store user in db to get access to chan

Fire-Fox · Post by **Fire-Fox** » Fri Mar 09, 2012 8:27 pm

Hey!

I belive i did see a script here on the site, that did. add user to db and the user gained access to a channel is that right?

if not does someone have one ?

Post by **caesar** » Sat Mar 10, 2012 7:27 am

Code: Select all

namespace eval dbCheck {
  set dbInfo "host user pass database"

  bind join - "#channel *" [namespace current]::dbJoin

  proc dbJoin {nick uhost handle chan} {
    if {[isbotnick $nick]} return
    variable dbInfo
    if {[scan $dbInfo %s%s%s%s hostname username password database] != 4} return
    set con [::mysql::connect -host $hostname -user $username -password $password -db $database]
    set results [::mysql::query $con "INSERT YOUR SELECT STATEMENT"]
    if {![::mysql::moreresult $results]} {
      # kick, ban or whatever
    }
    ::mysql::endquery $results
    ::mysql::close $con
  }
}

Something like this? Don't forget to add an actual select statement and a punishment or whatever you wish. Haven't tested it, but should do what you where looking for.

I would use a statement like:

Code: Select all

set user [::mysql::escape $nick]
set results [::mysql::query $con "SELECT 1 from access WHERE nick = '$user' AND uhost = '$uhost'"]

Don't know if $nick should be escaped but will throw that in anyway.

If you wish to make this to work for multiple channels, or be able to turn this on/off then you should use something like:

Code: Select all

  setudef flag dbCheck
  bind join - * [namespace current]::dbJoin

  proc dbJoin {nick uhost handle chan} {
    if {[isbotnick $nick]} return
    if {![channel get $chan dbCheck]} return

instead of the:

Code: Select all

  bind join - "#channel *" [namespace current]::dbJoin

  proc dbJoin {nick uhost handle chan} {
    if {[isbotnick $nick]} return

If you do then don't forget to .chanset #channel +dbCheck to activate it.

Post by **nml375** » Sat Mar 10, 2012 8:54 am

caesar,
Whenever you inject data from an untrusted source, you should use mysql_real_escape_string (::mysql::escape in mysqltcl) in order to avoid SQL injection exploits. Although the MySQL driver does not enable the multiple statement extension by default, you could still bypass the WHERE-clause of your query (generally speaking, irc nicknames and hostnames do not support spaces making it rather difficult to exploit "OR 1" here).

As such, escaping the nickname is correct, though you should do the very same for the hostname.

Fire-Fox · Post by **Fire-Fox** » Sat Mar 10, 2012 9:29 am

Thanks caesar!

Sure think i can use it

just need to figure out to put in a admin trigger to add users

with user and hostname

Post by **caesar** » Sat Mar 10, 2012 11:33 am

Just add this:

Code: Select all

  bind pub o|o .dbadd [namespace current]::dbAdd

  # add
  proc dbAdd {nick uhost handle chan text} {
    if {[scan $text {%s%[^!]!%[^@]@%s} user n u h] != 4} {
      putserv "NOTICE $nick :Usage: .dbadd <user> <maskhost>"
    } else {
      set user [::mysql::escape $user]
      set maskHost [::mysql::escape "$n!$u@$h"]
      set con [::mysql::connect -host $hostname -user $username -password $password -db $database]
      set query [::mysql::query $con "INSERT INTO access VALUES ('$user', '$maskHost')"]
      ::mysql::endquery $query
      ::mysql::close $con 
    }
  }

to the other code just before the last }, so in the end it would be something like:

Code: Select all

namespace eval dbCheck {

# and so on..

# this new code
}

Haven't tested anything but in theory should do what you need.

PS: You should take in to consideration nml375's comment (on escaping) when you will insert a valid select statement for the first code.