
TIBIACOM acc. maker by Gesior for TFS!

Currently the acc. maker doesn't send e-mails (it only shows "e-mail sent").
You can't set a custom acc. number. Maybe I'll add it.
News/access rights will work fine in version 1.4.
Currently:
-spells + admin panel for spells [100% ready]
-news + admin panel for news [100% ready]
-creatures [30% ready - load monsters from OTS data and save in database (mysql/sqlite)]

------------------------------------------
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [14] unable to open database file' in C:\Archivos de programa\xampp\htdocs\pot\OTS_DB_SQLite.php:54 Stack trace: #0 C:\Archivos de programa\xampp\htdocs\pot\OTS_DB_SQLite.php(54): PDO->__construct('sqlite:C:\Docum...') #1 C:\Archivos de programa\xampp\htdocs\pot\OTS.php(453): OTS_DB_SQLite->__construct(Array) #2 C:\Archivos de programa\xampp\htdocs\install.php(18): POT->connect(2, Array) #3 {main} thrown in C:\Archivos de programa\xampp\htdocs\pot\OTS_DB_SQLite.php on line 54

:eek:....
What is the error?
ADDED TO FAQ!
4. When I open "install.php" or the main page I see (mysql):
Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'ODBC'@'localhost' (using password: NO)' in C:\xampp165\htdocs\pot\OTS_DB_MySQL.php:96 Stack trace: #0 C:\xampp165\htdocs\pot\OTS_DB_MySQL.php(96): PDO->__construct('mysql:', NULL, NULL) #1 C:\xampp165\htdocs\pot\OTS.php(448): OTS_DB_MySQL->__construct(Array) #2 C:\xampp165\htdocs\config-and-functions.php(32): POT->connect(1, Array) #3 C:\xampp165\htdocs\index.php(5): include('C:\xampp165\htd...') #4 {main} thrown in C:\xampp165\htdocs\pot\OTS_DB_MySQL.php on line 96
OR (if you try to use SQLite):
Code:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [14] unable to open database file' in C:\xampp165\htdocs\pot\OTS_DB_SQLite.php:54 Stack trace: #0 C:\xampp165\htdocs\pot\OTS_DB_SQLite.php(54): PDO->__construct('sqlite:C:\Docum...') #1 C:\xampp165\htdocs\pot\OTS.php(453): OTS_DB_SQLite->__construct(Array) #2 C:\xampp165\htdocs\config-and-functions.php(38): POT->connect(2, Array) #3 C:\xampp165\htdocs\index.php(5): include('C:\xampp165\htd...') #4 {main} thrown in C:\xampp165\htdocs\pot\OTS_DB_SQLite.php on line 54
You use an old version of TFS. The acc. maker works fine with 0.2.6 and newer versions.
Copy these lines and paste them somewhere in "config.lua":
Code:
	-- MySQL
	mysqlHost = "localhost"
	mysqlUser = "root"
	mysqlPass = ""
	mysqlDatabase = "otserv"
	mysqlPort = 3306
	-- SqLite
	sqliteDatabase = "forgottenserver.s3db"

	-- SQL
	sqlType = "mysql"
	passwordType = "plain"
Now set the correct mysqlHost, mysqlUser, mysqlPass, mysqlDatabase, sqliteDatabase and sqlType to access the database. The OTS and the page should work fine :)
In version 0.1.4 the script will check the OTS config version and read the information needed to connect to the database.

@Pietia - down
Read the text /\ to fix it or wait for version 0.1.4 :)

-----------------------------------------------------------
//modified HTML code works in "news" (only with MySQL :( ); HTML DOESN'T work in "tickers" - you can give Tutors access to "tickers" and they can't SQL inject.
 
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'ODBC'@'localhost' (using password: NO)' in C:\xampp\htdocs\pot\OTS_DB_MySQL.php:96 Stack trace: #0 C:\xampp\htdocs\pot\OTS_DB_MySQL.php(96): PDO->__construct('mysql:', NULL, NULL) #1 C:\xampp\htdocs\pot\OTS.php(448): OTS_DB_MySQL->__construct(Array) #2 C:\xampp\htdocs\install.php(12): POT->connect(1, Array) #3 {main} thrown in C:\xampp\htdocs\pot\OTS_DB_MySQL.php on line 96

Help Please

What version of TFS do you use?
 
//added Monsters + admin panel for monsters [100% ready]
//added admin panel options to configure site
//modified acc. maker works fine with old versions of TFS (like 0.2.4)
//modified much easier installation
@down
99% of users don't care about code.. Does it work fine? Is it safe? Easy and fast config? (Today I installed and configured my acc. maker in 2 minutes.) Enough. Each new script is better than the last. I'm learning PHP :>
 
//added "load vocations" in admin panel - it loads vocations from "vocations.xml", saves them in the server config, and shows a table where you can select vocations for the 'create character' form and set the names of the characters to copy when someone creates a character with the selected vocation.
 
@Gesior.pl

Try to fix the vulnerabilities that the website has, such as XSS (Cross Site Scripting) and SQL Injection, as you yourself said...

As you update the website, post it for us.


---------- EDIT ----------

Website: http://warots-pl.hopto.org/index.php?subtopic=houses

Error:
Parse error: syntax error, unexpected T_CONSTANT_ENCAPSED_STRING in C:\xampp165\htdocs\houses.php on line 27

Check it!
 
I store some data in houses.php, but it's not PHP/HTML code..
I think the acc. maker is safe from SQL injections (only ADMIN can try SQL injection, but why would someone with the highest admin rights try to hack the server? :p ).
I'll post the new version when the admin panel and fast installation are ready (version 1.4).
 
@Gesior.pl

But if you ever have any discussion and a staff member is set on destroying the server, he will be able to.

Therefore, it is better to prevent....
 
Oh, I found a bug: you need to add sword to the highscores.
 
I'm writing new scripts slowly because I check everything 10 times. The only data the script doesn't check is data posted by the admin. If the admin tries to "hack" the server or clicks links from a hacker, I can't help him.. The scripts only verify data so that he can't destroy the database or crash the acc. maker when he uses the "normal" functions of the acc. maker. He can also delete the database or shut down the PC without my acc. maker..
If you can report where any XSS attack is possible, post it in this thread. I don't understand how an XSS attack works and where the 24 bugs in my index.php code are..
Oh, I found a bug: you need to add sword to the highscores.
Thanks for the report. Fixed.
 
First of all: Credits 100% Acunetix

What is Cross site Scripting?
Hackers are constantly experimenting with a wide repertoire of hacking techniques to compromise websites and web applications and make off with a treasure trove of sensitive data including credit card numbers, social security numbers and even medical records.

Cross Site Scripting (also known as XSS or CSS) is generally believed to be one of the most common application layer hacking techniques.



In general, cross-site scripting refers to that hacking technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.

Today, websites rely heavily on complex web applications to deliver different output or content to a wide variety of users according to set preferences and specific needs. This arms organizations with the ability to provide better value to their customers and prospects. However, dynamic websites suffer from serious vulnerabilities rendering organizations helpless and prone to cross site scripting attacks on their data.

"A web page contains both text and HTML markup that is generated by the server and interpreted by the client browser. Web sites that generate only static pages are able to have full control over how the browser interprets these pages. Web sites that generate dynamic pages do not have complete control over how their outputs are interpreted by the client. The heart of the issue is that if mistrusted content can be introduced into a dynamic page, neither the web site nor the client has enough information to recognize that this has happened and take protective actions." (CERT Coordination Center).

Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data. The use of XSS might compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems. The data is usually formatted as a hyperlink containing malicious content and which is distributed over any possible means on the internet.

As a hacking tool, the attacker can formulate and distribute a custom-crafted CSS URL just by using a browser to test the dynamic website response. The attacker also needs to know some HTML, JavaScript and a dynamic language, to produce a URL which is not too suspicious-looking, in order to attack a XSS vulnerable website.

Any web page which passes parameters to a database can be vulnerable to this hacking technique. Usually these are present in Login forms, Forgot Password forms, etc…

N.B. Often people refer to Cross Site Scripting as CSS or XSS, which can be confused with Cascading Style Sheets (CSS).

Is your site vulnerable to Cross Site Scripting?
Our experience leads us to conclude that the cross-site scripting vulnerability is one of the most widespread flaws on the Internet and will occur anywhere a web application uses input from a user in the output it generates without validating it. Our own research shows that over a third of the organizations applying for our free audit service are vulnerable to Cross Site Scripting. And the trend is upward.

Example of a Cross Site Scripting attack
As a simple example, imagine a search engine site which is open to an XSS attack. The query screen of the search engine is a simple single-field form with a submit button. The results page displays both the matched results and the text you are looking for.

Example:
Search Results for "XSS Vulnerability"

To be able to bookmark pages, search engines generally leave the entered variables in the URL address. In this case the URL would look like:

http://test.searchengine.com/search.php?q=XSS%20Vulnerability

Next we try to send the following query to the search engine:

<script type="text/javascript"> alert('This is an XSS Vulnerability') </script>

By submitting the query to search.php, it is encoded and the resulting URL would be something like:

http://test.searchengine.com/search.php?q=<script%3Ealert%28%91This%20is%20an%20XSS%20Vulnerability%92%29%3C%2Fscript%3E

Upon loading the results page, the test search engine would probably display no results for the search but it will display a JavaScript alert which was injected into the page by using the XSS vulnerability.

Preventing Cross Site Scripting attacks
To prevent these attacks, dangerous characters must be filtered out from the web application inputs. These should be filtered out both in their ASCII and HEX values.

---------- EDIT ----------

@Gesior.pl

I have Acunetix 4.0 cracked; this version checks for SQL INJECTION, CROSS SITE SCRIPTING, RCI (PHP Injection)

Download Acunetix 4.0 cracked: http://rapidshare.com/files/331155/...canner.v4.0.Consultant.Edition.WinALL-TBE.rar
 
Gesior, I found a bug... Forgotten now uses "passwordType" instead of "useMD5Passwords"... and the types are: plain, md5, sha1
In your config-and-functions.php at this part:
Code:
if($server_config['useMD5Passwords'] == "yes") {
    $md5passwords = TRUE;
}
replace with:
Code:
$passwordType = strtolower($server_config['passwordType']); // Added this because some people put PLAIN, MD5 or SHA1 in uppercase in the config.
if($passwordType == "md5") {
    $md5passwords = TRUE;
}
I think you understand =]
 
Thanks for the report. Now it is:
PHP:
if(strtolower($server_config['useMD5Passwords']) == 'yes' || strtolower($server_config['passwordType']) == 'md5') {
	$md5passwords = TRUE;
}
It works with the old and the new config.
Can you send me a working Tibia homepage?
Account maker is not ready yet.
EDIT:
//added custom account number - you can set it in the admin panel.. "custom" (1-8 chars from user) or "random" (6-8 random chars [100000-99999999])
//added button "Check" in Create Account - it checks "is number" and "is number in database" and shows "Select other account number." or "It's good account number."
Now I only have to add all options (load towns, load vocations) to the admin panel and I'll post version 0.1.4
//added load/reload vocations - it loads vocations from vocations.xml, lets you select which vocations will be available in 'create character' and which characters will be copied when someone selects a vocation.
 
I'll try to post the 0.1.4 version now. What will you change? :)
Tell me, maybe I'll add these modifications to my version as an option.
 
@Gesior.pl

Omg, the best "real tibia based" AAC I've ever seen!

It would be good if you added a "Power Gamers" statistics page that shows the players who earned the most experience.
 
"Power Gamers" needs a special LUA or CRON script. After version 0.3 I'll make special LUA scripts for my acc. maker with the functions "play time" counter, "kick player" (button in admin panel), "broadcast message" and maybe "power gamers".
Version 0.1.4 is ready!
Last update(0.1.3A >> 0.1.4):
-added "Spells" (list with info, you can sort and select spells for only one vocation)
-added "Creatures" (Monsters - list and page for each monster)
-added "Admin Panel" - now here is configuration, you don't have to modify any file
-added "Install" page, fast and easy installation (~1 min)
-added "Custom" OR "Random" account number (select in admin panel)
-modified now works fine with old and new TFS
-modified if you use a MySQL database, HTML code will work in "News"
------------------------
Now time for "guilds" :)
 
I have problem in creatures:

Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\creatures.php on line 65

And spells:

Warning: Invalid argument supplied for foreach() in C:\xampp\htdocs\spells.php on line 52
 
Did you load "spells" and "monsters" in the "admin panel" without errors? If not, first you have to log in to your admin account (you select the admin account number when you install the acc. maker) and on the right side of the screen you will see "admin panel"; open the "admin panel" site and select "reload monsters" and "reload spells". If it shows any errors, post them in this thread.
---------------------------------------------------
//added guilds list :)
Why should you use POT? Here is the code of the "guild list" with tibia.com table style.
PHP:
$guilds_list = $ots->createObject('Guilds_List');
$main_content .= '<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=4 WIDTH=100%>
<TR BGCOLOR=#'.$config_ini['vdarkborder'].'><TD COLSPAN=3 CLASS=white><B>Active Guilds on '.$server_config['serverName'].'</B></TD></TR>
<TR BGCOLOR=#'.$config_ini['darkborder'].'><TD WIDTH=64><B>Logo</B></TD>
<TD WIDTH=100%><B>Description</B></TD>
<TD WIDTH=56><B> </B></TD></TR>';
$showed_guilds = 1;
foreach($guilds_list as $guild) {
    // alternate the row background colour
    if(is_int($showed_guilds / 2)) {
        $bgcolor = $config_ini['darkborder'];
    } else {
        $bgcolor = $config_ini['lightborder'];
    }
    $showed_guilds++;
    $main_content .= '<TR BGCOLOR=#'.$bgcolor.'><TD><IMG SRC="images/guildlogos/'.$guild->getCustomField('logo_gfx_name').'" WIDTH=64 HEIGHT=64></TD>
<TD><B>'.$guild->getName().'</B><BR/>'.$guild->getCustomField('description').'</TD>
<TD><TABLE BORDER=0 CELLSPACING=0 CELLPADDING=0><FORM ACTION="index.php?subtopic=guilds&action=show&guild='.$guild->getName().'" METHOD=post><TR><TD>
<INPUT TYPE=image NAME="View" ALT="View" SRC="images/buttons/sbutton_view.gif" BORDER=0 WIDTH=120 HEIGHT=18>
</TD></TR></FORM></TABLE>
</TD></TR>';
}
$main_content .= '</TABLE><br><br>';
Short? :)
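The guild list above prints the guild name and description straight from the database into the page, which is exactly the "unvalidated input in the output" situation the Cross Site Scripting write-up earlier in this thread describes. The following is an added example, not Gesior's or POT's code: the same row rebuilt so every database value is escaped on output. It assumes only the accessors shown in the post ($guild->getName(), $guild->getCustomField()); the SampleGuild class is a constructed stand-in for a POT guild object.

```php
<?php
// Added example: the guild-list row with output escaping.

function h($value) {
    // ENT_QUOTES also escapes single quotes, so the result is safe inside
    // single- and double-quoted attributes as well as in element text.
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

function guild_row($guild, $bgcolor) {
    // basename() keeps only the file name, so a stored logo name cannot
    // point outside images/guildlogos/.
    $logo = basename((string)$guild->getCustomField('logo_gfx_name'));
    // The guild name goes into a query string, so it is URL-encoded first;
    // the whole URL is then HTML-escaped because it sits in an attribute.
    $link = 'index.php?subtopic=guilds&action=show&guild='
          . urlencode($guild->getName());
    return '<TR BGCOLOR=#' . h($bgcolor) . '>'
         . '<TD><IMG SRC="images/guildlogos/' . h($logo) . '" WIDTH=64 HEIGHT=64></TD>'
         . '<TD><B>' . h($guild->getName()) . '</B><BR/>'
         . h($guild->getCustomField('description')) . '</TD>'
         . '<TD><FORM ACTION="' . h($link) . '" METHOD=post>'
         . '<INPUT TYPE=image NAME="View" ALT="View" SRC="images/buttons/sbutton_view.gif" BORDER=0 WIDTH=120 HEIGHT=18>'
         . '</FORM></TD></TR>';
}

// Constructed stand-in for a POT guild object (not part of POT). The
// description carries the same <script> test string as the thread's
// XSS example, so the effect of the escaping is visible in the output.
class SampleGuild {
    private $fields;
    public function __construct(array $fields) { $this->fields = $fields; }
    public function getName() { return $this->fields['name']; }
    public function getCustomField($name) { return $this->fields[$name]; }
}

$guild = new SampleGuild([
    'name'          => 'Red "Dragons" & Co',
    'description'   => '<script>alert(1)</script>',
    'logo_gfx_name' => '../logo.gif',
]);
echo guild_row($guild, '505050'), "\n";
```

With the escaping in place the description is rendered as literal text rather than parsed as a script tag, the quotes in the name cannot break out of the attribute they are placed in, and the logo path is reduced to a plain file name.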
 