• sv_loadingurl page, map name won't display. (PHP)
    10 replies, posted
Hello, all. For some reason the section of my webpage won't display the current map that the server is on. The SteamID displays correctly, and I've basically copied over the code that garry posted on how to display steamid, map name, etc. Does it matter where I have the file uploaded to display the map name? On a normal browser outside of gmod, it displays "; ?> (as does the steamid, but that one works). In game, it's just completely blank, nothing is there. Link to the loading screen: [URL="http://riotservers.net/moose/home.php"]http://riotservers.net/moose/home.php[/URL]
Here is the chunk of code for the lines of the steamid and map id, along with the portions I stuck in the top of the code to create those functions.
Code for map name and for SteamID display:
[CODE]
<p class="dot" style="">&nbsp;</p>
<p class="dot" style="">&nbsp;</p>
<p class="black" style="">Is now loading.</p>
<p class="black" style="">We are playing on: </p>
<p>
<?php echo "$mapname<br>"; ?>
<br>
</p>
<p>Your SteamID is:</p>
<p>
<?php echo "$steamid<br>"; ?>
<br>
</p>
[/CODE]
Code to get that information:
[CODE]
<!DOCTYPE html>
<html>
<?php
//Get the steamid (really the community id)
$communityid = $_GET["steamid"];
//Get the map name
$mapname = $_GET["mapname"];
//See if the second number in the steamid (the auth server) is 0 or 1. Odd is 1, even is 0
$authserver = bcsub($communityid, '76561197960265728') & 1;
//Get the third number of the steamid
$authid = (bcsub($communityid, '76561197960265728') - $authserver) / 2;
//Concatenate the STEAM_ prefix and the first number, which is always 0, as well as colons with the other two numbers
$steamid = "STEAM_0:$authserver:$authid";
?>
<head>
[/CODE]
Set sv_loadingurl to "http://riotservers.net/moose/home.php?steamid=%s&mapname=%m"
[QUOTE=samm5506;40414095]Set sv_loadingurl to "http://riotservers.net/moose/home.php?steamid=%s&mapname=%m"[/QUOTE] Thanks! I completely forgot about that! Works like a charm now!
You do realize that you should be filtering the output? Don't just print anything from user input, ever.
[QUOTE=xPaw;40417867]You do realize that you should be filtering the output? Don't just print anything from user input, ever.[/QUOTE] Sorry, I'm not too great at php functions; could you explain?
[QUOTE=xPaw;40417867]You do realize that you should be filtering the output? Don't just print anything from user input, ever.[/QUOTE] In this case the user is only going to be able to mess with their own experience or anyone they link it to, so they could use it to inject malicious content into a website hosted on your domain. But it is best practice to filter this; the function 'strip_tags' removes any HTML tags it can detect, and 'htmlentities' substitutes characters used for HTML with safe equivalents.
[QUOTE=CBastard;40423914]In this case the user is only going to be able to mess with their own experience or anyone they link it to, so they could use it to inject malicious content into a website hosted on your domain. But it is best practice to filter this; the function 'strip_tags' removes any HTML tags it can detect, and 'htmlentities' substitutes characters used for HTML with safe equivalents.[/QUOTE] So how would I add those functions to the page?
[QUOTE=nicholsml;40426487]so how would I add those functions to the page?[/QUOTE] [url]http://php.net/manual/en/function.strip-tags.php[/url] [url]http://php.net/manual/en/function.htmlentities.php[/url]
[PHP]$mapname = htmlentities(strip_tags($_GET["mapname"]));[/PHP]
Edit: Without these, people could distribute links like this: [url]http://riotservers.net/moose/home.php?mapname=%3Cimg%20onload=%22alert('injected%20javascript%20can%20run')%22%20src=%22http://img444.imageshack.us/img444/7456/facepunchoc5.png%22/%3E[/url]. Note that Chrome detects that it's being told to run JavaScript which is also in the query string and stops it as a security measure; other browsers don't do this. Had a mess around and could do [URL="http://riotservers.net/moose/home.php?mapname=%3Cstyle%3E%23injected{display:block;position:absolute;z-index:100;top:0px;left:0px;width:100%;height:100%;background:%23fff;color:%23000;font-style:normal;font-weight:400;font-size:28px}%3C/style%3E%3Cdiv%20id=%22injected%22%3EI%20can%20put%20my%20own%20content%20up%20on%20your%20site%3Cbr/%3E%3Cimg%20src=%22http://img444.imageshack.us/img444/7456/facepunchoc5.png%22/%3E%3C/div%3E"]this[/URL].
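A hardened version of the loading-page preamble, as an added example that is not the thread's own code: it validates the community id and map name before use (an allow-list check that goes further than the strip_tags/htmlentities suggestion above) and escapes at output time with htmlspecialchars. It assumes the sv_loadingurl query template given earlier in the thread and that the bcmath extension is installed; the function names are my own.

```php
<?php
// Added example (not the thread's code): hardened loading-page preamble.
// Assumes sv_loadingurl ".../home.php?steamid=%s&mapname=%m" as in the thread,
// and that the bcmath extension is available.
declare(strict_types=1);

// Validate the 64-bit community id: exactly 17 digits and not below the base value.
function parseCommunityId(?string $raw): ?string {
    if ($raw === null || !preg_match('/^\d{17}$/', $raw)) {
        return null;
    }
    if (bccomp($raw, '76561197960265728') < 0) {
        return null;
    }
    return $raw;
}

// Convert a validated community id to STEAM_0:X:Y using bcmath so nothing overflows.
function communityIdToSteamId(string $communityId): string {
    $offset = bcsub($communityId, '76561197960265728');
    $authServer = bcmod($offset, '2');
    $authId = bcdiv(bcsub($offset, $authServer), '2', 0);
    return "STEAM_0:$authServer:$authId";
}

// Allow-list the map name: letters, digits, "_" and "-" only, bounded length.
// Anything else (tags, quotes, style blocks) is replaced with a fixed placeholder.
function sanitizeMapName(?string $raw): string {
    if ($raw === null || !preg_match('/^[A-Za-z0-9_\-]{1,64}$/', $raw)) {
        return 'unknown';
    }
    return $raw;
}

// Escape once, at output time, so the browser always treats the value as text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$communityId = parseCommunityId($_GET['steamid'] ?? null);
$steamid = $communityId === null ? 'unknown' : communityIdToSteamId($communityId);
$mapname = sanitizeMapName($_GET['mapname'] ?? null);
?>
<p>We are playing on: <?= h($mapname) ?></p>
<p>Your SteamID is: <?= h($steamid) ?></p>
```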
[QUOTE=CBastard;40429405][url]http://php.net/manual/en/function.strip-tags.php[/url] [url]http://php.net/manual/en/function.htmlentities.php[/url]
[PHP]$mapname = htmlentities(strip_tags($_GET["mapname"]));[/PHP]
Edit: Without these, people could distribute links like this: [url]http://riotservers.net/moose/home.php?mapname=%3Cimg%20onload=%22alert('injected%20javascript%20can%20run')%22%20src=%22http://img444.imageshack.us/img444/7456/facepunchoc5.png%22/%3E[/url]. Note that Chrome detects that it's being told to run JavaScript which is also in the query string and stops it as a security measure; other browsers don't do this. Had a mess around and could do [URL="http://riotservers.net/moose/home.php?mapname=%3Cstyle%3E%23injected{display:block;position:absolute;z-index:100;top:0px;left:0px;width:100%;height:100%;background:%23fff;color:%23000;font-style:normal;font-weight:400;font-size:28px}%3C/style%3E%3Cdiv%20id=%22injected%22%3EI%20can%20put%20my%20own%20content%20up%20on%20your%20site%3Cbr/%3E%3Cimg%20src=%22http://img444.imageshack.us/img444/7456/facepunchoc5.png%22/%3E%3C/div%3E"]this[/URL].[/QUOTE] I'm not really sure why you'd even want to do that?
[QUOTE=Sidewaykill;40442596]I'm not really sure why you'd even want to do that?[/QUOTE] Then you could do something like read the user's session cookie and send it to an attacker, giving them access to your forum account, if you were logged in to the forum.
Your forum would have to be pretty insecure for that.