Jump to content

Buy Credits


Recommended Posts

Firstly thank you for taking the time to look or glance here i have a problem when gaining credits via glpayment i use the keycode i i get when texting it in i use it on this page and i do not gain the credits/points on the account i think its something to do with line 162where it asks for a password what do i put as the password ??




include_once "includes/db_connect.php";




$query=mysql_query("SELECT * FROM users WHERE username='$username'");


$query1=mysql_query("SELECT * FROM user_info WHERE username='$username'");







<script language=JavaScript> 

//Disable right click script III- By Renigade ([email protected])
//For full source code, visit http://www.dynamicdrive.com

var message='';
function clickIE() {if (document.all) {(message);return false;}}
function clickNS(e) {if 
(document.layers||(document.getElementById&&!document.all)) {
if (e.which==2||e.which==3) {(message);return false;}}}
if (document.layers) 

document.oncontextmenu=new Function('return false')
// --> 

<link rel="shortcut icon" href="favicon.png">

<link href="style.css" rel="stylesheet" type="text/css">

<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">

<table width="350" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="" class="table"> 
<tr><td align=center>Please note when you are <b>CLAIMING</b> credits that the URL <b>MUST</b> be <b>URL</b> thank you!<br><br><font color=red>You Buy Credits At Your Own Risk, We Stand On A Non Refundable Policy!</font>

<table width="350" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="" class="table"> 
<tr><td class="header" colspan="5">Buying Credits - Mobile & Home Phone</td> </tr>
<tr class="subhead"><td class="tableborder" align="center" ><u>Cost</u></td> 
<td class="tableborder" align="center" ><u>Amount</u></td>
<td class="tableborder" align="center" ><u>Text</u></td>
<td width="20%" align="center" class="tableborder" ><u>Claim</u></td> 
<tr><td  width="14%" align="center" class="tableborder">£1.50</div></td> 
<td  width="14%" align="center" class="tableborder">120</td> 
<td  width="27%" align="center" class="tableborder">GL pay to 87070</td> 
<td  width="20%" align="center" class="tableborder"><a href="?creds=120">Claim!</a></td> 
<tr><td  width="14%" align="center" class="tableborder">£3.00</div></td> 
<td  width="14%" align="center" class="tableborder">250</td> 
<td  width="27%" align="center" class="tableborder">GL prem to 87070</td> 
<td  width="20%" align="center" class="tableborder"><a href="?creds=250">Claim!</a></td>  
<tr><td  width="14%" align="center" class="tableborder">£4.50</div></td> 
<td  width="14%" align="center" class="tableborder">420</td> 
<td  width="27%" align="center" class="tableborder">GL token to 87070</td>
<td  width="20%" align="center" class="tableborder"><a href="?creds=420">Claim!</a></td>  
<tr><td  width="14%" align="center" class="tableborder">£6.00</div></td> 
<td  width="14%" align="center" class="tableborder">670</td> 
<td  width="27%" align="center" class="tableborder">GL bonus to 87070</td> 
<td  width="20%" align="center" class="tableborder"><a href="?creds=670">Claim!</a></td>  
<tr><td  width="14%" align="center" class="tableborder">£7.50</div></td> 
<td  width="14%" align="center" class="tableborder">830</td> 
<td  width="27%" align="center" class="tableborder">GL cool to 87070</td> 
<td  width="20%" align="center" class="tableborder"><a href="?creds=830">Claim!</a></td> 
<tr><td  width="14%" align="center" class="tableborder">£9.00</div></td> 
<td  width="14%" align="center" class="tableborder">900</td> 
<td  width="27%" align="center" class="tableborder">GL shot to 87070</td> 
<td  width="20%" align="center" class="tableborder"><a href="?creds=900">Claim!</a></td> 
<? if ($fetch->pban == "0"){ ?>

<table width="25%" border="0" align="center" cellpadding="3" cellspacing="1" bordercolor="#000000" class="table">
   <td colspan=2 class="header">Donate by Paypal
   <td align="center" ><form action="https://www.paypal.com/cgi-bin/webscr" method="post" target=_blank>
       <select name=amount class=textinput>
         <option value=5.00 >£5.00 - 480 Credits</option>
         <option value=10.00 >£10.00 - 1,200 Credits</option>
         <option value=15.00 >£15.00 - 1,920 Credits</option>
         <option value=20.00 >£20.00 - 2,520 Credits</option>
         <option value=25.00 >£25.50 - 3,300 Credits</option>
         <option value=30.00 >£30.00 - 4,200 Credits</option>
         <option value=100.00 >£100.00 - 16,800 Credits</option>
       <input type="hidden" name="cmd" value="_xclick">
       <input type="hidden" name="currency_code" value="GBP">
       <input type="hidden" name="business" value="Hidden">
       <input type="hidden" name="item_name" value="Hidden">
       <input type="submit" class="button" border="0" value="Continue" onClick="confirmbuy()" name="submit" alt="Click To Redeem Your Points">
</table><? } ?><br>

if ($creds == "120"){ $id = "13040"; }
if ($creds == "250"){ $id = "13553"; }
if ($creds == "420"){ $id = "13222"; }
if ($creds == "670"){ $id = "12643"; }
if ($creds == "830"){ $id = "12644"; }
if ($creds == "900"){ $id = "12645"; } 

if ($creds != ""){ ?>

<form name="glform" method="post" action="http://www.glpayment.co.uk/glpay0205/Auth_Standard.php">
<table align="center" class="table" width="20%" cellpadding="3" cellspacing="1" border="0">
<tr><td class="header">Claim Credits - Keycodes</td></tr>
<tr><td align="center" class="tableborder" >
Keycode: <input type="text" class="textinput" name="number"><br><br>
<input type="submit" class="button" value="Submit Keycode">
<input type="hidden" name="ddi_id" value="<? echo "$id"; ?>"> 
<? } if ($_GET[payment] != ""){

if($_GET[payment] == "true" && $_POST[price] && $_POST[Password] == "" && $_POST[CovNum]) {
$query = mysql_query("SELECT keycode FROM payments WHERE keycode='$_POST[CovNum]'");
$rows = mysql_num_rows($query); 

if($rows == 0) {

if($_POST[price] == "1.50"){ $credgain = "120"; }
elseif($_POST[price] == "3.00"){ $credgain = "250"; }
elseif($_POST[price] == "4.50"){ $credgain = "420"; }
elseif($_POST[price] == "6.00"){ $credgain = "670"; }
elseif($_POST[price] == "7.50"){ $credgain = "830"; }
elseif($_POST[price] == "9.00"){ $credgain = "900"; }

mysql_query("UPDATE users SET points=points+$credgain WHERE username='$username'");

mysql_query("UPDATE users SET donate='Yes' WHERE username='$username'");
mysql_query("INSERT INTO payments SET username='$username', keycode='$_POST[CovNum]', date=NOW(''), creds='$credgain'");
echo "<div class=success>Thanks for donating $credgain credits have been added to your account $username<br><br>";

}else{ echo "<center><font color=red><b>The keycode entered has been used before.<br><br>"; } 
}else{ echo "<center><font color=red><b>This keycode has been used before or is invalid.<br><br>"; }} ?>

Link to comment
Share on other sites

Handling Variables

Upon successful completion of a transaction, the Green Light Billing Server redirects your customer to a page of your choice (your "PassURL"). Whilst carrying out this redirect, we also post data a series of data to that page via HTTP Post.

Some of this data is standard system information, whilst other data can be supplied by you. In other words, you can insert additional fileds into the web form we have provided you with (using the naming convention set out below) and we will return that data to your Pass URL following successful payment.

The data included in this can be divided into two categories:


User Variables. Data sent by your website (via the "launch form") such as your unique reference, customer ID, postal address etc.


System Variables. Standard information about the transaction which you may find useful to know and use.


Name Type Description

CovNum System The Receipt Code / Keycode generated by Green Light and issued to the customer. This is a unique reference so you may wish to make use of it.

Password System This particularly useful for secure verification when receiving post data from us. You will receive your account password along with this data, and you can verify that it is correct in order to prevent misuse of the system. NB this is only passed to you via the HTTP post method i.e. it is not sent via email for security reasons.

method System Payment method used by cuistomer - Telephone, SMS, Credit Card orDebit Card.

payment System This is the value of "outpayment" due from Green Light to you for this specific transaction.

price System The price of this product, as set by you.

var1 User This is an open variable that can be used for any purpose you require. For example, if you have captured a customer telephone number and wish to receive that data back again at the end of the process along with the data above, simply name a form field "var1" and you will receive the data back with that same name following a successful transaction.

var2 User as above

var3 User as above

var4 User as above

var5 User as above

var6 User as above

var7 User as above

var8 User as above

var9 User as above

var10 User as above

Cust_Name User Whilst this is a user variable and can in theory be used for any data you wish, we have reserved it for the name of your customer.

Cust_Email User as above

Please ensure that you use the exact spelling and case stated above for all variables.

Link to comment
Share on other sites

First a few things.... NEVER EVER insert an unsecured variable directly to the database!!!!

INSERT INTO payments SET username='$username', keycode='$_POST[CovNum]', date=NOW(''), creds='$credgain'");


$_POST[price] might work as PHP assumes you ment $_POST['price'] if there is no constant named price. But it will run slower and fill up error logs, and kittens will die.

Their API does not seem to have a public documentation :(


You will receive your account password along with this data, and you can verify that it is correct in order to prevent misuse of the system..

Seems odd that your suppose to use your account password, as anybody working on a site will have access to it. And sending data over http is about as safe as sending a post card.


if($_GET['payment'] == true && $_POST['price'] && $_POST['Password'] == "YOURACCOUNTPASSWORD" && $_POST[CovNum']) {


Also note that == "true" is not the same as == true, "true" or 'true' is a string containing the word true, while == true means that it has been set. The variable should also be checked if the exist, in this example you can get away with changing:

//if ($_GET[payment] != ""){
if ( isset($_GET[payment]) ){


If that do not work, right after <? } if ($_GET[payment] != ""){


echo '<pre>'.print_r($_POST).'</pre>';
echo '<pre>'.print_r($_GET).'</pre>';

That should show you what data is sent back.

Edited by Someone
Link to comment
Share on other sites

Your scripts should have sort of variable securing function, probably in includes/functions.php in the lack of that you could use


$CovNum = mysql_real_escape_string( $_POST['CovNum'] );
//$credgain also need to be secured

All data that comes from a user $_GET and $_POST needs to be secured.

If I went to your page and in the browser wrote: pagename.php?creds='###REMOVED###

All users would be admins, that was an example, and based on some assumptions about the database..


INSERT INTO payments SET username='$username', keycode='$CovNum', date=NOW(''), creds='$credgain'");
Edited by Someone
removed the sample exploit
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...