MJ Maverick
IronPig Sev3rance
Posted - 2011.03.23 03:32:00 -
[1]
Version: 1.0
Intro: So there I was, using a Teamspeak registration system that once worked well but is now outdated and falling to pieces :( (♥ u really Agent Unknown :) ). I saw that people had made their own but wanted outrageous amounts of ISK in order to share it. So, meh. I'll make my own simple, fast, easy-to-mod and adaptable system. Only one problem: I know jack about PHP. I only knew what little I learnt from building my alliance a nice new website.
So I learnt PHP :) Then built my baby piece by piece. Now you can have it. Call it my little gesture to share a little love in Eve. I plan to add more features such as red alt scanning etc. while keeping it fast in the future along with keeping up to date with the ever changing Teamspeak development. Also as I am/was/ish a sort of PHP noob, you should find my heavily commented code easy to understand.
Features:
- Cron job for quickly scanning if characters registered have left their corp/alliance, and removes them
- Alliance whitelist
- Corporation whitelist
- Assign your own boys/girls into a separate group than your blues
- Shoos away doorstep salesmen
- API interface powered by Pheal
- Teamspeak interface powered by TS3 PHP Framework
Down to business: Here it is: Mirror 1 - Sev3rance Alliance (MJ Maverick)
Bearing in mind how much ISK people want for a system like this, feel free to donate if you use it :) (me poor *sadface*). If you run into any problems then either use this thread or mail me in game and I'll be happy to help.
Any donations should be sent to "MJ Maverick".
Special Thanks To:
- Peter Powers from Pheal
- Wollari from DOTLAN
- ScP from Teamspeak
------------------ CCP are not perfect. :)
Peter Powers
FinFleet Raiden.
Posted - 2011.03.23 08:55:00 -
[2]
Hey MJ M.,
Nice to see you are getting further with your efforts to learn PHP. However, I have to put out a warning for people who install your script.
Please do not take this personally, but the current version of the script is a security risk to everyone who installs it. You are not sanitizing any user input and therefore this script is quite vulnerable to SQL injections. More on SQL Injection
Also, you don't verify that the user who puts in the API key is actually the owner of the key, assuming that someone who knows the key is actually the guy that should be allowed to access your Teamspeak. That idea is wrong; API keys are 'public' keys. So if someone puts his API key into a random website, and that website owner then decides to register on your Teamspeak with the user's key, he could do that. To verify a user is the owner of a character you won't get around letting him send an ISK or an evemail from one of the characters on his account to one of yours (you can pull that from your own API then).
Vote Peter Powers for CSM6!
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.23 16:42:00 -
[3]
Hey Peter,
I know a bit about injections but was unable to give myself access with them. I see it as someone's API key is their responsibility but in light of what you said would you recommend using their FULL API? A lot of people wouldn't like to use this.
I'll hit you up in game next time I see you pop up but I really can't see a security problem.
------------------ CCP are not perfect. :)
Peter Powers
FinFleet Raiden.
Posted - 2011.03.23 17:25:00 -
[4]
About the SQL injection: it's possible to insert characters that MySQL interprets as MySQL commands, therefore it will execute 'em.
About the key: it does not matter what key you use. The key is meant to be 'distributed', since it is meant to allow others to access your account's data; therefore it's not safe to use it for authentication. For example, if I want myself to appear on a killboard through the API, I have to give away my key; the owner of the killboard can read it and do shenanigans with it, like registering on your tool. That's why using keys, no matter if full or limited, is no way of authentication.
Vote Peter Powers for CSM6!
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.23 19:23:00 -
[5]
Next time I see you we should have a discussion about alternative methods, I do have a few in mind. But as it is all Teamspeaks I have ever needed to register on use the API key method. True there are more secure methods, but keeping things simple is also key. I shall probably change the verification methods later on to a more secure way if I can find one that is also reliable.
------------------ CCP are not perfect. :)
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 17:19:00 -
[6]
Update v1.1
Added some spy and general imposter stuff. Also added an instructions page when people need to verify they are the account holder via making a new API. You should no longer be able to get a person in your database twice, but it checks anyway, that goes for TS also.
------------------ CCP are not perfect. :)
Catari Taga
Centre Of Attention Middle of Nowhere
Posted - 2011.03.25 17:37:00 -
[7]
Originally by: MJ Maverick
Quote: After a detailed going over of my code I have found it not susceptible to SQL injections. Any SQL injection would stop the script with an error before it got anywhere near the database. "str_replace" removes key ingredients of SQL injections even if one did somehow get through.
If you are talking about the code that is posted in the OP, that is not correct. You write form input directly to your database and thus are wide open to SQL injection. The thought alone makes me shudder. You really should do some research on this; it is not a trivial matter. --
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 17:47:00 -
[8]
If you can make it work then please let me know straight away as yes, that would be serious, but I cannot. Raw data is taken yes. However an SQL injection still has to go through the API verification, as it will not be a valid API/user/char information it will of course fail. Thus never reaching the SQL stage it was intended to inject.
------------------ CCP are not perfect. :)
Catari Taga
Centre Of Attention Middle of Nowhere
Posted - 2011.03.25 18:02:00 -
[9]
Originally by: MJ Maverick
Quote: If you can make it work then please let me know straight away as yes, that would be serious, but I cannot. Raw data is taken yes. However an SQL injection still has to go through the API verification, as it will not be a valid API/user/char information it will of course fail. Thus never reaching the SQL stage it was intended to inject.
I would have to check the Pheal source code to be sure, but assuming Pheal does some input sanitizing, it might simply strip offending characters from the input without giving you an error message. Or CCP might decide tomorrow to allow e.g. a semicolon in their character names or API keys. The thing is that it is simply unnecessary and bad practice to even take the risk. Sanitize what goes into your database and thus decouple it from whatever else may go on in your code. mysql_real_escape_string() will take care of the names, e.g. intval() will take care of the IDs. --
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 18:19:00 -
[10]
Edited by: MJ Maverick on 25/03/2011 18:29:30
inputID is just used when using the persons API prior to storage.
I'll take a look at those functions you linked and see if I can put them in just for good measure. I have to make sure that nothing filters ' or ! however, as they have special meaning in my code. Because you have ' in character names, ! = ' as ' will crash an SQL statement, so it must be subsidised with ! in the database and switched back to ' whenever being displayed. But as it goes today, right now, I honestly don't see it susceptible to injections.
I will however add safeguards in case CCP do something daft.
Edit: In hindsight, if I remove all ", ' and ; from all fields prior to storage then I should be immune anyway, right? The problem is API Keys contain certain characters such as = so cannot be filtered. Do you know of a list of characters all API Keys are made up of?
------------------ CCP are not perfect. :)
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 19:18:00 -
[11]
Update v1.15
Made security future proof for SQL shenanigans.
------------------ CCP are not perfect. :)
Catari Taga
Centre Of Attention Middle of Nowhere
Posted - 2011.03.25 19:38:00 -
[12]
Originally by: MJ Maverick
Quote: Because you have ' in character names, ! = ' as ' will crash an SQL statement so must be subsidised with ! in the database and switched back to ' whenever being displayed.
Lol no, what you do is escape special characters, not replace them. The function I linked will do this for you (hence the name). Welcome to programming. --
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 22:18:00 -
[13]
Haha, I see what you mean. So by using that it would insert the ' into the database but not break the query :P right? To be honest how it is now will die() on SQL injection attempts, and as I don't want them in with my database even if they have no effect I just barred them completely. But in future when boxing with names with ' in and SQL I will use the escape function so definitely a thanks there. :D Thanks for the lesson.
------------------ CCP are not perfect. :)
Catari Taga
Centre Of Attention Middle of Nowhere
Posted - 2011.03.25 22:38:00 -
[14]
You are welcome. :)
Your change does not really catch all injection vectors but I'll leave you alone with this now.
PS: Parting presents: in_array() and trim(). :) --
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.25 22:57:00 -
[15]
Yeah I found that out reading up on your links.
$query = "INSERT INTO users (api_user,api_key,characterID,blue,tsDatabaseID,tsUniqueID,tsName) VALUES ('$inputID','$inputAPI','$characterID','$blue','$tsDatabaseID','$tsUniqueID','$tsName')";
$sqlquery = mysql_real_escape_string($query);
mysql_query($sqlquery);
Is that good?
------------------ CCP are not perfect. :)
Peter Powers
FinFleet Raiden.
Posted - 2011.03.26 01:15:00 -
[16]
Simply checking for a small list of characters that might hurt your SQL does not cut it.
PHP offers several methods to escape MySQL queries (mysql_real_escape_string), but even those can be tricked by character set shenanigans. If you want to be safe, for heaven's sake use prepared queries.
Link for the lazy people:
http://de.php.net/manual/en/pdo.prepare.php
Originally by: "PHP Manual"
Quote: "The purpose of prepared statements is to not include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use (code easier to read) and not prone to SQL injections."
Your check for duplicates does not ensure that the registered user is the right user.
Case: user A is not registered, but put his API key into website X owned by user B. User B goes to the app and enters the key of user A. User B now looks like user A.
The only way you can be sure that the owner of the key is the one registering is when you in-game auth the user as well (and by that I do not mean using the IGB, which can be forged).
Howto:
Stuff needed:
- an account which is trusted by the website (the one running it)
- a cronjob
Step 1: User registers at the website; his characterID is saved.
Step 2: two methods possible:
a) User sends 1 (or a random amount of) ISK to the trusted character (your character). This can be with a specific reason so you can filter by that.
b) User sends an evemail to the trusted character. This can be with a specific subject so you can filter by that.
Step 3: Cronjob runs, checks for new transfers/evemails (matching the filter). For all new items (transfers or evemails), it will check the user accounts created in step 1, and set them to verified.
Step 4: User is able to login.
Problems: user cannot login directly (doh). Cronjob has to respect cache timers, so it can take a while.
Thing is, there is no other way to be sure that whoever registers is who he claims to be. This subject has been discussed on #eve-dev a few times, and it's up to CSM6 (still hoping I get elected ;) to talk to the right people at CCP, to get them to prioritize a way of verification that has a bit more usability for the end user. Until that happens, there is no way around it.
Vote Peter Powers for CSM6!
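As an added example (not code from this thread, from the tool or from Pheal), here is the INSERT posted a few replies up, done the way the thread's reply asks for: the string-built version that escapes the already-assembled query beside the same insert as a PDO prepared statement. An in-memory SQLite database stands in for MySQL so it runs offline (assumes the pdo_sqlite extension); the users table and the sample row are constructed, and only the column list comes from the thread.

```php
<?php
// Added example, not the tool's code. Compares the thread's "escape the whole
// query" pattern with a PDO prepared statement. SQLite in memory stands in for
// MySQL (assumes pdo_sqlite); the table and the sample row are constructed.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        api_user INTEGER, api_key TEXT, characterID INTEGER, blue INTEGER,
        tsDatabaseID INTEGER, tsUniqueID TEXT, tsName TEXT)');
    return $db;
}

// The pattern from the thread: values are pasted into the SQL text first, so
// escaping afterwards cannot tell data from syntax. A legitimate name with an
// apostrophe is enough to break it; no attack input is needed to see the problem.
function insertByStringBuilding(PDO $db, array $u): void
{
    $query = "INSERT INTO users (api_user,api_key,characterID,blue,tsDatabaseID,tsUniqueID,tsName)"
           . " VALUES ('{$u['api_user']}','{$u['api_key']}','{$u['characterID']}','{$u['blue']}',"
           . "'{$u['tsDatabaseID']}','{$u['tsUniqueID']}','{$u['tsName']}')";
    $db->exec($query);
}

// Prepared statement: the SQL text is fixed and the values travel separately
// as bound parameters, so quotes, semicolons and the '=' in API keys are data.
function insertPrepared(PDO $db, array $u): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (api_user,api_key,characterID,blue,tsDatabaseID,tsUniqueID,tsName)'
        . ' VALUES (:api_user,:api_key,:characterID,:blue,:tsDatabaseID,:tsUniqueID,:tsName)'
    );
    $stmt->bindValue(':api_user', (int)$u['api_user'], PDO::PARAM_INT);
    $stmt->bindValue(':api_key', $u['api_key'], PDO::PARAM_STR);
    $stmt->bindValue(':characterID', (int)$u['characterID'], PDO::PARAM_INT);
    $stmt->bindValue(':blue', (int)$u['blue'], PDO::PARAM_INT);
    $stmt->bindValue(':tsDatabaseID', (int)$u['tsDatabaseID'], PDO::PARAM_INT);
    $stmt->bindValue(':tsUniqueID', $u['tsUniqueID'], PDO::PARAM_STR);
    $stmt->bindValue(':tsName', $u['tsName'], PDO::PARAM_STR);
    $stmt->execute();
}

// Reads go through prepared statements too, so a name stored with its
// apostrophe can be looked up without any '!' substitution on either side.
function findByName(PDO $db, string $tsName): ?array
{
    $stmt = $db->prepare('SELECT characterID, tsName FROM users WHERE tsName = :n');
    $stmt->execute([':n' => $tsName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = openDb();
$user = [                                   // constructed sample row
    'api_user'     => 1234567,
    'api_key'      => 'EXAMPLEKEY==',        // placeholder; real keys contain '='
    'characterID'  => 98765,
    'blue'         => 1,
    'tsDatabaseID' => 12,
    'tsUniqueID'   => 'abc/xyz=',
    'tsName'       => "O'Brien",             // the apostrophe case from the thread
];

try {
    insertByStringBuilding($db, $user);
} catch (PDOException $e) {
    echo "string building failed: " . $e->getMessage() . "\n";
}
insertPrepared($db, $user);
$row = findByName($db, "O'Brien");
echo "stored name: " . $row['tsName'] . "\n";   // O'Brien, stored intact
```

The string-built insert fails on the apostrophe in the name before any attacker is involved; the prepared version stores and retrieves it unchanged, which is why the thread's advice is to bind parameters rather than to replace or strip characters.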
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.26 02:36:00 -
[17]
Edited by: MJ Maverick on 26/03/2011 02:44:34
A lot of what you say is my point. There is no practical way to be certain all members are who they say they are. All ways that prove this are plagued by cache timers like you said. For the sake of speed and getting people on comms, every alliance/corporation I know uses the API Key. It's not perfect but in my opinion it is the best we have for practicality at the moment. If the cache timers didn't last so long then the wallet would be the first thing I'd leap for. But as it is, pretty much everyone uses API with one dodgy system or the other.
So I am simply trying to offer the best way to do it if you must use API. Which, as I said, most people are forced to. Perhaps I will make a way to merge the two, or make a just-wallet verification system at some point. But as it stands, I'm just filling the void Agent Unknown's system left. I hope for all our sakes you get into CSM6 and are able to change CCP's opinion on verification. But at the end of the day, nothing is ever 100% secure.
Edit: I am using mysql_real_escape_string :P
------------------ CCP are not perfect. :)
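As an added example (not code from this thread or from the tool), the wallet-verification flow that both posters describe, as the cron side would implement it: step 1 hands the registering pilot a reason string to put on a 1 ISK transfer to the trusted character, and step 3 marks a registration verified only when that transfer was sent by the character that registered. The journal entries are constructed to stand in for the trusted account's wallet API output, and the field names ('ownerID1' for the sender, 'reason'), the reason prefix and the token lifetime are assumptions.

```php
<?php
// Added example, not the tool's code. Models the ISK-transfer verification flow
// from the thread. The wallet journal below is constructed; 'ownerID1' (sender
// characterID), 'reason', the reason prefix and the token lifetime are assumed.

const REASON_PREFIX = 'TSREG-';   // assumed convention for the transfer reason
const TOKEN_TTL     = 86400;      // assumed: a registration token lives one day

// Step 1: the user registers a characterID and is told the reason string to
// put on a 1 ISK transfer to the trusted character.
function registerPending(array &$pending, int $characterID, int $now): string
{
    $token = REASON_PREFIX . bin2hex(random_bytes(8));
    $pending[$token] = ['characterID' => $characterID, 'verified' => false, 'created' => $now];
    return $token;
}

// The wallet API is cached; polling before cachedUntil just returns the same
// data, so the cron waits the timer out (the "can take a while" in the thread).
function cronShouldRun(int $cachedUntil, int $now): bool
{
    return $now >= $cachedUntil;
}

// Step 3: run from cron. A pending entry is verified only when the transfer
// quoting its token was SENT BY the character that registered. Someone who
// merely knows another pilot's API key cannot make that pilot's character pay,
// which is the scenario the thread describes (B registering with A's key).
function verifyFromJournal(array &$pending, array $journal, int $now): array
{
    $verified = [];
    foreach ($journal as $entry) {
        $reason = trim((string)$entry['reason']);
        if (!isset($pending[$reason])) {
            continue;                                  // unrelated transfer
        }
        $reg = &$pending[$reason];
        if ($reg['verified'] || $now - $reg['created'] > TOKEN_TTL) {
            continue;                                  // already done, or token expired
        }
        if ((int)$entry['ownerID1'] !== $reg['characterID']) {
            continue;                                  // right token, wrong sender
        }
        $reg['verified'] = true;
        $verified[] = $reg['characterID'];
        unset($reg);
    }
    return $verified;
}

// Constructed scenario: pilot A (characterID 90000001) registers her own
// character; B got hold of A's API key and registers the same characterID.
$now = 1300000000;
$pending = [];
$tokenA = registerPending($pending, 90000001, $now);
$tokenB = registerPending($pending, 90000001, $now);

$journal = [                                          // constructed wallet journal
    ['ownerID1' => 90000001, 'reason' => $tokenA,              'amount' => 1.0],
    ['ownerID1' => 90000002, 'reason' => $tokenB,              'amount' => 1.0], // B pays from B's own character
    ['ownerID1' => 90000002, 'reason' => 'Thanks for the TS!', 'amount' => 5.0],
];

if (cronShouldRun($now + 3600, $now + 3600)) {
    $done = verifyFromJournal($pending, $journal, $now + 3600);
    echo 'verified: ' . implode(', ', $done) . "\n";          // verified: 90000001
    echo "A's registration: " . ($pending[$tokenA]['verified'] ? 'yes' : 'no') . "\n"; // yes
    echo "B's registration: " . ($pending[$tokenB]['verified'] ? 'yes' : 'no') . "\n"; // no
}
```

The token ties a transfer to one registration attempt, but the check that actually defeats the leaked-key case is the sender comparison: the registration for B's token never verifies because B cannot send ISK as A. The same structure works for the evemail variant with the subject line in place of the reason.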
Varitina
Posted - 2011.03.27 19:36:00 -
[18]
Edited by: Varitina on 27/03/2011 19:46:34
I am paying for website hosting from a source other than Teamspeak 3, and I'm also paying for Teamspeak 3 hosting, by Gameservers.com.
They claim the default serverquery is 9100, so I used it. This is what I get.
Quote: API Connection was established.
Checking... Character: Varitina
You are on our alliance whitelist Attempting to grant access to: STCZ Varitina...
Removing your old registrations... 0 old registrations removed.
An error occured: Connection timed out [F10]
Any ideas? *Edit* I entered debug, and it gave no extra info, still says connection timed out, and 0 old registrations removed. So it has to be a serverquery problem, and I'm all out of my knowledge.
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.27 23:00:00 -
[19]
That error is a complete failure to connect to your Teamspeak.
GameServers are wrong, the default port is in fact as stated in my readme "10011". Have you tried using that port? The only way it would not be 10011 is if GameServers have changed it from the default for some silly reason. :-/
http://forum.teamspeak.com/showthread.php/46486-Teamspeak-3-Server-Ports?p=200519#post200519
------------------ CCP are not perfect. :)
Varitina
Posted - 2011.03.27 23:11:00 -
[20]
Edited by: Varitina on 27/03/2011 23:17:35
That's what I mean, they stated that they have changed all ports, and they have a confusing answer.
FAQ Post on their members section for TS3:
Quote: What is the query port for my server? Why won't the ts viewer work?
The query port for your server is 9100. No existing TS query scripts or websites will work, they will all need to be updated for the new version of TS.
I'll try 10011 anyways, and get back to ya. But I also made a TS server on my PC, enabled default ports on my router, just to test, and it still failed. But that could be my fault. *Edit* With 10011, still the same error. Any ideas? Could it maybe not be the port?
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.28 00:09:00 -
[21]
Any quote like that from a service provider deeply worries me. It shows incredible arrogance. I assure you my script works with the latest Teamspeak :)
If the server wasn't interpreting the commands correctly it would throw errors, not time out or not connect at all. I would suggest contacting GameServers on the basis that their TS servers do not accept queries... which is both a failure of adequate service and of providing the full service you pay for.
------------------ CCP are not perfect. :)
Varitina
Posted - 2011.03.28 01:32:00 -
[22]
I really like this authenticator. I hope to get it working.
But I still can't get it working. Like I said, I made my own server on my local PC to test out the program, and it doesn't work on mine either, and all ports are correctly forwarded, and proper IPs in place.
Could it be permissions?
Moogless
Posted - 2011.03.28 02:23:00 -
[23]
Originally by: Varitina
Quote: I really like this authenticator. I hope to get it working.
But i still cant get it working, like i said, i made my own server on my local pc to test out the program, and it doesn't work on mine either, and all ports are correctly forwarded, and proper ip's in place.
Could it be permissions?
Unless you're actually running your PHP script from the computer, you are probably going to have problems with your router. (I need to DMZ to my local IP as port forwarding doesn't help me much on my router.)
Are your
public $tsport = "10011"; //ServerQuery Port
public $tscport = "9987"; //TeamSpeak client port
set correctly according to GameServers' details?
Are you using a domain for the: public $tshost = "ts3.lala.com";
Try with the IP only: public $tshost = "11.22.333.44";
If there hasn't been thought of it in the programming (cba to look through the code).
PsyKzz
Minmatar Bat Country Goonswarm Federation
Posted - 2011.03.28 02:25:00 -
[24]
MJ Maverick, do you know of R3tro? he's a dude in your alliance. PsyK
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.28 18:00:00 -
[25]
Originally by: PsyKzz
Quote: MJ Maverick, do you know of R3tro? he's a dude in your alliance.
Lol, off-topic but yes.
------------------ CCP are not perfect. :)
Varitina
Posted - 2011.03.28 22:12:00 -
[26]
Edited by: Varitina on 28/03/2011 22:14:27
@Moogless, appreciate the help on those, but nope, I have all the info filled in correctly. I contacted the company, and they confirmed that the query port is 9100, and the connection port is 9186.
I also used the IP instead of the subdomain. Still nothing, it gets connection timed out. I'm so lost, what on earth could it be? If all the possibilities are 100% correct, what's left?
Host: 8.9.36.132
Query: 9100
Client: 9186
Name: *Custom*
Pass: *Randomly generated from my name*
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.29 15:37:00 -
[27]
Try this:
1) In Teamspeak go to Tools > ServerQuery.
2) Press the tick in the top right and select login command.
3) Enter this into the top box on the left:
login $tsname $tspass
use 1
clientkick clid=YOUR_CLIENT_ID reasonid=5 reasonmsg=Test
Check your config.php and put in place of $tsname and $tspass whatever you have entered for them. For YOUR_CLIENT_ID click on your name in TS and on the right there is a number in brackets next to your name. So for example:
login username password
use 1
clientkick clid=29 reasonid=5 reasonmsg=Test
If you get an invalid clientID error then try "use 2", then 3, then 4 until you run out of servers (error id=1033 msg=server\sis\snot\srunning).
If it doesn't work then your provider has ServerQuery turned off and needs to be shot.
------------------ CCP are not perfect. :)
Varitina
Posted - 2011.03.29 16:10:00 -
[28]
Good and bad news: since I followed your last directions, it's not the same message. Bad news, it still doesn't work. I get a different error, and I'm not in an alliance.
Quote: Debug: Running: Teamspeak 3 PHP Framework version: 1.1.5-beta
API Connection was established.
Checking... Character: Varitina
Debug: User ID: **lol**
Debug: API Key: *NO bodys business*
Character ID: **********
Debug: Character List:
Debug: PLAYER1
Debug: Varitina
Debug: PLAYER2
Debug: API verified.
You are on our alliance whitelist
Debug: Getting your corp ticker... STCZ
Debug: Getting your alliance ticker...
An error occured: API Date could not be read / parsed, orginial exception: Operation timed out after 10 seconds with 465007 bytes received [239]
Any ideas now?
MJ Maverick
IronPig Sev3rance
Posted - 2011.03.29 19:22:00 -
[29]
Keep the clientID as your client ID on the server (in brackets) but keep changing "use" up one number until you hit server not running again. Eventually you should be kicked from TS.
------------------ CCP are not perfect. :)
Varitina
Posted - 2011.03.30 21:37:00 -
[30]
Edited by: Varitina on 30/03/2011 21:37:02
Okay, I have received a reply to my service petition, and he told me to use the following phrase "use port=" rather than "use", like this:
login *User* *Pass*
use port=9186
clientkick clid=66 reasonid=5 reasonmsg=Test
This kicked me. So the serverquery is working. What's my next approach to solving this problem? And I am 100% positive that the config file is filled in with the TS info correctly.
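As an added example (not code from this thread or from the TS3 PHP Framework), the pieces behind the manual test above: the ServerQuery escaping that produces "server\sis\snot\srunning", a builder for the login/use/clientkick lines typed into the client (including the "use port=" form the provider recommended), and a parser for the "error id=... msg=..." line that ends every ServerQuery reply, so a script can tell "wrong virtual server" from "nothing answered at all". No socket is opened; the replies are constructed strings and the credentials are placeholders.

```php
<?php
// Added example, not the TS3 PHP Framework's code. ServerQuery escapes spaces
// as \s, pipes as \p, slashes as \/ and backslashes as \\; the thread's
// "server\sis\snot\srunning" is that encoding. Replies below are constructed.

function tsEscape(string $s): string
{
    return strtr($s, [
        '\\' => '\\\\', '/' => '\\/', ' ' => '\\s', '|' => '\\p',
        "\n" => '\\n', "\r" => '\\r', "\t" => '\\t',
    ]);
}

function tsUnescape(string $s): string
{
    // strtr() with an array scans the input once, longest key first, so an
    // escaped backslash followed by 's' is not mistaken for an escaped space.
    return strtr($s, [
        '\\\\' => '\\', '\\/' => '/', '\\s' => ' ', '\\p' => '|',
        '\\n' => "\n", '\\r' => "\r", '\\t' => "\t",
    ]);
}

// One command line: positional arguments first, then key=value parameters.
function buildCommand(string $cmd, array $args = [], array $params = []): string
{
    $parts = [$cmd];
    foreach ($args as $a) {
        $parts[] = tsEscape((string)$a);
    }
    foreach ($params as $k => $v) {
        $parts[] = $k . '=' . tsEscape((string)$v);
    }
    return implode(' ', $parts);
}

// Every reply ends with "error id=N msg=..."; id 0 means success.
function parseErrorLine(string $line): array
{
    $line = rtrim($line, "\r\n");
    if (strncmp($line, 'error ', 6) !== 0) {
        throw new InvalidArgumentException("not an error line: $line");
    }
    $out = [];
    foreach (explode(' ', substr($line, 6)) as $kv) {
        [$k, $v] = array_pad(explode('=', $kv, 2), 2, '');
        $out[$k] = tsUnescape($v);
    }
    $out['id'] = isset($out['id']) ? (int)$out['id'] : -1;
    return $out;
}

// What the manual test in the thread sends, selecting the virtual server by
// its client port (the provider's advice) instead of guessing "use 1", "use 2"...
$commands = [
    buildCommand('login', ['serveradmin', 'pass word']),                      // placeholder credentials
    buildCommand('use', [], ['port' => 9186]),
    buildCommand('clientkick', [], ['clid' => 66, 'reasonid' => 5, 'reasonmsg' => 'Test kick']),
];
foreach ($commands as $c) {
    echo $c, "\n";   // login serveradmin pass\sword / use port=9186 / clientkick ... reasonmsg=Test\skick
}

// Constructed replies: "use 1" on a virtual server that is not running, then success.
foreach (['error id=1033 msg=server\sis\snot\srunning', 'error id=0 msg=ok'] as $reply) {
    $e = parseErrorLine($reply);
    printf("%s id=%d msg=%s\n", $e['id'] === 0 ? 'ok  ' : 'fail', $e['id'], $e['msg']);
}
```

A non-zero id with a readable msg means the query port answered and the command was simply rejected, which is the situation in the later posts; the earlier "Connection timed out" is different, because no error line ever arrived, so the script never reached the server at all.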