[EVEOTS] Eve Online Teamspeak 3 API Registration with PHP5 v1.5
 
This thread is older than 90 days and has been locked due to inactivity.



MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.23 03:32:00 - [1]
 

Edited by: MJ Maverick on 29/08/2011 00:12:42

Version: 1.5

Intro:
So there I was, using a Teamspeak registration system that once worked well but is now outdated and falling to pieces :( (♥ u really Agent Unknown :) ). I saw that people had made their own but wanted outrageous amounts of ISK in order to share it. So, meh. I'll make my own simple, fast, easy to mod and adaptable system. Only one problem, I know jack about PHP. I only knew what little I learnt from building my alliance a nice new website.

So I learnt PHP :) Then built my baby piece by piece. Now you can have it. Call it my little gesture to share a little love in Eve. I plan to add more features such as red alt scanning etc. while keeping it fast in the future along with keeping up to date with the ever changing Teamspeak development. Also as I am/was/ish a sort of PHP noob, you should find my heavily commented code easy to understand.

Preview:
Sev3rance Alliance

Requirements:
PHP 5.2 or later
MySQL 5 or later (untested on earlier versions)
Dedicated web host

Features:
v1.0
Very fast cron job for quickly scanning if characters registered have left their corp/alliance and removes them.
Alliance whitelist.
Corporation whitelist.
Assign your own boys/girls into a separate group from your blues.
Supports character names containing an '.
If a blue joins your alliance, it realises and asks them to re-register so they can be moved into the correct group.
Error messages will even inform the user of who to contact (presumably, you).
Limited API entry form is limited to 64 characters (the length of an API Key) to help prevent pasting a space after the key.
Does not require | between tickers (no more horrible phonetic announcements).
Shoos away doorstep salesmen.
API interface powered by Pheal.
Teamspeak interface powered by TS3 PHP Framework.
v1.1
Detects if a spy is using some ones API when they register.
If someone has lost their Teamspeak ID it will ask then to make a new API to verify them, then delete their old registrations.
Instructions page added for people trying to register on 2 computers.
Prevents any duplications on TS and in the database.
v1.15
Enhanced script security.
v1.17
For this update you will need to overwrite config.php and fill it in again. Sorry, it's for the best. :)
cron.php will now know if it's being run via CPanel and format e-mails correctly.
Made readme.html into your EVEOTS bible for when I'm not around.
v1.2
Security bot now optional to make sure people have the correct name.
General code tweaks made.
Readme updated.
v1.3
General code clean up.
Handles even more errors properly.
Added staged registration as requested (Yay).
Added compatibility for option ticker separators as requested.
v1.31
Character names over 30 characters will no longer cause Teamspeak problems.
v1.5
Admin panel, yay :D
Big update, see "version history.txt"

Down to business:
By downloading you agree to leave the credit at the bottom of the page. Let's play fair, credit where credit's due...
That is the only condition, so here it is:
Mirror 1 - Sev3rance Alliance (MJ Maverick)

Bearing in mind how much ISK people want for a system like this, if you are using it, it would be awesome to let me know and maybe even donate :) (all this work leaves little time for ISKies *sadface*). If you run into any problems then either use this thread or mail me in game and I'll be happy to help.

Any kind donations can be sent to "MJ Maverick".

Special Thanks To:
Peter Powers from Pheal
Wollari from DOTLAN
ScP from Teamspeak
The Sev3rance Alliance for being my guinea pigs

Peter Powers
FinFleet
Raiden.
Posted - 2011.03.23 08:55:00 - [2]
 

hey mj m.,

nice to see you are getting further with your efforts to learn php,
however, i have to put out a warning for people installing your script.

please do not take this personally, but the current version of the script is a security risk to everyone who installs it.
you are not sanitizing any user input and therefore this script is quite vulnerable to sql injections. more on SQL Injection

also, you don't verify that the user who puts in the API key is actually the owner of the key, assuming that someone who knows the key is actually the guy that should be allowed to access your teamspeak. That idea is wrong, apikeys are 'public' keys; so if someone puts his api key to a random website, and that website owner then decides to register on your teamspeak with the user's key, he could do that.
To verify a user is the owner of a character you won't get around letting him send an isk or an evemail from one of the characters on his account to one of yours (you can pull that from your own API then).


MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.23 16:42:00 - [3]
 

Hey Peter,

I know a bit about injections but was unable to give myself access with them. I see it as someone's API key is their responsibility but in light of what you said would you recommend using their FULL API? A lot of people wouldn't like to use this.

I'll hit you up in game next time I see you pop up but I really can't see a security problem.

Peter Powers
FinFleet
Raiden.
Posted - 2011.03.23 17:25:00 - [4]
 

about the sql injection: it's possible to insert characters that mysql interprets as mysql commands, therefore it will execute 'em

about the key: it does not matter what key you use, the key is meant to be 'distributed', since it is meant to allow others to access your account's data. therefore it's not safe to use it for authentication.
for example, if i want myself to appear on a killboard through api, i have to give away my key, the owner of the killboard can read it and do shenanigans with it, like registering on your tool, that's why using keys, no matter if full or limited, is no way of authentication.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.23 19:23:00 - [5]
 

Edited by: MJ Maverick on 24/03/2011 04:01:28

Edit:
After a detailed going over of my code I have found it not susceptible to SQL injections. Any SQL injection would stop the script with an error before it got anywhere near the database. "str_replace" removes key ingredients of SQL injections even if one did somehow get through.
Also I could verify through wallet transactions but as that API has a large lag time it would be impractical to implement. Not to mention leave members pulling their hair out.

However, in an upcoming release there will be functions that check to see if the member is already registered, if they are then it will check if the person already registered used the same API key. If they did then it will alert them to inform the admin of a possible spy in the TS. If they registered using an old API Key, then it will recognise the new API Key (you must be the account holder to create a new API) and remove all previous registrations by that character. Then register the new user.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 17:19:00 - [6]
 

Update v1.1

Added some spy and general imposter stuff. Also added an instructions page when people need to verify they are the account holder via making a new API. You should no longer be able to get a person in your database twice, but it checks anyway, that goes for TS also.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.03.25 17:37:00 - [7]
 

Originally by: MJ Maverick
After a detailed going over of my code I have found it not susceptible to SQL injections. Any SQL injection would stop the script with an error before it got anywhere near the database. "str_replace" removes key ingredients of SQL injections even if one did some how get through.

If you are talking about the code that is posted in the OP that is not correct, you write form input directly to your database and thus are widely open to SQL injection. The thought alone makes me shudder. You really should do some research on this, it is not a trivial matter.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 17:47:00 - [8]
 

Edited by: MJ Maverick on 25/03/2011 17:50:41
If you can make it work then please let me know straight away as yes, that would be serious, but I cannot. Raw data is taken yes. However an SQL injection still has to go through the API verification, as it will not be a valid API/user/char information it will of course fail. Thus never reaching the SQL stage it was intended to inject.

Edit: Also am I right in thinking that not allowing " and replacing ' renders injection pretty much useless.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.03.25 18:02:00 - [9]
 

Edited by: Catari Taga on 25/03/2011 18:10:49
Originally by: MJ Maverick
If you can make it work then please let me know straight away as yes, that would be serious, but I cannot. Raw data is taken yes. However an SQL injection still has to go through the API verification, as it will not be a valid API/user/char information it will of course fail. Thus never reaching the SQL stage it was intended to inject.

I would have to check pheal source code to be sure but assuming pheal does some input sanitizing it might simply strip offending characters from the input without giving you an error message. Or CCP might tomorrow allow e.g. a semi-colon in their character names or API keys. The thing is that it is simply unnecessary and bad practice to even take the risk. Sanitize what goes into your database and thus decouple it from whatever else may go on in your code. mysql_real_escape_string() will take care of the names, e.g. intval() will take care of the IDs.

PS: Also from looking at your code it would seem $_POST['inputID'] goes directly into the database regardless of what you actually put into it and since it is not used for anything it could not possibly create an exception.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 18:19:00 - [10]
 

Edited by: MJ Maverick on 25/03/2011 18:29:30

inputID is just used when using the persons API prior to storage.

I'll take a look at those functions you linked and see if I can put them in just for good measure. I have to make sure that nothing filters ' or ! however as they have special meaning in my code. Because you have ' in character names, ! = ' as ' will crash an SQL statement so must be subsidised with ! in the database and switched back to ' whenever being displayed. But as it goes today, right now, I honestly don't see it susceptible to injections.

I will however add safeguards in case CCP do something daft.

Edit: In hindsight, if I remove all ", ' and ; from all fields prior to storage then I should be immune anyway right? The problem is API Keys contain certain characters such as = so cannot be filtered. Do you know of a list of characters all API Keys are made up of?

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 19:18:00 - [11]
 

Update v1.15

Made security future proof for SQL shenanigans.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.03.25 19:38:00 - [12]
 

Originally by: MJ Maverick
Because you have ' in character names, ! = ' as ' will crash an SQL statement so must be subsidised with ! in the database and switched back to ' whenever being displayed.

Lol no, what you do is escape special characters, not replace them. The function I linked will do this for you (hence the name). Welcome to programming. Very Happy

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 22:18:00 - [13]
 

Haha, I see what you mean. So by using that it would insert the ' into the database but not break the query :P right? To be honest how it is now will die() on SQL injection attempts, and as I don't want them in with my database even if they have no effect I just barred them completely. But in future when boxing with names with ' in and SQL I will use the escape function so definitely a thanks there. :D Thanks for the lesson.

Catari Taga
Centre Of Attention
Middle of Nowhere
Posted - 2011.03.25 22:38:00 - [14]
 

You are welcome. :)

Your change does not really catch all injection vectors but I'll leave you alone with this now.

PS: Parting presents: in_array() and trim(). :)
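To make the escaping discussion above concrete, here is an added example that is not code from the thread or from EVEOTS, written in Python with sqlite3 rather than the script's PHP: it runs one constructed character name through the four strategies argued over (pasting input into the SQL text, the ' to ! swap, stripping a character blacklist, and a prepared statement with placeholders) and reports what actually lands in the table. The PDO equivalent of the placeholder version is noted in a comment; the table schema, the name "D'Artagnan Ire" and the key value are constructed.

```python
import sqlite3

def setup():
    """In-memory stand-in for a registrations table (constructed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE registrations (charid INTEGER, charname TEXT, apikey TEXT)")
    return con

def stored_name(con, charid):
    row = con.execute("SELECT charname FROM registrations WHERE charid = ?", (charid,)).fetchone()
    return row[0] if row else None

def insert_concatenated(con, charid, name, key):
    # Form input pasted straight into the SQL text. A legitimate name such as
    # D'Artagnan closes the string literal early and the statement fails to parse;
    # input shaped to do that on purpose is the injection the thread is about.
    con.execute("INSERT INTO registrations VALUES (%d, '%s', '%s')" % (charid, name, key))

def insert_bang_substitution(con, charid, name, key):
    # The ' to ! workaround: the table now holds altered data, and a name that
    # really contains ! can no longer be told apart from one that contained '.
    con.execute("INSERT INTO registrations VALUES (%d, '%s', '%s')"
                % (charid, name.replace("'", "!"), key))

def insert_strip_blacklist(con, charid, name, key):
    # Deleting a short list of "dangerous" characters: lossy (the apostrophe is
    # gone for good) and the query text is still assembled from user input.
    for ch in ("'", '"', ";"):
        name = name.replace(ch, "")
    con.execute("INSERT INTO registrations VALUES (%d, '%s', '%s')" % (charid, name, key))

def insert_parameterized(con, charid, name, key):
    # Prepared statement: the SQL text holds only placeholders and the values
    # travel separately, so nothing in a name or key can be parsed as SQL.
    # PHP PDO equivalent: $pdo->prepare("INSERT ... VALUES (?, ?, ?)")->execute([$id, $name, $key])
    con.execute("INSERT INTO registrations VALUES (?, ?, ?)", (charid, name, key))

def compare(name, key="A0bC1=="):
    """Run each strategy on one name; report the stored name or "ERROR" per strategy."""
    outcomes = {}
    for label, fn in (("concatenated", insert_concatenated),
                      ("bang_substitution", insert_bang_substitution),
                      ("strip_blacklist", insert_strip_blacklist),
                      ("parameterized", insert_parameterized)):
        con = setup()
        try:
            fn(con, 1, name, key)
            outcomes[label] = stored_name(con, 1)
        except sqlite3.Error:       # syntax error raised by the broken statement
            outcomes[label] = "ERROR"
        finally:
            con.close()
    return outcomes

if __name__ == "__main__":
    for n in ("Varitina", "D'Artagnan Ire"):   # second name is constructed
        print(n, compare(n))
```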

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.25 22:57:00 - [15]
 

Edited by: MJ Maverick on 26/03/2011 01:09:58

Thanks Catari, all sorted and fully immune :)

Peter Powers
FinFleet
Raiden.
Posted - 2011.03.26 01:15:00 - [16]
 

simply checking for a small list of characters that might hurt your sql does not cut it.

php offers several methods to escape mysql queries (mysql_real_escape_string), but even those can be tricked by character set shenanigans,
if you want to be safe for heaven's sake use prepared queries.

Link for the lazy people:

http://de.php.net/manual/en/pdo.prepare.php

Originally by: "PHP Manual"

"The purpose of prepared statements is to not include data in your SQL statements. Including them in your SQL statements is NOT safe. Always use prepared statements. They are cleaner to use (code easier to read) and not prone to SQL injections."




your check for duplicates does not ensure that the registered user is the right user,

case:
user a is not registered, but put his api key to website x owned by user b
user b goes to the app and enters key of user a
user b now looks like user a.


the only way you can be sure that the owner of the key is the one registering is when you ingame auth the user as well (and by that i do not mean using the IGB which can be forged),

howto:

stuff needed:
an account which is trusted by the website (the one running it)
a cronjob

Step 1:
User registers at the website, his characterID is saved.

Step 2:
two methods possible:
a) User sends 1 (or random amount) of ISK to trusted character (your character) (this can be with a specific reason so you can filter by that)
b) User sends an evemail to trusted character (this can be with a specific subject so you can filter by that)

Step 3:
Cronjob runs, checks for new transfers/evemail (matching filter)
for all new items (transfers or evemails), it will check the user accounts created in step 1, and set them to verified.

Step 4:
User is able to login


Problems:
user cannot login directly (doh).
cronjob has to respect cache timers, so it can take a while


Thing is, there is no other way to be sure that whoever registers is who he claims to be. This subject has been discussed on #eve-dev a few times, and it's up to CSM6 (still hoping i got elected ;) to talk to the right people at CCP, to get them to prioritize a way of verification that has a bit more usability to the end user. Until that happens, there is no way around it.
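The four-step ISK-transfer verification outlined above, as an added example that is not from the thread or from EVEOTS, in Python over constructed wallet-journal rows (the trusted character id, the reason tag and every character id are invented). It goes one step beyond the outline by giving each sign-up its own token in the transfer reason, so that when two people register the same character (the leaked-key case in the post) only the one who actually pays from that character is marked verified.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

VERIFY_TAG = "EVEOTS"        # constructed: prefix the user is told to put in the transfer reason
TRUSTED_CHAR_ID = 90000001   # constructed: the character the website owner controls and polls

@dataclass
class Registration:
    char_id: int             # Step 1: the characterID saved at sign-up
    token: str               # per-registration secret, so two sign-ups for one char stay distinct
    verified: bool = False

@dataclass
class JournalEntry:          # constructed shape of one wallet-journal row the cron job reads
    ref_id: int
    from_char_id: int
    to_char_id: int
    reason: str

def register(pending: Dict[str, Registration], char_id: int) -> str:
    """Step 1: record the characterID; return the reason text the user must send with the ISK."""
    token = secrets.token_hex(4)
    pending[token] = Registration(char_id, token)
    return f"{VERIFY_TAG}-{token}"

def verify_pending(pending: Dict[str, Registration], journal: List[JournalEntry],
                   seen_refs: Set[int]) -> List[int]:
    """Step 3: one cron pass over the trusted character's journal; returns char ids verified now.
    The evemail variant is the same with sender id and subject in place of from_char_id and reason."""
    newly = []
    for e in journal:
        if e.ref_id in seen_refs:           # journal rows persist across polls; handle each once
            continue
        seen_refs.add(e.ref_id)
        if e.to_char_id != TRUSTED_CHAR_ID:
            continue
        tag, _, token = e.reason.strip().partition("-")
        reg = pending.get(token)
        if tag != VERIFY_TAG or reg is None or reg.verified:
            continue
        if e.from_char_id != reg.char_id:   # the ISK must come from the character that was registered
            continue
        reg.verified = True
        newly.append(reg.char_id)
    return newly

def demo() -> Tuple[List[int], Dict[str, Registration]]:
    """The post's case: A's key leaks to B, who registers A's character too. Only A can pay from A."""
    pending: Dict[str, Registration] = {}
    reason_a = register(pending, 1001)      # user A registers character 1001
    reason_b = register(pending, 1001)      # user B registers 1001 using A's leaked key
    journal = [
        JournalEntry(1, 1001, TRUSTED_CHAR_ID, reason_a),   # A pays, quoting A's own reason
        JournalEntry(2, 2002, TRUSTED_CHAR_ID, reason_b),   # B pays from B's character: mismatch
        JournalEntry(3, 3003, TRUSTED_CHAR_ID, "thanks"),   # unrelated transfer, no tag
        JournalEntry(1, 1001, TRUSTED_CHAR_ID, reason_a),   # same row seen again on the next poll
    ]
    newly = verify_pending(pending, journal, set())
    regs = {"a": pending[reason_a.split("-")[1]], "b": pending[reason_b.split("-")[1]]}
    return newly, regs

if __name__ == "__main__":
    print(demo())
```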

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.26 02:36:00 - [17]
 

Edited by: MJ Maverick on 26/03/2011 02:44:34
A lot of what you say is my point. There is no practical way to be certain all members are who they say they are. All ways that prove this are plagued by cache timers like you said. For the sake of speed and getting people on comms every alliance/corporation I know uses the API Key. It's not perfect but in my opinion it is the best we have for practicality at the moment. If the cache timers didn't last so long then the wallet would be the first thing I'd leap for. But as it is, pretty much everyone uses API with one dodgy system or the other.

So I am simply trying to offer the best way to do it if you must use API. Which, as I said, most people are forced to. Perhaps I will make a way to merge the two, or make a just wallet verification system at some point. But as it stands, I'm just filling the void Agent Unknowns system left. I hope for all our sakes you get into CSM6 and are able to change CCPs opinion on verification. But at the end of the day, nothing is ever 100% secure.

Edit: I am using mysql_real_escape_string :P

Varitina
Posted - 2011.03.27 19:36:00 - [18]
 

Edited by: Varitina on 27/03/2011 19:46:34
I am paying for website host from a source other than Teamspeak 3, and I'm also paying for teamspeak 3 host, by Gameservers.com

They claim default serverquery is 9100, so i used it.
This is what i get.

Quote:
API Connection was established.

Checking...
Character: Varitina

You are on our alliance whitelist
Attempting to grant access to: STCZ Varitina...

Removing your old registrations...
0 old registrations removed.

An error occured: Connection timed out [F10]



Any ideas?
*Edit* I entered debug, and it gave no extra info, still says connection timed out, and 0 old registrations removed. So it has to be a serverquery problem, and I'm all out of my knowledge.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.27 23:00:00 - [19]
 

That error is a complete failure to connect to your Teamspeak.

GameServers are wrong, the default port is in fact as stated in my readme "10011". Have you tried using that port? The only way it would not be 10011 is if GameServers have changed it from the default for some silly reason. :-/

http://forum.teamspeak.com/showthread.php/46486-Teamspeak-3-Server-Ports?p=200519#post200519

Varitina
Posted - 2011.03.27 23:11:00 - [20]
 

Edited by: Varitina on 27/03/2011 23:17:35
That's what I mean, they stated that they have changed all ports, and they have a confusing answer.

FAQ Post on their members section for TS3:
Quote:
What is the query port for my server? Why won't the ts viewer work?

The query port for your server is 9100. No existing TS query scripts or websites will work, they will all need to be updated for the new version of TS.


I'll try 10011 anyways, and get back to ya. But i also made a TS server on my PC, enabled default ports on my router, just to test, and it still failed. But that could be my fault.
*Edit* With 10011, still same error. Any ideas? Could it maybe not be port?

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.28 00:09:00 - [21]
 

Any quote like that from a service provider deeply worries me. It shows incredible arrogance. I assure you my script works with the latest Teamspeak :)

If the server wasn't interpreting the commands correctly it would throw errors, not time out or not connect at all. I would suggest contacting GameServers on the basis their TS servers do not accept Queries... Which is both a failure of adequate service and providing of the full service you pay for.

Varitina
Posted - 2011.03.28 01:32:00 - [22]
 

I really like this authenticator. I hope to get it working.

But I still can't get it working, like I said, I made my own server on my local PC to test out the program, and it doesn't work on mine either, and all ports are correctly forwarded, and proper IPs in place.

Could it be permissions?

Moogless
Posted - 2011.03.28 02:23:00 - [23]
 

Originally by: Varitina
I really like this authenticator. I hope to get it working.

But I still can't get it working, like I said, I made my own server on my local PC to test out the program, and it doesn't work on mine either, and all ports are correctly forwarded, and proper IPs in place.

Could it be permissions?


Unless you're actually running your php script from the computer you are probably going to have problems with your router. (I need to DMZ to my local IP as port forwarding doesn't help me much on my router).

Are your

public $tsport = "10011"; //ServerQuery Port
public $tscport = "9987"; //TeamSpeak client port

Set correctly according to gameservers details?

Are you using domain for the:
public $tshost = "ts3.lala.com";

Try with the ip only,
public $tshost = "11.22.333.44";

If there hasn't been thought of it in the programming (cba to look through code)

PsyKzz
Posted - 2011.03.28 02:25:00 - [24]
 

MJ Maverick, do you know of R3tro? he's a dude in your alliance.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.28 18:00:00 - [25]
 

Originally by: PsyKzz
MJ Maverick, do you know of R3tro? he's a dude in your alliance.


lol off-topic but yes.

Varitina
Posted - 2011.03.28 22:12:00 - [26]
 

Edited by: Varitina on 28/03/2011 22:14:27
@Moogless, appreciate the help on those, but nope, i have all info filled correctly, contacted the company, and they confirmed that the query is 9100, and the connection port is 9186.

i also used the ip instead of subdomain. Still nothing, it gets connection timed out. I'm so lost, what on earth could it be, if all the possibilities are 100% correct, what's left?

Host 8.9.36.132
Query: 9100
client: 9186
name: *Custom*
pass: *Randomly generated from my name*

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.29 15:37:00 - [27]
 

Try this:

1) In Teamspeak go to Tools > ServerQuery.
2) Press the tick in the top right and select login command.
3) Enter this into the top box on the left:
login $tsname $tspass
use 1
clientkick clid=YOUR_CLIENT_ID reasonid=5 reasonmsg=Test


Check your config.php and put in place of $tsname and $tspass what ever you have entered for them. For YOUR_CLIENT_ID click on your name in TS and on the right there is a number in brackets next to your name. So for example.

login username password
use 1
clientkick clid=29 reasonid=5 reasonmsg=Test


If you get an invalid clientID error then try "use 2" then 3 then 4 until you run out of servers. (error id=1033 msg=server\sis\snot\srunning).

If it doesn't work then your provider has ServerQuery turned off and needs to be shot.

Varitina
Posted - 2011.03.29 16:10:00 - [28]
 

Edited by: Varitina on 29/03/2011 16:23:06
Edited by: Varitina on 29/03/2011 16:19:30
In my TS, i have changed the use 1 because it always gave me this:

error id=0 msg=ok (16 ms)
error id=1033 msg=server\sis\snot\srunning (23 ms)
Total: 39 ms


to use 2, because 1 didnt work, than it started giving me:

error id=0 msg=ok (16 ms)
error id=0 msg=ok (24 ms)
error id=512 msg=invalid\sclientID (22 ms)
Total: 62 ms

the client id was 9, just like it shows in brackets, but no matter what number i used, it didn't work.
Don't know if when I messed with the use command it threw it off, but you're the expert.

MJ Maverick
IronPig
Sev3rance
Posted - 2011.03.29 19:22:00 - [29]
 

Keep the clientID as your client ID on the server (in brackets) but keep changing "use" up one number until you hit server not running again. Eventually you should be kicked from TS.

Varitina
Posted - 2011.03.30 21:37:00 - [30]
 

Edited by: Varitina on 30/03/2011 23:16:21
Edited by: Varitina on 30/03/2011 21:37:02
Okay, i have received a reply to my service petition, and he told me to use the following phrase "use port=" rather than "use".
like this:

login *User* *Pass*
use port=9186
clientkick clid=66 reasonid=5 reasonmsg=Test

This kicked me. So, the serverquery is working, what's my next approach to solving this problem, and I am 100% positive that the config file is filled in with the TS info correctly.

*Edit*

I got a ticket response, he gave me the originating IP, tried that, no success, and then he gave me this:
(If you do need the VID, it is 359.)

I don't know what that is, maybe it's needed? Is there a remote query tool to test commands?

