I am trying to implement a script that adds a new vbulletin user during a shopping cart purchase within the WHMCS cart page. I have the basic jquery script built to check for username availability and it's setup for user insertion.
I just need to know what the minimum user variables are that need to be included during sql injection, as well as what validations I may need to use to ensure no vbulletin errors occur. I am using vBulletin 3.6 and the current code I am using in my WHMCS shopping cart is below:
JS Code:
PHP Code:
jQuery(document).ready(function(){
jQuery("#customfield2").keyup(function() {
var cfvalue = jQuery("#customfield2").val();
setTimeout(function() {
if (cfvalue != jQuery("#customfield2").val()) {return;}
jQuery("#cf2").attr("src","images/custom/icons/hourglass.gif");
if (cfvalue == '') {
jQuery("#cf2").hide();
} else if (cfvalue != '') {
jQuery("#cf2").show();
checkAvailability(cfvalue);
}
}, 1000);
});
});
function checkAvailability(cf2){
$.post("includes/vbusername.php", {task: "check", username: cf2}, function(result) {
jQuery("#cf2").attr("src",(result == 'available' ? 'images/custom/icons/check.gif' : 'images/custom/icons/x.gif'));
});
}
function createUser(cf2){
$.post("includes/vbusername.php", {task: "create", username: cf2});
}
function showUsernameNotification() {
document.write('<img src="images/custom/icons/hourglass.gif" alt="-" border="0" id="cf2" style="margin-bottom: -8px;" /> ');
jQuery("#cf2").hide();
}
PHP Code:
<?php
// ####################### SET PHP ENVIRONMENT ###########################
error_reporting(E_ALL & ~E_NOTICE);
// #################### DEFINE IMPORTANT CONSTANTS #######################
define('THIS_SCRIPT', 'vbusername');
// ######################### REQUIRE BACK-END ############################
chdir('/home/********/public_html/community');
require_once('./global.php');
require_once(DIR . '/includes/functions_user.php');
require_once(DIR . '/includes/functions_misc.php');
// #######################################################################
// ######################## START MAIN SCRIPT ############################
// #######################################################################
$vbulletin->GPC['username'] = mysql_real_escape_string($_POST['username']);
if ($_POST['task'] == "check") {
if ($db->query_first("SELECT username FROM ".TABLE_PREFIX."user WHERE username = '".$vbulletin->GPC['username']."'")) {echo "unavailable";} else {echo "available";}
}
if ($_POST['task'] == "create") {
$vbulletin->input->clean_array_gpc('p', array(
'options' => TYPE_ARRAY_BOOL,
'username' => TYPE_STR,
'email' => TYPE_STR,
'emailconfirm' => TYPE_STR,
'parentemail' => TYPE_STR,
'password' => TYPE_STR,
'password_md5' => TYPE_STR,
'passwordconfirm' => TYPE_STR,
'passwordconfirm_md5' => TYPE_STR,
'referrername' => TYPE_NOHTML,
'imagestamp' => TYPE_STR,
'imagehash' => TYPE_STR,
'coppauser' => TYPE_BOOL,
'day' => TYPE_UINT,
'month' => TYPE_UINT,
'year' => TYPE_UINT,
'timezoneoffset' => TYPE_NUM,
'dst' => TYPE_UINT,
'userfield' => TYPE_ARRAY,
'showbirthday' => TYPE_UINT,
));
$userdata =& datamanager_init('User', $vbulletin, ERRTYPE_ARRAY);
$userdata->set_info('coppauser', $vbulletin->GPC['coppauser']);
$userdata->set_info('coppapassword', $vbulletin->GPC['password']);
$userdata->set_bitfield('options', 'coppauser', $vbulletin->GPC['coppauser']);
$userdata->set('parentemail', $vbulletin->GPC['parentemail']);
$userdata->set('password', ($vbulletin->GPC['password_md5'] ? $vbulletin->GPC['password_md5'] : $vbulletin->GPC['password']));
$userdata->set('email', $vbulletin->GPC['email']);
$userdata->set('username', $vbulletin->GPC['username']);
$userdata->set('referrerid', $vbulletin->GPC['referrername']);
if ($vbulletin->options['verifyemail']) {$newusergroupid = 3;}
else if ($vbulletin->options['moderatenewmembers'] OR $vbulletin->GPC['coppauser']) {$newusergroupid = 4;}
else {$newusergroupid = 2;}
$userdata->set('usergroupid', $newusergroupid);
$userdata->set('languageid', $vbulletin->userinfo['languageid']);
$userdata->set_usertitle('', false, $vbulletin->usergroupcache["$newusergroupid"], false, false);
$userdata->set('showbirthday', $vbulletin->GPC['showbirthday']);
$userdata->set('birthday', array(
'day' => $vbulletin->GPC['day'],
'month' => $vbulletin->GPC['month'],
'year' => $vbulletin->GPC['year']
));
$userdata->set_dst($vbulletin->GPC['dst']);
$userdata->set('timezoneoffset', $vbulletin->GPC['timezoneoffset']);
$userdata->set('ipaddress', IPADDRESS);
$userdata->pre_save();
$vbulletin->userinfo['userid']
= $userid
= $userdata->save();
}
?>