status'] = $new_user['Status']; $_SESSION['sec_content'] = $new_user['sec_content']; $_SESSION['session_id'] = session_id(); $_SESSION['tracking_topics'] = array(); $_SESSION['tracking_forums'] = array(); $_SESSION['last_visit'] = ($_SESSION['last_pagevisit']+10800)<=time()?time():$_SESSION['last_visit']; $_SESSION['last_pagevisit'] = time(); $_SESSION['logged_in'] = TRUE; } $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message_title = 'Your activation code did not match our records.'; } } else { $message_title = 'You have specified an incorrect password.'; } } else { $message_title = 'You have specified an incorrect username.'; } $page_title = "Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { if ( empty($_SESSION['logged_in']) ) { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_body.tpl') ); if( isset($HTTP_POST_VARS['act_code']) || isset($HTTP_GET_VARS['act_code']) ) { $activation_code = isset($HTTP_GET_VARS['act_code']) ? $HTTP_GET_VARS['act_code'] : $HTTP_POST_VARS['act_code']; $s_hidden_fields = '<input type="hidden" name="activation_code" value="' . $activation_code . '" />'; } else { $template->assign_block_vars('switch_enter_activation_code', array()); } if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $page_title = "Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_title = 'You must log out to activate your account'; $message_text = sprintf('Click %sHere%s to log out', '<a href="login.'.$phpEx.'?logout=true'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } } elseif ( $mode == 'resend' ) { if( isset($HTTP_POST_VARS['resend']) || isset($HTTP_GET_VARS['resend']) ) { $user_email = isset($HTTP_POST_VARS['user_email']) ? $HTTP_POST_VARS['user_email'] : ''; $sql = "SELECT JID, StrUserID, Email, activation_code FROM TB_User_Info WHERE StrUserID = '" . $user_email . "' OR Email = '" . $user_email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { $message = 'Your activation code has been resent to the account email you specified.'; include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('[email protected]'); $emailer->replyto('[email protected]'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($row['Email']); $emailer->set_subject('Resend Activation'); $emailer->assign_vars(array( 'USERNAME' => $row['StrUserID'], 'PASSWORD' => '************', 'ACTIVATION_CODE' => $row['activation_code'], 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code']) ); $emailer->send(); $emailer->reset(); $message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />'; $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Activation Resend Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message_title = 'You have specified an incorrect username or email.'; } $page_title = "Resend Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=activate'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_resend.tpl') ); if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } elseif ( $mode == 'bademail' ) { if( isset($HTTP_POST_VARS['bademail']) || isset($HTTP_GET_VARS['bademail']) ) { $Email = isset($HTTP_POST_VARS['Email']) ? $HTTP_POST_VARS['Email'] : ''; $Email_new = isset($HTTP_POST_VARS['Email_new']) ? $HTTP_POST_VARS['Email_new'] : ''; $Email_con = isset($HTTP_POST_VARS['Email_con']) ? $HTTP_POST_VARS['Email_con'] : ''; $username = isset($HTTP_POST_VARS['StrUserID']) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = isset($HTTP_POST_VARS['password']) ? $HTTP_POST_VARS['password'] : ''; $sql = "SELECT JID, StrUserID, Name, Email, password, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining user data'); } if( $row = $db_account->sql_fetchrow($result) ) { if( md5($password) == $row['password'] ) { if( $Email == $row['Email'] && $Email_new == $Email_con ) { $sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining email data'); } if( $row = $db_account->sql_fetchrow($result) ) { $message_title = 'The new email you entered is taken, please enter a new email.'; } else { $message = 'Your activation code has been resent to the new email you specified and your old email has been updated.'; $sql = "SELECT JID, StrUserID, Name, Email, password, activation_code FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; $sql = "UPDATE TB_User_Info SET Email = '".$Email_new."' WHERE StrUserID = '".$username."' AND Email = '".$Email."' AND password = '".md5($password)."'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in updating user data'); } include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('[email protected]'); $emailer->replyto('[email protected]'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($Email_new); $emailer->set_subject('Resend Activation'); $emailer->assign_vars(array( 'USERNAME' => $row['StrUserID'], 'PASSWORD' => '************', 'ACTIVATION_CODE' => $row['activation_code'], 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $row['activation_code']) ); $emailer->send(); $emailer->reset(); $message = $message . sprintf('Click %sHere%s to manually enter your activation code', '<a href="register.'.$phpEx.'?mode=activate">', '</a>') . '<br /><br />'; $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Activation Resend Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } else { $message_title = 'The old email you entered does not match the one we have on record, or your new emails did not match.'; } } else { $message_title = 'You have specified an incorrect password, or your account has been blocked.'; } } else { $message_title = 'You have specified an incorrect user name, or that account does not exist.'; } $page_title = "Update Activation Error"; include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); if( isset($HTTP_POST_VARS['redirect']) ) $redir = '&redirect='.$HTTP_POST_VARS['redirect']; else $redir = ''; $message_text = sprintf('Click %sHere%s to try again', '<a href="register.'.$phpEx.'?mode=bademail'.$redir.'">', '</a>') . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); $template->assign_vars(array( 'MESSAGE_TITLE' => $message_title, 'MESSAGE_TEXT' => $message_text) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'activate_bademail.tpl') ); if( isset($HTTP_POST_VARS['redirect']) || isset($HTTP_GET_VARS['redirect']) ) { $forward_page = isset($HTTP_GET_VARS['redirect']) ? $HTTP_GET_VARS['redirect'] : $HTTP_POST_VARS['redirect']; $s_hidden_fields .= '<input type="hidden" name="redirect" value="' . $forward_page . '" />'; } $template->assign_vars(array( 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } if ( $mode == 'register' && !isset($HTTP_POST_VARS['agreed']) && !isset($HTTP_GET_VARS['agreed']) ) { include($php_root_path . 'includes/page_header.'.$phpEx); show_coppa(); include($php_root_path . 'includes/page_footer.'.$phpEx); } $coppa = ( empty($HTTP_POST_VARS['coppa']) && empty($HTTP_GET_VARS['coppa']) ) ? 0 : TRUE; if ($mode == 'register') { $username = ( !empty($HTTP_POST_VARS['StrUserID']) ) ? $HTTP_POST_VARS['StrUserID'] : ''; $password = ( !empty($HTTP_POST_VARS['password']) ) ? $HTTP_POST_VARS['password'] : ''; $password_confirm = ( !empty($HTTP_POST_VARS['password_confirm']) ) ? $HTTP_POST_VARS['password_confirm'] : ''; $Email = ( !empty($HTTP_POST_VARS['Email']) ) ? $HTTP_POST_VARS['Email'] : ''; $Email_confirm = ( !empty($HTTP_POST_VARS['Email_confirm']) ) ? $HTTP_POST_VARS['Email_confirm'] : ''; $Name = ( !empty($HTTP_POST_VARS['Name']) ) ? $HTTP_POST_VARS['Name'] : ''; $sex = ( !empty($HTTP_POST_VARS['sex']) ) ? $HTTP_POST_VARS['sex'] : ''; $certificate_num = ( !empty($HTTP_POST_VARS['certificate_num']) ) ? $HTTP_POST_VARS['certificate_num'] : "NULL"; $address = ( !empty($HTTP_POST_VARS['address']) ) ? $HTTP_POST_VARS['address'] : "NULL"; $postcode = ( !empty($HTTP_POST_VARS['postcode']) ) ? $HTTP_POST_VARS['postcode'] : "NULL"; $phone = ( !empty($HTTP_POST_VARS['phone']) ) ? $HTTP_POST_VARS['phone'] : "NULL"; $mobile = ( !empty($HTTP_POST_VARS['mobile']) ) ? $HTTP_POST_VARS['mobile'] : "NULL"; } if ($mode == 'register' && $_SESSION['logged_in'] && $username == $_SESSION['StrUserID']) { die("That username has already been taken"); } if ( isset($HTTP_POST_VARS['submit']) && $registration_enabled ) { if ( $mode == 'register' ) { if ( getenv("REMOTE_ADDR") == "84.25.0.224" || getenv("REMOTE_ADDR") == "95.154.230.191" || getenv("REMOTE_ADDR") == "66.90.101.217" || strpos("tunay", strtolower($Email)) != false || strpos("tunay", strtolower($Name)) != false ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You have been banned from this website.'; } } $passwd_sql = ''; if ( $mode == 'register' ) { if ( empty($username) || empty($password) || empty($password_confirm) || empty($Email) || empty($Email_confirm) || empty($Name) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'You must fill in all the required fields.'; } } $passwd_sql = ''; if ( !empty($password) && !empty($password_confirm) ) { if ( $password != $password_confirm ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.'; } elseif ( strlen($password_confirm) < 6 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no less than 6 characters.'; } elseif ( strlen($password_confirm) > 32 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password must be no more than 32 characters.'; } elseif(!ctype_alnum($password)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your password should be characters and numbers only.'; } else { if ( !$error ) { $password = md5($password); $passwd_sql = "password = '$password', "; } } } else if ( ( empty($password) && !empty($password_confirm) ) || ( !empty($password) && empty($password_confirm) ) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The passwords you entered did not match.'; } $username_sql = ''; $email_sql = ''; if ( $mode == 'register' ) { if ( empty($username) ) { $error = TRUE; } else if ( $username != $_SESSION['StrUserID'] || $mode == 'register') { $sql = "SELECT StrUserID FROM TB_User WHERE StrUserID = '" . $username . "' UNION ALL SELECT StrUserID FROM TB_User_Info WHERE StrUserID = '" . $username . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining username data'); } if( $row = $db_account->sql_fetchrow($result) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please pick another username, that username has already been taken.'; } elseif ( strlen($username) < 6 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no less than 6 characters.'; } elseif ( strlen($username) > 32 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username must be no more than 32 characters.'; } elseif(!ctype_alnum($username)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your username should be characters and numbers only.'; } if (!$error) { $username_sql = "StrUserID = '" . $username . "', "; } } if ( empty($Email) || empty($Email_confirm) ) { $error = TRUE; } elseif ( $Email != $_SESSION['Email'] || $mode == 'register' ) { $sql = "SELECT Email FROM TB_User WHERE Email = '" . $Email . "' UNION ALL SELECT Email FROM TB_User_Info WHERE Email = '" . $Email . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining email data'); } if( $row = $db_account->sql_fetchrow($result) ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Please use another email, that email has already been taken.'; } elseif(!filter_var($Email, FILTER_VALIDATE_EMAIL) || !filter_var($Email_confirm, FILTER_VALIDATE_EMAIL)) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The email you entered is not a valid format.'; } elseif( $Email != $Email_confirm ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The emails you entered did not match.'; } elseif( strpos($Email, '@walla.com') ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'invalid email address.'; } if (!$error) { $email_sql = "Email = '" . $Email . "', "; } } if ( $mode == 'register' ) { $sql = "SELECT COUNT(reg_ip) AS Cnt FROM TB_User WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "' UNION ALL SELECT COUNT(reg_ip) AS Cnt FROM TB_User_Info WHERE reg_ip = '" . getenv("REMOTE_ADDR") . "'"; if ( !($result = $db_account->sql_query($sql)) ) { die('Error in obtaining reg_ip data'); } $row = $db_account->sql_fetchrow($result); if( $row['Cnt'] > 2 ) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'The account limit has been reached for this IP address.'; } } if ( empty($Name) ) { $error = TRUE; } elseif ( $Name != $_SESSION['Name'] || $mode == 'register' ) { if(substr_count($Name, ' ') > 1) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name can contain only 1 space.'; } if(!ctype_alnum(str_replace(' ','x', $Name))) { $error = TRUE; $error_msg .= ( ( isset($error_msg) ) ? '<br />' : '' ) . 'Your display name should be characters and numbers only.'; } if (!$error) { $name_sql = "Name = '" . $Name . "', "; } } } if ( !$error ) { if($email_activation_enabled && $mode == 'register') { $sql = "SELECT MAX(JID) AS total FROM TB_User_Info"; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not obtain next user_id information'); } $row = $db_account->sql_fetchrow($result); $user_id = $row['total'] + 1; $activation_code = sha1("" . getenv("REMOTE_ADDR") . $Email . ""); if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'"; if($address != "NULL") $address = "'".$address."'"; if($postcode != "NULL") $postcode = "'".$postcode."'"; if($phone != "NULL") $phone = "'".$phone."'"; if($mobile != "NULL") $mobile = "'".$mobile."'"; $sql = "INSERT INTO TB_User_Info (JID, StrUserID, password, Name, Email, sex, certificate_num, address, postcode, phone, mobile, regtime, reg_ip, activation_code) VALUES ('" . $user_id . "', '" . $username . "', '" . $password . "', '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', '" . $activation_code . "') "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into temp users table<br /><br />' . $sql); } $message = 'Your account has been created. However, this site requires account activation. An activation key has been sent to the e-mail address you provided.<br />Please check your e-mail for further information'; include($php_root_path . 'includes/emailer.'.$phpEx); $emailer = new emailer(true); $emailer->from('[email protected]'); $emailer->replyto('[email protected]'); $emailer->use_template('user_welcome_inactive'); $emailer->email_address($Email); $emailer->set_subject('Welcome to Silkroad Underground'); $emailer->assign_vars(array( 'USERNAME' => $username, 'PASSWORD' => $password_confirm, 'ACTIVATION_CODE' => $activation_code, 'U_ACTIVATE' => $server_addr . $server_script . 'register.php?mode=activate&act_code=' . $activation_code) ); $emailer->send(); $emailer->reset(); } elseif ($mode == 'register') { if($certificate_num != "NULL") $certificate_num = "'".$certificate_num."'"; if($address != "NULL") $address = "'".$address."'"; if($postcode != "NULL") $postcode = "'".$postcode."'"; if($phone != "NULL") $phone = "'".$phone."'"; if($mobile != "NULL") $mobile = "'".$mobile."'"; $sql = "INSERT INTO TB_User (StrUserID, password, Status,GMrank,Name,Email,sex,certificate_num,address,postcode,phone,mobile ,regtime,reg_ip,sec_primary,sec_content,AccPlayTime,LatestUpdateTime_ToPlayTime) VALUES ('" . $username . "', '" . $password . "', 1, 0, '" . $Name . "', '" . $Email . "', '" . $sex . "', " . $certificate_num . ", " . $address . ", " . $postcode . ", " . $phone . ", " . $mobile . ", GETDATE(), '" . getenv("REMOTE_ADDR") . "', 3, 3, 0, 0) "; if ( !($result = $db_account->sql_query($sql)) ) { die('Could not insert data into users table<br /><br />' . $sql); } $message = 'Your account has been created.'; } $message = $message . '<br /><br />' . sprintf('Click %sHere%s to return to the Index', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration Successful", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } } if ( $error ) { $password = ''; $password_confirm = ''; } if ( $registration_enabled ) { include($php_root_path . 'includes/page_header.'.$phpEx); if ( !isset($coppa) ) { $coppa = FALSE; } $s_hidden_fields = '<input type="hidden" name="mode" value="' . $mode . '" /><input type="hidden" name="agreed" value="true" /><input type="hidden" name="coppa" value="' . $coppa . '" />'; if ( $error ) { $template->set_filenames(array( 'reg_header' => 'error_body.tpl') ); $template->assign_vars(array( 'ERROR_MESSAGE' => $error_msg) ); $template->assign_var_from_handle('ERROR_BOX', 'reg_header'); } $template->set_filenames(array( 'body' => 'register_body.tpl') ); $template->assign_vars(array( 'USERNAME' => isset($username) ? $username : '', 'PASSWORD' => isset($password) ? $password : '', 'PASSWORD_CONFIRM' => isset($password_confirm) ? $password_confirm : '', 'NAME' => isset($Name) ? $Name : '', 'EMAIL' => isset($Email) ? $Email : '', 'EMAIL_CONFIRM' => isset($Email_confirm) ? $Email_confirm : '', 'SEX_M' => ( $sex=="M" ) ? '<option value="M" selected="selected">Male</option>' : '<option value="M">Male</option>', 'SEX_F' => ( $sex=="F" ) ? '<option value="F" selected="selected">Female</option>' : '<option value="F">Female</option>', 'ADDRESS' => $address!="NULL" ? $address : '', 'POSTCODE' => $postcode!="NULL" ? $postcode : '', 'PHONE' => $phone!="NULL" ? $phone : '', 'MOBILE' => $mobile!="NULL" ? $mobile : '', 'S_HIDDEN_FIELDS' => $s_hidden_fields) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } else { $message = '<br /><br />' . sprintf('Click %sHere%s to return to the Index<br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br /><br />', '<a href="index.'.$phpEx.'">', '</a>'); include($php_root_path . 'includes/page_header.'.$phpEx); $template->set_filenames(array( 'body' => 'message_body.tpl') ); $template->assign_vars(array( 'MESSAGE_TITLE' => "Registration is Closed", 'MESSAGE_TEXT' => $message) ); $template->pparse('body'); include($php_root_path . 'includes/page_footer.'.$phpEx); } ?>
  2. scott.timlock
    Column 'SRO_VT_LOG.dbo._LogEventChar.CharID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. SELECT s.CharID, MAX(s.EventTime) as lastLogout
  3. scott.timlock
    Hello, I have recieved some decent assistant from these forums before, so I am back. I have this query... SELECT l.EventTime, c.CharName16, c.CurLevel, g.ID, g.Name FROM [sRO_VT_LOG].[dbo].[_LogEventChar] AS l, [sRO_VT_SHARD].[dbo].[_Char] AS c, [sRO_VT_SHARD].[dbo].[_Guild] AS g WHERE c.CharID = l.CharID AND g.ID = c.GuildID AND l.EventID = 4 AND l.EventTime > (SELECT TOP 1 s.EventTime FROM [sRO_VT_LOG].[dbo].[_LogEventChar] AS s WHERE s.CharID = l.CharID AND s.EventID = 6 ORDER BY s.EventTime DESC) ORDER BY l.EventTime DESC here is an example from the log table CharID EventTime EventID Data1 Data2 Data3 8572 2012-09-13 13:43:40.757 4 0 1583623721 NULL NULL 8572 2012-09-13 13:44:19.570 6 0 1583623721 NULL NULL Which, while referencing other tables for name data, gives me a list of users currently online... however I cannot for the life of me solve the issue of the query not displaying users who are online but for the first time, never creating the logout row (id 6). Also, Im looking for a seperate query for finding the total time a user has been online by subtracting the login times from the logout times, but I dont know where to start. I know its possible, maybe not exactly how I think it is, and thats the other half of the reason i am here.
  4. scott.timlock
    $sql = "SELECT invoice_id, vehicle_id, type, date FROM invoice_haul WHERE date > ".$time; if ( !($result = $db->sql_query($sql)) ) { die('Error in obtaining haul data'); } while($haul = $db->sql_fetchrow($result)) { $row[] = $haul; } I cannot for the life of me figure out how to sort $row by the key $row[]['date'].... i know i can just ORDER BY the sql query but there are other queries that add to $row and i need to sort by the date after the fact.
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.