TalkAction Message system in Website!

[EmmaA]

fucking shit scripts!

 

[Master-m]

I see at step 4 that it is for gesiorAAC?

why are u using this way then?:

mysql_connect("localhost", "YourNickToDatebase", "PASS");
mysql_select_db("DATEBASE");

 

[Technic]

good one

 

[EmmaA]

Master !?
I was just so I can / Sorry for my bad english ;D

 

[Sync]

EmmaA, In all your threads you use Quote Tags use code tags dude! But besides that very nice script =P

 

[HeberPcL]

Nice

=p

 

[5mok3]

cant get it to work

 

[Saj]

Great one! Good job I will use it

 

[Aleh]

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42S02]: Base table or view not found: 1146 Table 'stary.messages' doesn't exist' in /var/www/message.php:26 Stack trace: #0 /var/www/message.php(26): PDO->query('SELECT * FROM `...') #1 /var/www/index.php(94): include('/var/www/messag...') #2 {main} thrown in /var/www/message.php on line 26

You do not have time to add something to the database?

 

[vDk]

you need "message" table with `id` `name` `text` in your database ;d

 

[Ecstacy]

Could someone please post the query I have to add in my database?

 

[Azi]

very big security holes!!!

 

[Saj]

) Good idea man. ; )

Lol you said you can hack the site due to this, hahahah what the..? XD

 

[EvulMastah]

Lol you said you can hack the site due to this, hahahah what the..? XD

And he is right with what he said, this doesnt have even SINGLE function that would protect your database. You can write everything as a param. (Just an example: <script>alert("l0al")</script>)

Check now: http://loriaot.net/index.php?subtopic=message

Just to prove that I dont lie, you can input everything. x)

 

[Saj]

And he is right with what he said, this doesnt have even SINGLE function that would protect your database. You can write everything as a param. (Just an example: <script>alert("l0al")</script>)

Check now: LoriaOT - Message players

Just to prove that I dont lie, you can input everything. x)

Why bother to post it then, I don't want to get hacked..

 

[Azi]

Im testing on loria : )i can have 100000 lvll

 

[EvulMastah]

Why bother to post it then, I don't want to get hacked..

Lol. If I wouldnt post it then you could get hacked, now that you are aware of the security leaks, dont use it.

 

[Azi]

very danger holes, don't use it if you dont need to lost your otserver, i'm warned loria administration!

 

[Saj]

Lol. If I wouldnt post it then you could get hacked, now that you are aware of the security leaks, dont use it.

I won't.

 

[Azi]

If you wanna to make it safe:

db.executeQuery("INSERT INTO `messages` (`id`, `name`, `text`) VALUES (NULL, '".. playerName .."', '".. message .."')")

replace with:

db.executeQuery("INSERT INTO `messages` (`id`, `name`, `text`) VALUES (NULL, '".. db.escapeString(playerName) .."', '".. db.escapeString(message) .."')")

and

<td align=\"center\">".$msg['name']."</td>
<td align=\"center\">".$msg['text']."</td>
<td align=\"center\">".$msg['id']."</td>

replace with:

<td align=\"center\">".htmlspecialchars($msg['name'])."</td>
<td align=\"center\">".htmlspecialchars($msg['text'])."</td>
<td align=\"center\">".htmlspecialchars($msg['id'])."</td>

and it's safe!

if i helped you - rep me!