fallen00sniper Posted December 11, 2008 Share Posted December 11, 2008
having a problem with this code and getting it to work properly with my database, someone else coded it up and gave it out freely, but i need to make one change to it and also it isn't communicating with my database properly with one table ExtWareHouse. Thanks to anyone that can help.

My alteration

<table align="center" width="450" border="0" class="text_little">
  <tr>
    <td align="center"><?php echo "Still debugging. :smile:"; ?></td>
  </tr>
</table>
<form id="form1" name="form1" method="post" action="">
<table align="center" width="450" border="0" cellspacing="0" cellpadding="0" style="visibility:collapse;">
  <tr>
    <td>
      <table align="center" width="450" border="0" cellspacing="0" cellpadding="0">
        <tr>
          <td align="center" width="450" class="text_little">For security purposes please verify your account.</td>
        </tr>
        <tr>
          <td height="5px"></td>
        </tr>
      </table>
      <table align="center" width="135" border="0" cellspacing="0" cellpadding="0" class="text_little">
        <tr>
          <td class="text_little">Anti-Dupe System:</td>
          <td style="color:#00ff00;">Enabled</td>
          <td class="text_little">.</td>
        </tr>
      </table>
      <table align="center" width="150" border="0" class="text">
        <tr>
          <td align="left">Username</td>
        </tr>
          <td align="left"><div><input name="id" type="text" class="field" size="20" /></div></td>
        </tr>
        <tr>
          <td align="left">Password</td>
        </tr>
          <td align="left"><div><input name="clave" type="password" class="field" size="20" /></div></td>
        </tr>
        <tr>
          <td align="left"><div><input name="Submit" type="submit" value="Change Vault" class="button" /></div></td>
        </tr>
      </table>
      <table align="center" width="450" border="0" class="text_little">
        <tr>
          <td align="center"><?
/*
 * Vault-swap handler (the poster's altered copy).
 * Verifies the posted account (fields "id" and "clave"), then swaps the
 * account's warehouse row with its extwarehouse row, using charbaul as the
 * holding table for the original vault contents.
 *
 * NOTE(review): mssql_*, eregi() and $HTTP_POST_VARS no longer exist in PHP
 * (mssql_* and eregi() were removed in 7.0, $HTTP_POST_VARS in 5.4), so this
 * listing only runs on long-unsupported PHP versions.
 */

/* NOTE(review): connects as the SQL Server "sa" login with the password
   written into the page source. A dedicated low-privilege login, with the
   credential kept outside the web root, limits what a leak of this file or
   an injection through the queries below can reach. A password that has
   been posted publicly should be treated as compromised and changed. */
$conection = mssql_connect("127.0.0.1","sa","28772877") or die("SQL connection fail, verify your connection config.");
mssql_select_db("MuOnline",$conection);

/*
 * Deny-list filter applied to every posted value before it is concatenated
 * into SQL text.
 *
 * If $mensaje contains at least one ASCII letter or digit (the pattern is
 * unanchored, so other characters may be present as well) the value is
 * lower-cased, every $banlist entry is removed with str_replace() and the
 * result is trimmed. Otherwise NULL is returned.
 *
 * NOTE(review): removing listed substrings is not a reliable defence against
 * SQL injection, and it silently alters legitimate values (a password that
 * contains "-" or an upper-case letter is changed before it is compared).
 * Bound parameters (PDO or sqlsrv prepared statements) keep the data out of
 * the SQL text altogether.
 */
function anti_injection( $mensaje ) {
    $banlist = array ("insert","select","drop","update","delete","distinct","having","truncate","replace", "handler","like","procedure","limit","order by","group by","<",">","/","'"," ","=","*",",","-");
    if ( eregi ( "[a-zA-Z0-9]+", $mensaje ) ) {
        $mensaje = trim ( str_replace ( $banlist, '', strtolower ( $mensaje ) ) );
    } else {
        $mensaje = NULL;
    }
    return $mensaje;
}

/* Only proceed when both form fields are non-empty after trimming. */
if(trim($HTTP_POST_VARS["id"]) != "" && trim($HTTP_POST_VARS["clave"]) != "") {
    /* Credential check: a row comes back only when id and password both match.
       NOTE(review): the filtered password is compared directly with
       memb__pwd, which suggests the column holds plaintext passwords --
       TODO confirm against the schema. */
    $sql = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."' and memb__pwd='".anti_injection($HTTP_POST_VARS["clave"])."'";
    $result = mssql_query($sql);
    if($row = mssql_fetch_array($result)) {
        /* NOTE(review): the original listing further down queries EXTWAREHOUSE
           here. Checking WAREHOUSE lets an account with no extwarehouse row
           through, and the number==0 branch below then copies from an
           extwarehouse subquery that returns no row (NULL). This is probably
           related to the ExtWareHouse problem described in the post. */
        $sqlexiste = "SELECT AccountID FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'";
        $resultexiste = mssql_query($sqlexiste);
        if($rowexiste = mssql_fetch_array($resultexiste)) {
            /* ConnectStat of 0 is treated as "offline" (see the else branch).
               NOTE(review): the comparison is loose, so a missing MEMB_STAT
               row (fetch returns false) also compares equal to 0. */
            $sqlchar = mssql_query("SELECT ConnectStat FROM MEMB_STAT WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."'");
            $rschar = mssql_fetch_array($sqlchar);
            if(($rschar['ConnectStat'])==0) {
                /* warehouse.number records which vault is currently loaded:
                   0 = original vault, 1 = second vault. */
                $sqlbaul = mssql_query("SELECT number FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'");
                $rsbaul = mssql_fetch_array($sqlbaul);
                /* NOTE(review): none of the mssql_query() results below are
                   checked and the statements are not wrapped in a
                   transaction, so a failure part-way through leaves the
                   vault tables half-updated. The online check above and
                   these writes are also separate, non-atomic statements. */
                if(($rsbaul['number'])==1) {
                    /* If I want my original vault */
                    /* Save 2nd vault in extwarehouse table */
                    $sql ="update extwarehouse set items=(select items from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update extwarehouse set money=(select money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Update main vault to original content */
                    $sql ="update warehouse set items=(select items from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update warehouse set money=(select money from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Set vault number */
                    $sql ="update warehouse set number=0 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Clean main vault last data */
                    $sql ="delete charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                }
                /* $rsbaul still holds the value read before the updates, so
                   only one of the two branches runs per request. */
                if(($rsbaul['number'])==0) {
                    /* If I want 2nd vault */
                    /* Save main vault data into charbaul table */
                    $sql ="insert into charbaul(accountid, items, money)(select accountid, items, money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."')";
                    mssql_query($sql);
                    /* Update main vault to 2nd vault data */
                    $sql ="update warehouse set items=(select items from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update warehouse set money=(select money from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Set vault number */
                    $sql ="update warehouse set number=1 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                }
                /* Report which vault is now active, based on the value read
                   before the swap. */
                echo "Your vault was changed successfully to";
                if(($rsbaul['number'])==0) echo " Vault 2.";
                if(($rsbaul['number'])==1) echo " Vault 1.";
            } else {
                echo "You must be offline to do this. 
vault change did not proceed!";
            }
        } else {
            echo "You don't have extravault, Please contact your Administrator!";
        }
    } else {
        echo "Invalid Username or Password!";
    }
    mssql_free_result($result);
} else {
    echo "You must complete all fields to change vault.";
}
mssql_close();
?></td>
        </tr>
      </table>
    </td>
  </tr>
</table>
</form>

Original Inject

<?
/*
 * Second listing: the script as the poster received it. It differs from the
 * altered copy above in the existence check (EXTWAREHOUSE rather than
 * WAREHOUSE) and in the messages it echoes; the connection, the filter and
 * the swap statements are the same.
 *
 * NOTE(review): same concerns as any string-built SQL page: "sa" login with
 * a hard-coded password, a deny-list filter instead of bound parameters,
 * unchecked query results and no transaction around the swap.
 */
$conection = mssql_connect("127.0.0.1","sa","28772877") or die("SQL connection fail, verify your connection config.");
mssql_select_db("MuOnline",$conection);

/*
 * Deny-list filter: lower-cases $mensaje, removes every $banlist entry and
 * trims the result when the value contains at least one ASCII letter or
 * digit; returns NULL otherwise.
 * NOTE(review): not a substitute for parameterized queries.
 */
function anti_injection( $mensaje ) {
    $banlist = array ("insert","select","drop","update","delete","distinct","having","truncate","replace", "handler","like","procedure","limit","order by","group by","<",">","/","'"," ","=","*",",","-");
    if ( eregi ( "[a-zA-Z0-9]+", $mensaje ) ) {
        $mensaje = trim ( str_replace ( $banlist, '', strtolower ( $mensaje ) ) );
    } else {
        $mensaje = NULL;
    }
    return $mensaje;
}

/* Only proceed when both form fields are non-empty after trimming. */
if(trim($HTTP_POST_VARS["id"]) != "" && trim($HTTP_POST_VARS["clave"]) != "") {
    /* Credential check against MEMB_INFO (id and password must both match). */
    $sql = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."' and memb__pwd='".anti_injection($HTTP_POST_VARS["clave"])."'";
    $result = mssql_query($sql);
    if($row = mssql_fetch_array($result)) {
        /* The account must already have a row in EXTWAREHOUSE. */
        $sqlexiste = "SELECT AccountID FROM EXTWAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'";
        $resultexiste = mssql_query($sqlexiste);
        if($rowexiste = mssql_fetch_array($resultexiste)) {
            /* ConnectStat of 0 is treated as "offline" (see the else branch). */
            $sqlchar = mssql_query("SELECT ConnectStat FROM MEMB_STAT WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."'");
            $rschar = mssql_fetch_array($sqlchar);
            if(($rschar['ConnectStat'])==0) {
                /* warehouse.number: 0 = original vault loaded, 1 = second vault loaded. */
                $sqlbaul = mssql_query("SELECT number FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'");
                $rsbaul = mssql_fetch_array($sqlbaul);
                if(($rsbaul['number'])==1) {
                    /* If I want my original vault */
                    /* Save 2nd vault in extwarehouse table */
                    $sql ="update extwarehouse set items=(select items from warehouse where 
accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update extwarehouse set money=(select money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Update main vault to original content */
                    $sql ="update warehouse set items=(select items from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update warehouse set money=(select money from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Set vault number */
                    $sql ="update warehouse set number=0 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Clean main vault last data */
                    $sql ="delete charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                }
                if(($rsbaul['number'])==0) {
                    /* If I want 2nd vault */
                    /* Save main vault data into charbaul table */
                    $sql ="insert into charbaul(accountid, items, money)(select accountid, items, money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."')";
                    mssql_query($sql);
                    /* Update main vault to 2nd vault data */
                    $sql ="update warehouse set items=(select items from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    $sql ="update warehouse set money=(select money from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                    /* Set vault number */
                    $sql ="update warehouse set number=1 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
                    mssql_query($sql);
                }
                /* NOTE(review): the filtered account id is echoed into the page;
                   htmlspecialchars() is the appropriate encoding for HTML output. */
                echo "-".anti_injection($HTTP_POST_VARS["id"])." vault changed successfully!";
            } else {
                echo "You must be offline, vault change did not proceed!";
            }
        } else {
            echo "You don't have extravault, contact your administrator!";
        }
    } else {
        echo "Login fail!";
    }
    mssql_free_result($result);
} else {
    echo "You must to complete all field to login!";
}
mssql_close();
?>
Link to comment https://forums.phpfreaks.com/topic/136561-php-injecting-into-sql-database-problem/ Share on other sites More sharing options...
Brian W Posted December 11, 2008 Share Posted December 11, 2008 This should be moved to the 3rd party scripts board. Secondly, be more descriptive about your problem (what errors you get, what exactly it is doing, and what you intend it to do). Also, short tags are bad practice: instead of <? use <?php Link to comment https://forums.phpfreaks.com/topic/136561-php-injecting-into-sql-database-problem/#findComment-712829 Share on other sites More sharing options...
fallen00sniper Posted December 12, 2008 Author Share Posted December 12, 2008 topic moved thanks brian. Link to comment https://forums.phpfreaks.com/topic/136561-php-injecting-into-sql-database-problem/#findComment-713232 Share on other sites More sharing options...