Staff Pin System.

  1. #1
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Staff Pin System.

    I recently made this for a hotel and they said I should release it here, it's nothing special, just basic PHP and HTML made for people who don't know how to do it for themselves.

    Firstly, add this to your client .php below <div id="client"></div>
    PHP Code:
    <?php
    // Open the database connection (replace the credentials with your own).
    $connect = mysql_connect("localhost", "root", "database_passwrd");
    mysql_select_db("database_name", $connect);

    // Look up the logged-in user.
    $username = $_SESSION["user"]["username"];
    $query = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
    if(mysql_num_rows($query) == 1)
    {
        $row = mysql_fetch_assoc($query);
        $rank = $row["rank"];
        // Rank 4 or over and no pin entered yet in this session: show the pin form and stop.
        if($rank >= 4 && !isset($_SESSION["correct_key"]))
        {
            ?>
            <form action='spk' method='post'>
                <select name='first'>
                    <option value='0'>0</option>
                    <option value='1'>1</option>
                    <option value='2'>2</option>
                    <option value='3'>3</option>
                    <option value='4'>4</option>
                    <option value='5'>5</option>
                    <option value='6'>6</option>
                    <option value='7'>7</option>
                    <option value='8'>8</option>
                    <option value='9'>9</option>
                </select>
                <select name='second'>
                    <option value='0'>0</option>
                    <option value='1'>1</option>
                    <option value='2'>2</option>
                    <option value='3'>3</option>
                    <option value='4'>4</option>
                    <option value='5'>5</option>
                    <option value='6'>6</option>
                    <option value='7'>7</option>
                    <option value='8'>8</option>
                    <option value='9'>9</option>
                </select>
                <select name='third'>
                    <option value='0'>0</option>
                    <option value='1'>1</option>
                    <option value='2'>2</option>
                    <option value='3'>3</option>
                    <option value='4'>4</option>
                    <option value='5'>5</option>
                    <option value='6'>6</option>
                    <option value='7'>7</option>
                    <option value='8'>8</option>
                    <option value='9'>9</option>
                </select>
                <select name='fourth'>
                    <option value='0'>0</option>
                    <option value='1'>1</option>
                    <option value='2'>2</option>
                    <option value='3'>3</option>
                    <option value='4'>4</option>
                    <option value='5'>5</option>
                    <option value='6'>6</option>
                    <option value='7'>7</option>
                    <option value='8'>8</option>
                    <option value='9'>9</option>
                </select><br />
                <input type='submit' name='staff_key' value='Go' />
            </form>
            <?php
            exit;
        }
    }else
    {
        die("Sorry, something went wrong with your account, apparently you do not exist, please try logging in.");
    }
    ?>
    This box will appear for anyone who is rank 4 or over.

    Then create a new PHP file and name it spk.php
    PHP Code:
    <?php
    session_start();

    // Connect before escaping: mysql_real_escape_string() needs an open connection.
    $connect = mysql_connect("localhost", "root", "database_passwrd");
    mysql_select_db("database_name", $connect);

    // Escape last: calling stripslashes() after mysql_real_escape_string() would undo the escaping.
    $username = mysql_real_escape_string(strip_tags(stripslashes($_SESSION["user"]["username"])));

    // The four digits are only concatenated and compared, never placed in a query.
    $first = strip_tags(stripslashes(mysql_real_escape_string($_POST["first"])));
    $second = strip_tags(stripslashes(mysql_real_escape_string($_POST["second"])));
    $third = strip_tags(stripslashes(mysql_real_escape_string($_POST["third"])));
    $fourth = strip_tags(stripslashes(mysql_real_escape_string($_POST["fourth"])));
    $key = $first."".$second."".$third."".$fourth;

    if(is_numeric($key))
    {
        $query = mysql_query("SELECT * FROM `users` WHERE `username` = '$username'");
        $row = mysql_fetch_assoc($query);
        $valid_key = $row["staff_pin"];
        if($key == $valid_key)
        {
            // The session was already started at the top of the file.
            $_SESSION["correct_key"] = $key;
        }else{
            die("Incorrect Key!");
        }
    }else
    {
        die("Key must be 4 numbers...");
    }
    ?>
    You will also need to create the field staff_pin in your users table, make it an integer of 4 and a default of 0, then it should work, if you have any problems feel free to PM me.

    Note: Remember to replace database_passwrd with your database password and database_name with your database name.
    Last edited by VOID3D; 20-07-14 at 02:41 AM.


  2. #2
    Valued Member iTzScronnie is offline
    MemberRank
    Sep 2013 Join Date
    104Posts

    Re: Staff Pin System.

    This is also for RevCMS. It works great on my hotel. If you guys want working proof I will take screenshots!

  3. #3
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by iTzScronnie View Post
    This is also for RevCMS. It works great on my hotel. If you guys want working proof I will take screenshots!
    It will work on any CMS if you know the session variables. (:

  4. #4
    I (L) Willem Spot Ify is offline
    MemberRank
    Jun 2012 Join Date
    The NetherlandsLocation
    294Posts

    Re: Staff Pin System.

    Lol why making a new connection ... That's horrible for your mysql server lol.
    And why a pin system :o .
    Just make great passwords on all staff accounts and make your hotel CMS SQL exploit free (and shit like the forgotten function).
    But I think it's a nice release but it isn't my thing and you are also not filtering the username.. So you need to hope that it is filtered before.
    Also this is a too long reaction lol. But is it not handier to bind the user to an IP or more IPs.
    Gr Spot Ify

    Edit: also a tip, don't use SQL for it, because if they MySQL inject your hotel they can still get the pin. Why not just do it with a switch?
    Last edited by Spot Ify; 20-07-14 at 02:42 AM.

  5. #5
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by Spot Ify View Post
    Lol why making a new connection ... That's horrible for your mysql server lol.
    And why a pin system :o .
    Just make great passwords on all staff accounts and make your hotel CMS SQL exploit free (and shit like the forgotten function).
    But I think it's a nice release but it isn't my thing and you are also not filtering the username.. So you need to hope that it is filtered before.
    Also this is a too long reaction lol. But is it not handier to bind the user to an IP or more IPs.
    Gr Spot Ify
    I had originally filtered the username, but I didn't think it was necessary, and I made a new connection out of habit. I'll filter the usernames now and update the post.

  6. #6
    Valued Member GrateZ4 is offline
    MemberRank
    Jul 2014 Join Date
    145Posts

    Re: Staff Pin System.

    Default password for script?

  7. #7
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by Spot Ify View Post

    Edit: also a tip, don't use SQL for it, because if they MySQL inject your hotel they can still get the pin. Why not just do it with a switch?
    By a switch I assume you mean a switch statement? If the hotel gets a new staff member you have to edit the code in that case, (Get it in that 'case' :P) I would check the IPs but if a staff member is using a proxy/VPN, or their IP changes it is not very helpful, it would be rare that something does happen to the IP but for example, if a staff member goes to someone else's house, they can no longer access the client due to an incorrect IP address. Thanks for the tips though, I am not super advanced in editing RevCMS so I am not 100% sure how it works, but I have been doing PHP for a few years now, so I understand what you're saying. Anyway, if anything does happen that causes me to rethink the methods of how the pin system works I will change it completely to be more efficient.

  8. #8
    Valued Member GrateZ4 is offline
    MemberRank
    Jul 2014 Join Date
    145Posts

    Re: Staff Pin System.

    I tried to add default key 1000 at staff_pin and I typed 1000 in client, it says wrong key..

  9. #9
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by GrateZ4 View Post
    I tried to add default key 1000 at staff_pin and I typed 1000 in client, it says wrong key..
    Make sure it's in your users table, your database is connected properly, and that that is the correct key for the user.

  10. #10
    Valued Member GrateZ4 is offline
    MemberRank
    Jul 2014 Join Date
    145Posts

    Re: Staff Pin System.

    Well, it's the correct key, and I did fix the db details, default 1000, db details fixed in spk & client

  11. #11
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by GrateZ4 View Post
    Well, it's the correct key, and I did fix the db details, default 1000, db details fixed in spk & client
    Do you have TeamViewer so I can connect to you to help you out?

  12. #12
    Valued Member GrateZ4 is offline
    MemberRank
    Jul 2014 Join Date
    145Posts

    Re: Staff Pin System.

    I think I found the prob, I had int instead of integer :). No, still doesn't work, I have join.me

  13. #13
    Hakuna Matata Matata is offline
    MemberRank
    Sep 2012 Join Date
    DenmarkLocation
    807Posts

    Re: Staff Pin System.

    Quote Originally Posted by Spot Ify View Post
    Lol why making a new connection ... That's horrible for your mysql server lol.
    And why a pin system :o .
    Just make great passwords on all staff accounts and make your hotel CMS SQL exploit free (and shit like the forgotten function).
    But I think it's a nice release but it isn't my thing and you are also not filtering the username.. So you need to hope that it is filtered before.
    Also this is a too long reaction lol. But is it not handier to bind the user to an IP or more IPs.
    Gr Spot Ify

    Edit: also a tip, don't use SQL for it, because if they MySQL inject your hotel they can still get the pin. Why not just do it with a switch?
    Does the username actually have to be filtered, since it's a session?
    As I understand it, sessions are handled by the server and unchangeable by the user.

  14. #14
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by Matata View Post
    Does the username actually have to be filtered, since it's a session?
    As I understand it, sessions are handled by the server and unchangeable by the user.
    If a user manages to register with something like '; DROP TABLE users; I guess it could cause problems, it's best to be on the safe side.

  15. #15
    Hakuna Matata Matata is offline
    MemberRank
    Sep 2012 Join Date
    DenmarkLocation
    807Posts

    Re: Staff Pin System.

    Quote Originally Posted by VOID3D View Post
    If a user manages to register with something like '; DROP TABLE users; I guess it could cause problems, it's best to be on the safe side.
    If a user is able to register with such a name, you have some serious security problems.

  16. #16
    Enthusiast VOID3D is offline
    MemberRank
    Oct 2013 Join Date
    44Posts

    Re: Staff Pin System.

    Quote Originally Posted by Matata View Post
    If a user is able to register with such a name, you have some serious security problems.
    Well done, that made me laugh pretty hard, idek why x'D

  17. #17
    Banned rafa95123 is offline
    BannedRank
    May 2009 Join Date
    /home/RaphaLocation
    564Posts

    Re: Staff Pin System.

    And other... I'll pick from database, will help?
    To make it more secure, don't make a new connection with MySQL and the PIN CODE must be on archive, and the system with $_SESSION...
    My hotel has this, and it is secure, I am sure.

  18. #18
    Account Upgraded | Title Enabled! streamhotel is offline
    MemberRank
    Apr 2012 Join Date
    EarthLocation
    511Posts

    Re: Staff Pin System.

    I think the Staff IP list is much better. You make a table with username and IP, and when a user tries to access, the remote_addr and session username must be the same as the database records in the table. Or you can make it so that you can only access staff accounts from a specified network.

  19. #19
    Banned rafa95123 is offline
    BannedRank
    May 2009 Join Date
    /home/RaphaLocation
    564Posts

    Re: Staff Pin System.

    Quote Originally Posted by streamhotel View Post
    I think the Staff IP list is much better. You make a table with username and IP, and when a user tries to access, the remote_addr and session username must be the same as the database records in the table. Or you can make it so that you can only access staff accounts from a specified network.
    Terrible for dynamic IPs.. I guess?

  20. #20
    Valued Member Nathan is offline
    MemberRank
    Jun 2011 Join Date
    123Posts

    Re: Staff Pin System.

    Stop using the MySQL extension. Bad bad bad.

  21. #21
    ◝(⁰▿⁰)◜Smile◝ (⁰▿⁰)◜ Taiga is offline
    DeveloperRank
    May 2007 Join Date
    InternetLocation
    2,464Posts

    Re: Staff Pin System.

    Quote Originally Posted by Nathan View Post
    Stop using the MySQL extension. Bad bad bad.
    You are right, it's deprecated, but at least tell him what to use instead. Tell him to replace the mysql with mysqli, which stands for MySQL improved.

  22. #22
    G'nome sayin' Exonize is offline
    MemberRank
    May 2011 Join Date
    Czech RepublicLocation
    517Posts

    Re: Staff Pin System.

    Just use this solution, so much better and you only need to add this into one file. No database requirements etc.

    PHP Code:
    <?php

    // Shared moderator password (change it).
    $mod_pw = 'passwordhere';

    if (isset($_SESSION['user']))
    {
        $sql = mysql_query("SELECT rank FROM users WHERE id = ".intval($_SESSION['user']['id']));
        $r = mysql_fetch_assoc($sql);

        // Rank 8 or over: show the form until the posted password matches.
        if (@$r['rank'] >= 8 && (!isset($_POST['mod_pw']) || $_POST['mod_pw'] != $mod_pw))
        {
            echo '<form method="post" action="">
        <p>MOD Password.

    <br><br>    <input type="password" name="mod_pw" value="" /></p>
        <p><input type="submit" value="Log in" /></p>
    </form>';

            die;
        }
    }
    ?>
    This will require an extra password from everyone over rank 8. You can change both password and rank in the script. Works with RevCMS.

  23. #23
    Mr VPS - Cheap VPS Server NOC is offline
    MemberRank
    Sep 2011 Join Date
    Liverpool, UKLocation
    844Posts

    Re: Staff Pin System.

    Not a bad idea. I am personally more in favor of using either MySQLi or PDO. You could adapt it to allow extra security on paid membership accounts: as part of the package, allow them to set a personal pin number to access the accounts. Great start though.

  24. #24
    Banned rafa95123 is offline
    BannedRank
    May 2009 Join Date
    /home/RaphaLocation
    564Posts

    Re: Staff Pin System.

    Quote Originally Posted by Exonize View Post
    Just use this solution, so much better and you only need to add this into one file. No database requirements etc.
    This will require an extra password from everyone over rank 8. You can change both password and rank in the script. Works with RevCMS.
    Exactly what I said... Use only the MySQL to pick the rank, more secure in my opinion...

  25. #25
    HostSavor.com Lewislol is offline
    MemberRank
    Jul 2013 Join Date
    498Posts

    Re: Staff Pin System.

    I personally would do key via database instead of same key for every staff member.
    Code:
    <?php 
    if (isset($_SESSION['user'])) 
    { 
        $sql = mysql_query("SELECT * FROM users WHERE id = ".intval($_SESSION['user']['id'])); 
        $r = mysql_fetch_assoc($sql); 
      
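        // Show the pin form until the submitted value matches (the original used ==, which blocked matching input).
        if (@$r['rank'] >= 8 && (!isset($_POST['mod_pw']) || $_POST['mod_pw'] != md5($r['pin']))) 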
        {  ?>
    		<style>
    			body{
    				background-image:url('<?php echo $_CONFIG['hotel']['url']; ?>/app/tpl/skins/Habbo/images/bg.png');
    			}
    			
    			input[type='password']{
    				border-radius:3px;
    				border:1px solid lightgrey;
    				height:25px;
    				text-align:center;
    			}
    			
    			input[type='submit']{
    				border-radius:3px;
    				border:1px solid lightgrey;
    				background-color:#fff;
    				height:25px;
    				width:100px;
    				font-weight:700;
    				margin-top:5px;
    			}
    			
    			input[type='submit']:hover{
    				background-color:lightgrey;
    			}
    		</style>
            <form method="post" align = "center"> 
    				  <p>Pin Information<br></p><br> 
    				  <input type="password" name="mod_pw" placeholder = "Your client pin!"><br>
    				  <input type="submit" value="Enter Pin">
    		</form> 
    <?php
            die; 
        } 
    } 
    ?>
    PS - Key is encrypted with md5; use an MD5 encrypter to create the key
    http://www.miraclesalad.com/webtools/md5.php

    Tested, it should work. I just used the one @Exonize posted and got it selecting keys via database.

    SQL
    Code:
    ALTER TABLE `users` ADD `pin` VARCHAR(255)
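
A hardened form of the per-user PIN check discussed in this thread, as an added example that is not code from any poster: it uses a PDO prepared statement, `password_hash()`/`password_verify()` in place of a plain or MD5 value, and a failure counter. The `pin_hash` and `pin_failures` columns, the limit of 5 attempts and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. The pin_hash and pin_failures
// columns and MAX_ATTEMPTS are assumptions; in-memory SQLite stands in for MySQL.
const MAX_ATTEMPTS = 5;

function check_staff_pin(PDO $db, int $userId, string $pin): bool
{
    // Exactly four ASCII digits; is_numeric() would also accept "1e10" or "-1.5".
    if (!preg_match('/\A[0-9]{4}\z/', $pin)) {
        return false;
    }
    // Prepared statement: the id is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT pin_hash, pin_failures FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['pin_hash'] === null) {
        return false; // unknown user or no PIN set: deny instead of matching a default
    }
    if ((int) $row['pin_failures'] >= MAX_ATTEMPTS) {
        return false; // locked until an administrator resets the counter
    }
    $ok = password_verify($pin, $row['pin_hash']);
    // Count failures so the 10,000 possible PINs cannot simply be tried in turn.
    $sql = $ok ? 'UPDATE users SET pin_failures = 0 WHERE id = ?'
               : 'UPDATE users SET pin_failures = pin_failures + 1 WHERE id = ?';
    $db->prepare($sql)->execute([$userId]);
    return $ok;
}

// Constructed sample data so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, pin_hash TEXT,
           pin_failures INTEGER NOT NULL DEFAULT 0)');
$db->prepare('INSERT INTO users (id, pin_hash) VALUES (?, ?)')
   ->execute([1, password_hash('4821', PASSWORD_DEFAULT)]);

var_dump(check_staff_pin($db, 1, '4821')); // the right PIN
var_dump(check_staff_pin($db, 1, '1e10')); // numeric, but not four digits
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    check_staff_pin($db, 1, '0000');       // repeated wrong guesses
}
var_dump(check_staff_pin($db, 1, '4821')); // the right PIN after the lockout
```

A four-digit PIN has only 10,000 values, so a leaked `pin_hash` can still be guessed offline; the attempt counter is what limits online guessing.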


