[Tool/Web/Other] [PHP/SQL] View Bans/Vehicles/Users from browser
#1

Before we start. You will need to have a MySQL-able gamemode, an SQL server and a .php supporting server (doesn't count what OS). Otherwise it will NOT work!

What is it? The .zip file contains 3 *.php files: users.php, bans.php and vehicles.php. If they are correctly set up, you can view your info for these three things from sql in your web browser. Also the zip contains graphical files, css and js files. Also config.inc.

Preview. HERE

Setting up. Download the package (link is at the end of the post) and unpack it to your desktop or somewhere.
Open up config.inc and configure it for your needs
PHP code:
define ("DB_HOST", "localhost"); // set database host
define ("DB_USER", "root"); // set database user
define ("DB_PASS", "x"); // set database password
define ("DB_NAME", "sa-mp"); // set database name
define ("DB_TABLE_VEHS", "vehicles"); // set database table for vehs
define ("DB_TABLE_PLAYER", "playerinfo"); // players
define ("DB_TABLE_BANS", "bans"); // bans
It should not be hard.

Next open up one of the .php files. I use Notepad++. For example I open users.php.
Firstly you will need to edit these lines:
PHP code:
$db_table_player = DB_TABLE_PLAYER;
$sql = "SELECT * FROM $db_table_player";
It has to be the same as in config.inc

Now we need to edit these lines for your needs
PHP code:
$user = ($rows['user']);
$money = $rows['money']; 
$skin = $rows['skin'];
$Level = $rows['Level'];  
$nLevel = $rows['nLevel'];
?>
<tr>
<td class="alt" ><?php echo "$user"?></td>
<td class="alt" ><?php echo "$money"?></td>                
<td class="alt" ><?php echo "$skin"?></td>
<td class="alt" ><?php echo "$Level"?></td>
<td class="alt" ><?php echo "$nLevel"?></td>
PHP code:
$user = ($rows['user']);
if in mysql you have named your row for usernames to usernames, instead of users, it has to be
PHP code:
$usernames = ($rows['usernames']);
, also you need to edit the following line:
PHP code:
<?php echo "$user"?>
to
PHP code:
<?php echo "$usernames"?>
Same for the other lines and other 3 files.

Download
Upload.ee
Solidfiles.com

The .inc replaced with .php
Solidfiles.com
Reply
#2

Hey mate, this is just awesome! why don't you sell it ?
Reply
#3

Code:
$db_table_player = DB_TABLE_PLAYER;
$sql="SELECT * FROM $db_table_player";
Reply
#4

Quote:
Originally Posted by royal_king
Hey mate, this is just awesome! why don't you sell it ?
It's quite easy to make actually. Thanks
Reply
#5

Quote:
Originally Posted by Sergei
Code:
$db_table_player = DB_TABLE_PLAYER;
$sql="SELECT * FROM $db_table_player";
It's defined. And player names are not escaped epic fail right ?

config.inc -_- people can easily see your mysql password and stuff.....
Reply
#6

Quote:
Originally Posted by XFlawless
config.inc -_- people can easily see your mysql password and stuff.....
I used it just 4 myself. I also added
Quote:

EDIT: I forgot to mention, for higher security you should rename config.inc to config.inc.php (also edit the php files)

In the end of main post
Reply
#7

Quote:
Originally Posted by Oliverraisk
I used it just 4 myself. I also added In the end of main post
But you still need to escape usernames and use htmlentities(). Also you have not sanitized any vulnerable character.
Reply
#8

Quote:
Originally Posted by XFlawless
But you still need to escape usernames and use htmlentities().
Quite dunno what you are talkin 'bout. The thing is, that the system worked :O
Reply
#9

Well i'm going to develop it with some more features

@Flawless - You are right people can see MySQL details, maybe he would make it in "PHP"
Reply
#10

Wow awesome
Reply
#11

Quote:
Originally Posted by Oliverraisk
Quite dunno what you are talkin 'bout. The thing is, that the system worked :O
Ex: html characters in php can be hacked by CrossSite Scripting. And $username can be mysql injected they can easily override the player password.
Reply
#12

For avoiding sql injection you can use htmlspecialchars() and mysql_real_escape_string() - This needs a mysql db connection
Reply
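
Added example, not part of any post in this thread and not the package's own code: the two defences the replies mention apply at different points. Bound parameters protect the SQL statement, and htmlspecialchars() protects the HTML output. Assumptions: in-memory SQLite through PDO stands in for the MySQL server so it runs offline, the names h(), safe_table(), render_players() and the $minLevel filter are hypothetical, and the sample rows are constructed.

```php
<?php
// Added example. In production, replace the sqlite DSN with a mysql: DSN
// built from the DB_* constants kept in config.inc.php (assumption).
const DB_TABLE_PLAYER = 'playerinfo';

// HTML-context escaping: applied when a value is printed into the page.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Identifiers cannot be bound as parameters, so accept only a plain name.
function safe_table(string $name): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('bad table name');
    }
    return $name;
}

function render_players(PDO $pdo, int $minLevel): string
{
    $table = safe_table(DB_TABLE_PLAYER);
    // SQL-context defence: the value travels as a bound parameter.
    $stmt = $pdo->prepare("SELECT user, money, skin, Level, nLevel FROM $table WHERE Level >= ?");
    $stmt->execute([$minLevel]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<tr>';
        foreach ($row as $value) {
            $html .= '<td class="alt">' . h($value) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE playerinfo (user TEXT, money INT, skin INT, Level INT, nLevel INT)');
// Constructed sample rows; the second player name contains markup.
$ins = $pdo->prepare('INSERT INTO playerinfo VALUES (?, ?, ?, ?, ?)');
$ins->execute(['Oliver', 1500, 23, 3, 1]);
$ins->execute(['<script>alert(1)</script>', 0, 0, 1, 0]);

// The second name is emitted as &lt;script&gt;... and shown as text.
echo "<table>\n" . render_players($pdo, 1) . "</table>\n";
```
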
#13

This looks nice, but i don't think its secure enough for me. :P
Reply
#14

Well I'm gonna try to fix it in evening. Thanks everybody for heads-up!
Reply
#15

Naiss :P
Reply
#16

Nice release
Reply

