[Tiny release] Some PHP Files from Shaiya Legacy

[Trayne01]

Hello, i made this script some times ago, so have fun with it.
Send to bankteller php script (please secure yourself, or add it in your admin panel)

 Spoiler

Credits goes to [Dev]HoaX for the sql query

Bye!

[{Skrillex}]

Don´t use this Scripts. There are many kinds of SQL Injection in it. In the next days the comes an secured release.

Regards

[_Diavolino_]

just because some got obvious way to share something
before to use any php just check EVERY file ...

I don't where the bad could be if you CHeck the files...

regards

EDIT :

Missing on bank teller or desactivate it

include "../PowerAuth.php";// Database configuration parameters

Out of that the files look Clean...
After there is maybe other kinda to write ! but that it's nice

So thank you for contribution on Shaiya and then Update your Post to repair the missing files ...

[Trayne01]

You can simply remove this part, so, the script will look like:
form:

 Spoiler

PHP Code:

<!DOCTYPE html>

<html>
    <head>
        <meta charset="UTF-8">
        <title>Send to bankteller</title>
    </head>
    <body>
    
    <center>Envoyez un objets à la banque
        <h1>Send to bankteller</h1>
        <small>Vous devrez au préalable trouver l'id de l'objets et le nom du compte</small>
        <br/>
        <br/>    
            <form action = "proc.php" method="post">
                <p>Nom de l'utilisateur* <input type = "text" name = "Var1"><br /></p>
                <p>ID de l'objet* <input type = "text" name = "Var2"><br /></p>
                <p>Nombre d'objets  <input type = "text" name = "Var3"><br /></p>
                <p>Description du produit <input type = "text" name = "Var4"><br /><strong>20 caractères maximum</strong></p>
                <br/>
                <input type="submit" name="send_price" value="Envoyer">
            </form>
            <br/>
            <br/>
            <small>(c)2015 FAUSSURIER Marc</small></center>
    </body>
</html> 


proc:

 Spoiler

PHP Code:

<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8">
        <title>Send to bankteller</title>
    </head>
    <body>
<?
include ('db.php');
//include    ('query.php');
Echo ('Retour au <a href="form.php">formulaire</a><br/>');
//Par Marc Faussurier, Copie interdite
if (isset($_POST['Var1']) && isset($_POST['Var2']))//Champs obligatoires
 {
                    //On déclare les variables
$UserID=$_POST['Var1'];
$ItemID=$_POST['Var2'];
$ItemCount=$_POST['Var3'];
$ProductDesc=$_POST['Var4'];

    if ($ItemCount==0)://Si le nombre d'objet n'est pas défini
        {
        $ItemCount=1;//On le remplace par 1
        }
    endif;
    
    if ($ProductDesc==0)://Si la description n'est pas définie
        {
        $ProductDesc='Envoyé_Par_GM';//On la remplace par Envoyé_Par_GM
        }
    endif;

$sql="DECLARE @UserID varchar(18), @UserUID bigint, @ItemID int, @ItemCount tinyint, @OrderNumber int, @BuyDate datetime, @ProductCode varchar(20), @Slot tinyint, @empty smallint

-- ****** SHAIYA SYFY / SHAIYA ALLIANCE / SHAIYA RELOADED  ****** --
-- Send Item to User Bank 
-- By [Dev]HoaX 2011
-- ************************************************************** --

-- ----------- CONFIG  ------------------
-- UserID:
SET @UserID = '$UserID'

-- ItemID:
SET @ItemID = '$ItemID'

-- Item Count:
SET @ItemCount = '$ItemCount'

-- Produkt Description (max. 20 char.)
SET @ProductCode = '$ProductDesc'

-- --------------------------------------
SET @OrderNumber = 1
SET @BuyDate = GETDATE()

SET @UserUID = (SELECT UserUID FROM PS_UserData.dbo.Users_Master WHERE UserID = @UserID)

SET @Slot = 0
SET @empty = -1

WHILE (@Slot <= 239)
BEGIN 

    SET @empty = (SELECT COUNT(Slot) FROM PS_Billing.dbo.Users_Product WHERE UserUID = @UserUID AND Slot = @Slot)
    
    IF (@empty <= 0) BREAK
    ELSE     
        SET @Slot = @Slot+1
END

INSERT INTO PS_Billing.dbo.Users_Product 
        (UserUID, Slot, ItemID, ItemCount, ProductCode, OrderNumber, BuyDate)
VALUES (@UserUID, @Slot, @ItemID, @ItemCount, @ProductCode, @OrderNumber, @BuyDate)

PRINT ''
IF @Slot < 239 PRINT 'Used slot: '+CONVERT(varchar(3), @Slot)
IF @Slot = 239 PRINT 'THERE IS NO FREE SLOT ANYMORE (240/240 SLOTS USED)!'";

        @odbc_exec($conn,$sql);//Envois de l'objet via SQL Server dans la banque
        
        Echo ("L'objet avec l'id $ItemID a été envoyé $ItemCount fois au compte $UserID avec le Code Produit $ProductDesc<br/>");

 }
Else {
('Merci de remplir les champs obligatoir<br/>');
}
?>
    </body>
</html>

And about sql injection,

Quote:

Originally Posted by ϟƘƦƖןןΣ✘

Don´t use this Scripts. There are many kinds of SQL Injection in it. In the next days the comes an secured release.
Regards

Of course, but please read the thread

Quote:

Originally Posted by Trayne01

please secure yourself

I let you protect these script with your current admin panel security, yes, do not let these like this in your www/ floder
In my exemple, my security look like this

Quote:

Originally Posted by "_Diavolino_

include "../PowerAuth.php"

And so, is impossible to use the script without a password.

[Cansas59]

k we waiting of this skrillex^^