PHP code in Habbo ID settings

YOLO <3
I'm trying this:
Code:
                                <?PHP
                                if(isset($_POST['update'])) { 
                                  $ts=$_POST['ts'];
                                  $user=$_POST['user'];
                                
                                 mysql_query("UPDATE users SET block_newfriends='$ts' WHERE username='$user'") or die(mysql_error());
                                echo '<div class="rounded-container">';
                                  echo '<div class="rounded-green rounded-done">';
                                echo '<b>text here</b><br>';
                                   echo '</div>';
                                 echo '</div>';
                                   }
                                   ?>
Code:
<?php
                                            $query = "SELECT * FROM users WHERE id = '".$_SESSION['user']['id']."'";
                                            $result = mysql_query($query);
                                            $row = mysql_fetch_array($result);
                                            $x1 = $row['block_newfriends'];
                                            $ch1[$x1] = "checked";
                                            echo "text here
                                            ";
                                            ?>

As you can see, it includes PHP. But I'm not sure if it's safe against any hacks like SQL injection or XSS. Do I need to put a mysql_real_escape_string and if yes, where exactly?
 
Experienced Elementalist
Oh god no, very vulnerable.
Well first of all, mysql is deprecated, use MySQLi or PDO instead.

2. You give the username to change in the post. Why lol? You have the $_SESSION['user']['id'] don't you? Anyone can now change anyone's user settings.

3. You need to check the value the user gives. It must be either 0 or 1. Check that.

This is the best I could do with the code you gave.

Code:
<?PHP


if(isset($_POST['update'])) 
{ 
	if(!isset($_POST['ts']))
	{
		header('Location: ./me');
		exit;
	}
	
	$ts = $_POST['ts'] === '1' ? '1' : '0';
	
	$id = $_SESSION['user']['id'];
	if(!is_numeric($id))
	{
		// Just some double check, I suppose you don't check if a user is logged in anyways
		header('Location: ./me');
		exit;
	}
	
	// Use the session id validated above, never a posted username
	mysql_query("UPDATE users SET block_newfriends='" . $ts . "' WHERE id = '" . $id . "'") or die(mysql_error());
	
	echo '<div class="rounded-container">';
	echo '<div class="rounded-green rounded-done">';
	echo '<b>text here</b><br>';
	echo '</div>';
	echo '</div>';
}


?>
 
YOLO <3
This one doesn't work on my revcms, the script in the opening post does work. So could you stick with that one and just change that one a little bit?
And by the way, these are 2 different scripts, can't put them in 1 script together:

Code:
<form method="post" id="profileForm">
                                             <h3>Instellingen</h3>
                                             <?PHP
									
									if(isset($_POST['update'])) { 
									$ts=$_POST['ts'];
									$user=$_POST['user'];
									
									mysql_query("UPDATE users SET block_newfriends='$ts' WHERE username='$user'") or die(mysql_error());
									echo '<div class="rounded-container">';
									echo '<div class="rounded-green rounded-done">';
									echo '<b>Je instellingen voor het onvangen van vriendschapsverzoeken zijn opgeslagen, herstart het hotel!</b><br>';
									echo '</div>';
									echo '</div>';
									}
									?>
											<form method="post">
											<input type="hidden" name="user" value="{username}" />
											
											<?php
											$query = "SELECT * FROM users WHERE id = '".$_SESSION['user']['id']."'";
											$result = mysql_query($query);
											$row = mysql_fetch_array($result);
											$x1 = $row['block_newfriends'];
											$ch1[$x1] = "checked";
											echo "
											
											<p><b><i>Wil je vriendschapsverzoeken ontvangen van andere spelers?</i></b></p>
											<input type='radio' name='ts' value='0' ".$ch1['0'].">Ja
											<input type='radio' name='ts' value='1' ".$ch1['1'].">Nee
											<br><br>
											";
											?>
											<div class="settings-buttons">
                                                <input type="submit" value="Instellingen opslaan" name="update" class="submit">
											 </div>
											
                                        </form>
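
The three points from the reply above (a database API with placeholders, the user id taken from the session rather than the form, the radio value restricted to 0 or 1) combined into one handler, as an added example that is not code from the thread or from RevCMS. It assumes PDO with an in-memory SQLite table standing in for the MySQL `users` table; the function name `saveBlockNewFriends` and the sample rows are made up for illustration.

```php
<?php
// Added example, not the thread's code. Constructed table and rows; SQLite in
// memory stands in for the MySQL `users` table so the script runs offline.
declare(strict_types=1);

// Hypothetical helper: returns the value stored, or null if nobody is logged in.
function saveBlockNewFriends(PDO $db, array $session, array $post): ?string
{
    // Identity comes from the server-side session, never from a form field.
    $id = filter_var($session['user']['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Whitelist: anything other than the exact string '1' is stored as '0'.
    $ts = (($post['ts'] ?? '0') === '1') ? '1' : '0';

    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $db->prepare('UPDATE users SET block_newfriends = :ts WHERE id = :id');
    $stmt->execute([':ts' => $ts, ':id' => $id]);
    return $ts;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, block_newfriends TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', '0'), (2, 'bob', '0')");

// Constructed requests: the session says id 1. The first is a normal submit;
// the second names another user and puts SQL metacharacters in the radio value.
$session = ['user' => ['id' => 1]];
$normal  = ['update' => '1', 'ts' => '1'];
$hostile = ['update' => '1', 'user' => 'bob', 'ts' => "1' WHERE username='bob"];

var_dump(saveBlockNewFriends($db, $session, $normal));
var_dump(saveBlockNewFriends($db, $session, $hostile));
var_dump(saveBlockNewFriends($db, [], $normal)); // no session: rejected

foreach ($db->query('SELECT id, username, block_newfriends FROM users') as $row) {
    // Escape on output: this is the XSS half of the question.
    $line = "{$row['id']} {$row['username']} {$row['block_newfriends']}";
    echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), "\n";
}
```

The posted `user` field is ignored, so the hidden `<input name="user">` in the form can be dropped.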
 