Hello Friends, Can you please help me out solving this code issue. The main issue is the referral assigning. No matter from what affiliate URL I try to sign up, the registration page only assigns the user to “userid 1” instead of the real user id. Also, please let me know if there are any security issues in this code. If yes, how can I make it more secure? Below is the registration page code. Please have a look:
Never put raw user input straight into a query; it’s wide open to SQL injection.
The best thing I can recommend to fix this is to update your code and methods. The mysql API has been removed from PHP and is now completely obsolete; if a server runs PHP 7 (which it should these days) it will not work at all.
You should be using either mysqli or, my preference, PDO to connect to your database. Both of these have the ability to use prepared statements, which can help guard against SQL injection, among other advantages.
Hello, Thank you for your kind answer, but can you please let me know how I can change the code so that it will assign the correct “ref” instead of just assigning every user under “user 1”? Also, it would be great if you can suggest some code modification to make this existing code more secure, as this script is purchased and I am not very much an expert in modifying code.
Can you show the html where you call this code from? Specifically I find it strange that you use both $_GET and $_POST arrays to get information from the form. It can be done, of course, but I wondered whether it was intentional.
The best way to improve security is as @sama74 said, switch to PDO instead and use prepared statements.
Hello, You can check the registration page here: https://deadliestbtc.win . Also, can you please help me out with how to modify the code so that it can assign the original affiliate instead of assigning all referrals to user id 1 or just 0?
Note that the form’s method attribute value is “post”, and not “get”.
So this block of PHP code will always assign the value of zero to the $rrr variable, unless there is other code sending GET that you haven’t shown:
if (isset($_GET['ref'])) {
    // never true when the form is submitted with method="post"
    $ref = $_GET['ref'];
    // $ref is concatenated unescaped into the SQL, and $rrr becomes an array here
    $rrr = mysql_fetch_array(mysql_query("SELECT id FROM users WHERE username='".$ref."'"));
} else {
    // but a plain integer here
    $rrr = 0;
}
My guess is that if it’s a sign-up from a referral site, perhaps the action tag is different. But it is just a guess, only the OP can confirm. If not, then mystery solved - the form sends all data as POST, and there isn’t a form field called “ref” anywhere in the form.
Another weird thing with $rrr is that sometimes it’s an array as the result of mysql_fetch_array(), and sometimes it’s a variable as in $rrr = 0, but in the check it’s always assumed to be an array.
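As an added example, not code from the OP’s script or from anyone in the thread: the referral lookup rewritten with PDO and a prepared statement, reading the field from $_POST (since the form posts) with a $_GET fallback, and always yielding an int. The DSN and credentials are placeholders; the `users` table with `id` and `username` columns is assumed to be as in the thread, and the form is assumed to carry the referral in a hidden field named `ref`.

```php
<?php
// Added example, not the purchased script's code.
// Resolves a referral username to a user id using a prepared statement,
// so the username is sent as a bound parameter and never spliced into SQL.
function resolveReferrer(PDO $pdo, ?string $ref): int
{
    // Always return an int (0 = no referrer) so the caller never has to
    // guess whether $rrr is an array or a scalar.
    if ($ref === null || $ref === '') {
        return 0;
    }
    $stmt = $pdo->prepare('SELECT id FROM users WHERE username = :username LIMIT 1');
    $stmt->execute([':username' => $ref]);
    $id = $stmt->fetchColumn();
    return $id === false ? 0 : (int) $id;
}

// Placeholder connection details; replace with the real ones.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_DB_USER',
    'YOUR_DB_PASSWORD',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
    ]
);

// The registration form posts, so the hidden <input name="ref"> (assumed to be
// added to the form) arrives in $_POST. The $_GET fallback covers the first
// landing on register.php?ref=name before the form is submitted.
$ref = $_POST['ref'] ?? $_GET['ref'] ?? null;
$rrr = resolveReferrer($pdo, $ref);

// When inserting the new user, bind $rrr as an integer parameter too
// (e.g. ':ref' => $rrr) rather than concatenating it into the INSERT.
```

If the hidden `ref` field is missing from the form, `$rrr` will be 0 for every sign-up regardless of the database code, which matches the symptom described above.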
I know it must be frustrating that no-one is just doing that, but using these obsolete libraries to access your database is something that most have gone away from, and probably don’t really remember without spending time looking them up. There would then be the issue that a forum contributor appears to be advising you to carry on using old code, even though it has security implications. For any general site that is an issue, but for a betting site which presumably has some financial dealings with customers, that’s a serious mistake.
And finally, you’ve paid someone for a product which should work, why can’t they answer the questions you have? That’s what the money was for.
Not what you want to hear. But HTML that calls in shiv and has IE conditional comments and has empty element pairs suggests that not only the PHP code should be scrapped (save a backup) but the HTML as well.
I understand that “patching” might seem like the easier way to fix things, but if it were me I would seriously consider starting fresh. Starting with getting the HTML up to snuff.
Not that you would need to update everything at once. But any time you touch a file would be a good time to fix the file properly instead of patching it.
Thank you friends for all your kind replies, but it seems that I have to leave this project because of this script code until I get some better alternative.