Storage Script?

This is a guide mostly for website tools and code, for example CMS or registration scripts.
There can also be tools.


Re: Storage Script?

Postby xadet3 on Wed Feb 29, 2012 9:12 am

You don't need to escape hashes because they aren't user inputted.

Re: Storage Script?

Postby hoegarden31 on Wed Feb 29, 2012 11:34 am

Hum, I would escape every value you get from a $_GET or $_POST.
If not, I can do an SQL injection with Tamper Data :p

Re: Storage Script?

Postby xadet3 on Wed Feb 29, 2012 2:49 pm

Yes, but escaping hashes is completely pointless, they're essentially randomly generated where the user inputted value is merely the seed.

Re: Storage Script?

Postby Mark on Wed Nov 07, 2012 6:47 pm

Ok back to this lil project.

I'm still working on this script, so far I have got the data to be shown from the storage.sql, I'm just trying to find a way to link the icon files to the data which is presented from the storage.sql, see example below:

  1. User logs in
  2. User clicks storage link
  3. Storage loads and shows items that are currently in his/her storage
  4. In column: Itemnum, the data is the item number of the item in storage


Below is how the table of data is grabbed and shown:
( owner is echo'd for testing purposes only )
    // Build the table and name the columns in HTML
    echo "<table border='1'>
    <tr>
    <th>Owner ID</th>
    <th>Item#</th>
    <th>Quantity</th>
    </tr>";
    // Fill the table rows with data
    while ($row = mysql_fetch_array($result))
    {
        echo "<tr>";
        echo "<td>" . $row['owner'] . "</td>";
        echo "<td>" . $row['itemnum'] . "</td>";
        echo "<td>" . $row['count'] . "</td>";
        echo "</tr>";
    }
    echo "</table>";
    // Close the SQL connection, for now
    mysql_close($con);


So as you can see, this is just a basic echo of data from the sql table.
Now I need to find a way of displaying an image for data in column Item#

I didn't really want to go down the route of adding every single icon to an sql database, rather all the icons are currently sitting in the image folder all correctly named ( 1049.png/jpg, not Iconsheet_16_1049.png )

Any ideas anyone ( points at the gods of PHP and MySQL )

Thanks in advance,
Mark
:D
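One way to tie the icons to the Item# column when the files are already named by item number, as asked in the post above (an added example, not the thread's script). It uses PDO prepared statements with an in-memory SQLite database in place of the mysql_* calls; the `images` folder, the helper names `icon_for` and `render_storage`, and the sample rows are assumptions.

```php
<?php
// Added example, not the thread's script. Table and column names follow the post
// (storage: owner, itemnum, count); the image folder and sample rows are assumptions.

// Map an item number to its icon file. Only an integer ever reaches the path.
function icon_for(int $itemnum, string $dir = 'images'): ?string
{
    foreach (['png', 'jpg'] as $ext) {
        $path = "$dir/$itemnum.$ext";
        if (is_file($path)) {
            return $path;
        }
    }
    return null; // no icon on disk for this item
}

function render_storage(PDO $db, int $owner): string
{
    // Bound parameter: the owner id never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT owner, itemnum, count FROM storage WHERE owner = ?');
    $stmt->execute([$owner]);

    $html = "<table border='1'>\n<tr><th>Owner ID</th><th>Item#</th><th>Icon</th><th>Quantity</th></tr>\n";
    foreach ($stmt as $row) {
        $itemnum = (int) $row['itemnum'];
        $icon = icon_for($itemnum);
        $img = $icon === null ? '' : '<img src="' . htmlspecialchars($icon, ENT_QUOTES) . '" alt="">';
        $html .= '<tr><td>' . (int) $row['owner'] . '</td><td>' . $itemnum . '</td><td>' . $img
               . '</td><td>' . (int) $row['count'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE storage (owner INTEGER, itemnum INTEGER, count INTEGER)');
$db->exec('INSERT INTO storage VALUES (7, 1049, 3), (7, 2001, 1), (8, 1049, 9)');

// The request value is validated as an integer; anything else is rejected before the query.
$owner = filter_var('7', FILTER_VALIDATE_INT); // stands in for the logged-in user's id
if ($owner === false) {
    exit('invalid owner id');
}
echo render_storage($db, $owner);
```

Rows whose icon file is missing simply render an empty icon cell, so no icon table is needed in the database.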

Re: Storage Script?

Postby hoegarden31 on Sun Dec 16, 2012 1:47 pm

Back to xadet3 (I know it's a long time ago :p). It doesn't matter if it's generated in the PHP code. If you pass that variable into a GET, you can use Tamper Data (Firefox plugin) to intercept the data you just sent or received, and then change it the way you want (including adding some SQL injections). So never use a GET or POST in a query without escaping it first.

To Mark: just name all your images after the item id... problem solved
(And I would see the result of all your echos... :p Why not make a template in HTML for your header and rows? It would be far easier afterwards to add CSS or change something. But it's just a suggestion. You are the pro...)

Re: Storage Script?

Postby xadet3 on Sun Dec 16, 2012 2:22 pm

hoegarden31 wrote: Back to xadet3 (I know it's a long time ago :p). It doesn't matter if it's generated in the PHP code. If you pass that variable into a GET, you can use Tamper Data (Firefox plugin) to intercept the data you just sent or received, and then change it the way you want (including adding some SQL injections). So never use a GET or POST in a query without escaping it first.

Yes, but it's not inserting GET or POST data, it's inserting a hash. You can't change what MD5/SHA1/etc. returns to include an SQL injection; MD5, for example, will return a 32 character hexadecimal string regardless. Escaping everything being inserted into a database is very bad practice; you only need to escape user input, and a hash is not user input.
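The two cases discussed in the posts above, side by side: a hash computed on the server versus a value that arrives in the request and only claims to be a hash (an added example, not code from the thread). The `accounts` table, the function names and all sample values are assumptions, and the in-memory SQLite database is there only so the example runs offline.

```php
<?php
// Added example, not code from the thread. The accounts table, its columns
// and every sample value below are constructed for illustration.

// Hash computed on the server: md5() (named in the thread) always returns
// 32 lowercase hex characters, whatever the input contains.
function server_side_hash(string $input): string
{
    return md5($input);
}

// Shape check for a value that merely claims to be an MD5 hash, e.g. one
// that travelled through $_GET/$_POST and could have been altered on the way.
function is_md5_hex(string $value): bool
{
    return strlen($value) === 32 && ctype_xdigit($value);
}

// Bound parameters keep both values out of the SQL text regardless of origin.
function find_account(PDO $db, string $name, string $hash): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM accounts WHERE name = ? AND pass = ?');
    $stmt->execute([$name, $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->prepare('INSERT INTO accounts (name, pass) VALUES (?, ?)')
   ->execute(['mark', server_side_hash('constructed-password')]);

$odd = "it's \"quoted\"; -- text"; // constructed input containing quote characters

var_dump(is_md5_hex(server_side_hash($odd))); // hashing on the server fixes the shape
var_dump(is_md5_hex($odd));                   // raw request data carries no such guarantee
var_dump(find_account($db, 'mark', server_side_hash('constructed-password')) !== null);
var_dump(find_account($db, 'mark', $odd));    // bound value is compared as data only
```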

Re: Storage Script?

Postby hoegarden31 on Sun Dec 16, 2012 3:43 pm

I agree with that, but I was confused about how he used the hash. I thought he put the code into a URL or something. In that case you can better secure it. And I said in previous posts to escape only $_GET and $_POST.

Re: Storage Script?

Postby Mark on Sun Dec 16, 2012 11:24 pm

Guys, ignore the above code snippet, the storage script has changed since that post, and I only ever escape $_GET and $_POST, had to remove some stuff like addslashes as one of my idiot friends was like

"why don't you use addslashes instead of mysql real escape string"


I was like lol, get fked.

Re: Storage Script?

Postby observe on Wed Jan 23, 2013 2:52 am

This what u mean?
This is still a WIP but getting there

Still working on the layout and the code to make it work more flexible (slot changing etc)
Attachments
Naamloos.png

Re: Storage Script?

Postby observe on Sat Jan 26, 2013 2:02 am

If someone has a full database of items I can use for the storage script, that would be very nice.
This is so I can set up the fields correctly and such.