[HTML, CSS, PHP, TrinityCore] Creating an Account Creation webpage for your Server menu

  1. #1
    Valkryst (Active Member)

    Deleted - GDPR
    Last edited by Valkryst; 10-04-2023 at 12:15 PM.

  3. #2
    homer91 (Active Member, CoreCoins Purchaser)
    Did you check this for sqli?

  4. #3
    Valkryst (Active Member)
    Originally Posted by homer91:
    Did you check this for sqli?
    SQL Injection? Yeah, it should be safe from it. No special characters are allowed and everything important is done server-side so I can't think of any way for someone to mess with it.

  5. #4
    stoneharry (Moderator)
    Thanks for this guide. Didn't see it before and an up-to-date account registration script has been needed for a while.

    I am really not confident about this piece of code though:

    Code:
    include('config.inc.php');
    $username = $_POST['accUsername'];
    $password = $_POST['accPassword'];

    // the raw POST values are interpolated straight into the SQL text
    $connection = new mysqli($host, $user, $pass, $db, $port);
    mysqli_query($connection, "call create_account(\"{$username}\", \"{$password}\");");
    $connection->close();
    Any time you take input directly from POST/GET or any other client data you should really verify it.

    It should be something like:

    Code:
    $string = mysql_real_escape_string($string);
    My PHP knowledge is not that great though so I could be wrong.

  6. #5
    Pewzz (Sergeant)
    Very useful & Interesting, thanks for this.

  7. #6
    Valkryst (Active Member)
    @stoneharry

    I did a quick search on the mysql_real_escape_string function and was told that it "Escapes special characters in a string for use in an SQL statement". I'm going to assume that this serves the same purpose as the code below (a snippet of code from the OP). What I did, because I barely know PHP, is to prevent any of the special characters from being used in usernames/passwords as you can see <removed the link>.

    I'll take a better look at that function later today and test it out. If it works as I think it does then I'll do a quick rewrite of the OP.

    Thanks for the tip!
    Last edited by Valkryst; 05-15-2014 at 03:22 PM.

  8. #7
    stoneharry (Moderator)
    Originally Posted by Valkryst:
    @stoneharry

    I did a quick search on the mysql_real_escape_string function and was told that it "Escapes special characters in a string for use in an SQL statement". I'm going to assume that this serves the same purpose as the code below (a snippet of code from the OP). What I did, because I barely know PHP, is to prevent any of the special characters from being used in usernames/passwords as you can see here.

    I'll take a better look at that function later today and test it out. If it works as I think it does then I'll do a quick rewrite of the OP.

    Thanks for the tip!
    Since you are specifically using direct POST data input, you can use this to modify the POST data sent to the website: https://addons.mozilla.org/en-US/fir...n/tamper-data/

    (I don't have FireFox installed and Chrome is difficult to do this in.)

    Modifying the post data directly will bypass any type of sanitisation you have done previously.

  9. #8
    InternetExplorer (Contributor)
    Instead of using mysql_real_escape_string, you should be using prepared statements.

  10. #9
    Valkryst (Active Member)
    Originally Posted by InternetExplorer:
    Instead of using mysql_real_escape_string, you should be using prepared statements.
    I took a quick look at PHP: Prepared statements and stored procedures - Manual and I don't really see why they would be any better than mysql_real_escape_string. Care to explain?

  11. #10
    InternetExplorer (Contributor)
    Originally Posted by Valkryst:
    I took a quick look at PHP: Prepared statements and stored procedures - Manual and I don't really see why they would be any better than mysql_real_escape_string. Care to explain?
    mysql_real_escape_string is deprecated, and will be removed from PHP in the future.
    With prepared statements, SQL statements are sent & parsed to your database separately from any parameters, which makes it impossible to inject any malicious SQL.

    mysql_real_escape_string only escapes special characters and still leaves your query at risk for SQL injection, as user provided data will compose your SQL statement.

  12. #11
    Valkryst (Active Member)
    Drat. Prepared statements do sound like a necessary modification to the code, but I've forgotten nearly everything about PHP that I knew when writing most of this. It was more of a "code for 24-hours straight, get it to work, then forget everything" kind of deal. =/

    Would you care to modify the code to work with a prepared statement?

  13. #12
    InternetExplorer (Contributor)
    Originally Posted by Valkryst:
    Drat. Prepared statements do sound like a necessary modification to the code, but I've forgotten nearly everything about PHP that I knew when writing most of this. It was more of a "code for 24-hours straight, get it to work, then forget everything" kind of deal. =/

    Would you care to modify the code to work with a prepared statement?
    I've never used Mysqli, so I only know how to do this with PDO.

    config.inc.php:
    Code:
    <?php
    class MySQL {
        // DSN placeholders: fill in your MySQL host and the auth database name
        public static $dsn  = 'mysql:host=HOST NAME;dbname=DB NAME;charset=utf8';
        public static $user = '';
        public static $pass = '';

        private static $db;

        // singleton: no direct construction or cloning from outside
        private function __construct() { }
        private function __clone() { }

        public static function get() {
            if (is_null(self::$db)) {
                self::$db = new PDO(self::$dsn, self::$user, self::$pass);
                // throw on driver errors instead of failing silently
                self::$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
                // use real server-side prepared statements, not client-side emulation
                self::$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
            }
            return self::$db;
        }
    }
    Call your connection with:
    Code:
    require('config.inc.php');
    $db = MySQL::get();
    Then you can do SELECT queries like this:
    Code:
    $stmt = $db->prepare('SELECT username FROM account WHERE username = ?');
    $stmt->execute(array($_POST['accUsername']));
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if ($rows) {
        // user found, do something
    } else {
        // not found
    }
    INSERT INTO queries:
    Code:
    $stmt = $db->prepare('INSERT INTO account(username, password) VALUES (?,?)');
    $stmt->execute(array($_POST['accUsername'], $_POST['accPassword']));
    PHP will automatically close the connection itself when the script is finished.
    Btw, your form is vulnerable to CSRF attacks.
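    Added example (not code from the thread): one way to close the CSRF hole the post above points out, using a per-session synchronizer token on the registration form. The field names accUsername/accPassword come from the thread; the token name, PHP 7 or later, and the form markup are assumptions.

```php
<?php
// Added example, not the thread's own code. A random token is issued once per
// session, embedded in the form, and every POST must echo it back before the
// account-creation code is allowed to run. Assumes PHP 7+ (random_bytes).
session_start();

// Issue the token once per session and reuse it for later renders of the form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or wrong token rejects the request.
function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid form submission.');
    }
    // Only now run the prepared CALL create_account(...) from this thread.
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token"
           value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <input type="text" name="accUsername">
    <input type="password" name="accPassword">
    <button type="submit">Create account</button>
</form>
```

    The token is tied to the session cookie, so a cross-site form post that carries the victim's cookie still cannot supply a matching hidden field.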

  14. #13
    Valkryst (Active Member)
    Thanks a lot for writing out that code. I'm working on getting a test-version of the code up and running at the moment before I rewrite the tutorial with it.

    I've just about got the code ready for testing. For the INSERT query I'm actually using a stored procedure instead, but that's not too relevant to this next bit.

    Basing my slightly altered test-code off of this:
    Code:
    $stmt = $db->prepare('INSERT INTO account(username, password) VALUES (?,?)');
    $stmt->execute(array($_POST['accUsername'], $_POST['accPassword']));
    Should it be written like this if I'm using variables:
    Code:
    $accUsername = $_POST['accUsername'];
    $accPassword = $_POST['accPassword'];
    $stmt = $db->prepare('CALL create_account(:accUsername, :accPassword);');
    $stmt->bindParam(':accUsername', $accUsername);
    $stmt->bindParam(':accPassword', $accPassword);

    Edit:

    I can't seem to get it working correctly. Maybe I've combined the different pieces of code you've given me incorrectly?

    As far as my tests have shown, the echo on line 96 doesn't show up after submitting the form and the accounts are never created even after submitting correct information. I'll keep messing around for now.

    Current HTML/PHP code: http://pastebin.com/xa9CdcTy
    config.inc.php: http://pastebin.com/rKFuqK9Q

    Thanks again for your help.
    Last edited by Valkryst; 05-16-2014 at 10:44 PM.

  15. #14
    InternetExplorer (Contributor)
    You forgot to execute the query.
    $stmt->execute();

  16. #15
    Valkryst (Active Member)
    Originally Posted by InternetExplorer:
    You forgot to execute the query.
    $stmt->execute();
    Both execute statements are there from what I see. Lines 88 and 119 contain the execute statements. Was there another place where there had to be one?
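    Added example (not the thread's code): the stored-procedure call the last few posts are working towards, carried through to execute() with error handling. It assumes the MySQL::get() helper from the config.inc.php posted earlier in the thread and an existing create_account(username, password) procedure in the auth database; the 3-16 character limits and the credentials_are_valid() helper are assumptions of this example.

```php
<?php
// Added example, not the thread's own code. Prepare, bind, execute, and report
// failure for the CALL discussed above. Assumes MySQL::get() from the posted
// config.inc.php and a create_account(username, password) stored procedure.
require('config.inc.php');

// Keeps the original tutorial's whitelist idea: letters and digits only.
// The 3..16 length limits are an assumption, not taken from the thread.
function credentials_are_valid(string $username, string $password): bool
{
    return preg_match('/^[A-Za-z0-9]{3,16}$/', $username) === 1
        && preg_match('/^[A-Za-z0-9]{3,16}$/', $password) === 1;
}

// Returns true on success, false on failure; SQL text is never built from input.
function create_account(PDO $db, string $username, string $password): bool
{
    try {
        // The statement text is fixed; values travel separately as parameters.
        $stmt = $db->prepare('CALL create_account(:accUsername, :accPassword)');
        $stmt->bindValue(':accUsername', $username, PDO::PARAM_STR);
        $stmt->bindValue(':accPassword', $password, PDO::PARAM_STR);
        $ok = $stmt->execute();   // the step missing from the posted snippet
        // MySQL returns an extra result set after CALL; release it so the
        // same connection can run further statements.
        $stmt->closeCursor();
        return $ok;
    } catch (PDOException $e) {
        // Log the driver error server-side; tell the user nothing specific.
        error_log('create_account failed: ' . $e->getMessage());
        return false;
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $username = $_POST['accUsername'] ?? '';
    $password = $_POST['accPassword'] ?? '';
    if (!credentials_are_valid($username, $password)) {
        echo 'Username and password must be 3-16 letters or digits.';
    } elseif (create_account(MySQL::get(), $username, $password)) {
        echo 'Account created.';
    } else {
        echo 'Account could not be created.';
    }
}
```

    Because MySQL::get() sets PDO::ERRMODE_EXCEPTION, a failing CALL surfaces as a PDOException rather than a silent false, which is why the whole prepare/execute sequence sits inside the try block.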
