It works for me.
If you want you can contact me from MSN.
That would mean that $q1 query is returning false instead of an array. Weird.
It works for me.
If you want you can contact me from MSN.
That would mean that $q1 query is returning false instead of an array. Weird.
Please try to resolve the issue here instead of on MSN. That way, anyone that has problems in the future can use this thread as a reference. Thank you.
The problem is not with the script. Problem is with something else. That is why I want to solve the problem with MSN.Originally Posted by Yamachi
I mean that the messages doesnt shows up...
For ex.: You already voted..., Your reward has been added..., etc...
If you can add the IP CHECK,it will be awesome, and oh , this script is hackable,you can find the password of mssql.
Don't try to give information which you haven't prove. where's your proof that this is script is hackable?
My server was hacked when i have used this script :)
And when i have removed the script , the server was not hacked anymore.
EDIT:AND I CAN'T GIVE THE PROOF BECAUSE THE "HACKERS" WILL SEE HOW TO HACK THAT SCRIPT.
I apologize for what i said a little earlier, i did and now i realize that it was because i had Cabal Toolz 4.0, who was stealing from me because i have someone i had met my scripts here on ragezone , so they can make a skin for my website, but he vanished and after a little while i saw the release of the ct 4.0 on ragezone with my all template(TRANSILVANIAGAMES) .
So i keep saying that this script runs perfect on Cabal Toolz 3.0 and 3.1 platform.
Good Job With That.
But if you add the ip restriction on this script , that will be the best vote reward sawed ever.
Last edited by cypher; 24-04-11 at 11:55 AM. Reason: fixed dbl post
You mean the one that vanished and hacked the script and released it in here is the one who hack your CabalToolz 4.0?????
I don't know who did that,but who released here cabal toolz 4.0 it was a big lier,because when i give my cabal toolz 4.0 script to him , i give that only to create a skin for me,but they just released the CT 4.0 on RZ.
Anyway,lets stop the off topic.
For much request on it, I did a version which has an IP check.
To use this version, you must run this query on your CabalCash database:
You can download the version from attachments.Code:ALTER TABLE VoteReward ADD UserIP VARCHAR(20)
Well I can imagine how this script is hackable, SQLi, anyone?
Sanitize it. For example using regex:PHP Code:$u=$_GET["u"];
/*...*/
$q2=mssql_query('SELECT * FROM CashAccount WHERE UserID="' . $u . '"');
And why are you using ADOdb for such a trivial task?PHP Code:/*ATTN: This is untested code, hacked together in notepad*/
if (ereg('[^A-Za-z0-9]', $u)) {
die "; DROP DATABASE my ASS!";
}
else {
$q2=mssql_query('SELECT * FROM CashAccount WHERE UserID="' . $u . '"');
}
Last edited by Alphakilo23; 23-04-11 at 02:50 AM.
Just use mssql_real_escape_string() there. Not complicated. No need for ereg.
I haved use that , but they shows me alway the vote reward is closed.
Please add only this ip check to my script :
Code:<?php include ('includes/adodb5/adodb.inc.php'); $server="xxxx"; $user="xxxx"; $pass="xxxx"; $db1=ADONewConnection('mssql'); $db1->Connect($server, $user, $pass, 'CabalCash') or die("Unable to connect cash!"); $db2=ADONewConnection('mssql'); $db2->Connect($server, $user, $pass, 'ACCOUNT') or die("Unable to connect account!"); $u=$_GET["u"]; $p=$_GET["p"]; $q1=$db2->Execute('SELECT * FROM cabal_auth_table WHERE ID=?', array($u)); $rc1=$q1->RecordCount(); $r1=$q1->FetchRow(); if ($rc1>=1) { $pwd=md5($p); if ($r1[2]==$pwd) { $con=mssql_connect($server, $user, $pass); mssql_select_db('CabalCash', $con); $q2=mssql_query('SELECT * FROM CashAccount WHERE UserID="' . $u . '"'); $rc2=mssql_num_rows($q2); $r2=mssql_fetch_array($q2); if (mssql_num_rows($q2)>=1) { if (isset($_COOKIE['voted'])) { $q3=$db1->Execute('SELECT * FROM VoteReward WHERE UserID=?', array($u)); $rc3=$q3->RecordCount(); $r3=$q3->FetchRow(); if ($rc3>=1) { $verify=$r3[1]+60*60*12; $time=time(); if ($time>=$verify) { $db1->Execute('UPDATE VoteReward SET VoteDate=? WHERE UserID=?', array($time, $u)); $newcash=$r2[4]+1; $newcashbon=$r2[3]+1; mssql_query('UPDATE CashAccount SET Cash="'.$newcash.'" WHERE UserID="'.$u.'"'); echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>Your reward has been added successfully. Click here to go back!</a>"; } else { echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>You already voted! Please wait 12 hours to vote again! Click here to go back!</a>"; } } else { $time=time();; $db1->Execute('INSERT INTO VoteReward (UserID, VoteDate) VALUES (?,?)', array($u, $time)) or die(mssql_error()); $newcash=$r2[4]+1; $newcashbon=$r2[3]+1; mssql_query('UPDATE CashAccount SET Cash="'.$newcash.'" WHERE UserID="'.$u.'"'); echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>Your reward has been added successfully. Click here to go back!</a>"; } } else { echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>You did not vote in the last 12 hours! Click here to go back!</a>"; } } else { if (isset($_COOKIE['voted'])) { $time=time(); mssql_query('INSERT INTO CashAccount (UserID, Cash, CashBonus) VALUES ("'.$u.'",1,0)'); $db1->Execute('INSERT INTO VoteReward (UserID, VoteDate) VALUES (?,?)', array($u, $time)); echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>Your reward has been added successfully. Click here to go back!</a>"; } else { echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>You did not vote in the last 12 hours! Click here to go back!</a>"; } } } else { echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>You have entered a wrong Password! Click here to go back!</a>"; } } else { echo "<a href='http://cabal.transilvaniagames.ro/votereward.html'>You have entered a wrong ID! Click here to go back!</a>"; } ?>
Add this line to anywhere in your config.php.Code:$_config['vote_status']=true;
It will fix the problem.
I already did that , but still not working,please help me,add to my script only the ip check,thank you again.
Hello everybody!
After some days with the happiness that I did the best vote reward script for cabal past, S37uP!Update came up with a problem I did not expect. I figured it might be his placing of the files, but it wasn't. After his complainments, I figured I left something incomplete inside the vote_do.php. You will find the script fixed in the attachments for this reply.
This release also includes mysql_real_escape_string method, which makes the passwords and usernames secure for SQL Injections.
One of the attachments include the logging system, other one does not.
Credits: S37uP!Update (for realising the problem)
![[hidden]'s Avatar](https://forum.ragezone.com/customavatars/avatar225847_3.gif "[hidden]'s Avatar"){kind=avatar}
code you add an option that will allow connection to database via freetds instead of mssql?
did anyone tested this on cumpys web page 1.5?
please make it with MYSQL Last time voted, By IP & username
beacuse you can delete cookies and vote again.
Who have done this work? It seems that I can connect this to the database.
Vote Work on MuCore? just ask :))
Yeah, it should work, but you must change all tables lines from script, this one use CabalCash DB and Cabal Online tables and rows.
You must change all of them to MuOnline Database, MuOnline tables and rows.
PS: It's using MD5.
ahhh thnk your for reply :))
Reply With Quote