MSSQL Connection

~~KyoceraZ~~ · 04/15/2017, 17:25

Hey,

I want to create a connection from the webserver to the rootserver which have a mssql server. If I put the register script on the rootserver it works but if I wanna put the register script on the webserver it don´t work, ODBC settings on the server are correct.

register.html:

PHP Code:


			
    <head>
        <link rel="stylesheet" type="text/css" href="reg.css">
        <title>Everlasting RaiderZ Register!</title>
    </head>
<html>
    <body style="height: 100%;width: 100%;margin: 0; background-image:url('http://i.imgur.com/Rj6OhNk.jpg'); background-repeat: no-repeat; background-attachment: fixed; background-position: 40% 10%; ">
    <div style="margin: auto;width: 13%;padding-top: 50px;" >
    <a href="https://www.facebook.com/EverlastingRaiderZ/" title="Volver"> <img src="logo.png" alt="Everlasting RaiderZ" height="150px" width="330px" style="margin-left: -100px;"> </a>
        <form action='register.php' method='POST'>
            
            <br>
            <br>
            <c> Account Registration</c>
            <br>
            <br>
            <b >Username </b>
            <br>        
                <input title="4-12 Characters without spaces and without symbols" type='text' name='username'>
                <br>
                <br>
            <b>Password</b>
            <br>
                <input title="4-12 Characters without spaces and without symbols" type='password' name='password'>

                <br>
                <br>
            <b>Repeat Password</b>
            <br>
                <input title="4-12 Characters without spaces and without symbols" type='password' name='password_conf'>

                <br>
                <br>

            <b>E-mail Adress</b>
            <br>
                <input title="E-mail" type='text' name='email'>
                <br>
                <br>
            <b>Secret Question</b>
            <br>
                <input title="4-20 Characters without spaces and without symbols" type='text' name='secret'>
                <br>
                <br>
            <b>Answer</b>
            <br>
                <input title="4-12 Characters without spaces and without symbols" type='text' name='resp'>
                <br>
                <br>
                <input type='submit' value='Register by  now!'>
                <br>
                <br>
                <input type="reset" value="Reset!" />
    </div>            
    </body>
</html>

register.php:

PHP Code:


			
<?php
$server = "Server IP";
$host = "MSSQL\NAME";
$user = "USER";
$pass = "PW";
$dbname = "DB";

$connect = odbc_connect("Driver={SQL Server Native Client 10.0}; ServerName={$server}; Server={$host}; Database={$dbname}", $user, $pass) or die("Can't connect the MSSQL server.");

    function valida_email($email) {//Funktion um das Format der E-Mail zu bestätigen!
            if (preg_match('/^[A-Za-z0-9-_.+%]+@[A-Za-z0-9-.]+\.[A-Za-z]{2,4}$/', $email)) return true;
            else return false;
            } 

$userid = $_POST['username'];
$pass = $_POST['password'];
$login = md5($userid . ' ' . $pass);
$email = $_POST['email'];
$secret = $_POST['secret'];
$resp = $_POST['resp'];
$password_conf = $_POST['password_conf'];

$result = odbc_exec($connect, "SELECT name FROM dbo.Account WHERE name = '$userid'");
$existing_users = odbc_num_rows($result);
if($existing_users >= 1) {//Überprüft, ob das Konto noch nicht existiert!
    header("location:accal.html");
}

$result2 = odbc_exec($connect, "SELECT email FROM dbo.Account WHERE email = '$email'");
$existing_email = odbc_num_rows($result2);
if($existing_email >= 1) {//Überprüft, ob die E-Mail nicht in Gebrauch ist!
header("location:accal2.html");
}


if (!$_POST['username'] )
{//Schaut dass kein Feld leer ist!
header("location:accal3.html");
die();

}

if (!$_POST['password'] )
{//Schaut dass kein Feld leer ist!
header("location:accal3.html");
die();
}

if (!$_POST['email'] )
{//Schaut dass kein Feld leer ist!
header("location:accal3.html");
die();
}

if (!$_POST['secret'] )
{//Schaut dass kein Feld leer ist!
header("location:accal3.html");
die();
}

if (!$_POST['resp'] )
{//Schaut dass kein Feld leer ist!
header("location:accal3.html");
die();
}

if($_POST['password'] != $_POST['password_conf']) { // Wir überprüfen, ob die eingegebenen Kennwörter übereinstimmen
            header ("location:accal5.html");
            die();
        }

if(!valida_email($_POST['email'])) { // überprüfen, ob die eingegebene E-Mail korrekt ist
            header("location:accal2b.html");
            die();
}

odbc_exec($connect, "INSERT INTO dbo.Account (name, passwd, email, secretquestion, secretanswer, regdate) VALUES ('$userid', HASHBYTES('MD5', LTRIM(RTRIM('$userid')) + LTRIM(RTRIM('$pass'))), '$email', '$secret', '$resp', GETDATE())");
odbc_close($conn);
?>
<head>
        <link rel="stylesheet" type="text/css" href="regphp.css">
    </head>
<html>
    <body>
        <style type="text/css"></style>
            <a href="https://www.facebook.com/" title="Volver"> </a>
            <br>
            <br>
            <c> Account Registration</c>
            <br>
            <br>
            <br>
            <br>
            <br>
            <br>
            
            
            <b >Username: </b> <br> <d><?php echo $userid;
                            ?></d>
            <br>    
            <br>            
            <b>Password: </b> <br> <d><?php echo $pass;
                            ?> </d>
            <br>
            <br>
            <b>E-mail: </b> <br> <d><?php echo $email;
                            ?> </d>
            <br>
            <br>
            <b>Secret Question: </b> <br> <d><?php echo $secret;
                            ?> </d>
            <br>
            <br>
            <b>Answer: </b> <br> <d><?php echo $resp;
                            ?> </d>
            <br>
            <br>
            <br>
            <br>
            <br>
            <c>Thanks for registering, remember to enter your accountname small!</c>
            <br>
            <br>
            <a href="https://www.facebook.com//" title="Volver">Go to home page!</a>
            <br>        
            
    </body>
</html>

If I register it I become a error:

Warning: odbc_connect(): SQL error: [unixODBC][Driver Manager]Can't open lib 'SQL Server Native Client 10.0' : file not found, SQL state 01000 in SQLConnect in /www/htdocs/MyUserName/MyDomain/register-ingame/register.php on line 8
Can't connect the MSSQL server.

krankheit · 04/15/2017, 21:59

could this help you ?

i would try in the sql studio ? create the connection....

Quote:

$server = "Server IP";
$host = "MSSQL\NAME";
$user = "USER";
$pass = "PW";
$dbname = "DB";

you filled here your right data ?

~~Underfisk~~ · 04/16/2017, 17:47

An advice: Dont use odbc

I use alot of mssql because Dekaron an rpg i develop, uses alot of mssql and while im creating websites i just connect like this :

PHP Code:


			
//config here like yours

$con = mssql_connect($site_config['host'],$site_config['user'],$site_config['pass']);

Just do a connect and when you make a query just call it

~~KyoceraZ~~ · 04/24/2017, 08:44

Quote:

Originally Posted by Underfisk

An advice: Dont use odbc
I use alot of mssql because Dekaron an rpg i develop, uses alot of mssql and while im creating websites i just connect like this :

PHP Code:

//config here like yours $con = mssql_connect($site_config['host'],$site_config['user'],$site_config['pass']);

Just do a connect and when you make a query just call it

Thanks, I will try it. But where do I add that he must connect to another server? I must insert the server ip of the other server, thats why I need odbc I guess

~~Underfisk~~ · 04/25/2017, 15:40

What do you mean with connect to another server? You mean sql instance or another ip? And i cant get the point of needing another ip.
So you are trying to connect to a server or for 2 at same time.. Its quite confused xd

~~KyoceraZ~~ · 04/29/2017, 19:28

The mysql is on the webserver with the register script. The gameserver with the mssql server is on another server, also registerscript is on the url webserver.elitepvpers.com (samplepage) and the gameserver with mssql is on gameserver.elitepvpers.com
Now I need a connection from webserver to gameserver, so I must add a IP to the gameserver on my webserver that he can write the datas in the mssql server

Alpha · 04/29/2017, 19:34

Side note: Escape the username & email strings, you've got SQL injection right there

~~KyoceraZ~~ · 04/29/2017, 20:14

Quote:

Originally Posted by chillout74

Side note: Escape the username & email strings, you've got SQL injection right there

Hm okay..how can I solve that problem?

~~Underfisk~~ · 04/29/2017, 23:09

Here you go

PHP Code:


			
function anti_injection($sql)

{

   $sql = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$sql);

   $sql = trim($sql); 

   $sql = strip_tags($sql);

   $sql = addslashes($sql);

   return $sql;

}

atom0s · 04/30/2017, 03:49

If you are using PHP, just use PDO.

Using prepared statements prevents injections. This will protect you from nearly all injection types. You can google for the various other adjustments/settings you can use to prevent from the rest. But using a random regex check on a query is not the way to protect yourself.