View Full Version : Rename adoptables (Security issue fixed!)


kisazeky
04-01-2009, 01:15 AM
Update: I fixed the "hacking" security issue, I think.

Step 1:

Download rename.php and rename2.php and put them in your main folder.

Step 2:

Add this link <a href='rename.php?id=$id'>Rename ".$name."</a> to myadoptables.php. Here is an example:

Find this line with ctrl + f.

//Begin our content output...


Directly below it is

$article_content=$article_content."<p align='center'><b><u>".$name.":</u></b></p>
<p align='center'><img src='".$imageurl."' border='0'></p>
<b>Current level of ".$name.": ".$currentlevel."<br></b><b>Total clicks on ".$name.": ".$totalclicks."<br></b>
<b>Clicks needed until LevelUP ".$name.": ".$neededclicks."<br></b><br>
<a href='levelup.php?id=".$id."'>Click Here to LevelUP ".$name.".</a> (You can do this once per day)<br>
<a href='manage.php?id=".$id."&action=bbcode'>Click Here to get BBCODEs for ".$name.".</a> <br>
<a href='manage.php?id=".$id."&action=delete'>Click Here to Delete (Kill) ".$name.".</a> <br>
<a href='rename.php?id=$id'>Rename ".$name.".</a> <br>";


:)

Now the pages have been updated to display general messages.

Ashje
04-01-2009, 02:17 AM
iluvu =)

zhiichiro
04-01-2009, 04:26 AM
I now have it

gjac1
04-01-2009, 04:57 AM
wow, thanks again for a great mod kisazeky :) , but where exactly do I add "rename.php?id=$id" ??

Can you help us all out with the shop mod though please ?? no-one can get it working :(

rosepose
04-01-2009, 08:59 AM
OH MY GOSH. You are officially a genius ><

gjac1
04-01-2009, 09:06 AM
rosepose, if you got it working, can you tell me where you added the link "rename.php?id=$id" please ??

Rsmiley
04-01-2009, 02:35 PM
In rename.php

Some of you might wanna change this...


if($name == ""){
$article_title = "Oops";
$article_date = date('Y-m-d');
$article_content = "This Digimon does not exist.";
}
else if($owner != $username){
$article_title = "Oops";
$article_date = date('Y-m-d');
$article_content = "You do not own this Digimon!";
}


Some might wanna change digimon to adoptable or pet

kisazeky
04-01-2009, 03:10 PM
D'oh! Sorry. I changed it to display general messages.

gjac1
04-01-2009, 05:12 PM
The link you say to add doesn't work, you need to add it like this :

<a href='rename.php?id=".$id."&action=rename'>Click Here to rename ".$name.".</a> <br>

Killgore
04-01-2009, 05:15 PM
You sir, are a genius!

EDIT: It works fine on my site, just the way it is, So maybe you didn't have something right in your script page?

Seapyramid
04-01-2009, 11:11 PM
*****CAUTION********
I used this today.. worked great.. went out, .. came home.., GREY SCREEN!! I call my host for that site & asked.. they found a hack entry from the script!! They fixed the issue on ALL pages & emailed me some info on protection. I will read the email in the morning & give for info. But there is a security issue in the mod.

Sea

Rsmiley
04-02-2009, 10:00 AM
It doesn't filter for SQL injections I bet...

kisazeky
04-02-2009, 01:29 PM
I included this


$id = $_POST["id"];
$id = preg_replace("/[^a-zA-Z0-9s]/", "", $id);
$newname = $_POST["newname"];
$newname = preg_replace("/[^a-zA-Z0-9\\040.]/", "", $newname);


What do I need to include to filter these injections, Rsmiley?

Edit: Maybe this will protect it?

Adding this to functions.php:


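function cleanQuery($string)
{
    // Undo magic_quotes_gpc first so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    // version_compare() compares version numbers; ">=" on two strings compares them as text
    if (version_compare(phpversion(), '4.3.0', '>=')) {
        // mysql_real_escape_string() needs an open MySQL connection
        $string = mysql_real_escape_string($string);
    } else {
        $string = mysql_escape_string($string);
    }
    return $string;
}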


Then adding this line in rename2.php:


if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);



What do you think Rsmiley?

It certainly does not hurt anything.

Rsmiley
04-02-2009, 08:34 PM
It should be quite secure. I doubt it would be exploitable after that has been added.

You are safe with that added

Ashje
04-03-2009, 03:58 AM
EDIT: I'm assuming that
if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);
goes here: $newname = $_POST["newname"]; but I get this error: "
PHP Error Message

Parse error: syntax error, unexpected T_IF in /home/---------/public_html/rename2.php on line 78

Free Web Hosting"

kisazeky
04-03-2009, 02:11 PM
No, don't do that.

Add


if (isset($_POST['newname'])) $newname = cleanQuery($_POST['newname']);


below


$newname = $_POST["newname"];


Edit: Wait a minute, I just realized. Rusnak had the post data things before the connect to database script. That makes sense, hijackers can't input manipulative data if they don't have access to the database yet.

Ashje
04-03-2009, 04:30 PM
^
All done, thanks =)

Seapyramid
04-03-2009, 07:05 PM
Cool :) Thanks for the fix
:)
Sea

***EDIT***
**FYI**
This is an edit just because I do tend to hear things. I have just heard a rumor that Soleria stole code, just because they used this script without changing the Digimon reference. I corrected the person before they took this rumor further, but that is how easy rumors can start in this field. So please make sure you offer generic scripts & those using the scripts make sure you check them for issues like this.

Sea

kisazeky
04-04-2009, 04:39 PM
Yes I did change this to be more generic.

Seapyramid
04-04-2009, 09:42 PM
I'm sorry Kisazeky, when I said "you" I really didn't mean YOU. I know you had made the change to be more generic. :) I was just meaning "you" in general to anyone who might offer a script or design so that some unsuspecting site didn't get in trouble for something they didn't do. :)

Sea

Pavic
04-10-2009, 02:32 PM
Nice, but...
...when the box with the name is blank...
...and accepted an empty name...
...Pet will have a bug. You will not be able to see his card.
My proposal:
When the box is left blank, the name will not change.
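
Added example, not part of any post in this thread and not the mod's own code: one way to write the rename step that covers both the escaping discussion above and Pavic's blank-name report, using a PDO prepared statement instead of an escaping function. The function name renameAdoptable, the table and column names (owned_adoptables, aid, owner, name) and the 40-character limit are assumptions; names outside the thread's letters/digits/space/dot whitelist are rejected here rather than stripped.

```php
<?php
// Added example: hypothetical schema and names, not the mod's real rename2.php.
// Returns 'renamed', 'unchanged' (blank or invalid name) or 'denied'.
function renameAdoptable(PDO $db, string $username, $id, $newname): string
{
    // The id must be a plain string of digits; reject anything else outright.
    if (!is_string($id) || !ctype_digit($id)) {
        return 'denied';
    }
    // Pavic's proposal: a blank name leaves the current name untouched.
    $newname = is_string($newname) ? trim($newname) : '';
    if ($newname === '' || !preg_match('/^[A-Za-z0-9 .]{1,40}$/', $newname)) {
        return 'unchanged';
    }
    // Placeholders keep the values out of the SQL text, so no escaping step
    // is needed. The owner check is part of the WHERE clause, so a user can
    // only rename a row that belongs to them.
    $stmt = $db->prepare('UPDATE owned_adoptables SET name = ? WHERE aid = ? AND owner = ?');
    $stmt->execute([$newname, (int)$id, $username]);
    // Note: on MySQL rowCount() is 0 when the new name equals the old one.
    return $stmt->rowCount() === 1 ? 'renamed' : 'denied';
}

// Demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE owned_adoptables (aid INTEGER PRIMARY KEY, owner TEXT, name TEXT)');
$db->exec("INSERT INTO owned_adoptables VALUES (1, 'alice', 'Spot'), (2, 'bob', 'Rex')");

$cases = [ // constructed inputs
    ['alice', '1', 'Fluffy'],    // owner renames own pet
    ['alice', '2', 'Mine now'],  // pet owned by someone else
    ['alice', '1', ''],          // blank box
    ['alice', '1', "O'Malley"],  // quote character is outside the whitelist
    ['alice', '1abc', 'Fluffy'], // non-numeric id
];
foreach ($cases as [$user, $id, $name]) {
    printf("%-6s id=%-5s name=%-9s => %s\n", $user, $id, $name, renameAdoptable($db, $user, $id, $name));
}
foreach ($db->query('SELECT aid, owner, name FROM owned_adoptables') as $row) {
    echo "{$row['aid']} {$row['owner']} {$row['name']}\n";
}
```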

Blackmagic
07-02-2009, 06:34 AM
great idea ... thanks

alfieflor
08-25-2009, 09:07 PM
It as well works accomplished and no problems or errors were found. Thanks.


LaniValdez10
10-15-2009, 01:14 AM
You are greatly a genius! By the way, thanks for sharing those steps. I know that you will do more post having an informative message. I am looking forward to it. Thanks a lot!
