PHP / HTTPObject

#1

function netlogin()
{
%username = $playername;
%password = $password; 
     
%server = "localhost:80";
%path = "/torque/";
%script = "login.php";
%query = "username="@%username@"==="@%password;
%hto = new HTTPObject(CharLogin);
%hto.get(%server,%path @ %script,%query);
    

}

i could not find a way to add a & in the url passing without modding source so I used explode in the php script to separate the username and password after the ===.

function CharLogin::onLine(%this,%line)
{
   if (StrStr(%line, "success") != -1)
   {
      resultguitext.text = "Log in Successful"; 
      return; 
      
   }
   if (StrStr(%line, "failure") != -1)
   {
     resultguitext.text = "Username or Password is incorrect"; 
     return;   
   }
   
   else
   {
     resultguitext.text = "Accessing Database...";    
   }
  
}

here is the php script

<?php
$username = $_GET['username'];
$exploded_username = explode('===',$username);
$newusername = $exploded_username[0];
$password = $exploded_username[1];
include "connect.php";
 
 
 $query="SELECT * from torque where username='$newusername' AND password = '$password'";
  $query2=mysql_query($query) or die("Could not query players table");
  $query3=mysql_fetch_array($query2);
    if (isset($query3['username']))
	{
	echo "success";
	}
	else
	{
	echo "failure";
	}
?>

just change the values to match your database and fields.

#2 Thanks a lot, I got most of this figured out a while back. I figure I will leave this up (not sure if I even can delete a thread.) for others with the same questions.

#3 @Hallsofvallhalla: It is perhaps a good idea to always one-way encode (hash) your passwords and store the hash only - regardless the method of hashing. Even when logging in, you should never send a clear text version of your users' passwords over the wire. Have it hashed on the client, and send the hash instead.

This is also important when someone hacks into your system. Decrease the damage by not letting the villain get the passwords of your users.

I'm writing this, because the example ahead is vulnerable to a number of security attacks. At the very least, use mysql_real_escape_string to avoid sql injections.

#4 amen!
I only posted this base example because no one game him an answer and it was a quick fix. I moved onto using a different method so never went any further with this.

#5 That's good to hear! Sorry if I sounded harsh, didn't mean to. I was just trying to save someone some headaches. :)

#6 not harsh at all, all good, the more info the better!

#7 As a Tribes 2 Modder, I have done this with TCP objects, and I believe you should be using those instead.

You need to know the HTTP RFC, which can be found here:

http://www.faqs.org/rfcs/rfc2616.html

So for the torque code, suppose you have this php:

<?php
   $Name = $_POST["name"];
   $Number = $_POST["numb"];
   echo $Name .":". $Number;
?>

you can interact with a TCP object like so:

function SendTCPConnection(%name, %number) {
   if (!isObject(TCPOBJNAMENUM)) {
      %Downloader = new TCPObject(TCPOBJNAMENUM);
   }
   else {
      %Downloader = TCPOBJNAMENUM;
   }
   %Downloader.name = %name;
   %Downloader.numb = %number;
   %Downloader.connect("ServerToConnectTo:80");
}

function TCPOBJNAMENUM::onConnected(%this) {
   %sep = getRandomSeparator(16);   //this is my separator creation function, see the RFC for details
   %loc = "/thepathtothephp.php";
   %header1 = "POST" SPC %loc SPC "HTTP/1.1\r\n";
   %host = "Host: ThatServerAbove\r\n";
   %header2 = "Connection: close\r\nUser-Agent: IAmAnAgent\r\n";
   %contType = "Content-Type: multipart/form-data; boundary="@%sep@"\r\n";
   %nameReq = "--"@%sep@"\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\n"@%this.name@"";
   %numbReq = "--"@%sep@"\r\nContent-Disposition: form-data; name=\"numb\"\r\n\r\n"@%this.numb@"";
   %payload = ""@%namereq@"\r\n"@%numbReq@"\r\n--"@%sep@"--";
   %qlen = strLen(%payload);
   %contentLeng = "Content-Length: "@%qlen@"\r\n\r\n";
   %query = %header1@%host@%header2@%contType@%contentLeng@%payload;
   echo("Connected, sending query");

   %this.send(%query);
   %this.schedule(5000, "Disconnect");
}

function TCPOBJNAMENUM::onLine(%this, %line) {
   echo(%line);
}

function TCPOBJNAMENUM::onConnectFailed(%this) {
   error("** Connection Failed");
   %this.disconnect();
}

function TCPOBJNAMENUM::onDisconnect(%this) {
   %this.schedule(1000, delete);
}

for %sep = getRandomSeparator(16) , you will need to write a simple function to generate a string of Characters and Numbers with a given length.

Hope that helps!

#8 @Hallsofvallhalla
the best way to integrate the & in this Code is, you use & followed by the next variable-name in the %query-line. Have a look at next lines

function netlogin(){  
%username = $playername;  
%password = $password;   

%server = "localhost:80";  
%path = "/torque/";  
%script = "login.php";  
%query = "username="@%username@"&password"@%password;  
%hto = new HTTPObject(CharLogin);  
%hto.get(%server,%path @ %script,%query);  
}

Best Regards

MasterNemo

#9 I explode on commas (uh, don't take that the wrong way...). Keep in mind that this is being used for testing:

function doStuff(%arg1, %arg2)
{
   %obj = new HTTPObject();
   %address = "www.yourSiteHere.com:80";
   %path = "/path/file.php";
   %query = "v=1,2,3"; //I just always call the values v
   %obj.get(%address, %path, %query);
}

And in file.php, to echo the values:

<?php
   $a = explode(',', $_GET['v']);
   echo $a[0].','.$a[1].','.$a[2].'\n';
?>

There may be some typos, as I just started learning PHP last week...