PHP update script

Hi, I am programming in VB6. I am trying to figure out how to use my Database to allow updating only if they qualify. I am no PHP script writer but think I have the basics down. I have the basic connection completed and have the info being reported that is required to see what they qualify for. I need some help scripting that portion that sends them to the correct update file. Any help would be appreciated.

Unix server with .htaccess

All info is reporting and working correctly

<?php
$q=$_GET["q"];
$con = mysql_connect("localhost","User","password");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("Users", $con);

$sql="SELECT * FROM Users WHERE Registration = '".$q."'";
$result = mysql_query($sql);
$VArray=(str_split($q,10));
$last_element = end($VArray);
if (!$result) {
    die('Invalid Registration Number: ' . mysql_error());
}
//Pending Verification... default string for new applications in version die

//$row[Version] is set by me to the version they can register
//$row[Lifetime] is set by me can update to any version
//$row[Registration] is the number sent by application to this script it will only exist
//in the DB if they have applied for and received an unlock key.
while ($row = mysql_fetch_array($result)) {
    $version_echo=$row['Version'];
    $lifetime="no";
    if ($row['Lifetime']=="yes") $lifetime="yes";
    if ($row['Lifetime']=="Yes") $lifetime="yes";
    if ($row['Lifetime']=="YES") $lifetime="yes";
}
if ($version_echo=="Pending Verification...") {
    die('Information not yet verified ' . mysql_error());
}
if ($lifetime=="yes")
    echo "<BR>You are a Lifetime Member you can apply for a key for any version!";
else {
    echo "<BR><BR>You must purchase a Version Upgrade or<BR>Upgrade to Lifetime Registration<BR>";
    echo "To register any version above.<BR>" . $version_echo;
}

if ($lifetime=="yes") {
    //??? goto latest update without checking
}

if ($version_echo=="11") { // v.11 can update to 12
    //???goto version12 update
}

if ($version_echo=="12") { //only 12
    //???goto version12 update
}

if ($version_echo=="13") { //only 13
    //???goto version12 update
}

mysql_close($con);
?>

Well, the easiest solution is to use LimeLM -- we handle everything related to licenses making it easy for you to get paid. We even have an example script showing how to make an "allow updates for renewed users only" type script.

Looking over your script you have one very critical thing wrong:

$sql="SELECT * FROM Users WHERE Registration = '".$q."'";

Danger! This is very bad. All a malicious user needs to do is write a "q" GET parameter to get your entire database or, if they're feeling especially malicious, they can eliminate your entire database. You're not properly "quoting" the "q" variable. Putting quotes around the $q is insufficient because a malicious user can write something like this for a "q" value:

' OR WHERE Registration != NULL; --

With this "q" value a user can get free updates.

To properly quote any user-touched information (like q), use the mysql_real_escape_string function.

As far as sending the actual updates goes, we have an article (with some examples) showing how to deliver the update files after a license has been successfully verified. See: How to prevent or limit updates.
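The difference between splicing "q" into the SQL text and binding it as a parameter, as an added example that is not part of the original thread. It uses PDO prepared statements rather than the mysql_* functions above, and an in-memory SQLite table with constructed rows stands in for the Users table (assumes the pdo_sqlite extension); the function names are hypothetical.

```php
<?php
// Added example: constructed Users table in in-memory SQLite, standing in
// for the thread's MySQL database. Column names follow the script above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (Registration TEXT PRIMARY KEY, Version TEXT, Lifetime TEXT)");
$db->exec("INSERT INTO Users VALUES ('AAAA-BBBB-01', '12', 'no')");
$db->exec("INSERT INTO Users VALUES ('CCCC-DDDD-02', '13', 'yes')");

// 'Before': the pattern from the thread. The request value becomes part of
// the SQL text, so quote characters in it change the query's structure.
function lookup_concat(PDO $db, string $q): array {
    $sql = "SELECT Version, Lifetime FROM Users WHERE Registration = '" . $q . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 'After': the SQL text is fixed and the value is bound to a placeholder,
// so it is only ever compared as data against the Registration column.
function lookup_prepared(PDO $db, string $q): array {
    $stmt = $db->prepare("SELECT Version, Lifetime FROM Users WHERE Registration = :reg");
    $stmt->execute([':reg' => $q]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a real key, an unknown key, and a value containing quotes.
$inputs = ["AAAA-BBBB-01", "no-such-key", "x' OR '1'='1"];
foreach ($inputs as $q) {
    printf("%-16s concat=%d row(s)  prepared=%d row(s)\n",
        $q, count(lookup_concat($db, $q)), count(lookup_prepared($db, $q)));
}
```

Only the concatenated query returns rows for the third input; the bound version treats the whole string as a registration number that does not exist.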

Sam

Thanks... My knowledge of PHP is extremely limited. At this point I was just trying to make the connection to the DB... The script is password protected on my server for testing. The Q will be passed by my application to the Script using the wyupdate. There will be no direct access from my server... This is where I am getting lost... Figuring out how to send the reg number (q$) using the wyupdate passage to a simple script based on version. My assumption being if they hack the application to send a q$ they invent to apply for a key would be counter productive... If it gets hacked they could then hack any future version anyway. I just need my application to pass the q$ to the script to get the version info from the db and either allow or not allow the update to occur.

I will definitely look over the examples my guess is any rudimentary example will work for what I need.

--Don

Looking at the example... it is the same I was studying over the last month... My problem is the:

Server file site (*.wys): http://example.com/limit-updates/%file%

Update files site (*.wyu): http://example.com/limit-updates/?update=%file%&pkey=%urlargs%

I was assuming I would Pass the q$ from my app as:

Retval = ExecCmd(App.Path & "\wyupdate.exe wyupdate.exe -quickcheck -justcheck-q$")

Adding the key value from my program as q$ and sending it to the php script to parse out what they qualify for. Have I misunderstood the process? I was assuming the wyupdate update file would contain the info to take the q$ and relay it to the script and after setting up the (Server site/Update Site) the script would then send them to the update file if they qualify. As this is the first version that will require a yearly payment and I really won't be updating any older versions it will either send them to the version 13 folder on the server next year if they have paid or do nothing if the q$ passed is version 12.

I was not planning on linking them out to a web page for updates, I was planning to handle it silently from the program.

Please advise if I have misunderstood. I do not have a lot of time to devote to a PHP site to handle updates.

--Don

This is passing 2 parameters to the "index.php" script in the "limit-updates" folder on the example.com webserver:

http://example.com/limit-updates/?update=%file%&pkey=%urlargs%

The first parameter is "update" and it's being passed the filename of the update to download (e.g. yourapp.1.0.to.1.2.wyu). The second parameter is "pkey" and it's being passed whatever value is stored in the %urlargs% variable.

You can set the %urlargs% variable by passing it as a commandline option to wyUpdate.

OK so if I get this the:

http://example.com/limit-updates/?update=%file%&pkey=%urlargs%

Passing the update location as: http://example.com/limit-updates/?update=%file%

Passing the Registration Number as: pkey=%urlargs%

My final script will only return 2 fields Version and Lifetime. This should prevent any of the script hacking problems of any of the other data they are trying to mine like email address etc? What was confusing me was the %file%... Now I see it would send to the correct .wyu in the php example.

So if from my application I pass the file name as the current version.wyu and pkey as the reg number. The script will then get passed and parse both variables (file name $f and reg number $q). The script will then check the reg number and return yes or no for lifetime and 12 or 13 for version.

wyUpdate.exe -quickcheck -justcheck-updatepath="http://example.com/limit-updates/?update=%appname.12.0.010%&pkey=%xxxx-xxxx-xx%

<?php
$f=$_GET["f"];
$q=$_GET["q"];

if ($lifetime=="yes") {
    //if ($f=="12.0.010")
    //list .wyu file for this version number passed %file%=appname.12.0.010.to12.0.353
    //if ($f=="12.0.020")
    //list .wyu file for this version number passed %file%=appname.12.0.020.to12.0.353
}

if ($version_echo=="12") {
    //if ($f=="12.0.010")
    //list .wyu file for this version number passed %file%=appname.12.0.010.to12.0.353
    //if ($f=="12.0.020")
    //list .wyu file for this version number passed %file%=appname.12.0.020.to12.0.353
}

Am I understanding this correctly?

--Don

The example script on the Limit updates page has 2 parameters that are passed to the script:

  1. update=%file%
  2. pkey=%urlargs%

To use these values in your PHP script it would go like this:

$update_filename = $_GET['update'];
$pkey = $_GET['pkey'];

You can use the $update_filename to get the file from the disk and to send it to the user. You can use the $pkey variable to validate that the customer has access to the updates.

It's much easier if you just use LimeLM because we have pre-written examples that you can just put on your servers.
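One way to decide whether a requested "update" file may be sent for a given registration row, as an added example that is not from the original thread or from the LimeLM example script. The file name layout follows the "yourapp.1.0.to.1.2.wyu" form mentioned earlier and the version rules follow the comments in the first script (11 may update to 12, 12 only 12, 13 only 13); UPDATE_DIR, resolve_update() and the sample rows are hypothetical.

```php
<?php
// Added example. UPDATE_DIR is a hypothetical directory outside the web root.
const UPDATE_DIR = '/var/www/private-updates';

// Highest major version each non-lifetime registration may receive,
// mirroring the rules stated in the thread's script comments.
const MAX_TARGET = ['11' => 12, '12' => 12, '13' => 13];

/**
 * Return the path of the file to send, or null when the request is refused.
 * $row is the ['Version' => ..., 'Lifetime' => ...] record found for pkey,
 * or null when the registration number is not in the database.
 */
function resolve_update(string $file, ?array $row): ?string {
    if ($row === null) {
        return null;
    }
    // Accept only "<app>.<from>.to.<to>.wyu": no slashes, no "..", nothing
    // else, so the request value can never name a file outside UPDATE_DIR.
    if (!preg_match('/^[a-z0-9]+\.\d+(?:\.\d+)*\.to\.(\d+)(?:\.\d+)*\.wyu\z/i', $file, $m)) {
        return null;
    }
    $targetMajor = (int) $m[1];
    $lifetime = strcasecmp((string) $row['Lifetime'], 'yes') === 0;
    // Unknown values such as "Pending Verification..." map to 0 and are refused.
    $allowedMajor = MAX_TARGET[$row['Version']] ?? 0;
    if (!$lifetime && $targetMajor > $allowedMajor) {
        return null;
    }
    return UPDATE_DIR . '/' . $file;
}

// Constructed requests: file name from "update", row looked up from "pkey".
$cases = [
    ['yourapp.11.0.500.to.12.0.353.wyu', ['Version' => '11', 'Lifetime' => 'no']],
    ['yourapp.12.0.353.to.13.0.001.wyu', ['Version' => '12', 'Lifetime' => 'no']],
    ['yourapp.12.0.353.to.13.0.001.wyu', ['Version' => '12', 'Lifetime' => 'Yes']],
    ['yourapp.12.0.010.to.12.0.353.wyu', ['Version' => 'Pending Verification...', 'Lifetime' => 'no']],
    ['../config.php',                    ['Version' => '13', 'Lifetime' => 'yes']],
    ['yourapp.12.0.010.to.12.0.353.wyu', null],
];
foreach ($cases as [$file, $row]) {
    echo $file, ' => ', resolve_update($file, $row) ?? 'refused', "\n";
}
```

The first and third requests resolve to a path under UPDATE_DIR; the others are refused, including the one whose file name does not match the expected shape.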

My apologies for bumping an old topic, but I'm doing something a bit similar.

I'm trying to get wyupdate to pass two variables to my server: username and password. Is it possible to include a second variable, or is -urlargs="<string>" the only one we can add via commandline?

The example already shows how to pass multiple variables to your script. They all go in the same urlargs parameter. Like my previous post said, the example shows passing 2 variables: "update", and "pkey"