
I've made a script to delete characters on my game. It works, though it seems like anyone with a random account (who doesn't own the character) can delete them. It checks the password correctly, the PIN code etc.; only it won't check that the char name matches the PlayerID used on the script.

I hope anyone here could help me out.

This is the script.

I've already tried adding the char name check, but it's in another table and I can't figure out how to do it.

This is the basic index deletion page:

<?php
  include "config.php";
  echo $_GET['error'];
?>

<form action="delete_char.php" method="post">
  Please enter the required information to delete your character<br><br>
  <table>
    <tr><td>Character Name:</td><td><input name="char_name" type="text" maxlength="10" size="13" /></td></tr>
    <tr><td>Account:</td><td><input name="use" type="text" maxlength="13" size="13" /></td></tr>
    <tr><td>Password:</td><td><input name="acc_pass" type="password" maxlength="10" size="13" /></td></tr>
    <tr><td>PIN:</td><td><input name="pin" type="text" maxlength="6" size="13" /></td></tr>
    <tr><td colspan="2"><input type="submit" value="Ok" /></td></tr>
  </table>
</form>

This is the script:

<?php
  include "config.php";
  $char_name = $_POST['char_name'];
  $use = $_POST['use'];
  $acc_pass = $_POST['acc_pass'];
  $pin = $_POST['pin'];

  $con = mysql_connect($host, $user, $pass);
  mysql_select_db($db);

  // LogOn is read further down, so it has to be selected here as well
  $query = mysql_query("SELECT SSN, Password, LogOn FROM Player WHERE PlayerID='$use'");

  $row = mysql_fetch_array($query);
  $count = mysql_num_rows($query);

  $q = mysql_query("SELECT PASSWORD('$acc_pass') AS Password");
  $p = mysql_fetch_array($q);

  if($count == "0") {
    $error = "Account not found!<hr size=2><br>";
    header("Location: delete.php?error=$error");
  }
  else {
    if($p['Password'] != $row['Password']) {
      $error = "Invalid password!<hr size=2><br>";
      header("Location: delete.php?error=$error");
    }

    if($row['LogOn'] == "GAME") {
      $error = "Account is logged on!<hr size=2><br>";
      header("Location: delete.php?error=$error");
    }

    if($pin != $row['SSN']) {
      $error = "Invalid PIN Number!<hr size=2><br>";
      header("Location: delete.php?error=$error");
    }

    else {
      $q = mysql_query("SELECT CurrentWorldID FROM Player WHERE Name = '$use'");
      $world_id = mysql_fetch_array($q);
      $world_id = $world_id['CurrentWorldID'];

      $del_query = mysql_query("DELETE FROM Slayer WHERE Name = '$char_name'");
      $del_query = mysql_query("INSERT INTO DeleteChar (PlayerID, WorldID, Name, delDate) VALUES ('$use',$world_id,'$char_name',now())");
      $del_query = mysql_query("DELETE FROM Vampire WHERE Name = '$char_name'");
      $del_query = mysql_query("DELETE FROM Ousters WHERE Name = '$char_name'");
      $del_query = mysql_query("DELETE FROM SkillSave WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireSkillSave WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersSkillSave WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM RankBonusData WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM FlagSet WHERE OwnerID='$char_name'");
      $del_query = mysql_query("DELETE FROM ARObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BeltObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BladeObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BloodBibleObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BombMaterialObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BombObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM BraceletObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CastleSymbolObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CoatObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CrossObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ETCObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventETCObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventGiftBoxObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventStarObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventTreeObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM GloveObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM HelmObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM HolyWaterObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM KeyObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM LearningItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MaceObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MagazineObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MineObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MoneyObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MotorcycleObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM NecklaceObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PotionObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM QuestItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM RelicObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SMGObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SRObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SerumObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ShieldObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ShoesObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SkullObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SlayerPortalItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SwordObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM TrouserObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM RingObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CoupleRingObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireAmuletObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireBraceletObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireCoatObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireETCObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireEarringObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireNecklaceObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampirePortalItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireRingObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireWeaponObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM VampireCoupleRingObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM WaterObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM DyePotionObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ResurrectItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MixingItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersArmsbandObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersBootsObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersChakramObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersCircletObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersCoatObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersPendentObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersRingObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersStoneObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersWristletObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM LarvaObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PupaObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ComposMeiObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM OustersSummonItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CodeSheetObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MoonCardObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SweeperObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PetItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PetFoodObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PetEnchantItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM LuckyBagObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SMSItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CoreZapObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM GQuestItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM GQuestSave WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM TrapItemObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CarryingReceiverObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM ShoulderArmorObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM DermisObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM PersonaObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM FasciaObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MittenObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM SubInventoryObject WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM CoupleInfo WHERE FemalePartnerName = '$char_name'");
      $del_query = mysql_query("DELETE FROM CoupleInfo WHERE MalePartnerName = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectAcidTouch WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectAftermath WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectBloodDrain WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectDetectHidden WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectFlare WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectLight WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectParalysis WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectPoison WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectPoisonousHands WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectProtectionFromParalysis WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectProtectionFromPoison WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectRestore WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectYellowPoisonToCreature WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EffectMute WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EnemyErase WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM TimeLimitItems WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM EventQuestAdvance WHERE OwnerID = '$char_name'");
      $del_query = mysql_query("DELETE FROM MofusPowerPoint WHERE OwnerID = '$char_name'");

      $OK = "Character $char_name has been deleted.<hr size=2><br>";
      header("Location: delete.php?error=$OK");
    }
  }
  mysql_close($con);

Well, the script works fine.

I expect the script to verify that the char_name used matches the PlayerID, so only the owner can delete it.

Mister K
    `$_POST['char_name'] = "' OR 1 --';` There, I just SQL injected your code and deleted everyone's characters... E.g. `DELETE FROM Slayer WHERE Name = '' OR 1 --';` This is why you must use prepared statements. – ArtisticPhoenix Jun 16 '19 at 14:53
  • No, it does not delete everyone's characters; you fill in the character name on the index page. But it has to delete their own char only, not a character name from another user. – Mister K Jun 16 '19 at 14:54
    Yes it will, `Name='' OR 1` is always true, so it deletes every row in that table. The `--` is a comment and removes the end of the query... It's called SQL injection. – ArtisticPhoenix Jun 16 '19 at 14:55
  • To be honest, it does not delete everything at the moment. It just deletes the char name. Only anyone can do it. If they provide an OK account, pass and SSN, they can delete any random char name on the ranking boards (Slayer just holds all the races' names, so it's easy to check the PlayerID to match it). – Mister K Jun 16 '19 at 14:56
    Well, your DB schema needs some work: why have multiple tables for each type of character when you can have a column named `type` etc.? Too many tables. Sorry, I just point out what I see... The number of delete queries you have to do is bordering on ridiculous; it's way more work than you need to do. Don't take it as me being mean or criticizing you, I'm just trying to save you a ton of needless work. – ArtisticPhoenix Jun 16 '19 at 14:57
    Code looks like it was stolen from an i386 barebone server during the '90s. – Mike Doe Jun 16 '19 at 15:00
    It is from the '90s, my friend. So am I, so is the game. – Mister K Jun 16 '19 at 15:01

1 Answer


`header()` does not immediately end the script, even when redirecting. You need to `exit` or do something else to prevent the subsequent code from running. In your current code, the `if` blocks checking the password and LogOn values set the redirect header but don't stop the MySQL code from running. This could be solved by using `elseif` instead, so you get `if..elseif..elseif..else(delete stuff)`, which should be fine.

I would like to bring up a couple of things you should revise, however.

  1. You are injecting values directly into your query. If I submit my character name as `Niet' OR 1=1; --` then I've just pwn'd your entire database. It is long past time to update your code to PDO and use prepared statements.

  2. You appear to be using an insecure method of storing passwords. You should use `password_hash()` and `password_verify()` to secure and validate passwords.

  3. You are running a lot of delete queries manually. This suggests your database is not set up in a proper relational manner. Use `FOREIGN KEY` constraints to make each of those tables enforce a proper relation to the OwnerID that owns them. This way, when you delete (or update) the Slayer record, all elements owned by that record will be deleted (or updated). This means you can add more later without having to remember to go back to this code and add that too.

  4. You appear to be using an arbitrary string value (the name) as the key for your tables. You should instead have something like an `INT UNSIGNED AUTO_INCREMENT` as your primary key; in particular this will allow you to rename your Slayer without having to update every single thing that pointed to that name.

Hope this helps!

Niet the Dark Absol
  • Well, the most frustrating part is I can't seem to update my SQL version as well, because the game + client are so old they refuse the changes. Was kinda hoping I could do something like this: `$query = mysql_query("SELECT $char_name, FROM Slayer WHERE PlayerID='$use'");` – Mister K Jun 16 '19 at 15:02
  • You really need to go look for some *recent* tutorials on databases, because, I'll be very frank here, you don't seem to have a clue what you're doing and it's actually dangerous for you to work on this project... – Niet the Dark Absol Jun 16 '19 at 16:32
  • You probably don't understand the reason behind why I do it like this, so don't judge before you guys know what you're doing. – Mister K Jun 17 '19 at 16:11
  • Again, being very honest here, there is no justifiable reason for doing it the way you're showing. – Niet the Dark Absol Jun 17 '19 at 16:23
  • Thanks anyway, got it fixed though :) – Mister K Jun 18 '19 at 21:00
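The following is an added example, not code from the question or the answer, showing how delete_char.php could be rewritten along the lines the answer describes and with the ownership check the question asks for: PDO prepared statements, a `Name = ? AND PlayerID = ?` lookup before anything is deleted, `exit` after every `header()` redirect, `password_verify()`, a transaction, and a single `DELETE` that relies on `ON DELETE CASCADE` foreign keys. The column names `Slayer.SlayerID` and `Slayer.PlayerID`, the `OwnerID` foreign keys, the stand-in item table `SwordObject`, and the assumption that `Player.Password` holds a `password_hash()` value rather than a MySQL `PASSWORD()` hash are all assumptions for this example, not facts from the original schema.

```php
<?php
// Added example, not the original delete_char.php. Assumed schema (hypothetical):
//
//   CREATE TABLE Slayer (
//     SlayerID INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     PlayerID VARCHAR(13) NOT NULL,
//     Name     VARCHAR(10) NOT NULL UNIQUE
//   );
//   CREATE TABLE SwordObject (
//     ObjectID INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     OwnerID  INT UNSIGNED NOT NULL,
//     FOREIGN KEY (OwnerID) REFERENCES Slayer(SlayerID) ON DELETE CASCADE
//   );
//
// Every other per-item, effect and skill-save table gets the same OwnerID
// foreign key, so deleting the Slayer row cascades to all of them.
include "config.php";   // defines $host, $db, $user, $pass as in the original

// header() does not stop the script; exit does. The original script fell
// through and ran its DELETE statements after setting an error redirect.
function redirect(string $msg): void
{
    header("Location: delete.php?error=" . urlencode($msg));
    exit;
}

$pdo = new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
]);

$charName = $_POST['char_name'] ?? '';
$account  = $_POST['use']       ?? '';
$password = $_POST['acc_pass']  ?? '';
$pin      = $_POST['pin']       ?? '';

// 1. Account lookup. The value is bound as a parameter, so an input such as
//    ' OR 1 -- is compared literally and matches nothing.
$stmt = $pdo->prepare(
    "SELECT Password, SSN, LogOn, CurrentWorldID FROM Player WHERE PlayerID = ?"
);
$stmt->execute([$account]);
$player = $stmt->fetch(PDO::FETCH_ASSOC);

if ($player === false) {
    redirect("Account not found!");
}
// Password column assumed to hold a password_hash() value (assumption).
if (!password_verify($password, $player['Password'])) {
    redirect("Invalid password!");
}
if ($player['LogOn'] === 'GAME') {
    redirect("Account is logged on!");
}
// Constant-time comparison of the submitted PIN against the stored SSN column.
if (!hash_equals((string) $player['SSN'], $pin)) {
    redirect("Invalid PIN Number!");
}

// 2. Ownership check: the character row must carry this account's PlayerID.
//    This is the check the original script was missing.
$stmt = $pdo->prepare("SELECT SlayerID FROM Slayer WHERE Name = ? AND PlayerID = ?");
$stmt->execute([$charName, $account]);
$slayerId = $stmt->fetchColumn();

if ($slayerId === false) {
    redirect("That character does not belong to this account!");
}

// 3. Audit row plus a single DELETE, inside one transaction so a failure
//    half-way leaves nothing changed. The cascade removes the owned rows.
$pdo->beginTransaction();
try {
    $stmt = $pdo->prepare(
        "INSERT INTO DeleteChar (PlayerID, WorldID, Name, delDate) VALUES (?, ?, ?, NOW())"
    );
    $stmt->execute([$account, $player['CurrentWorldID'], $charName]);

    $stmt = $pdo->prepare("DELETE FROM Slayer WHERE SlayerID = ?");
    $stmt->execute([$slayerId]);

    $pdo->commit();
} catch (Throwable $e) {
    $pdo->rollBack();
    redirect("Deletion failed; nothing was changed.");
}

redirect("Character $charName has been deleted.");
```

If the old game client really forces you to keep MySQL `PASSWORD()` hashes, keep the comparison on the database side but still bind the value (`$pdo->prepare("SELECT PASSWORD(?)")` followed by `execute([$password])`) instead of interpolating `$acc_pass` into the query string. Note also that delete.php echoes `$_GET['error']` unescaped; since the messages above contain the user-supplied character name, that page should pass the value through `htmlspecialchars()` before printing it.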