Jump to content

MOVED: PHP injecting into SQL database problem

fallen00sniper

By fallen00sniper
in Third Party Scripts

Recommended Posts

fallen00sniper Newbie

fallen00sniper

Posted
Posted

having a problem with this code and getting it to work properly with my database, someone else coded it up and gave it out freely, but i need to make one change to it and also it isn't communicating with my database properly with one table ExtWareHouse. Thanks to anyone that can help. Edit: no error it just doesn't copy the warehouse table to extwarehouse, this is for a MMORPG game MuOnline. thanks brian for letting me know to put it here in 3rd party you can del the other post if you want.

 

My Alteration

<table align="center" width="450" border="0" class="text_little">
  <tr>
    <td align="center"><?php
echo "Still debugging. :smile:";
?></td>
  </tr>
</table>
<form id="form1" name="form1" method="post" action="">
<table align="center" width="450" border="0" cellspacing="0" cellpadding="0" style="visibility:collapse;">
  <tr>
    <td>
<table align="center" width="450" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td align="center" width="450" class="text_little">For security purposes please verify your account.</td>
  </tr>
  <tr>
    <td height="5px"></td>
  </tr>
</table>
<table align="center" width="135" border="0" cellspacing="0" cellpadding="0" class="text_little">
  <tr>
    <td class="text_little">Anti-Dupe System:</td>
    <td style="color:#00ff00;">Enabled</td>
    <td class="text_little">.</td>
  </tr>
</table>
<table align="center" width="150" border="0" class="text">
  <tr>
    <td align="left">Username</td>
  </tr>
    <td align="left"><div><input name="id" type="text"  class="field" size="20" /></div></td>
  </tr>
  <tr>
    <td align="left">Password</td>
  </tr>
    <td align="left"><div><input name="clave" type="password" class="field" size="20" /></div></td>
  </tr>
  <tr>
    <td align="left"><div><input name="Submit" type="submit" value="Change Vault" class="button" /></div></td>
  </tr>
</table>
<table align="center" width="450" border="0" class="text_little">
  <tr>
    <td align="center"><?php
$conection = mssql_connect("127.0.0.1","sa","28772877") or die("SQL connection fail, verify your connection config.");
mssql_select_db("MuOnline",$conection);
function anti_injection( $mensaje )
{
$banlist = array
("insert","select","drop","update","delete","distinct","having","truncate","replace",
"handler","like","procedure","limit","order by","group by","<",">","/","'"," ","=","*",",","-");
if ( eregi ( "[a-zA-Z0-9]+", $mensaje ) )
{
$mensaje = trim ( str_replace ( $banlist, '', strtolower ( $mensaje ) ) );
}
else
{
$mensaje = NULL;
}
return $mensaje;
}
if(trim($HTTP_POST_VARS["id"]) != "" && trim($HTTP_POST_VARS["clave"]) != "")
{
$sql = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."' and memb__pwd='".anti_injection($HTTP_POST_VARS["clave"])."'";
$result = mssql_query($sql);
if($row = mssql_fetch_array($result))
{
  $sqlexiste = "SELECT AccountID FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'";
  $resultexiste = mssql_query($sqlexiste);
  if($rowexiste = mssql_fetch_array($resultexiste))
  {
   $sqlchar = mssql_query("SELECT ConnectStat FROM MEMB_STAT WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."'");
   $rschar = mssql_fetch_array($sqlchar);
   if(($rschar['ConnectStat'])==0)
   {
    $sqlbaul = mssql_query("SELECT number FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'");
    $rsbaul = mssql_fetch_array($sqlbaul);
    if(($rsbaul['number'])==1)
    {
     /* If I want my original vault */
     /* Save 2nd vault in extwarehouse table */
     $sql ="update extwarehouse set items=(select items from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update extwarehouse set money=(select money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Update main vault to original content */
     $sql ="update warehouse set items=(select items from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update warehouse set money=(select money from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Set vault number */
     $sql ="update warehouse set number=0 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Clean main vault last data  */
     $sql ="delete charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
    }
    if(($rsbaul['number'])==0)
    {
     /* If I want 2nd vault */
     /* Save main vault data into charbaul table */
     $sql ="insert into charbaul(accountid, items, money)(select accountid, items, money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."')";
     mssql_query($sql);
     /* Update main vault to 2nd vault data */
     $sql ="update warehouse set items=(select items from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update warehouse set money=(select money from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Set vault number */
     $sql ="update warehouse set number=1 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
    }
    echo "Your vault was changed successfully to";
   if(($rsbaul['number'])==0) echo " Vault 2.";
   if(($rsbaul['number'])==1) echo " Vault 1.";
   }
   else
   {
    echo "You must be offline to do this. vault change did not proceed!";
   }
  }
  else
  {
   echo "You don't have extravault, Please contact your Administrator!";
  }
}
else
{
  echo "Invalid Username or Password!";
}
mssql_free_result($result);
}
else
{
echo "You must complete all fields to change vault.";
}
mssql_close();
?></td>
  </tr>
</table>
    </td>
  </tr>
</table>
</form>

Original Script

<?
$conection = mssql_connect("127.0.0.1","sa","28772877") or die("SQL connection fail, verify your connection config.");
mssql_select_db("MuOnline",$conection);
function anti_injection( $mensaje )
{
$banlist = array
("insert","select","drop","update","delete","distinct","having","truncate","replace",
"handler","like","procedure","limit","order by","group by","<",">","/","'"," ","=","*",",","-");
if ( eregi ( "[a-zA-Z0-9]+", $mensaje ) )
{
$mensaje = trim ( str_replace ( $banlist, '', strtolower ( $mensaje ) ) );
}
else
{
$mensaje = NULL;
}
return $mensaje;
}
if(trim($HTTP_POST_VARS["id"]) != "" && trim($HTTP_POST_VARS["clave"]) != "")
{
$sql = "SELECT memb___id FROM MEMB_INFO WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."' and memb__pwd='".anti_injection($HTTP_POST_VARS["clave"])."'";
$result = mssql_query($sql);
if($row = mssql_fetch_array($result))
{
  $sqlexiste = "SELECT AccountID FROM EXTWAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'";
  $resultexiste = mssql_query($sqlexiste);
  if($rowexiste = mssql_fetch_array($resultexiste))
  {
   $sqlchar = mssql_query("SELECT ConnectStat FROM MEMB_STAT WHERE memb___id='".anti_injection($HTTP_POST_VARS["id"])."'");
   $rschar = mssql_fetch_array($sqlchar);
   if(($rschar['ConnectStat'])==0)
   {
    $sqlbaul = mssql_query("SELECT number FROM WAREHOUSE WHERE AccountID='".anti_injection($HTTP_POST_VARS["id"])."'");
    $rsbaul = mssql_fetch_array($sqlbaul);
    if(($rsbaul['number'])==1)
    {
     /* If I want my original vault */
     /* Save 2nd vault in extwarehouse table */
     $sql ="update extwarehouse set items=(select items from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update extwarehouse set money=(select money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Update main vault to original content */
     $sql ="update warehouse set items=(select items from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update warehouse set money=(select money from charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Set vault number */
     $sql ="update warehouse set number=0 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Clean main vault last data  */
     $sql ="delete charbaul where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
    }
    if(($rsbaul['number'])==0)
    {
     /* If I want 2nd vault */
     /* Save main vault data into charbaul table */
     $sql ="insert into charbaul(accountid, items, money)(select accountid, items, money from warehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."')";
     mssql_query($sql);
     /* Update main vault to 2nd vault data */
     $sql ="update warehouse set items=(select items from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     $sql ="update warehouse set money=(select money from extwarehouse where accountid='".anti_injection($HTTP_POST_VARS["id"])."') where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
     /* Set vault number */
     $sql ="update warehouse set number=1 where accountid='".anti_injection($HTTP_POST_VARS["id"])."'";
     mssql_query($sql);
    }
    echo "-".anti_injection($HTTP_POST_VARS["id"])." vault changed successfully!";
   }
   else
   {
    echo "You must be offline, vault change did not proceed!";
   }
  }
  else
  {
   echo "You don't have extravault, contact your administrator!";
  }
}
else
{
  echo "Login fail!";
}
mssql_free_result($result);
}
else
{
echo "You must to complete all field to login!";
}
mssql_close();
?>

fallen00sniper Newbie

fallen00sniper

Posted
  • Author
Posted

so no one knows about php and mssql  ???

 

the combo box isn't important so i'm not looking for help with that as much as the script needing a little help since it doesn't communicate with my ExtWareHouse table as it should.

Archived

This topic is now archived and is closed to further replies.

Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.