Change in new account creation disabled warning.

Posted: Mon Jun 01, 2020 15:06 UTC
by usalabs
After a while I noticed the new account creation was a little off, so I investigated and found that if for some reason someone closed account creation by setting the variable $account_creation_closed in config.php to true, this would stop any new accounts. Now here's the kicker: this only happens 'after' a person clicks 'New Player', then fills out the details, then gets told "Game closed for tournament play". So what I've done is to remove that check from new2.php, modify it a little, and insert it into new.php, thus:-

new2.php
code removed after the line that shows $big_title();

Code:

if ($account_creation_closed)
{
    die ($l_new_closed_message);
}

new.php
Code that's inserted after the line $big_title();

Code:

if ($account_creation_closed)
{
    echo $l_new_closed_message;
    echo "<br>";
    echo "<br>";
    echo "<br>";
    echo "Click <a href='index.php'>HERE</a> To return to login screen.";
    die();
}

This way when someone disables account creation, and someone else clicks the 'New Player' button, instead of filling out all the details and then getting shown the message, the message is shown instead of the form.

This is another further modification that gives the user a choice to click the link to return back to the login or wait 5 seconds for an auto redirect.

Code:

if ($account_creation_closed)
{
    echo $l_new_closed_message;
    echo "<br>";
    echo "<br>";
    echo "<br>";
    echo "If this page does not redirect in 5 seconds, Click <a href='index.php'>HERE</a> To return to login screen.";
    echo "<script language='javascript'>
    window.setTimeout(function()
    {
        window.location.href = 'index.php';
    }, 5000);
    </script>";
    die();
}

I also removed this from login2.php

Code:

if ($server_closed)
{
    $title = $l_login_sclosed;
    include "header.php";
    echo "<div style='text-align:center; color:#ff0; font-size:20px;'><br>$l_login_closed_message</div><br>\n";
    TEXT_GOTOLOGIN();

    include "footer.php";
    die();
}

Edited it a little, and inserted it into index.php after include "header.php";

Code:

if ($server_closed)
{
    $title = "CLOSED";
    $l_login_closed_message = "ALL LOGINS ARE CLOSED UNTIL FURTHER NOTICE.....";
    echo "<div style='text-align:center; color:#ff0; font-size:40px;'><br>$l_login_closed_message</div><br>\n";
    include "footer.php";
    die();
}

This way, no login page is ever displayed when the variable $server_closed is set to true in config.php

The problem I found is the language variables
$l_login_sclosed
$l_login_closed_message

were empty, so I had to manually enter the data in English.

I found the problem, I had to insert this line before the offline check:-

Code:

load_languages($db, $lang, array('new', 'login', 'common', 'global_includes', 'global_funcs', 'footer', 'news'), $langvars, $db_logging);

and now it works.

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 04:03 UTC
by TheMightyDude
If you removed that from new2.php, people can still create accounts by creating a page on their local machine calling new2.php, resulting in creating an account when it has been disabled.

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 12:02 UTC
by usalabs
TheMightyDude wrote: Tue Jun 02, 2020 04:03 UTC
If you removed that from new2.php, people can still create accounts by creating a page on their local machine calling new2.php, resulting in creating an account when it has been disabled.

How is that possible? PHP is executed server side only, and even if the person looked at the source, they still couldn't create a page and feed another script the variables needed for the destination script to use. If that was the case, then any website that uses PHP can ultimately be changed at the whim of a person, just by creating a page on their local machine which then talks to the scripts running on the server. Also, if you called new2.php directly, it would show an error about the email address, name and ship name cannot be empty, and then gives the chance to click a link to return to the create new user screen, but because the modded code is there it still prevents the account creation form from being filled in.

There is one way though to prevent direct script access, and that's to use:-

Code:

defined ('SYSPATH') or die ('NO DIRECT SCRIPT ACCESS');

Which then means the constant used would have to be defined at the server level, and the die message would need to be translated to the languages used in BNT, and the string replaced with a language variable.

And so calling the script from any other means would get the die message, unless it's called from a script running within the server itself.

ADDENDUM
I have just tried this by using AMPPS setup on my Windows machine and calling new2.php using this:-

Code:

<?php
// Send the browser to new2.php on the game server.
header("Location: https://home-regions.no-ip.org/traders/new2.php");
?>

And I get the 'no direct script access' error, but calling it from new.php which is running inside the server doesn't invoke that error.

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 15:26 UTC
by thekabal
usalabs wrote:How is that possible?
Because PHP scripts take input: $_POST, $_GET, $_COOKIES, etc. And all of those can be created and sent by making a local php file which generates those values and sends them to the server.

It's literally exactly the same way the game works, just the source is different. As you mention, you do have to get all the variables set correctly, which yes, does require at least a glance at the code, but isn't difficult at all.

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 17:57 UTC
by TheMightyDude
thekabal wrote: Tue Jun 02, 2020 15:26 UTC
usalabs wrote:How is that possible?
Because PHP scripts take input: $_POST, $_GET, $_COOKIES, etc. And all of those can be created and sent by making a local php file which generates those values and sends them to the server.

It's literally exactly the same way the game works, just the source is different. As you mention, you do have to get all the variables set correctly, which yes, does require at least a glance at the code, but isn't difficult at all.
You beat me to it LOL

Long time no see, how are you and family?
I trust everyone is doing well.

Also it can be just a html file with post fields in it, some people do it on the live games, can be easy to spot, unless they are smart LOL.

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 18:07 UTC
by TheMightyDude
Basically you need checks in the files doing the account creation to the database, sure we could put in a check in the new.php page, but that check needs to stay in new2.php

Like when I disabled a feature in the IGB on the main page, and the 2nd page, but forgot the 3rd and 4th, so players just hooked into the 3rd and 4th page.
Never underestimate players, they will go to all means to do what they want, even when they know they shouldn't do so.

Also like with the Federal Bounty on the live games, where it now finally limits what they can do, that took like forever to stop players bypassing it.
So now they are forced to pay it off first.
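
The point made above, as an added example that is not part of the thread and is not BlackNova Traders code: the check in new.php only decides what the browser is shown, while the check in new2.php decides whether an account is written. The field names, the in-memory account list and the `$enforce` switch are assumptions for illustration; the request body is constructed and no HTTP request is made.

```php
<?php
// Added example. $account_creation_closed and $l_new_closed_message are the
// names used in the thread; everything else here is hypothetical.
declare(strict_types=1);

$account_creation_closed = true;
$l_new_closed_message = 'Game closed for tournament play';

// One guard shared by both pages, so the rule cannot drift between them.
function signup_closed_message(bool $closed, string $message): ?string
{
    return $closed ? $message : null;
}

// new.php equivalent: convenience only, it picks what the visitor sees.
function render_new(bool $closed, string $message): string
{
    return signup_closed_message($closed, $message)
        ?? "<form method='post' action='new2.php'>...</form>";
}

// new2.php equivalent: the only place an account is written, so the check
// here is the one that enforces the setting, however the request arrived.
function handle_new2(array $post, array &$accounts, bool $closed, string $message, bool $enforce): string
{
    if ($enforce && ($refusal = signup_closed_message($closed, $message)) !== null) {
        return $refusal;
    }
    foreach (['username', 'character', 'shipname'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return "Missing field: $field";
        }
    }
    $accounts[] = $post['username'];
    return 'Account created';
}

// Constructed request body: the same fields the form would submit, but
// arriving at new2.php without new.php ever having been loaded.
$direct_post = ['username' => 'a@example.test', 'character' => 'Test', 'shipname' => 'Probe'];

$accounts = [];
echo "new.php shows:          ", render_new($account_creation_closed, $l_new_closed_message), "\n";
echo "new2.php without check: ", handle_new2($direct_post, $accounts, $account_creation_closed, $l_new_closed_message, false), "\n";
echo "new2.php with check:    ", handle_new2($direct_post, $accounts, $account_creation_closed, $l_new_closed_message, true), "\n";
echo "accounts written:       ", count($accounts), "\n";
```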

Re: Change in new account creation disabled warning.

Posted: Tue Jun 02, 2020 18:53 UTC
by thekabal
TheMightyDude wrote: Tue Jun 02, 2020 17:57 UTC You beat me to it LOL

Long time no see, how are you and family?
I trust everyone is doing well.
Thanks, we are well. I'm currently employed, working remotely, occasionally indulging in my hobbies (like PHP programming), and staying safe.

Hope you are as well.
TheMightyDude wrote: Tue Jun 02, 2020 17:57 UTC Also it can be just a html file with post fields in it, some people do it on the live games, can be easy to spot, unless they are smart LOL.
Very good point, I should have mentioned that. ;-)

Re: Change in new account creation disabled warning.

Posted: Wed Jun 03, 2020 00:24 UTC
by usalabs
And I wonder why I never studied scripting, it's far too contradictory, and seems to be very, very, unsafe. I much prefer the language I was taught many years ago (ASM), simple, to send data, you have to open a destination first to receive that data, then send it, and when an EOF is detected, close that destination, but in PHP it seems that any data can be sent to any PHP script as long as various details are known first, making PHP very, very, insecure, and that's not just PHP, but Curl, C++, Pascal, Fortran, Cobol, Java, and even HTML, and yet in most other programming languages, such as B.A.S.I.C, a file or memory location has to be opened first before any data is sent to it.

EG
50 mailmen are in a queue waiting at a house to deliver information, but until someone opens the door, the data is not going to go anywhere, but with PHP it seems that the door is always open, and data can flow from outside in at anytime.

Re: Change in new account creation disabled warning.

Posted: Wed Jun 03, 2020 02:14 UTC
by TheMightyDude
It's the same with what you said, "(ASM), simple, to send data, you have to open a destination first to receive that data, then send it, and when an EOF is detected, close that destination": you can send anything that way too and it would be unsafe.

And by the way that is exactly how HTTP(s) sort of works, where the client sends a request to a web page on a server and that server returns the info for that page and then closes the connection.

Think of it like this, anything the user has to enter, clicking on a button etc on a webpage is sent via TCP on port 80 (HTTP) or port 443 (HTTPS) via a Web Form, it's perfectly safe assuming you do all the checks and validation etc server side.

If you are a bad programmer or don't know scripting especially the language in question you will have issues.