[WIP] Website Language Selection

In Progress... FFXIV... (joined Oct 5, 2010):
I have been a bit busy lately because I am so into my college classes and catching up on work. I was trying to make a website that can change the text language using a specific .PHP file chosen from the database. It seems that I finally got it to work properly this time. I am gonna make a website, but it is very simple, with the following web features:
  • Registration forms
  • Downloads page
  • User panel with character and clan management for the user
  • Clan and Individual ranking
  • User login and logout
  • Maybe a staff panel added as well

This is quite useful to those that don't read or write English. They will be able to change to the language they want from the user account settings.

The only thing I need help with is the anti-SQL injection. I know there are many ways to do anti-SQL injection. I was thinking that whoever wants to help, please PM me, and I'll be sure to send you the files once I get it fully coded and such.

I will also release this, so no need to ask if I am gonna release this or not.

Note: I will keep you guys updated and show proof of my results, along with whoever helps me with the anti-SQL injection.
 
Pee Aitch Pee (joined Mar 30, 2011):
Best protection against SQL injection would be to use .

for examples.

To make it work, you'll have to move the correct .dll to your PHP extension dir and enable it in the php.ini file.


--

Another method would be to check all the data which is sent by the user. (Which should always be done imo.)
And by this I mean to use for numbers, for alphanumeric strings and possibly for strings which should fit your needs.

--

A dirty method would be to loop through all $_POST and $_GET values and remove all "illegal" characters.

--

You could also rewrite the mysql_real_escape_string function so it does the same without requiring an active mysql connection.

--

Whoever can add something to this or noticed I made a mistake, feel free to correct me.
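The prepared-statement route suggested above, as an added example (my code, not anything from the thread or the poster's files): it validates the posted fields with whitelist checks and then inserts and looks up accounts through PDO with bound parameters, so the SQL text never changes whatever the user sends. It assumes PDO is available and uses an in-memory SQLite database so it runs offline; the MSSQL DSN in the comment, the field limits and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the thread: a registration handler that relies on
// prepared statements (PDO) plus input validation instead of escaping. It uses an
// in-memory SQLite database so it runs offline; for MSSQL the DSN would be something
// like "sqlsrv:Server=host;Database=db" (assumption: the pdo_sqlsrv or pdo_dblib
// extension is enabled in php.ini, which is the "move the .dll / enable it" step).
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE Account (
        AID    INTEGER PRIMARY KEY AUTOINCREMENT,
        UserID TEXT NOT NULL UNIQUE,
        Email  TEXT NOT NULL,
        Lang   TEXT NOT NULL DEFAULT 'english')");
    return $pdo;
}

// Validation first: reject anything that does not match the expected shape, so the
// value never reaches the query at all. The limits are assumptions for the demo.
function validateRegistration(array $post): array
{
    $errors = [];
    $userid = isset($post['userid']) ? (string) $post['userid'] : '';
    $email  = isset($post['email'])  ? (string) $post['email']  : '';
    if (!ctype_alnum($userid) || strlen($userid) < 3 || strlen($userid) > 16) {
        $errors[] = 'userid must be 3-16 alphanumeric characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not a valid address';
    }
    return $errors;
}

// Prepared statement: the SQL text is fixed and the values travel separately, so a
// quote or keyword inside $post['userid'] is stored as data, never parsed as SQL.
function register(PDO $pdo, array $post): int
{
    $errors = validateRegistration($post);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $stmt = $pdo->prepare('INSERT INTO Account (UserID, Email) VALUES (:userid, :email)');
    $stmt->execute([':userid' => $post['userid'], ':email' => $post['email']]);
    return (int) $pdo->lastInsertId();
}

// Same idea for reads: even an unvalidated value cannot change the query structure.
function findAccount(PDO $pdo, string $userid): ?array
{
    $stmt = $pdo->prepare('SELECT AID, UserID, Email FROM Account WHERE UserID = ?');
    $stmt->execute([$userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo with constructed input.
$pdo = connect();
$aid = register($pdo, ['userid' => 'alice', 'email' => 'alice@example.com']);
echo "registered alice as AID $aid\n";

// The classic payload is compared literally against UserID and matches nothing.
var_dump(findAccount($pdo, "alice' OR '1'='1"));      // NULL
var_dump(findAccount($pdo, 'alice')['UserID']);        // string(5) "alice"

// A hostile registration never reaches the database: validation rejects it first.
try {
    register($pdo, ['userid' => "bob'; DROP TABLE Account; --", 'email' => 'bob@example.com']);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

The validation and the prepared statement are two separate layers: the first keeps junk out of the table, the second is what actually makes injection impossible, and it still holds for values the validator lets through (an e-mail address can legitimately contain a quote).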
 
Praise the Sun! (joined Dec 4, 2007):
PHP:
<?php
// MySQL (the mysql_* extension was removed in PHP 7; use mysqli or PDO there)
function cleanInput($ustrInput) {
    return mysql_real_escape_string(htmlentities(stripslashes($ustrInput)));
}

// MSSQL: str_replace(search, replace, subject) doubles every single quote so it
// cannot end the string literal. Define only the cleanInput() that matches your
// driver; declaring both in one file is a fatal redeclaration error.
function cleanInput($ustrInput) {
    return str_replace("'", "''", htmlentities(stripslashes($ustrInput)));
}
?>

Call either of those functions before user input interacts with the database. That goes for cookies, GET and POST data.

E.g. for basic forms:

PHP:
<?php
// Assuming posted values are UserID, Password and E-mail
if (!isset($_POST['userid']) || $_POST['userid'] === '') {
    // Missing or empty: report it and stop, do not fall through to the INSERT
    echo "userid is not set.";
    exit;
}

// Checks verified
// Insert to database, data entering the database should be cleaned
mssql_query("INSERT INTO Account (UserID, Email) VALUES ('" . cleanInput($_POST['userid']) . "', '" . cleanInput($_POST['email']) . "')");

// Escape before echoing it back into the page, otherwise this is reflected XSS
echo htmlspecialchars($_POST['userid']) . " registered.";
?>

As for identifiers, I personally typecast them to integers.

E.g.:

PHP:
<?php
$pQuery = mssql_query("SELECT * FROM table WHERE id = " . (int)$_GET['id']);

if (mssql_num_rows($pQuery) == 0) {
    // No data found or user sent string, resulting into id = 0
}

// etc
?>
 
DRGunZ 2 Creator (joined Jan 21, 2007):
That's not a bad idea there with it being in the User Account Settings.
 
Praise the Sun! (joined Dec 4, 2007):
PHP:
    <?php
    $q = mssql_query("SELECT * FROM Website_ItemShop WHERE".((isset($_GET['cat'])) ? " Category = '".$_GET['cat']."' AND" : "")." Opened = 1 AND Type = '".convertType($_GET['page'])."' ORDER BY ID DESC");

Are you giving OP an example on how to not escape user data and therefore be vulnerable to SQL injects?
 
Hi, I'm Omar! (joined Jan 6, 2011):
Are you giving OP an example on how to not escape user data and therefore be vulnerable to SQL injects?

I loop through $_GETs and $_POSTs.
Code:
foreach($_GET as $key => $value)
{
	$_GET[$key]= str_replace("'", "", htmlentities($value));
}

foreach($_POST as $key => $value)
{
	$_POST[$key]= str_replace("'", "", htmlentities($value));
}
 
Praise the Sun! (joined Dec 4, 2007):
I loop through $_GETs and $_POSTs.
Code:
foreach($_GET as $key => $value)
{
    $_GET[$key]= str_replace("'", "", htmlentities($value));
}

foreach($_POST as $key => $value)
{
    $_POST[$key]= str_replace("'", "", htmlentities($value));
}

Ah, figured. You're missing out on GPC though, should stripslashes() before htmlentities().
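An added example (my code, not the posters') that actually runs the quote-stripping loop above against a query where the value sits in a numeric context, and next to it the (int) cast from earlier in the thread. The table, rows and payload are constructed for the demo, and an in-memory SQLite database stands in for MSSQL so the queries execute offline.

```php
<?php
// Added example, not code from the thread: it runs the "loop over $_GET/$_POST and
// strip quotes" sanitizer from the posts above against a numeric WHERE clause and
// compares it with the (int) cast suggested earlier. Inputs are constructed; the
// database is in-memory SQLite so the queries actually execute offline.
declare(strict_types=1);

// The posted loop, wrapped in a function so it can be applied to a test array.
function stripQuotes(array $input): array
{
    foreach ($input as $key => $value) {
        $input[$key] = str_replace("'", "", htmlentities((string) $value));
    }
    return $input;
}

// The "GPC" remark: with magic_quotes_gpc on (PHP < 5.4), every quote already arrives
// backslashed, so stripslashes() has to run first. Guarded so it still runs on PHP 8,
// where the function no longer exists.
function undoMagicQuotes(array $input): array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        foreach ($input as $key => $value) {
            $input[$key] = stripslashes((string) $value);
        }
    }
    return $input;
}

function sampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE Account (AID INTEGER PRIMARY KEY, UserID TEXT)");
    $pdo->exec("INSERT INTO Account VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $pdo;
}

// Numeric context: the value is not inside quotes, so there is nothing for the
// sanitizer to remove and the boolean expression is appended to the query as-is.
function lookupStripped(PDO $pdo, array $get): array
{
    $get = stripQuotes(undoMagicQuotes($get));
    $sql = "SELECT UserID FROM Account WHERE AID = " . $get['id'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The (int) cast: "1 OR 1=1" becomes 1, a non-numeric string becomes 0 (no rows).
function lookupCast(PDO $pdo, array $get): array
{
    $sql = "SELECT UserID FROM Account WHERE AID = " . (int) $get['id'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = sampleDb();
$payload = ['id' => '1 OR 1=1'];   // no quote character anywhere in it

print_r(lookupStripped($pdo, $payload));   // alice, bob, carol: every account leaked
print_r(lookupCast($pdo, $payload));       // alice only

// Side effect of quote stripping on legitimate data: the name is altered before it is
// stored. On PHP 8.1+ htmlentities() encodes the quote itself (&#039;); on older
// versions the quote is simply deleted ("OBrien"). Either way it is no longer O'Brien.
print_r(stripQuotes(['name' => "O'Brien"]));
```

The cast works because it fixes the type of the value, not because it removes characters; the same reasoning is why stripping a character list never gives a guarantee for string contexts either, since the list has to anticipate every quoting and encoding trick the database accepts.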
 
In Progress... FFXIV... (joined Oct 5, 2010):
So far I got this:

index.php
PHP:
if(!$_SESSION[AID] == "")
	{
		$qy = mssql_query("SELECT * FROM Account WHERE AID = {$_SESSION[AID]}");
		$task = mssql_fetch_assoc($qy);
		$language = $task['Lang'];
		include "lang/{$language}.php";
	} else 
	{
		include "lang/{$_CONFIG[Language]}.php";
	}

config.php
PHP:
$_CONFIG[Language]			= "english";

Code:
-- A NOT NULL column can only be added to a populated table when its DEFAULT is given
-- in the same statement, so both go into one ALTER (no BEGIN TRANSACTION, so no COMMIT)
ALTER TABLE [dbo].[Account] ADD
	[Lang] [varchar](max) NOT NULL
	CONSTRAINT [DF_Account_Lang] DEFAULT ('english')
GO

Note: I did not include the rest of the code in the files.

I'll probably use my own website design to make it look a bit more unique in ways.
 
Praise the Sun! (joined Dec 4, 2007):
index.php
PHP:
if(!$_SESSION[AID] == "")
    {
        $qy = mssql_query("SELECT * FROM Account WHERE AID = {$_SESSION[AID]}");
        $task = mssql_fetch_assoc($qy);
        $language = $task['Lang'];
        include "lang/{$language}.php";
    } else 
    {
        include "lang/{$_CONFIG[Language]}.php";
    }

That's not the way to go. Array keys should be wrapped in quotation marks if they are strings; the same goes for globals. Also, SESSION variables should be checked for existence.

E.g.

PHP:
<?php
if(isset($_SESSION['AID']) && !empty($_SESSION['AID']))
    {
        $qy = mssql_query("SELECT * FROM Account WHERE AID = " . $_SESSION['AID']);
        $task = mssql_fetch_assoc($qy);
        $language = $task['Lang'];
        include("lang/" . $language . ".php");
        
        // might as well
        //include("lang/" . mssql_result(mssql_query("SELECT Lang FROM Account WHERE AID = " . $_SESSION['AID']), 0, 0));
    } else 
    {
        include("lang/" . $_CONFIG['Language'] . ".php");
    }
?>

config.php
PHP:
$_CONFIG[Language]            = "english";

PHP:
<?php
$_CONFIG['Language']            = "english";
?>
 
Hi, I'm Omar! (joined Jan 6, 2011):
>google translate api.

Or you could use a cookie for it.
 
Pee Aitch Pee (joined Mar 30, 2011):
Just something to add: if you're going to use that code, be sure to check that the language the user selects in their profile is valid.
Otherwise you might be vulnerable to local file inclusion (in combination with a null byte).
 
Unnamed member (joined Jan 5, 2008):
Isn't it easier to make certain "Define" files for every language
and then just add something like:

Define english file (lan/english.php):
PHP:
<?php
Define('LOGIN', 'Login');
?>

Dutch ex (lan/dutch.php):
PHP:
<?php
Define('LOGIN', 'Inloggen');
?>

Then when someone is logging in check for:
PHP:
// Double single quotes so the value cannot break out of the string literal (MSSQL)
$username = str_replace("'", "''", $_POST['username']);
$query = mssql_query("SELECT * FROM Login WHERE username='" . $username . "' ");
$f = mssql_fetch_array($query);   // mssql_, not mysql_: the handle came from the MSSQL extension

// basename() drops any directory part, so a stored "../config.php" cannot leave lan/
if( $f && isset( $f['language'] ) && file_exists( 'lan/'.basename($f['language']) ) )
{
   include('lan/'.basename($f['language']));
}
else
{
   include('lan/english.php');
}

and for the login header:
PHP:
<div id="login">
   <div id="header">
       <?php echo LOGIN; ?>
   </div>
</div>

REMEMBER, THIS IS AN EXAMPLE.
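Following up the local-file-inclusion warning above and the file_exists() check in this post, here is an added example (my code, not the poster's) of a language loader that whitelists the name before it ever reaches include. A bare file_exists('lan/'.$f['language']) does not stop a stored value such as "../config.php" from being included, because that file exists too. The loader keeps the strings in a $_LANG array rather than define() constants so the demo can load two languages in one run; the directory, file names, strings and hostile values are all constructed for the demo.

```php
<?php
// Added example, not code from the thread: a language loader that only ever passes a
// whitelisted name to include, so a tampered Account.Lang value, a forged cookie or a
// manipulated session cannot turn the include into local file inclusion. The language
// files live in a temp dir created by the demo; names and strings are constructed.
declare(strict_types=1);

// Every language that has a file, and the only strings that will ever reach include.
const LANGUAGES = ['english', 'dutch'];

// Exact, type-strict match against the whitelist; anything else falls back to the
// default. "../config", "english.php", "english\0" and "ENGLISH" all fail the check.
function resolveLanguage(?string $requested, string $default = 'english'): string
{
    if ($requested !== null && in_array($requested, LANGUAGES, true)) {
        return $requested;
    }
    return $default;
}

// Builds the path from the whitelisted name only, then double-checks that the resolved
// file really sits inside the language directory before returning it.
function languageFile(string $langDir, string $requested): string
{
    $base = realpath($langDir);
    $path = realpath($langDir . DIRECTORY_SEPARATOR . resolveLanguage($requested) . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('language file missing or outside ' . $langDir);
    }
    return $path;
}

// Loads the strings into a $_LANG array (the language file fills it) and returns it.
function loadLanguage(string $langDir, string $requested): array
{
    $_LANG = [];
    require languageFile($langDir, $requested);
    return $_LANG;
}

// Demo: write two language files to a temp dir, then exercise the loader.
function demoLangDir(): string
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . getmypid();
    if (!is_dir($dir)) {
        mkdir($dir);
    }
    file_put_contents($dir . '/english.php',
        "<?php \$_LANG['login'] = 'Login'; \$_LANG['logout'] = 'Logout';");
    file_put_contents($dir . '/dutch.php',
        "<?php \$_LANG['login'] = 'Inloggen'; \$_LANG['logout'] = 'Uitloggen';");
    return $dir;
}

$dir = demoLangDir();

// A normal choice saved in Account.Lang, and the kind of value an attacker might store.
foreach (['dutch', 'english', '../../../../etc/passwd', "english\0", 'english.php'] as $value) {
    echo str_pad(addcslashes($value, "\0"), 24), ' -> ', resolveLanguage($value), "\n";
}

$strings = loadLanguage($dir, 'dutch');
echo $strings['login'], "\n";                        // Inloggen
echo loadLanguage($dir, 'bogus')['login'], "\n";     // Login (fell back to english)
```

When the settings form saves the user's choice, store resolveLanguage($_POST['lang']) rather than the raw value, and run a cookie-based choice through the same function. PHP 5.3.4 and later already refuses include paths that contain a NUL byte, but with a whitelist that detail no longer matters.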
 
Praise the Sun! (joined Dec 4, 2007):
Isn't it easier to make certain "Define" files for every language
and then just add something like: [...]

Defines were made to create constants at run-time. Though language sure is a constant, it's better practice and more organized to create your own superglobal-like variable.

E.g.

PHP:
$_LANG = array();
$_LANG['login'] = "Login";
$_LANG['logout'] = "Logout";
 
Unnamed member (joined Jan 5, 2008):
Defines were made to create constants at run-time. Though language sure is a constant, it's better practice and more organized to create your own superglobal-like variable.

E.g.

PHP:
$_LANG = array();
$_LANG['login'] = "Login";
$_LANG['logout'] = "Logout";

It is designed for another purpose, but it would still work,
and it's less writing to do LOGIN than $_LANG['login'] :$
 
In Progress... FFXIV... (joined Oct 5, 2010):
I'm still working on this, but I'm gonna release partial stuff that you can do for your own modifications. I don't care what you do to these files or say my method sucks or whatever. I am doing it my way for the files in order to make it work. There are many methods and ways to do one thing.

Download:
 
DRGunZ 2 Creator (joined Jan 21, 2007):
I'm still working on this, but I'm gonna release partial stuff that you can do for your own modifications. [...]
The site looks very good.
 