[RELEASE] Vote 4 AP Script ( 4 Sites )

03/07/2013 19:07 Sh1nra#1
Hey,

I changed something in the released script from Zeus: in it you can only use 1 voting site, and you need to fix something to get the script working.

I made some changes and here it is. :o

1. Open config.php and change the MSSQL db_user and db_pass

2. Open vote.php and change the vote sites (lines 36 - 42)

3. Execute script.sql

4. Done

The script inserts all processes into the table user_votes
Code:
select * from PS_UserData.dbo.user_votes

If you have some questions feel free to ask.

Best Regards.
03/07/2013 19:26 Coolie_85#2
There's an SQL injection in it. -.-
03/07/2013 19:36 Sh1nra#3
where is the sql injection?
I add htmlentities for every $_POST and I use magic quotes, so what sh*t are you saying?

Wait, the best:
03/07/2013 19:49 Coolie_85#4
The best is: I've downloaded this!!!!!!!!!!!!!!!

Look
03/07/2013 20:08 Sh1nra#5
Hmm wayne, where is the SQL injection?
03/07/2013 23:01 abrasive#6
It looks like you meant to try to sanitize user input with this code at some point?
Code:
function clean($str){
    return is_array($str) ? array_map('clean', $str) : str_replace("\\", "\\\\", htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES));
}
There are a few problems with this:
1. get_magic_quotes_gpc() only matters for a MySQL database.
2. The escape character for MSSQL is an apostrophe, not a backslash.
3. Escaping input in fashions such as this is obsolete since the existence of bound queries.
4. Finally, this function is never even called, so in a sense it is not relevant.

All of the queries in this script have variables directly concatenated with the query itself, which is how users can do SQL injection.
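The concatenation problem abrasive describes and the bound-query fix, as an added example in PHP (not the released script's own code); the user_votes column names, the config.php keys, the POST field name and the pdo_sqlsrv DSN are assumptions:

```php
<?php
// Added example, not the released script's code. Shows the concatenated
// query pattern abrasive describes beside a bound-parameter rewrite on
// PDO's sqlsrv driver (pdo_sqlsrv). Assumed, since the thread does not
// show them: the user_votes columns user_id, site_id, vote_time; the
// config.php keys db_host, db_user, db_pass; the POST field name 'site'.

function connect(array $config): PDO {
    $db = new PDO("sqlsrv:Server={$config['db_host']};Database=PS_UserData",
                  $config['db_user'], $config['db_pass']);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Server-side prepares: parameter values never travel inside SQL text.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $db;
}

// BEFORE: the pattern used throughout vote.php. Request data is spliced
// into the statement, so quote characters in the input rewrite the query.
// htmlentities/magic_quotes do not change that for MSSQL (see abrasive's
// point 2: the quoting character there is the apostrophe itself).
function insertVoteConcatenated(PDO $db, string $userId, string $siteId): int {
    $sql = "INSERT INTO PS_UserData.dbo.user_votes (user_id, site_id, vote_time)"
         . " VALUES ('" . $userId . "', '" . $siteId . "', GETDATE())";
    return $db->exec($sql);
}

// AFTER: the SQL is fixed at prepare time and the values are bound as
// typed parameters, so no escaping step is needed at all.
function insertVoteBound(PDO $db, int $userId, int $siteId): int {
    $stmt = $db->prepare(
        "INSERT INTO PS_UserData.dbo.user_votes (user_id, site_id, vote_time)"
        . " VALUES (:user_id, :site_id, GETDATE())"
    );
    $stmt->bindValue(':user_id', $userId, PDO::PARAM_INT);
    $stmt->bindValue(':site_id', $siteId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Validate before querying: the site id must be an integer and one of the
// configured sites (the list edited at vote.php lines 36-42).
function validatedSiteId(array $sites): ?int {
    $siteId = filter_input(INPUT_POST, 'site', FILTER_VALIDATE_INT);
    return (is_int($siteId) && isset($sites[$siteId])) ? $siteId : null;
}
```

Every other query in vote.php that builds its SQL from $_POST or $_GET values gets the same treatment: placeholders in the statement, values passed to execute() or bindValue().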
03/08/2013 06:24 Sh1nra#7
Quote:
Originally Posted by abrasive
It looks like you meant to try to sanitize user input with this code at some point?
Code:
function clean($str){
    return is_array($str) ? array_map('clean', $str) : str_replace("\\", "\\\\", htmlspecialchars((get_magic_quotes_gpc() ? stripslashes($str) : $str), ENT_QUOTES));
}
There are a few problems with this:
1. get_magic_quotes_gpc() only matters for a MySQL database.
2. The escape character for MSSQL is an apostrophe, not a backslash.
3. Escaping input in fashions such as this is obsolete since the existence of bound queries.
4. Finally, this function is never even called, so in a sense it is not relevant.

All of the queries in this script have variables directly concatenated with the query itself, which is how users can do SQL injection.
I didn't change this, it was in the script before
03/08/2013 06:45 JohnHeatz#8
Quote:
Originally Posted by Sh1nra
I didn't change this, it was in the script before
The fact that "it was there" doesn't excuse the fact that it is incorrect and not even being used in the script
03/08/2013 13:30 Sh1nra#9
I will try to fix this lol
09/14/2013 20:35 JujiPoli#10
Fatal error: Call to undefined function mssql_connect() in C:\xampp\htdocs\vote\vote.php on line 27

Hello, does someone know how to fix this error?
09/15/2013 23:59 [ADM]SpyRow#11
Quote:
Originally Posted by JujiPoli
Fatal error: Call to undefined function mssql_connect() in C:\xampp\htdocs\vote\vote.php on line 27

Hello, does someone know how to fix this error?

Why do you want to add something that is not well made?
With this script your players are going to get tooooons of DP and you won't know from where

Wait for better version.
02/12/2014 18:32 accuface35#12
Does anyone have a better version?
02/12/2014 18:54 H.A.Z.E#13
Quote:
Originally Posted by accuface35
Does anyone have a better version?
The thread is 5 months old...
#closerequest