Author Topic: Questions! Questions! Questions!  (Read 28600 times)

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #15 on: February 28, 2015, 07:42:44 pm »
This isn't working, do you see something wrong?

Also, I did not add the url tags, it added itself for whatever reason.
Code: PHP
<?php
// Read the SteamID64 sent by the game server. The Lua side uses http.Post, so the
// value arrives in $_POST rather than $_GET (the fix reached in Reply #17).
$idcatmpleasework = $_GET["steamid"];

// Ask the Steam Web API for the player summary and pull out the full-size avatar URL.
$data = 'http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=A5B27E25F64B1EB2D62731C3ED866E69&steamids=' . $idcatmpleasework;
$f = file_get_contents($data);
$arr = json_decode($f, true);
if (isset($arr['response']['players'][0]['avatarfull']))
    $avatar = $arr['response']['players'][0]['avatarfull'];

// Both values are concatenated straight into the SQL text; this is the
// SQL injection problem discussed from Reply #20 onwards.
$query = "UPDATE `score` SET avatar = '" . $avatar . "' WHERE steamid64 = '" . $idcatmpleasework . "'";
$run = mysql_query($query);
if (empty($run)) {
    echo("test");
}
if (!$run) { die('Invalid query: ' . mysql_error()); }

Code: Lua
-- Server-side: tell the web script to refresh a player's avatar when they spawn.
function UpdateStuffPlz(ply)
    local steamid1 = "76561198016596475" -- hard-coded SteamID64 used for testing
    local tbl = { steamid = steamid1 }

    -- http.Post(url, parameters, onSuccess, onFailure): the parameters are sent
    -- as form fields, so the PHP side receives them in $_POST.
    http.Post("website.php", tbl, function() MsgN("Working") end, function() MsgN("Not Working") end)
end
hook.Add('PlayerSpawn', 'PlayerInitialSpawnUpdatesAvatarsPics', UpdateStuffPlz)
« Last Edit: February 28, 2015, 08:34:15 pm by Bite That Apple »
Quote from: John F. Kennedy 1963
A man may die, nations may rise and fall, but an idea lives on.

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #16 on: February 28, 2015, 08:18:53 pm »
So I've worked with this a lot now, and I've confirmed that the Garry's Mod server is not pushing the data: it is reading the file on the page, but not pushing the data onto the page.

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #17 on: February 28, 2015, 08:35:07 pm »
Alright, I fixed it, it wasn't GET, it was POST that I needed. Also do not move this or lock this, I'm just going to try to use this thread for all my questions I have in the future.

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2727
  • Karma: 430
    • |G4P| Gman4President
Re: Questions! Questions! Questions!
« Reply #18 on: February 28, 2015, 10:11:39 pm »
Ahh.. Sorry. My bad. It's been a while since I've used http.Post

Though I suppose in hindsight, it makes sense. ;)

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #19 on: March 01, 2015, 09:37:11 am »
Quote from: MrPresident
Ahh.. Sorry. My bad. It's been a while since I've used http.Post

Though I suppose in hindsight, it makes sense. ;)

Thank you for the assistance anyway, I wouldn't have been able to get as far as I did without your help.

---

Well not sure if you are curious what I was actually doing yesterday, but here: http://f4egaming.com/scoreboard/
I've been working on my new score/leaderboards addon. Most likely I will not release this quite yet, or at all, as it's kinda unique to my community. I have to store profile pictures and profile URLs in the database, because the Steam API is super slow, and it would literally take 56 seconds to load just one page of 15 players, so that's why I didn't do it the way you had suggested to me, as I had already tried that before.

The only issue with getting profile URLs and profile pictures is that if they change them, I only have the old one saved unless they rejoin my server, and it will update then.

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: Questions! Questions! Questions!
« Reply #20 on: March 01, 2015, 09:46:32 am »
Just a quick little thing:
With your current setup, anyone who gets a hold of the URL for your PHP script can issue bad, malicious SQL on your database, potentially dropping your entire records, modifying others' information, etc.
Especially with the (deprecated) mysql_ functions in PHP, you're leaving a 20-foot-wide hole for anyone with a bit of desire and know-how to do something malicious to your database, whatever that might be.

If you're concerned at all, I can help you clean that up.
bw81@ulysses-forums ~ % whoami
Homepage

Offline Neku

  • Hero Member
  • *****
  • Posts: 549
  • Karma: 27
Re: Questions! Questions! Questions!
« Reply #21 on: March 01, 2015, 11:21:11 am »
Quote from: Bytewave
Just a quick little thing:
With your current setup, anyone who gets a hold of the URL for your PHP script can issue bad, malicious SQL on your database, potentially dropping your entire records, modifying others' information, etc.
Especially with the (deprecated) mysql_ functions in PHP, you're leaving a 20-foot-wide hole for anyone with a bit of desire and know-how to do something malicious to your database, whatever that might be.

If you're concerned at all, I can help you clean that up.

Well I mean, it's obviously just scoreboard/index.php. :p
Out of the Garry's Mod business.

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2727
  • Karma: 430
    • |G4P| Gman4President
Re: Questions! Questions! Questions!
« Reply #22 on: March 01, 2015, 11:30:05 am »
Quote from: Neku
Well I mean, it's obviously just scoreboard/index.php. :p

That's the URL for the scoreboard, not the PHP script that interacts with GMOD to update the information.

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #23 on: March 01, 2015, 03:49:04 pm »
Quote from: Bytewave
If you're concerned at all, I can help you clean that up.

Well I trust this community (99.6%), though I had added a security protocol last night anyway. The entire system will not work unless a certain security phrase is sent to ensure it. Trust me when I say, I'm very secure when it comes to a database (well I think I am :S), seeing as I have this cancer here: http://www.f4egaming.com/archive uses ULX logs to find stuff, sometimes it's important and used, sometimes it's not, some bugs with searching (refuses to display SteamIDs, not sure why), other than that I believe it's very secure.

Though you can never have too much security, I'd like to know what you have in mind?
« Last Edit: March 01, 2015, 04:09:20 pm by Bite That Apple »

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: Questions! Questions! Questions!
« Reply #24 on: March 01, 2015, 06:47:54 pm »
Quote from: Bite That Apple
Well I trust this community (99.6%), though I had added a security protocol last night anyway. The entire system will not work unless a certain security phrase is sent to ensure it. Trust me when I say, I'm very secure when it comes to a database (well I think I am :S), seeing as I have this cancer here: http://www.f4egaming.com/archive uses ULX logs to find stuff, sometimes it's important and used, sometimes it's not, some bugs with searching (refuses to display SteamIDs, not sure why), other than that I believe it's very secure.

Though you can never have too much security, I'd like to know what you have in mind?
Well, if that script ever happens to touch the client-side, you could always do the old cache deobfuscation trick and pull the Lua file out, therefore revealing your link and your passcode/phrase.
Regardless of that, I would probably do some kind of input sanitization before querying the database—say, prepared statements or the like. You'd have to use MySQLi or PDO, though—both of which I happen to know fairly well.

With your current setup, the following POST string could do some bad things:
Code: SQL
'; DROP DATABASE '<DB name here if they can get ahold of that>'; --

This, of course, would be pretty bad for the contents of that database.

There are ways of fixing this in the backend, but they require swapping over from the deprecated mysql_ library to something like PDO.
« Last Edit: March 01, 2015, 06:49:36 pm by Bytewave »

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2727
  • Karma: 430
    • |G4P| Gman4President
Re: Questions! Questions! Questions!
« Reply #25 on: March 01, 2015, 07:03:57 pm »
Quote from: Bytewave
Well, if that script ever happens to touch the client-side, you could always do the old cache deobfuscation trick and pull the Lua file out, therefore revealing your link and your passcode/phrase.
Regardless of that, I would probably do some kind of input sanitization before querying the database—say, prepared statements or the like. You'd have to use MySQLi or PDO, though—both of which I happen to know fairly well.

With your current setup, the following POST string could do some bad things:
Code: SQL
'; DROP DATABASE '<DB name here if they can get ahold of that>'; --

This, of course, would be pretty bad for the contents of that database.

There are ways of fixing this in the backend, but they require swapping over from the deprecated mysql_ library to something like PDO.

He could just escape input data. That would be the easiest way to prevent that kind of malicious code.

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #26 on: March 01, 2015, 11:00:10 pm »
Alright, so I'm not really into terms, or anything really, I'm a very simple-minded person when it comes to scripting, a "tell me what you want, and I'll do it" type of person. Though when one crosses another developer, they like to use things I like to call "the idks" phrases. So when you guys use all this lingo and logo, you throw me off (seeing as I taught myself Lua from looking at scripts, I received almost no help till just recently when things started to get a little more complicated).

I try to keep up with you guys, but most of you use terms I do not understand (trust me when I say I don't understand anything, maybe hooks is the only thing I understand), especially Sticky Man and sometimes JamminR, they are both very term-based people. So when you guys all speak to me with your lingo, I see this:

[image]

So if someone could elaborate if my way of doing things isn't a good enough way, that would be nice.

lua -> ServerSide[Sends: secretcode, steamid] -> website -> phpfile[Receives: secretcode, steamid]

That in my opinion is pretty safe... I don't entirely understand how someone could read server side data?
« Last Edit: March 01, 2015, 11:02:46 pm by Bite That Apple »

Offline Decicus

  • Hero Member
  • *****
  • Posts: 552
  • Karma: 81
    • Alex Thomassen
Re: Questions! Questions! Questions!
« Reply #27 on: March 02, 2015, 10:02:43 am »
Quote from: Bite That Apple
So if someone could elaborate if my way of doing things isn't a good enough way, that would be nice.

lua -> ServerSide[Sends: secretcode, steamid] -> website -> phpfile[Receives: secretcode, steamid]

That in my opinion is pretty safe... I don't entirely understand how someone could read server side data?
I haven't followed completely through, but I know MrPresident and Bytewave mentioned this.
IF someone, somehow retrieved your URL, they could forge a POST request, which could allow them to execute commands on your MySQL server if they aren't escaped properly.
You can probably find out more about this if you look up "SQL injection", and it's unfortunately way too common to find around.
While we're at it, input (in this case the values in the POST requests that are supposed to be sent from your server) should at least be escaped with something like mysql_real_escape_string(). This would prevent most, if not all, chances of being a victim of SQL injection.

But as Bytewave said, using mysqli_ or PDO would be highly recommended, as mysql_ is deprecated.
Contact information:
E-mail: alex@thomassen.xyz.
You can also send a PM.

Offline Bite That Apple

  • Hero Member
  • *****
  • Posts: 858
  • Karma: 416
  • Apple Innovations 2010®
    • Fun 4 Everyone Gaming
Re: Questions! Questions! Questions!
« Reply #28 on: March 02, 2015, 10:41:02 am »
Quote from: Decicus
But as Bytewave said, using mysqli_ or PDO would be highly recommended, as mysql_ is deprecated.

I did not know that, I only have my limited knowledge of how stuff works, and what I don't know I get around by doing it some other way. This, to my knowledge, is the only way I understand, thus I thought it was safe.

Offline Decicus

  • Hero Member
  • *****
  • Posts: 552
  • Karma: 81
    • Alex Thomassen
Re: Questions! Questions! Questions!
« Reply #29 on: March 02, 2015, 11:32:42 am »
Quote from: Bite That Apple
I did not know that, I only have my limited knowledge of how stuff works, and what I don't know I get around by doing it some other way. This, to my knowledge, is the only way I understand, thus I thought it was safe.

mysqli_ is very similar to mysql_. So if you want to stick to the same style (procedural), you would have to include the mysqli_connect() link in the mysqli_query() function. Like this, for example:
Code: PHP
// Procedural mysqli: the connection link returned by mysqli_connect()
// is passed as the first argument to every other mysqli_ call.
$con = mysqli_connect( 'host', 'user', 'password', 'dbname' );
mysqli_query( $con, "QUERY" );
mysqli_close( $con );

Sorry if I'm terrible at explaining.
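As an added example (not code from the thread or from any of the posters), here is the update script rewritten the way Bytewave (prepared statements, Reply #24) and Decicus (procedural mysqli with the connection link passed to every call, Reply #29) suggest, with Bite That Apple's shared "security phrase" checked in constant time and the SteamID validated before it goes anywhere near SQL. The environment variable names, the database credentials and the `score` table columns are assumptions taken from the thread.

```php
<?php
// Added example (not code from the thread): the update script in the procedural mysqli
// style Decicus describes (connection link passed to every call), with a prepared
// statement instead of string concatenation and the shared "security phrase" compared
// in constant time. Env variable names and the table layout are assumptions.

// Accept only POST, the method the Lua side (http.Post) uses.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

// Shared secret known to the game server and this script (assumed env variable).
$expected = getenv('SCOREBOARD_SECRET');
$given = isset($_POST['secretcode']) && is_string($_POST['secretcode']) ? $_POST['secretcode'] : '';
if ($expected === false || !hash_equals($expected, $given)) {
    http_response_code(403);
    exit;
}

// A SteamID64 is 17 decimal digits; reject anything else before it gets near SQL.
$steamid = isset($_POST['steamid']) && is_string($_POST['steamid']) ? $_POST['steamid'] : '';
if (!ctype_digit($steamid) || strlen($steamid) !== 17) {
    http_response_code(400);
    exit;
}

// Fetch the avatar URL the same way the original script does (API key from env, assumed).
$url = 'http://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/'
     . '?key=' . urlencode((string) getenv('STEAM_API_KEY')) . '&steamids=' . $steamid;
$arr = json_decode((string) file_get_contents($url), true);
$avatar = isset($arr['response']['players'][0]['avatarfull'])
    ? $arr['response']['players'][0]['avatarfull'] : null;
if ($avatar === null) {
    http_response_code(502);
    exit;
}

// Procedural mysqli, as in Decicus's snippet: $con is the first argument of every call.
$con = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname');
if (!$con) { die('Connect error: ' . mysqli_connect_error()); }

// Placeholders keep the values out of the SQL text, so a quote in the input is only data.
$stmt = mysqli_prepare($con, 'UPDATE `score` SET avatar = ? WHERE steamid64 = ?');
mysqli_stmt_bind_param($stmt, 'ss', $avatar, $steamid);
mysqli_stmt_execute($stmt);
echo mysqli_stmt_affected_rows($stmt) > 0 ? 'updated' : 'no such player';
mysqli_stmt_close($stmt);
mysqli_close($con);
```

The Lua side stays as posted, except that the table passed to http.Post carries both `steamid` and `secretcode`, and the success callback should inspect the HTTP status code rather than treating any response as "Working".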
