Application mod

Support for the IM Portal Project


Post by joey_4ers » Sun Feb 25, 2007 7:18 pm

Your phpBB Version: 2.0.22
phpBB Type: Integramod 140
MODs: No
Your knowledge: Basic Knowledge
Board URL:

PHP Version:
MySQL Version:


What was done before the problem appeared?



What was done to try to solve the problem?




Description and Message

Hi Guys ..

I have this application form which I downloaded from the wowroster site. It's for people to apply to a guild.

The page sends the information to an email address.

I was wondering if anyone can help me make it post into one of our public forums?

I don't know enough about this to make it work; I would appreciate some help!

Thanks!

http://www.wowroster.net/Downloads/details/id=73.html

joey_4ers
Members
Members
 
Posts: 30
Likes: 0 post
Liked in: 0 post
Joined: Thu Jan 11, 2007 9:58 pm
Cash on hand: 0.00

Post by joey_4ers » Mon Feb 26, 2007 12:28 am

This is what I have done so far. I created a portal page and then a block with this inside...

Code: Select all
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"     "http]]>*/</style><title></title></head><body><table><tr><td><h2>Welcome!If you are interested in joining Conclave then please fill out thisapplication form and submit it, we will get back to you as soon aspossible.<br></h2>  <h2>If you are not from from the same realm as we are  pleaseleave as much info as possible and show sign of a personality (ifyou have one). The more info you provide the better! Also includerealm name!</h2>  <p><span>You <strong><u>MUST</u></strong>include a character profile using <a>CTProfile</a> or <a>Allakhazam</a>.<br>Applications without a profile will be automaticallyrejected.</span></p></td></tr>  </table><form><table><tr><td><span>CharacterName:<br></span></td><td><span>Level:<br></span></td><td><span>Class:<br></span></td><td><span>Timezone: Australian<br></span></td><td><span>Email:<br></span></td></tr><tr><td><input></td>  <td><input></td><td><select>   <option>Druid</option>   <option>Hunter</option>   <option>Mage</option>   <option>Paladin</option>   <option>Priest</option>   <option>Rogue</option>   <option>Shaman</option>   <option>Warlock</option>   <option>Warrior</option></select></td><td><select><option>Melb/Syd (Servertime)</option><option>Adelaide -30m</option><option>Queensland -1h</option><option>Perth -2h</option><option>Other</option></select></td><td><input></td></tr></table><br><table><tr>  <td><span>Availability:<br>We raid 8:30pm - 12:30am</span></td><td>Age:</td><td><span>Hours playing WoW per week</span></td></tr><tr><td><input>Sun  <input>Mon  <input>Tue <input>Wed  <input>Thu  <input>Fri  <input>Sat</td>  <td><input></td><td><select><option>Less Than 10 hours</option><option>10-15 hours</option><option>15-20 hours</option><option>20-25 hours</option><option>25+ hours</option></select></td></tr></table><br><table>  <tr><td><span>Reputation - Do youhave revered or exhalted 
with?:<br></span></td><td><span>InstanceKeys/Attunement:<br></span></td><td><span>TradeSkills:<br></span></td></tr><tr><td><input>   Thrallmar - Flamewrought Key <br>   <input>   Cenarion Expedition - Reservoir Key <br>   <input>   Lower City - Auchenai Key <br>   <input>   The Sha'tar - Warpforged Key <br>   <input>   Keepers of Time - Key of Time<br></td><td><input>   Karazhan <br>   <input>   The Tempest Key <br>   <input>   Serpentshire Cavern <br>   <input>   Mt. Hyjal</td><td><select>   <option>Profession 1</option>   <option>Gathering/Herbalism</option>   <option>Gathering/Mining</option>   <option>Gathering/Skinning</option>   <option>Alchemy</option>   <option>Alchemy/ Master of Potions</option>   <option>Alchemy/ Master of Elixirs</option>   <option>Alchemy/ Master of Transmutation</option>   <option>Blacksmithing/Armor</option>   <option>Blacksmithing/Axe</option>   <option>Blacksmithing/Hammer</option>   <option>Blacksmithing/Sword</option>   <option>Enchanting</option>   <option>Engineering/Gnomish</option>   <option>Engineering/Goblin</option>   <option>Jewelcrafting</option>   <option>Leatherworking/Dragonscale</option>   <option>Leatherworking/Elemental</option>   <option>Leatherworking/Tribal</option>   <option>Tailoring</option>   <option>Tailoring/Mooncloth</option>   <option>Tailoring/Shadoweave</option>   <option>Tailoring/Spellfire</option></select>   <br>   <br>   <select>     <option>Profession 2</option>     <option>Gathering/Herbalism</option>     <option>Gathering/Mining</option>     <option>Gathering/Skinning</option>     <option>Alchemy</option>     <option>Alchemy/ Master of Potions</option>     <option>Alchemy/ Master of Elixirs</option>     <option>Alchemy/ Master of Transmutation</option>     <option>Blacksmithing/Armor</option>     <option>Blacksmithing/Axe</option>     <option>Blacksmithing/Hammer</option>     <option>Blacksmithing/Sword</option>     <option>Enchanting</option>     <option>Engineering/Gnomish</option>     
<option>Engineering/Goblin</option>     <option>Jewelcrafting</option>     <option>Leatherworking/Dragonscale</option>     <option>Leatherworking/Elemental</option>     <option>Leatherworking/Tribal</option>     <option>Tailoring</option>     <option>Tailoring/Mooncloth</option>     <option>Tailoring/Shadoweave</option>     <option>Tailoring/Spellfire</option>     <option>None</option>   </select></td></tr></table><br><table><tr><td><span>Why do you want tojoin and why would we want you?:</span></td><td><span>Previous Guilds(Include guild names, realms names & why you left):</span></td>  <td><span>Raidingexperience</span></td></tr><tr><td><div><textarea></textarea></div></td><td><div><textarea></textarea></div></td><td><div><textarea>  </textarea></div></td></tr></table><br><table><tr><td>Character profile from <a>CTProfile</a> or <a>Allakhazam</a>(<span>This is required</span>)</td>  </tr><tr><td><input></td></tr></table><br><table><tr><td>Applying as "Friends andFamily"?</td><td>Name of guild member that is yourfriend or family</td></tr><tr><td><input>Yes on F&F</td>  <td><input></td></tr></table><br><table><p><span>Before hitting "Submit Application"<br>Please read our <a>Conclave Rules</a>.</span></p><tr><td><input><input></td></tr></table></form></body></html>


When the user hits submit it runs this file, apply.php, which has this in it (the listing is cut off where the thread's copy ends):

Code: Select all
<?
// Copy every form field straight out of the POST data.
$GamerName = $_POST['GamerName'];
$level = $_POST['level'];
$class = $_POST['class'];
$Age = $_POST['Age'];
$Profile = $_POST['Profile'];
$Location = $_POST['Location'];
$EmailAddress = $_POST['EmailAddress'];
$Hours = $_POST['Hours'];
$Clans = $_POST['Clans'];
$day7 = $_POST['day7'];
$day1 = $_POST['day1'];
$day2 = $_POST['day2'];
$day3 = $_POST['day3'];
$day4 = $_POST['day4'];
$day5 = $_POST['day5'];
$day6 = $_POST['day6'];
$faction_ad = $_POST['faction_ad'];
$faction_bn = $_POST['faction_bn'];
$faction_cc = $_POST['faction_cc'];
$faction_tb = $_POST['faction_tb'];
$faction_ti = $_POST['faction_ti'];
$faction_zt = $_POST['faction_zt'];
$mc = $_POST['mc'];
$ony = $_POST['ony'];
$bwl = $_POST['bwl'];
$nax = $_POST['nax'];
$prof1 = $_POST['prof1'];
$prof2 = $_POST['prof2'];
$Why = $_POST['Why'];
$About = $_POST['About'];
$ff = $_POST['ff'];
$ffname = $_POST['ffname'];

$EmailTo = "XX@XX.com.au"; //Insert email address here.
$Subject = "Conclave Application";  //Change the Email Subject to identify applications.
$Name = $GamerName;
$App = "Name]

You will see that there is a line that says "email to:", which is where you put the email address for it to send to.

Is there any way you can add code in there to make it post on the forums?

I thought I'd give you more details rather than a link.

Thanks

Re: Application mod

Post by Ma®©uS » Mon Mar 12, 2007 4:16 am

Hi,

As far as I can tell your coding is vulnerable to "e-mail injection", which allows someone to slip in CC: and BCC: addresses for the purpose of spamming via your site and form.

If you're adding a mod to phpBB that requires an e-mail to be sent, always do it using the emailer.php "emailer" class, as this prevents such injections.

More info here:
http://www.securephpwiki.com/index.php/Email_Injection

Making a form post to a selected forum is not easy. I've been doing it for someone recently as a paid job, and have been successful in writing a "form to post" script, but it only works for his forum, because of his form requiring different data.

If you'd like me to write you a custom mod, for a small fee, that includes secure coding and a proper template file please contact me and I'll be happy to discuss it with you.

Regards,
Marcus
..: Ma®©uS :..
Ma®©uS
Members
Members
 
Posts: 33
Likes: 0 post
Liked in: 0 post
Joined: Thu Apr 27, 2006 11:14 pm
Cash on hand: 0.00

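The "e-mail injection" Marcus warns about, shown as an added example that is not code from the thread or from the wowroster mod. It assumes the applicant's address from the form ends up in a From:/Reply-To: header handed to mail(); the apply.php listing above is cut off before that point, so this reconstructs the risk rather than quoting the mod. It never calls mail(), so it runs offline; the function and sample names are made up for the illustration, and the phpBB emailer class Marcus recommends is the route the thread actually endorses.

```php
<?php
// Added example, not the thread's or the mod's code. Demonstrates why a
// line break in a user-supplied address matters and how to refuse it.

/**
 * True if a value bound for a mail header carries a line break.
 * mail() separates headers on CR/LF, so a break in one field lets the
 * sender terminate that header and append others (Cc:, Bcc:, ...).
 */
function has_header_injection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

/**
 * Returns a header-safe address or null. FILTER_VALIDATE_EMAIL only
 * accepts a single well-formed address, which also excludes whitespace
 * and line breaks; the explicit check above keeps the intent readable.
 */
function safe_address(string $value): ?string
{
    $value = trim($value);
    if (has_header_injection($value)) {
        return null;
    }
    $ok = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Build the additional-headers string a hardened form would pass to
 * mail(). Only a validated address is interpolated; every header line
 * and its CRLF terminator is written by us, never by the submitter.
 */
function build_headers(string $applicant_email): string
{
    $addr = safe_address($applicant_email);
    if ($addr === null) {
        throw new InvalidArgumentException('rejected applicant address');
    }
    return "From: recruit@example.invalid\r\nReply-To: $addr\r\n";
}

// Constructed sample inputs (not taken from the thread).
$inputs = [
    'applicant@example.invalid',                       // legitimate
    "applicant@example.invalid\r\nBcc: x@example.invalid", // extra header smuggled in
    'not an address',                                  // junk
];

foreach ($inputs as $in) {
    try {
        echo 'accepted: ', json_encode(build_headers($in)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($in), "\n";
    }
}
```

Only the first input is accepted; the second is refused by the line-break check before filter_var even runs, and the third fails validation. The same rule applies to any other field that is copied into a header (a subject line, a display name): validate or encode it for the mail sink, and keep the header framing in your own code.
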
Re: Application mod

Post by Whisky » Mon Mar 12, 2007 7:27 am

I am interested in porting this Application form mod to my IM guild portal; I'll take a few hours this week to study it.
I am the Lizard King, I can do anything

Whisky
Sr Integra Member
Sr Integra Member
 
Posts: 256
Likes: 0 post
Liked in: 0 post
Joined: Thu May 18, 2006 1:28 am
Cash on hand: 0.00
Location: Brussels

Post by Ma®©uS » Mon Mar 12, 2007 7:31 am

Bear in mind what I said, it may be vulnerable to e-mail injection because of the way it's coded insecurely.

phpBB comes with a lot of functions which make data safe from e-mail/HTML/SQL injections, but this mod does not use any of them, nor does it use a phpBB-style template.

Re: Application mod

Post by Whisky » Mon Mar 12, 2007 9:57 am

Yeah, don't worry, I will not work with emails at all but rather a post injection. I am using the user_id of the form applicant.

I've begun already: I merged a phpBB hack form that inserts posts in the database with the mod proposed by Joey, and it's running like a charm.

You can see this on my test board:
http://www.rebirthoflight.net/roltest/WoWform.php (note that you must choose the ROL Druid theme to get it working, I haven't made the templates for other themes so far)

The resulting post is here (just the first attempt):
http://www.rebirthoflight.net/roltest/v ... hp?p=18498

Once I've finished I will add this to my World of Warcraft guild tools.

Post by Ma®©uS » Mon Mar 12, 2007 10:03 am

Looks promising!

Re: Application mod

Post by Whisky » Mon Mar 12, 2007 10:31 am

I've got a small issue; maybe someone will have an idea.

In the PHP code receiving the form I've added this function:
Code: Select all
// Returns the value escaped for SQL exactly once: if magic_quotes_gpc
// already added the slashes, leave it alone, otherwise add them here.
function fix_quotes($value)
{
    if (get_magic_quotes_gpc() == 1) {
        return $value;
    } else {
        return addslashes($value);
    }
}


Before making my SQL inserts I call this function with the message to insert, in order to strip any quotes that the user typed:
Code: Select all
$post_message = fix_quotes($message);


But this is not working; the quotes in the messages are not escaped.

Post by Ma®©uS » Mon Mar 12, 2007 10:46 am

Don't use that function. Include common.php at the top of your form's PHP file and it does all the get_magic_quotes_gpc riff-raff for you; there's no point in repeating an existing function.

Then just use

Code: Select all
$post_message = stripslashes(htmlspecialchars($HTTP_POST_VARS['message']));


to do the rest.

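The two posts above are both about getting a user-typed message with quotes into a posts table safely. As an added example, not code from the thread and not phpBB's own posting code, here is the same job done by binding the value instead of escaping it, with htmlspecialchars() applied only when the text is rendered. It assumes PDO with the sqlite driver is available; the table and the function names are constructed stand-ins, not phpBB's posts_text schema.

```php
<?php
// Added example (not from the thread, not phpBB code). Parameter binding
// replaces the addslashes()/magic_quotes dance; encoding for HTML is done
// once, at the output sink, rather than before the INSERT.

function open_store(): PDO
{
    // Constructed in-memory table standing in for the forum's posts table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE app_posts (id INTEGER PRIMARY KEY, user_id INTEGER, message TEXT)');
    return $db;
}

/**
 * Store the message exactly as typed. A bound parameter never becomes part
 * of the SQL text, so a quote in $message cannot close the string literal;
 * no addslashes(), get_magic_quotes_gpc() check or stripslashes() round
 * trip is needed, and nothing is stored double-escaped.
 */
function store_message(PDO $db, int $user_id, string $message): int
{
    $stmt = $db->prepare('INSERT INTO app_posts (user_id, message) VALUES (:uid, :msg)');
    $stmt->execute([':uid' => $user_id, ':msg' => $message]);
    return (int) $db->lastInsertId();
}

/** Read the raw text back; no decoding step exists because none was applied on the way in. */
function load_message(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT message FROM app_posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

/** Encode once for the HTML sink; ENT_QUOTES covers single quotes as well as double. */
function render_message(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample input resembling what the guild form would receive.
$typed = "I'm a level 70 \"resto\" druid; <b>not</b> a bot.\nO'Neil's alt.";

$db = open_store();
$id = store_message($db, 42, $typed);
$back = load_message($db, $id);

var_dump($back === $typed);   // bool(true): stored verbatim, quotes intact
echo render_message($back), "\n";
```

The round trip returns the text unchanged, and the rendered form has the angle brackets and both kinds of quote encoded. On the page's own approach, note that get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0, so the fix_quotes() helper above would not run at all on a current interpreter; binding parameters removes the dependency on that setting entirely.
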
Re: Application mod

Post by Whisky » Mon Mar 12, 2007 10:52 am

I've learned another thing about IM today, thank you.

Post by joey_4ers » Mon Apr 09, 2007 10:23 pm

Hi whisky ..


I have been away on holidays..

That looks fantastic. Do you have the mod available to download?

Re: Application mod

Post by Whisky » Mon Apr 09, 2007 10:46 pm

Hi

Well, I was waiting for you before moving further on this... and you are magically there :ra: The FORM itself
:(
Last edited by Whisky on Tue Apr 10, 2007 12:01 am, edited 1 time in total.

Post by joey_4ers » Mon Apr 09, 2007 10:54 pm

Hi Whisky

I can do it myself.

World of Warcraft servers are down tonight so I can spend the time translating it.

You can PM them to me if you like or post them here. Up to you.

Thanks for your help.

I'll repost them here for everyone in English.

Re: Application mod

Post by Whisky » Mon Apr 09, 2007 11:56 pm

Here it is => http://rebirthoflight.net/ara/ROLrecruitform.zip

I commented accurately in the code where you must and must NOT edit.

Note that the original mod I wrote mine from gives you the opportunity to open a poll in the submitted post and/or to send a PM to any of your users (admin by default).
I have not tested this functionality at all, but the code is still there and should still work I guess; it's up to you to test and see if it works.

If your guild is using the recruitment block of my WoW guild tools, you can uncomment the code at the top of ROLrecruitform.php; it's detailed in the file.
This will gather recruitment info from your database and display it on top of the form, like this:
"We are currently recruiting: 1 Warrior, 2 Priests, 1 Warlock"

Hope I haven't made something weird just now, because I edited the PHP files to make your life easier and I did not test my changes.

Post by joey_4ers » Tue Apr 10, 2007 3:56 am

No problem mate, thanks heaps for all your hard work.

BTW, where can I get your WoW guild tools? Wouldn't mind taking a look at them!

Thanks again