Hi,
first at all: thank you for your release. This Script is really outdated. It uses old mssql drivers wich will not supported by PHP 5.3 or higher.
I just opened the index.php and can see a lot of sql injections.
PHP Code:
$userid = $_POST['userid'];
$pass = $_POST['pass'];
//Check if UserID Exists
{
$useruid = [MENTION=1039734]mss[/MENTION]ql_query('SELECT UserID,Pw FROM PS_UserData.dbo.Users_Master WHERE UserID = \'' . $userid . '\'');
if (mssql_num_rows($useruid) == 0)
die('"<center>Account Dosent Exist! Redirect Please wait..</center> <meta http-equiv="refresh" content="2;url=index.php">"');
else
// Check if UserID and Password match
$useruid1 = [MENTION=1039734]mss[/MENTION]ql_query('SELECT UserID,Pw FROM PS_UserData.dbo.Users_Master WHERE UserID = \'' . $userid . '\' and PW = \'' . $pass . '\'');
}
if (mssql_num_rows($useruid1) == 0)
die('"<center>Account and Password mixmatch! Redirect Please wait..</center> <meta http-equiv="refresh" content="2;url=index.php">"');
else {
$useruid2 = [MENTION=1039734]mss[/MENTION]ql_query('SELECT * FROM PS_UserData.dbo.Users_Master WHERE UserID = \'' . $userid . '\' and PW = \'' . $pass . '\'');
}
Every user input will executed directly into database without escaping.
Nobody should use this script for public bcs of missing security.
Regards
![Faction Change [PHP]](https://www.elitepvpers.com/forum/iconimages/shaiya-pserver-guides-releases/faction-change-php_ltr.gif){kind=small}
![[GameAdvisor]Finn's Avatar](https://www.elitepvpers.com/forum/customavatars/avatar6941637_1.gif){kind=avatar}
![[GameAdvisor]Finn is offline](images/elitepvpers/statusicon/user_offline.gif){kind=small}
