Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Aristrum
Nice idea :). I've always preferred IRC for admin tasks because I'm usually on it >.>
You should make sure that "sessions" can't be spoofed. They should probably have other security features such as a timeout, etc.
On the subject of features, it's pretty much going to end up like a webpanel... so take ideas from there.
Also, you should indent your code :P. Makes it much easier to read.
It's similar to the Webpanel, but with more features which the webpanel won't have :).
Re: [Delphi] GunZ Control Panel [WIP]
hahaha bounty ma Friend haha you decided to come back after all :D!
that's good :D hope this project goes well ;D
and the project looks cool so good luck m8 :)
Re: [Delphi] GunZ Control Panel [WIP]
Update :
Thanks to demantor I have finished the CreateAccount Function
Which took about 10 minutes :P
Code:
Procedure TServerSystem.CreateAccount(U: string; P: string);
begin
  CurrentTime := DateTimeToStr(Time);
  SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' + ',NULL,NULL,20,NULL,0 )';
  SQLQuery.ExecSQL();
end;
Re: [Delphi] GunZ Control Panel [WIP]
thnx bounty.. xdd love your work... :love: i press the button "ty" xdd
Re: [Delphi] GunZ Control Panel [WIP]
He(we xD) is currently working on Character editing :P
Re: [Delphi] GunZ Control Panel [WIP]
Character Editing almost Complete, finishing it off tomorrow
Re: [Delphi] GunZ Control Panel [WIP]
Might want to check for SQL injection ;).
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Aristrum
Might want to check for SQL injection ;).
Isn't needed since the Server is applying the queries.
An SQL Injection can only be made if the Client is requesting the Commands by the queries (editing a packet and lol, trying to add something). But the Client requests Commands by IDs.
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Demantor
Isn't needed since the Server is applying the queries.
An SQL Injection can only be made if the Client is requesting the Commands by the queries (editing a packet and lol, trying to add something). But the Client requests Commands by IDs.
I'm not exactly sure about what you just said, but...
The queries you're executing still take user input.
Code:
Procedure TServerSystem.CreateAccount(U: string; P: string);
begin
  CurrentTime := DateTimeToStr(Time);
  SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' + ',NULL,NULL,20,NULL,0 )';
  SQLQuery.ExecSQL();
end;
You could inject queries similar to that, by changing U or P.
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Aristrum
I'm not exactly sure about what you just said, but...
The queries you're executing still take user input.
Code:
Procedure TServerSystem.CreateAccount(U: string; P: string);
begin
  CurrentTime := DateTimeToStr(Time);
  SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' + ',NULL,NULL,20,NULL,0 )';
  SQLQuery.ExecSQL();
end;
You could inject queries similar to that, by changing U or P.
That's true, but it's going to be filtered.
But generally, queries will be requested by IDs to make it safer.
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Demantor
That's true, but it's going to be filtered.
But generally, queries will be requested by IDs to make it safer.
I see no filtering in the snippet posted, hence why I said it ;).
Requesting by IDs doesn't really make it safer. They still have to send their inputted data along with it, which doesn't remove the problem.
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Aristrum
I see no filtering in the snippet posted, hence why I said it ;).
Requesting by IDs doesn't really make it safer. They still have to send their inputted data along with it, which doesn't remove the problem.
True, but it's better than requesting by a direct query (which would be so stupid if it was xD).
Re: [Delphi] GunZ Control Panel [WIP]
Quote:
Originally Posted by
Demantor
True, but it's better than requesting by a direct query (which would be so stupid if it was xD).
Indeed, if you wanted to do a direct query, then you should be on the server :P.
-
You might want to try to implement logging, temporary bans, and perhaps interaction with the matchserver if you're up to it. :)
Re: [Delphi] GunZ Control Panel [WIP]
This looks damn awesome, good job so far!
Re: [Delphi] GunZ Control Panel [WIP]
For aristrum, that wasn't the full CreateAccount procedure; this is:
Code:
Procedure TServerSystem.CreateAccount(U: string; P: string);
var
  AID: string;
begin
  CurrentTime := DateTimeToStr(Time);
  SQLQuery.SQL.Text := 'SELECT * FROM Account WHERE UserID = ' + '''' + U + '''';
  SQLQuery.ExecSQL();
  SQLQuery.Active := true;
  if SQLQuery.Fields[1].AsString = U then // Change Fields value from 0 to 1
  begin
    Log.Lines.Add('Failed to Create Account: ' + U);
    Log.Lines.Add('UserName Already in use!'); // lets test :D
  end
  else
  begin
    SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' + ',NULL,NULL,20,NULL,0 )';
    SQLQuery.ExecSQL();
    SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = ' + '''' + U + '''';
    SQLQuery.ExecSQL();
    SQLQuery.Active := true; // this is the fix :p WORKS :D sure?, the aid should be 3 or? na look
    AID := SQLQuery.Fields[0].AsString; // Gets the AID Field :D
    ShowMessage(AID);
    SQLQuery.SQL.Text := 'INSERT INTO Login (UserID, AID, Password) VALUES ( ' + '''' + U + '''' + ',' + '''' + AID + '''' + ',' + '''' + P + '''' + ')';
    SQLQuery.ExecSQL();
    Log.Lines.Add('User account created : ' + U);
    // DONE :D xD lets see if it works :Dyea
  end;
end;
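Added example (not code from the thread or the project): the same CreateAccount flow as the procedure above, rewritten so U and P are bound as query parameters instead of being concatenated into the SQL text, which is the fix for the injection point Aristrum raised. It assumes SQLQuery is a dbExpress TSQLQuery, Log is a TMemo, and the Account/Login columns are the ones shown in the thread; the password P is still stored as given, exactly as the thread does.

```delphi
// Added example: parameterized version of CreateAccount. No user-supplied
// value ever becomes part of SQL.Text; the driver sends U, P and the date
// as bound values, so quotes or keywords inside them are just data.
procedure TServerSystem.CreateAccount(const U, P: string);
var
  AID: string;
begin
  // Existence check: ':UserID' is a placeholder, U is bound separately.
  SQLQuery.Close;
  SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = :UserID';
  SQLQuery.ParamByName('UserID').AsString := U;
  SQLQuery.Open;
  if not SQLQuery.IsEmpty then
  begin
    Log.Lines.Add('Failed to Create Account: ' + U);
    Log.Lines.Add('UserName Already in use!');
    SQLQuery.Close;
    Exit;
  end;
  SQLQuery.Close;

  // Same column list as the thread's INSERT; constants stay literal,
  // everything that came from the client goes through a parameter.
  SQLQuery.SQL.Text :=
    'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, ' +
    'Email, RegNum, Age, Sex, ServerID) ' +
    'VALUES (:UserID, 0, 0, :RegDate, :Name, NULL, NULL, 20, NULL, 0)';
  SQLQuery.ParamByName('UserID').AsString := U;
  SQLQuery.ParamByName('RegDate').AsString := DateTimeToStr(Time);
  SQLQuery.ParamByName('Name').AsString := U;
  SQLQuery.ExecSQL;

  // Fetch the generated AID for the Login row, again via a parameter.
  SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = :UserID';
  SQLQuery.ParamByName('UserID').AsString := U;
  SQLQuery.Open;
  AID := SQLQuery.Fields[0].AsString;
  SQLQuery.Close;

  SQLQuery.SQL.Text :=
    'INSERT INTO Login (UserID, AID, Password) VALUES (:UserID, :AID, :Password)';
  SQLQuery.ParamByName('UserID').AsString := U;
  SQLQuery.ParamByName('AID').AsString := AID;
  SQLQuery.ParamByName('Password').AsString := P;
  SQLQuery.ExecSQL;
  Log.Lines.Add('User account created : ' + U);
end;
```

If the real component is TADOQuery rather than TSQLQuery, the binding calls are `Parameters.ParamByName(...).Value` instead of `ParamByName(...).AsString`; the structure is otherwise the same.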