[RELEASE] Vote 4 AP Script ( 4 Sites )

[Sh1nra]

Hey,

I change something in the released script from Zeus, you only can use 1 voting site and you need to fix something for get this script working.


I done some changes and here is it.

1. Open config.php and change mssql db_user and db_pass

2. Open vote.php and change vote sites ( line : 36 - 42 )

3. Execute script.sql

4. Done

The script insert all processes in the table user_votes

Code:

select * from PS_UserData.dbo.user_votes

If you have some questions feel free to ask.

Best Regards.

[Coolie_85]

It´s an Sql Injection in it. -.-

[Sh1nra]

where is the sql injection?
i add for every $_POST ,htmlentities and i use magic quotes so what sh*t are you saying?

Wait, the best:

[Coolie_85]

The best is: I´ve download this!!!!!!!!!!!!!!!

Look

[Sh1nra]

Hmm wayne, where is the sql injection?

[abrasive]

It looks like you meant to try to sanitize user input with this code at some point?

Code:

		function clean($str){
			return is_array($str) ? array_map('clean', $str) : str_replace("\\", "\\\\", htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES));
		}

There are a few problems with this:
1. get_magic_quotes_gpc() only matters for a MySQL database.
2. The escape character for MSSQL is an apostrophe, not a backslash.
3. Escaping input in fashions such as this is obsolete since the existence of bound queries.
4. Finally this function is never even called, so in a sense it is no relevant.

All of the queries in this script have variables directly concatenated with the query itself, which is how users can do SQL injection.

[Sh1nra]

Quote:

Originally Posted by abrasive

It looks like you meant to try to sanitize user input with this code at some point?

Code:

		function clean($str){
			return is_array($str) ? array_map('clean', $str) : str_replace("\\", "\\\\", htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES));
		}

There are a few problems with this:
1. get_magic_quotes_gpc() only matters for a MySQL database.
2. The escape character for MSSQL is an apostrophe, not a backslash.
3. Escaping input in fashions such as this is obsolete since the existence of bound queries.
4. Finally this function is never even called, so in a sense it is no relevant.

All of the queries in this script have variables directly concatenated with the query itself, which is how users can do SQL injection.

I don't change this, it was in the script before

[JohnHeatz]

Quote:

Originally Posted by Sh1nra

I don't change this, it was in the script before

The fact that "it was there" doesn't excuse the fact that it is incorrect and not even being used on the script

[Sh1nra]

I will try to fix this lol

[JujiPoli]

Fatal error: Call to undefined function mssql_connect() in C:\xampp\htdocs\vote\vote.php on line 27 Hello, someone know how to fix this error?

[[ADM]SpyRow]

Quote:

Originally Posted by JujiPoli

Fatal error: Call to undefined function mssql_connect() in C:\xampp\htdocs\vote\vote.php on line 27 Hello, someone know how to fix this error?

Why you want to add something that is not well done made?
With this script your players are going to get tooooons of DP and you wont know from where

Wait for better version.

[accuface35]

have anyone a better version?

[H.A.Z.E]

Quote:

Originally Posted by accuface35

have anyone a better version?

The Thread is 5 Months old...
#colserequest