[Delphi] GunZ Control Panel [WIP]

  1. #16
    Extreme Coder - Delphi bounty-hunter (joined Sep 2007, location: GunZone Mansion, 1,725 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Aristrum:
        Nice idea :). I've always preferred IRC for admin tasks because I'm usually on it >.>

        You should make sure that "sessions" can't be spoofed. They should probably have other security features such as a timeout, etc.

        On the subject of features, it's pretty much going to end up like a webpanel... so take ideas from there.

        Also, you should indent your code :P. Makes it much easier to read.

    It's similar to the webpanel, but with more features which the webpanel won't have :).

  2. #17

    Re: [Delphi] GunZ Control Panel [WIP]

    hahaha bounty ma Friend haha u decided to come back after all :D!
    thats good :D hope this project goes well ;D
    and the project looks cool so good luck m8 :)

  3. #18
    Extreme Coder - Delphi bounty-hunter (joined Sep 2007, location: GunZone Mansion, 1,725 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Update:
    Thanks to Demantor I have finished the CreateAccount function,
    which took about 10 minutes :P
    Code:
    procedure TServerSystem.CreateAccount(U: string; P: string);
    begin
      CurrentTime := DateTimeToStr(Time);
      // Build the INSERT by concatenating U into the statement text
      SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' +',NULL,NULL,20,NULL,0 )';
      SQLQuery.ExecSQL();
    end;

  4. #19
    Faraday Das Neves Jizeth (joined Sep 2008, location: Venezuela, 392 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    thnx bounty.. xdd love u work... i press the button "ty" xdd

  5. #20
    Sultan of Yolo Demantor (joined May 2008, location: Germany, 1,266 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    He(we xD) is currently working on Character editing :P

  6. #21
    Extreme Coder - Delphi bounty-hunter (joined Sep 2007, location: GunZone Mansion, 1,725 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Character Editing almost Complete, finishing it off 2moro

  7. #22
    Aristrum Mark (joined Aug 2007, location: United Kingdom, 474 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Might want to check for SQL injection ;).

  8. #23
    Sultan of Yolo Demantor (joined May 2008, location: Germany, 1,266 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Aristrum:
        Might want to check for SQL injection ;).

    Isn't needed since the server is applying the queries.

    An SQL injection can only be made if the client is requesting the commands by the queries (editing a packet and lol, trying to add something). But the client requests commands by IDs.

  9. #24
    Aristrum Mark (joined Aug 2007, location: United Kingdom, 474 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Demantor:
        Isn't needed since the server is applying the queries.

        An SQL injection can only be made if the client is requesting the commands by the queries (editing a packet and lol, trying to add something). But the client requests commands by IDs.

    I'm not exactly sure about what you just said, but...

    The queries you're executing still take user input.

    Code:
    procedure TServerSystem.CreateAccount(U: string; P: string);
    begin
      CurrentTime := DateTimeToStr(Time);
      // Build the INSERT by concatenating U into the statement text
      SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' +',NULL,NULL,20,NULL,0 )';
      SQLQuery.ExecSQL();
    end;
    You could inject queries similar to that, by changing U or P.

  10. #25
    Sultan of Yolo Demantor (joined May 2008, location: Germany, 1,266 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Aristrum:
        I'm not exactly sure about what you just said, but...

        The queries you're executing still take user input.

        Code:
        procedure TServerSystem.CreateAccount(U: string; P: string);
        begin
          CurrentTime := DateTimeToStr(Time);
          // Build the INSERT by concatenating U into the statement text
          SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' +',NULL,NULL,20,NULL,0 )';
          SQLQuery.ExecSQL();
        end;
        You could inject queries similar to that, by changing U or P.

    That's true, but it's going to be filtered.

    But, generally Query(s) will be requested by IDs to make it safer.
    Last edited by Demantor; 05-01-10 at 09:25 PM.

  11. #26
    Aristrum Mark (joined Aug 2007, location: United Kingdom, 474 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Demantor:
        That's true, but it's going to be filtered.

        But, generally Query(s) will be requested by IDs to make it safer.

    I see no filtering in the snippet posted, hence why I said it ;).

    Requesting by IDs doesn't really make it safer. They still have to send their inputted data along with it, which doesn't remove the problem.

  12. #27
    Sultan of Yolo Demantor (joined May 2008, location: Germany, 1,266 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Aristrum:
        I see no filtering in the snippet posted, hence why I said it ;).

        Requesting by IDs doesn't really make it safer. They still have to send their inputted data along with it, which doesn't remove the problem.

    True, but it's better than requesting by a direct query (which would be so stupid if it was xD).

  13. #28
    Aristrum Mark (joined Aug 2007, location: United Kingdom, 474 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    Quote, originally posted by Demantor:
        True, but it's better than requesting by a direct query (which would be so stupid if it was xD).

    Indeed, if you wanted to do a direct query, then you should be on the server :P.

    -

    You might want to try to implement logging, temporary bans, and perhaps interaction with the matchserver if you're up to it. :)

  14. #29
    I am THE DON Joe9099 (joined Jan 2007, location: England, Uk, 3,655 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    This looks damn awesome, good job so far!

  15. #30
    Extreme Coder - Delphi bounty-hunter (joined Sep 2007, location: GunZone Mansion, 1,725 posts)

    Re: [Delphi] GunZ Control Panel [WIP]

    For Aristrum, that wasn't the full CreateAccount procedure, this is:
    Code:
    procedure TServerSystem.CreateAccount(U: string; P: string);
    var
      AID: string;
    begin
      CurrentTime := DateTimeToStr(Time);
      // Look up whether the requested UserID already exists
      SQLQuery.SQL.Text := 'SELECT * FROM Account WHERE UserID = ' + '''' + U + '''';
      SQLQuery.ExecSQL();
      SQLQuery.Active := true;
      if SQLQuery.Fields[1].AsString = U then // Change Fields value from 0 to 1
      begin
        Log.Lines.Add('Failed to Create Account: ' + U);
        Log.Lines.Add('UserName Already in use!'); // lets test :D
      end
      else
      begin
        // Insert the Account row (U is used for both UserID and Name)
        SQLQuery.SQL.Text := 'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, Email, RegNum, Age, Sex, ServerID) VALUES ( ' + '''' + U + '''' + ',0,0,' + '''' + CurrentTime + '''' + ',' + '''' + U + '''' +',NULL,NULL,20,NULL,0 )';
        SQLQuery.ExecSQL();
        SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = ' + '''' + U + '''';
        SQLQuery.ExecSQL();
        SQLQuery.Active := true; // this is the fix :p     WORKS :D sure?, the aid should be 3 or? na look
        AID := SQLQuery.Fields[0].AsString; // Gets the AID Field :D
        ShowMessage(AID);
        // Insert the Login row with the password P
        SQLQuery.SQL.Text := 'INSERT INTO Login (UserID, AID, Password) VALUES ( ' + '''' + U + '''' + ',' + '''' + AID + '''' + ',' + '''' + P + '''' + ')';
        SQLQuery.ExecSQL();
        Log.Lines.Add('User account created : ' + U);
        // DONE :D xD lets see if it works :Dyea
      end;
    end;
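
Aristrum's point in the thread is that U and P end up inside the SQL text no matter which command ID delivered them; binding them as parameters removes that path. The following is an added example, not bounty-hunter's or the project's code. It assumes SQLQuery is a TADOQuery and that RegDate is a datetime column; CreateAccountSafe is a hypothetical name.

```delphi
// Added example. Assumes SQLQuery is a TADOQuery (unit ADODB); components
// such as TSQLQuery or TFDQuery use Params instead of Parameters.
// CreateAccountSafe is a hypothetical name; schema names come from the thread.
function TServerSystem.CreateAccountSafe(const U, P: string): Boolean;
var
  AID: Variant;
begin
  Result := False;
  // Existence check: U travels as a bound value, not as statement text.
  SQLQuery.Close;
  SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = :UserID';
  SQLQuery.Parameters.ParamByName('UserID').Value := U;
  SQLQuery.Open; // a SELECT is opened; ExecSQL is for statements without rows
  try
    if not SQLQuery.IsEmpty then
    begin
      Log.Lines.Add('Failed to create account, user name in use: ' + U);
      Exit;
    end;
  finally
    SQLQuery.Close;
  end;
  // Account row: each caller-supplied value gets its own named parameter.
  SQLQuery.SQL.Text :=
    'INSERT INTO Account (UserID, UGradeID, PGradeID, RegDate, Name, ' +
    'Email, RegNum, Age, Sex, ServerID) ' +
    'VALUES (:UserID, 0, 0, :RegDate, :Name, NULL, NULL, 20, NULL, 0)';
  SQLQuery.Parameters.ParamByName('UserID').Value := U;
  SQLQuery.Parameters.ParamByName('RegDate').Value := Now; // assumes a datetime column
  SQLQuery.Parameters.ParamByName('Name').Value := U;
  SQLQuery.ExecSQL;
  // Read back the AID generated for the new row.
  SQLQuery.SQL.Text := 'SELECT AID FROM Account WHERE UserID = :UserID';
  SQLQuery.Parameters.ParamByName('UserID').Value := U;
  SQLQuery.Open;
  try
    AID := SQLQuery.FieldByName('AID').Value;
  finally
    SQLQuery.Close;
  end;
  // Login row: the password is bound the same way, so quotes in P stay data.
  SQLQuery.SQL.Text :=
    'INSERT INTO Login (UserID, AID, Password) VALUES (:UserID, :AID, :Pwd)';
  SQLQuery.Parameters.ParamByName('UserID').Value := U;
  SQLQuery.Parameters.ParamByName('AID').Value := AID;
  SQLQuery.Parameters.ParamByName('Pwd').Value := P;
  SQLQuery.ExecSQL;
  Log.Lines.Add('User account created: ' + U);
  Result := True;
end;
```

With bound parameters a user name containing a single quote is stored verbatim instead of terminating the string literal, so the "filtering" mentioned in the thread becomes a second layer of defence and no longer the only one.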


