[AAC] Oceanic CMS
- Thread starter Oceanic
- Start date
OP
OP
Oceanic
Php / C++ / MySQL
Im addiding deaths, item auctions, new layout, improving guild code, reduciding image lag.
OP
OP
Oceanic
Php / C++ / MySQL
Updated all code, so here comes a Lite version of the new CMS.
The full version come on Friday.
Post what you think about it, and what you want me to change.
Add in to SQL
The full version come on Friday.
Post what you think about it, and what you want me to change.
Add in to SQL
PHP:
CREATE TABLE `xcms_char_text` (
`char_id` int(11) NOT NULL,
`text` longtext,
PRIMARY KEY (`char_id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
Last edited:
Is it anything "special" with this, that wants us to use this instead of Gesior's CIP page, or AFS-CMS's version?
Afraid I think you got pretty heavy competition
6 days and 1 view.
Afraid I think you got pretty heavy competition
6 days and 1 view.
OP
OP
Oceanic
Php / C++ / MySQL
Is it anything "special" with this, that wants us to use this instead of Gesior's CIP page, or AFS-CMS's version?
Afraid I think you got pretty heavy competition
Yeah im still working on it, have mutch to do on work
Rickolajten
Member
- Joined
- Jul 21, 2008
- Messages
- 175
- Reaction score
- 16
How about it's safe?
It's harder to SQL-inject it than AFS-CSM and geisors, wich is easy to sql-inject.
It's harder to SQL-inject it than AFS-CSM and geisors, wich is easy to sql-inject.
- Joined
- May 27, 2007
- Messages
- 6,390
- Solutions
- 21
- Reaction score
- 1,472
Found some bugs in this one.
Here you can just tamper the author data and spoof that you are another player in comments, make sure the "author" is on the posters account:
There's probably many other bugs, I just looked thru it quickly. There's also alot of optimizations and cleanups you could do to this CMS, everything in one file is not really good organizing and it makes it all into a mess.
Code:
//Male druid
else if($_POST["sex"] == 1 && $vocation == 2){
mysql_query("INSERT INTO players (name,account_id,level,vocation,health,healthmax,experience,lookbody,lookfeet,lookhead,looklegs,looktype,lookaddons,maglevel,mana,manamax,soul,town_id,posx,posy,posz,cap,sex)
VALUES(,'$char_name','$account_id','$level','$vocation',[B]'$health_knight','$health_knight'[/B],'$experience','$look_body','$look_feet','$look_head','$look_legs','128','$look_addons',[B]'$maglevel_knight','$mana_knight','$mana_knight'[/B],'$soul','$town_id','$posx','$posy','$posz','$cap','1')")
or die(mysql_error());
}
//Male Paladin
else if($_POST["sex"] == 1 && $vocation == 3){
mysql_query("INSERT INTO players (name,account_id,level,vocation,health,healthmax,experience,lookbody,lookfeet,lookhead,looklegs,looktype,lookaddons,maglevel,mana,manamax,soul,town_id,posx,posy,posz,cap,sex)
VALUES('$char_name','$account_id','$level','$vocation',[B]'$health_knight','$health_knight'[/B],'$experience','$look_body','$look_feet','$look_head','$look_legs','128','$look_addons',[B]'$maglevel_knight','$mana_knight','$mana_knight'[/B],'$soul','$town_id','$posx','$posy','$posz','$cap','1')")
or die(mysql_error());
}
Code:
//Female druid
else if($_POST["sex"] == 0 && $vocation == 2){
mysql_query("INSERT INTO players (name,account_id,level,vocation,health,healthmax,experience,lookbody,lookfeet,lookhead,looklegs,looktype,lookaddons,maglevel,mana,manamax,soul,town_id,posx,posy,posz,cap,sex)
VALUES('$char_name','$account_id','$level','$vocation',[B]'$health_knight','$health_knight'[/B],'$experience','$look_body','$look_feet','$look_head','$look_legs','138','$look_addons',[B]'$maglevel_knight','$mana_knight','$mana_knight'[/B],'$soul','$town_id','$posx','$posy','$posz','$cap','0')")
or die(mysql_error());
}
//Frmale Paladin
else if($_POST["sex"] == 0 && $vocation == 3){
mysql_query("INSERT INTO players (name,account_id,level,vocation,health,healthmax,experience,lookbody,lookfeet,lookhead,looklegs,looktype,lookaddons,maglevel,mana,manamax,soul,town_id,posx,posy,posz,cap,sex)
VALUES('$char_name','$account_id','$level','$vocation',[B]'$health_knight','$health_knight'[/B],'$experience','$look_body','$look_feet','$look_head','$look_legs','138','$look_addons',[B]'$maglevel_knight','$mana_knight','$mana_knight'[/B],'$soul','$town_id','$posx','$posy','$posz','$cap','0')")
or die(mysql_error());
}Here you can just tamper the author data and spoof that you are another player in comments, make sure the "author" is on the posters account:
Code:
if(isset($_POST["title"]) && !empty($_POST["title"]) && isset($_POST["text"]) && !empty($_POST["text"]) && isset($_POST["author"]) && !empty($_POST["author"]) && $_SESSION["admin"] == true){
$title = mysql_real_escape_string($_POST["title"]);
$text = mysql_real_escape_string($_POST["text"]);
$author = mysql_real_escape_string($_POST["author"]);
mysql_query("SELECT * FROM `oceanic_cms_text`");
mysql_query("INSERT INTO oceanic_cms_text (title,text,author)
VALUES('$title','$text','$author')")
or die(mysql_error());
header('Location: ?link=news');
}There's probably many other bugs, I just looked thru it quickly. There's also alot of optimizations and cleanups you could do to this CMS, everything in one file is not really good organizing and it makes it all into a mess.
OP
OP
Oceanic
Php / C++ / MySQL
Im not updating this CMS any more, working on a completly new one.
You can try and see the progress at http://kammarfelt.eu/Tibia/
You can try and see the progress at http://kammarfelt.eu/Tibia/
