Also generates a new activation key after they have verified their email in-case they change their email and guess the activation link for their fake email.
Also removes the given points until they verify their email again if they change their email.
Even if they arent forced to verify email during registration.
If they change their email in the settings later, the verification is lost.
Todo: Add a reward for first-time verification.
idk what stripslashes() was doing in there, but it was definitely a bug (there's no way the slashes in there, if any, had no purpose and could just be discarded.. right?)
in addition, post data with keys containing special characters (if any) was incorrectly encoded. a correct encoding loop goes like:
foreach ($_POST as $key => $value) {
$req.="&".urlencode($key)."=".urlencode($value);
}
but the original code was only encoding the value, not the key... but even better than a custom encoding loop is to just use http_build_query(), which does the entire encoding loop for us :) so that's what i changed it to.
* add html encoding function
* html-encode dynamic values
important if the values contain special characters like '&<>"
(for example if $config['site_title'] is `AT&T` or `<AWESOMESERVER>`, the old code would generate invalid html, but this updated code will generate valid html.)
the powergamers page was vulnerable to XSS/javascript injection, this should fix it.
XSS screenshot: https://i.imgur.com/4rJuWqY.png
XSS POC:
<form action="https://<censored>/powergamers.php" method="POST">
<input type="hidden" name="days[]" value="3" />
<input type="hidden" name="days[]" value="1<script>alert("XSS running!");</script>" />
<input type="submit" value="click here to start xss" />
</form>
Security issue reported by @slawkens
All wifi traffic is broadcasted - this means that any nearby sniffing devices can read your traffic. If you're connecting to a page through HTTP over public/unencrypted wifi you can assume that whatever information you are sending and receiving is public - all it takes is an attacker nearby with an antenna to read all that in plaintext. To perform a true MITM by having traffic flow through them, attackers can use technologies like WiFi pineapples or aircrack-ng to force users to connect to their wifi network.
Connecting over cable internet is much harder to intercept/mitm because you're not broadcasting your traffic for the whole neighborhood. In order to compromise this network an attacker will have to gain access to it somehow - either through physical access to a network port, malware installed on a host machine or router, etc. When an attacker has access to a network they then have to exploit that access through attacks such as ARP poisoning or HSRP spoofing. These attacks just MITM traffic - anyone on the network can still sniff (read, but not change) traffic, but keep in mind HTTPS traffic is still encrypted and can't be read.
https://security.stackexchange.com/questions/153148/how-easy-it-is-to-actually-perform-mitm-attack-these-days
When storage_account_id is not configured in config.php and people want to try the character auction system
Give them an error message instead of a query crash. Telling them to edit config.php properly.
There is no need to create a separate configs for OTHIRE when establishing an SQL connection,
and is confusing for new users who are configurating their webserver.
* Update toponline.php site_title and type
Parse error: syntax error, unexpected 'site_title' (T_STRING), expecting ',' or ';' in C:\xampp\htdocs\znote\toponline.php on line 40
Notice: Undefined index: type in C:\xampp\htdocs\znote\toponline.php on line 10
