Change in new account creation disabled warning.

For announcing, describing and discussing code changes to BNT.

usalabs
Posts: 26
Joined: Tue May 19, 2020 13:29 UTC

Change in new account creation disabled warning.

Post by usalabs » Mon Jun 01, 2020 15:06 UTC

After a while I noticed the new account creation was a little off, so I investigated and found that if for some reason someone closed account creation by setting the variable $account_creation_closed in config.php to true, this would stop any new accounts. Now here's the kicker: this only happens 'after' a person clicks 'New Player', then fills out the details, then gets told "Game closed for tournament play". So what I've done is to remove that check from new2.php, modify it a little, and insert it into new.php, thus:-

new2.php
code removed after the line that shows $big_title();

Code:

if ($account_creation_closed)
{
    die ($l_new_closed_message);
}
new.php
Code that's inserted after the line $big_title();

Code:

if ($account_creation_closed)
{
    echo $l_new_closed_message;
    echo "<br>";
    echo "<br>";
    echo "<br>";
    echo "Click <a href='index.php'>HERE</a> To return to login screen.";
    die();
}

This way when someone disables account creation, and someone else clicks the 'New Player' button, instead of filling out all the details, then get shown the message, the message is shown instead of the form.

This is another further modification that gives the user a choice to click the link to return back to the login or wait 5 seconds for an auto redirect.

Code:

if ($account_creation_closed)
{
    echo $l_new_closed_message;
    echo "<br>";
    echo "<br>";
    echo "<br>";
    echo "If this page does not redirect in 5 seconds, Click <a href='index.php'>HERE</a> To return to login screen.";
    echo "<script language='javascript'>
    window.setTimeout(function()
    {
        window.location.href = 'index.php';
    }, 5000);
    </script>";
    die();
}

I also removed this from login2.php

Code:

if ($server_closed)
{
    $title = $l_login_sclosed;
    include "header.php";
    echo "<div style='text-align:center; color:#ff0; font-size:20px;'><br>$l_login_closed_message</div><br>\n";
    TEXT_GOTOLOGIN();

    include "footer.php";
    die();
}
Edited it a little, and inserted it into index.php after include "header.php";

Code:

if ($server_closed)
{
    $title = "CLOSED";
    $l_login_closed_message = "ALL LOGINS ARE CLOSED UNTIL FURTHER NOTICE.....";
    echo "<div style='text-align:center; color:#ff0; font-size:40px;'><br>$l_login_closed_message</div><br>\n";
    include "footer.php";
    die();
}
This way, no login page is ever displayed when the variable $server_closed is set to true in config.php

The problem I found is the language variables
$l_login_sclosed
$l_login_closed_message

were empty, so I had to manually enter the data in English.

I found the problem, I had to insert this line before the offline check:-

Code:

load_languages($db, $lang, array('new', 'login', 'common', 'global_includes', 'global_funcs', 'footer', 'news'), $langvars, $db_logging);
and now it works.

TheMightyDude
Site Admin
Posts: 293
Joined: Thu Apr 17, 2014 09:15 UTC

Re: Change in new account creation disabled warning.

Post by TheMightyDude » Tue Jun 02, 2020 04:03 UTC

If you removed that from new2.php, people can still create accounts by creating a page on their local machine calling new2.php, resulting in creating an account when it has been disabled.
TheMightyDude::Blacknova Development.

usalabs
Posts: 26
Joined: Tue May 19, 2020 13:29 UTC

Re: Change in new account creation disabled warning.

Post by usalabs » Tue Jun 02, 2020 12:02 UTC

TheMightyDude wrote:
Tue Jun 02, 2020 04:03 UTC
If you removed that from new2.php, people can still create accounts by creating a page on their local machine calling new2.php, resulting in creating an account when it has been disabled.
How is that possible? PHP is executed server side only, and even if the person looked at the source, they still couldn't create a page and feed another script the variables needed for the destination script to use. If that was the case, then any website that uses PHP can ultimately be changed at the whim of a person, just by creating a page on their local machine which then talks to the scripts running on the server. Also, if you called new2.php directly, it would show an error about the email address, name and ship name cannot be empty, and then gives the chance to click a link to return to the create new user screen, but because the modded code is there it still prevents the account creation form from being filled in.

There is one way though to prevent direct script access, and that's to use:-

Code:

defined ('SYSPATH') or die ('NO DIRECT SCRIPT ACCESS');
Which then means the constant used would have to be defined at the server level, and the die message would need to be translated to the languages used in BNT, and the string replaced with a language variable.

And so calling the script from any other means would get the die message, unless it's called from a script running within the server itself.

ADDENDUM
I have just tried this by using AMPPS setup on my Windows machine and calling new2.php using this:-

Code:

<?php
header("Location: https://home-regions.no-ip.org/traders/new2.php");
?>

And I get the 'no direct script access' error, but calling it from new.php which is running inside the server doesn't invoke that error.

thekabal
Posts: 94
Joined: Sat Apr 19, 2014 22:32 UTC

Re: Change in new account creation disabled warning.

Post by thekabal » Tue Jun 02, 2020 15:26 UTC

usalabs wrote:How is that possible?
Because PHP scripts take input: $_POST, $_GET, $_COOKIES, etc. And all of those can be created and sent by making a local php file which generates those values and sends them to the server.

It's literally exactly the same way the game works, just the source is different. As you mention, you do have to get all the variables set correctly, which yes, does require at least a glance at the code, but isn't difficult at all.

TheMightyDude
Site Admin
Posts: 293
Joined: Thu Apr 17, 2014 09:15 UTC

Re: Change in new account creation disabled warning.

Post by TheMightyDude » Tue Jun 02, 2020 17:57 UTC

thekabal wrote:
Tue Jun 02, 2020 15:26 UTC
usalabs wrote:How is that possible?
Because PHP scripts take input: $_POST, $_GET, $_COOKIES, etc. And all of those can be created and sent by making a local php file which generates those values and sends them to the server.

It's literally exactly the same way the game works, just the source is different. As you mention, you do have to get all the variables set correctly, which yes, does require at least a glance at the code, but isn't difficult at all.
You beat me to it LOL

Long time no see, how are you and family?
I trust everyone is doing well.

Also it can be just a html file with post fields in it, some people do it on the live games, can be easy to spot, unless they are smart LOL.
TheMightyDude::Blacknova Development.

TheMightyDude
Site Admin
Posts: 293
Joined: Thu Apr 17, 2014 09:15 UTC

Re: Change in new account creation disabled warning.

Post by TheMightyDude » Tue Jun 02, 2020 18:07 UTC

Basically you need checks in the files doing the account creation to the database, sure we could put in a check in the new.php page, but that check needs to stay in new2.php

Like when I disabled a feature in the IGB on the main page, and the 2nd page, but forgot the 3rd and 4th, so players just hooked into the 3rd and 4th page.
Never underestimate players, they will go to all means to do what they want, even when they know they shouldn't do so.

Also like with the Federal Bounty on the live games, where it now finally limits what they can do, that took like forever to stop players bypassing it.
So now they are forced to pay it off first.
TheMightyDude::Blacknova Development.
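
The point made in the post above, as an added sketch that is not BNT code and was not written by anyone in this thread: the form page may show the closed message for convenience, but the script that performs the account creation enforces the setting itself. The function names and the POST field names (username, character, shipname) are hypothetical, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);
// Added illustration, not BNT source. Function names and the POST field
// names (username, character, shipname) are hypothetical.

// new.php role: convenience only, so nobody fills in a form that cannot succeed.
function render_new_player_page(bool $closed): string
{
    return $closed ? 'closed-message' : 'registration-form';
}

// new2.php role: the script that writes the account enforces the setting
// itself, whatever page or client produced the request.
function handle_registration(bool $closed, array $post): array
{
    if ($closed) {
        return ['status' => 403, 'created' => false, 'reason' => 'closed'];
    }
    // Read a field as a trimmed string; anything else counts as empty.
    $field = fn(string $k): string =>
        is_string($post[$k] ?? null) ? trim($post[$k]) : '';

    $email = filter_var($field('username'), FILTER_VALIDATE_EMAIL);
    if ($email === false || $field('character') === '' || $field('shipname') === '') {
        return ['status' => 400, 'created' => false, 'reason' => 'invalid'];
    }
    // Only at this point would the real handler insert the row.
    return ['status' => 200, 'created' => true, 'reason' => 'ok'];
}

// Constructed sample requests, passed straight to the handler without ever
// rendering the form page.
$wellFormed = ['username' => 'pilot@example.org', 'character' => 'Pilot', 'shipname' => 'Kestrel'];
$cases = [
    'closed, well-formed' => [true, $wellFormed],
    'open, well-formed'   => [false, $wellFormed],
    'open, empty body'    => [false, []],
];
foreach ($cases as $label => [$closed, $post]) {
    $r = handle_registration($closed, $post);
    printf("%-20s page=%-17s -> %d %s\n", $label, render_new_player_page($closed), $r['status'], $r['reason']);
}
```

With the setting closed, the handler answers 403 for a well-formed request even though the form page was never loaded, which is the behaviour that keeping the check in new2.php provides.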

thekabal
Posts: 94
Joined: Sat Apr 19, 2014 22:32 UTC

Re: Change in new account creation disabled warning.

Post by thekabal » Tue Jun 02, 2020 18:53 UTC

TheMightyDude wrote:
Tue Jun 02, 2020 17:57 UTC
You beat me to it LOL

Long time no see, how are you and family?
I trust everyone is doing well.
Thanks, we are well. I'm currently employed, working remotely, occasionally indulging in my hobbies (like PHP programming), and staying safe.

Hope you are as well.
TheMightyDude wrote:
Tue Jun 02, 2020 17:57 UTC
Also it can be just a html file with post fields in it, some people do it on the live games, can be easy to spot, unless they are smart LOL.
Very good point, I should have mentioned that. ;-)

usalabs
Posts: 26
Joined: Tue May 19, 2020 13:29 UTC

Re: Change in new account creation disabled warning.

Post by usalabs » Wed Jun 03, 2020 00:24 UTC

And I wonder why I never studied scripting, it's far too contradictory, and seems to be very, very, unsafe. I much prefer the language I was taught many years ago (ASM): simple, to send data, you have to open a destination first to receive that data, then send it, and when an EOF is detected, close that destination. But in PHP it seems that any data can be sent to any PHP script as long as various details are known first, making PHP very, very, insecure, and that's not just PHP, but Curl, C++, Pascal, Fortran, Cobol, Java, and even HTML, and yet in most other programming languages, such as B.A.S.I.C, a file or memory location has to be opened first before any data is sent to it.

EG
50 mailmen are in a queue waiting at a house to deliver information, but until someone opens the door, the data is not going to go anywhere, but with PHP it seems that the door is always open, and data can flow from outside in at any time.

TheMightyDude
Site Admin
Posts: 293
Joined: Thu Apr 17, 2014 09:15 UTC

Re: Change in new account creation disabled warning.

Post by TheMightyDude » Wed Jun 03, 2020 02:14 UTC

It's the same with what you said: "(ASM), simple, to send data, you have to open a destination first to receive that data, then send it, and when an EOF is detected, close that destination". You can send anything that way too and it would be unsafe.

And by the way that is exactly how HTTP(s) sort of works, where the client sends a request to a web page on a server and that server returns the info for that page and then closes the connection.

Think of it like this: anything the user has to enter, clicking on a button etc. on a webpage is sent via TCP on port 80 (HTTP) or port 443 (HTTPS) via a Web Form. It's perfectly safe assuming you do all the checks and validation etc. server side.

If you are a bad programmer or don't know scripting especially the language in question you will have issues.
TheMightyDude::Blacknova Development.
