MakeWebGames

Everything posted by Miks

  1. I'm looking for someone to implement a Facebook Connect feature with signup and login abilities. I don't mind paying, I have seen one on mccodes marketplace for $20 but it states it doesn't work in IE. I don't have a standard Mccodes script so I think one may have to be custom made. I can post my signup source code if that helps?
  2. Hey [MENTION=65073]lucky3809[/MENTION] thanks for your advice, at the moment I am learning about security and will continue to post my work as I create new features until I get it right. I appreciate everyone's feedback and ask that you continue to give feedback on my future posts as it's helping me learn quickly! I don't want to copy and paste when I can help it as I do like to learn, I have a "fairly" good understanding and things are starting to click into place and become a little clearer. I'm still confused about a few things but will post them if I can't work them out for myself.
  3. Ok so I was right about the comment bit, I thought he commented it out as it was not needed but then couldn't understand how it worked! And thank you for pointing out the DB escape issue as well, thank you!
  4. I have copied and pasted Guest's code and updated any reference to dp_update to cp_update. When you insert an image URL it gives you the success message but doesn't update the DB. I also don't see any reference to it updating the database apart from my commented out section, although I'm sure I'm wrong.

         <?php
         include "globals.php";
         $image = isset($_POST['cp_update']) && is_string($_POST['cp_update']) && filter_var($_POST['cp_update'], FILTER_VALIDATE_URL) ? $_POST['cp_update'] : FALSE ;
         if ($image) {
             $ext = substr($image, strripos($image, '.') + 1);
             switch($ext) {
                 case "png": $file = imagecreatefrompng($image); break;
                 case "jpg": $file = imagecreatefromjpeg($image); break;
                 case "gif": $file = imagecreatefromgif($image); break;
                 default: $error = 'No valid image entered'; break;
             }
             if (isset($error)) {
                 echo $error;
             } else {
                 $size = getimagesize($image);
                 if (is_array($size)) {
                     $mime = array('image/jpg', 'image/jpeg', 'image/gif', 'image/png');
                     if (in_array($size['mime'], $mime)) {
                         if ($size[0] && $size[1]) {
                             //$db->query("UPDATE users SET cover_pic='{$_POST['cp_update']}' WHERE userid=$userid");
                             //$ir['cover_pic']=stripslashes($_POST['cp_update']);
                             echo '<b>Your Avatar Has Been Updated!</b>';
                         } else {
                             echo '<b>Height or Width could not be detected</b>';
                         }
                     } else {
                         echo '<b>No mime type returned.</b>';
                     }
                 } else {
                     echo '<b>Did not pass getimagesize() so not a valid resource.</b>';
                 }
             }
         }
         echo '<form action="coverupload.php" method="post">
         Image Link : <input type="text" name="cp_update" value="http://">
         <button>Test</button>
         </form>';
         $h->endpage();
         ?>
  5. When I update the preg_match to

         if(!preg_match('^([a-z0-9_\-%\/\/.]+\.)(jpe?g|gif|png)$', $_POST['cp_update']))

     and insert an image URL like: http://covers4timelines.com/uploads/covers/7f99bef877271bf7dd4aee74c0629e32.jpg it keeps on saying "You are trying to upload an invalid image".
  6. Ok I'll have another read. We don't have EXIF installed on the server, if it's important then I'll put a request in to have it added. I'll read up on preg_match as I'm still learning and don't know exactly what to do from your post, however it is helpful but I will need to do a bit of searching to understand it.
  7. Ok this is what I have now

         if(isset($_POST['cp_update']))
         if(!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['cp_update']))
         {
             print "You are trying to upload an invalid image";
         }
         else{
             $ir['cover_pic']=stripslashes($_POST['cp_update']);
             $cover_pic = trim($_POST['cp_update']);
             $db->query("UPDATE users SET cover_pic='$cover_pic' WHERE userid=$userid");
             print "<b>Your Cover Picture Has Been Updated!</b>";
         }
         print "
         <form method='post' action=$_SERVER[php_SELF]>
         url:<input type='text' name='cp_update' value='http://'>
         <input type='submit' value='Submit'>
         </form>
         ";

     Using the below stopped the feature from working, not sure why

         $cover_pic = $db->escape_string($cover_pic);

     After doing some Google searching I read that it was best to change the form action to <form method='post' action=$_SERVER[php_SELF]>
  8. I'm new to all this so was wondering if someone could teach/help me to secure this? Here's what I have got so far

         include "globals.php";
         print "
         <h2>Upload Cover Picture</h2>
         You can personalize your profile page by adding a cover picture<BR><BR>
         Current url:<BR>
         {$ir['cover_pic']}<BR>
         <img src='{$ir['cover_pic']}' width='840' height='300' alt='' title='' style='float: center'>
         ";
         if(isset($_POST['cp_update']))
         if(!preg_match('~(.?).(jpg|jpeg|gif|png)~i', $_POST['cp_update']))
         {
             print "You are trying to upload an invalid image";
         }
         else{
             $db->query("UPDATE users SET cover_pic='{$_POST['cp_update']}' WHERE userid=$userid");
             $ir['cover_pic']=stripslashes($_POST['cp_update']);
             print "<br><b>Your Cover Picture Has Been Updated!</b>";
         }
         print "
         <form method='post' action='coverupload.php'>
         url:<input type='text' name='cp_update' value='http://'>
         <input type='submit' value='Submit'>
         </form><BR>
         You can set a cover picture by posting the url to the image itself in the above box, make sure you include http://.<BR>If you want a free website to upload your image to then we recommend ImgShare.co.uk.
         ";
         $h->endpage();
  9. [MENTION=70854]Truefalse[/MENTION] I see what you mean about SQL injections. I didn't think about it like that but it makes perfect sense. But I'm lost when you say about stored XSS.
  10. I tried a couple of other things first but couldn't get it to work correctly. I will have another stab at it tonight with random events etc
  11. I will try and secure it myself as I "think" I know how to do it now. I will upload the changes shortly and then you can take a look. Sorry for sharing something that's not secure, I thought I had done it right. Oh well if anything this is a good learning curve! I've picked up a lot from this site over the last few days, I guess I still have a bit more to learn!
  12. Is it my upload page that's not secure?
  13. [MENTION=70854]Truefalse[/MENTION] I won't be able to Skype but if you could point out where I have gone or where it isn't secure that would be great, it will help me understand more and hopefully not make the same mistake in future.
  14. [ATTACH=CONFIG]1848[/ATTACH]
  15. **Updated** Allow your users to upload a cover picture to their profile page. This one is slightly fiddly to implement but if you follow my instructions you shouldn't go wrong.

     1. Create a new page called coverupload.php and paste the below code

         <?php
         include "globals.php";
         $image = isset($_POST['cp_update']) && is_string($_POST['cp_update']) && filter_var($_POST['cp_update'], FILTER_VALIDATE_URL) ? $_POST['cp_update'] : FALSE ;
         if ($image) {
             $ext = substr($image, strripos($image, '.') + 1);
             switch($ext) {
                 case "png": $file = imagecreatefrompng($image); break;
                 case "jpg": $file = imagecreatefromjpeg($image); break;
                 case "gif": $file = imagecreatefromgif($image); break;
                 default: $error = 'No valid image entered'; break;
             }
             if (isset($error)) {
                 echo $error;
             } else {
                 $size = getimagesize($image);
                 if (is_array($size)) {
                     $mime = array('image/jpg', 'image/jpeg', 'image/gif', 'image/png');
                     if (in_array($size['mime'], $mime)) {
                         if ($size[0] && $size[1]) {
                             $ir['cover_pic']=stripslashes($_POST['cp_update']);
                             // FILTER_VALIDATE_URL does not strip quotes, so escape the value before it
                             // goes into the query ($db->escape() is the stock MCCodes v2 helper and is
                             // assumed to exist in this build).
                             $cover_pic = $db->escape($image);
                             $db->query("UPDATE users SET cover_pic='{$cover_pic}' WHERE userid=$userid");
                             echo '<b>You have updated your cover picture</b>';
                         } else {
                             echo '<b>Height or Width could not be detected</b>';
                         }
                     } else {
                         echo '<b>No mime type returned.</b>';
                     }
                 } else {
                     echo '<b>Did not pass getimagesize() so not a valid resource.</b>';
                 }
             }
         }
         // HTML-encode the stored URL before printing it inside the src attribute.
         $cover_src = htmlspecialchars($ir['cover_pic'], ENT_QUOTES);
         echo "
         <div class='desc2'>
         <div class='citstat'>
         <div class='pagemessage'>
         <BR>''Why not personalize your profile page by adding a cover picture using the form below''<BR><BR>
         </div>
         <h2>Upload A Cover Picture To Your Profile Page</h2>
         <table class='mytable'>
         <tr><td><center><BR>
         <div class='profilecover'>
         <img src='{$cover_src}' width='840' height='300' alt='' title='' style='float: center'>
         </div>
         <form action='coverupload.php' method='post'><BR>To upload a cover picture insert the url to the image below<BR>
         Image Link : <input type='text' name='cp_update' value='http://'>
         <button>Submit</button></center><BR>
         </form>
         </td></tr></table><BR><BR><BR><BR><BR><BR><BR>
         ";
         $h->endpage();
         ?>

     2. Create a new column in your users database called cover_pic

         ALTER TABLE `users` ADD `cover_pic` TEXT NOT NULL ;

     So we now have the upload page and the appropriate column.

     3. We now need to modify our viewuser.php page and add the below code

         <img src='{$r['cover_pic']}' width='840' height='350' alt='' title='' style='float: center' />

     You may need to play with the width and height attributes to fit your own page. That's it, you're all done! The below code isn't needed but it's an example of how I implemented it into the viewuser page. This is a basic version and I will hopefully update it in a week or two.

         $rr=$db->query("SELECT * FROM referals WHERE refREFER={$r['userid']}");
         $referal=$db->num_rows($rr);
         print "
         <div class='profileinfo'>
         <h2>User Profile</h2>
         <div class='profilecover'>
         <img src='{$r['cover_pic']}' width='840' height='350' alt='' title='' style='float: center' />
         </div>
         <img src='{$r['display_pic']}' width='120' height='120' alt='User Display Pic' title='User Display Pic' style='float: left' />
         <div class='profileinfotop'>
         <b>Name: </b>{$r['username']} <span>ID:{$r['userid']} $d </span> <BR>
         <b>Level:</b> {$r['level']} ".get_gameranks($r['level'],$r['hPRICE'],$r)." <BR>
         <b>User Level:</b> $userl <BR>
         <b>Gender:</b> {$r['gender']}<BR>
         <b>Status:</b> <span><font color='#70cb00'><b><img src='$on' alt='$status' title='$status' /></b></font></span>
         </div>
  16. This modification allows a user who has been jailed to escape from jail, this is allowed twice every 24 hours.

     1. A new column needs to be added to the user table

         ALTER TABLE `users` ADD `escapejail` INT( 2 ) NOT NULL ;

     2. Create a new page and call it escapejail.php. Then add this code:

         <?php
         include "globals.php";
         // empty() avoids an undefined-index notice when no ?escape= parameter is sent
         if(empty($_GET['escape']))
         {
             print "
             <div class='desc2'>
             <div class='citstat'>
             <h2>Escape Jail</h2>
             <br />
             You do know that escaping jail is actually against the law and if you get caught you could be punished further
             <br />
             <table class=mytable>
             <tr><td><a href='escapejail.php?escape=yes'>Escape</a></td></tr>
             </table>
             </div>";
         }
         else
         {
             if($_GET['escape'] == 'yes')
             if($ir['escapejail'] == 2)
             {
                 print "Escape from jail failed!";
             }
             else
             {
                 $db->query("UPDATE users SET jail=0 , escapejail = escapejail + 1 WHERE userid=$userid");
                 print "You managed to escape from the prisons of Raging Mortals, not many people have got away with this";
             }
         }
         $h->endpage();
         ?>

     3. You now need to add the link on the jail.php page, like so

         <a href='escapejail.php'>Escape</a>

     I put this before the bail and bust links.

     4. Finally you need to add the below line to your daily cron file:

         $db->query("UPDATE users SET escapejail = 0");
  17. I thought I would share the final result for anyone that would like to try it themselves [ATTACH=CONFIG]1847[/ATTACH]

         <?php
         include "globals.php";
         $result = $db->query("SELECT * FROM users ORDER BY posts DESC LIMIT 4");
         print "
         <table class='mytable'>
         <tr>
         ";
         {
             while($row = $db->fetch_row($result))
             print "
             <td>
             <a href='viewuser.php?u={$row['userid']}'>{$row['username']}</a> <BR>
             Posts:{$row['posts']}
             </td>
             ";
         }
         print "
         </tr></table>
         ";
         $h->endpage();
         ?>
  18. Ok So I have put the table before the loop and now it works as intended. You were right, the way I had it before it was creating a table for each result. Thanks for your time and help [MENTION=70485]G7470[/MENTION] you've helped me understand a lot more than what I understood this morning!
  19. Ok I'm trying to style it and I can't seem to figure out where I am going wrong. This is what I have done

         <?php
         include "globals.php";
         $result = $db->query("SELECT username FROM users ORDER BY posts DESC LIMIT 4"); // moved $result to equal the query, as $db->query runs that query
         // $result = mysql_query($db); Not needed
         while($row = $db->fetch_row($result)) // using MCCodes fetch_row function, which can work as both fetch_array and fetch_row in mysql and mysqli
         {
             print "
             <table class='mytable'>
             <tr>
             ";
         }
         print "
         <td>$row['username'] </td>
         ";
         print "
         </tr></table>
         ";
         $h->endpage();
         ?>

     So the goal is to put the results in a table on the same row, i.e. in between <td> </td>
  20. [MENTION=70485]G7470[/MENTION] Thank you for your help and explanation, really helpful indeed!!
  21. I was wondering if someone could kindly point me in the right direction as to where I am going wrong. What I want to do is display the top 4 forum contributors above the forum, just to add some more stats and to fluff out the forum page a bit more. At the moment all I want to do is display the results and then I will work them into the forum page. Here is what I have:

         <?php
         include "globals.php";
         $db->query("SELECT username FROM users ORDER BY posts DESC LIMIT 4");
         $result = mysql_query($db);
         while($row = mysql_fetch_array($result))
         {
             print "
             $row
             ";
         }
         $h->endpage();
         ?>

     I'm guessing it's how I'm displaying the results but I am learning still
  22. Thanks KyleMassacre I will use that format in future
  23. I would like a gang armoury but which one should I use? I see there is a free version on the forums and a paid version on mccodes website....Which one would you recommend?
  24. I know there's a paid mod called City Park already, I made it a couple of years ago but wanted to improve it and make it free. **Note this is the first time I am sharing on the forum so might not have put it in the right format etc** The city park allows a user to restore their health once a day to either train some more or battle more users etc. I have tested it and it works fine. If you want to use it then just follow the below steps.

     1. You need to alter/add a new column in the users table called citypark

         [mysql]ALTER TABLE `users` ADD `citypark` INT( 2 ) NOT NULL ;[/mysql]

     2. Add this to your daily cron file

         $db->query("UPDATE users SET citypark = 0 WHERE citypark = 1");

     3. This is the page's source code, you will need to edit it slightly to fit your design as we made a custom css file

         <?php
         include "globals.php";
         error_reporting(E_ALL);
         if($ir['jail'])
         {
             print "<div class='desc2'>
             <div class='citstat'>
             <table class='mytable'><tr><td><center><BR>
             You cant go any further while you're in jail
             <BR><a href='jail.php'>Go back to jail</a>
             <BR><BR></center></td></tr></table>";
             $h->endpage();
             exit;
         }
         if($ir['hospital'])
         {
             print "<div class='desc2'>
             <div class='citstat'>
             <table class='mytable'><tr><td><center><BR>
             You can go any further while your in hospital
             <BR><a href='hospital.php'>Go back to Hospital</a>
             <BR><BR></center></td></tr></table>";
             $h->endpage();
             exit;
         }
         print "
         <div class='desc2'>
         <div class='citstat'>
         <h2>Welcome to the City Park!</h2>
         <br />
         You walk up to a weird looking fountain, you see an old glass with lots of scratches and brown patches.<BR><BR>
         Do you take a drink?<BR>
         <br />
         <table class=mytable>
         <th>Fountain</th>
         <tr><td><a href='citypark.php?drink=yes'><center>Yes</center></a></td></tr>
         <tr><td><a href='citypark.php?drink=no'><center>No!</center></a></td></tr>
         </table>
         </div>
         ";
         if(isset($_GET['drink']) && $_GET['drink'] == 'yes')
         {
             if($ir['citypark'] == 1)
             {
                 print "This has no effect on you";
             }
             else
             {
                 $db->query("UPDATE `users` SET `energy`=maxenergy,`citypark`=1 WHERE `userid`=$userid");
                 print ">You have an almighty gulp and magically it restores your energy, awesome!";
             }
         }
         if(isset($_GET['drink']) && $_GET['drink'] == 'no')
         {
             print "Wise choice buddy wise choice!";
         }
         $h->endpage();
         ?>
  25. Thanks guys, my crons are now secured! I went with JMG Gaming's suggestion [MENTION=70347]NonStopCoding[/MENTION]. For the record I do have a license for Mccodes from 2012 and have pointed it to our domain, which was the script from Ravan Mafia Game. I can see how Ravan mafia has ripped Mccodes but after downloading the "latest" version of mccodes it doesn't look like it's changed much over the years and is still pretty basic. Thanks to everyone that helped and left their suggestions, much appreciated.
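
Added example, not Miks's code and not MCCodes code: one way to validate and print the cover-picture URL discussed in posts 4 to 9 and 15, so that the link quoted in post 5 is accepted while inputs that the loose pattern in posts 7 and 8 lets through are rejected. The function names, the 255-character limit and every sample input except the post 5 link are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not MCCodes code.

// Return the trimmed URL if it is an http(s) link whose *path* ends in an
// allowed image extension and carries no quote/markup characters; else null.
function validate_cover_url($raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 255) { // length limit is an assumption
        return null;
    }
    $url = trim($raw);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    // Look at the path only, so a query string like ?f=a.jpg cannot pass.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    // Refuse characters that could close an HTML attribute or an SQL string.
    return strpbrk($url, "'\"<>\\ \t\r\n") === false ? $url : null;
}

// Encode at output time as well, even though the value was validated on input.
function cover_img_tag(string $url): string
{
    $src = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return "<img src='{$src}' width='840' height='300' alt=''>";
}

$samples = [ // constructed inputs, except the first (the link quoted in post 5)
    'http://covers4timelines.com/uploads/covers/7f99bef877271bf7dd4aee74c0629e32.jpg',
    'http://example.com/view.php?f=a.jpg', // matches '~(.?).(jpg|jpeg|gif|png)~i'
    'xjpg',                                // also matches that pattern
    'ftp://example.com/a.png',
    "http://example.com/a.jpg' x='",
];
foreach ($samples as $s) {
    $ok = validate_cover_url($s);
    echo ($ok === null ? 'rejected ' : 'accepted '), $s, PHP_EOL;
    if ($ok !== null) echo '  ', cover_img_tag($ok), PHP_EOL;
}
```

Only the first sample is accepted. When the accepted value is stored, bind it as a query parameter or pass it through the database layer's escaping function instead of interpolating `$_POST` into the SQL string.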