Non-LL Forum Verification Script - PHP / LSL
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-31-2006 06:28
I offered to write up a script for people running external forum software that would allow people to verify that they are who they say they are. This is all provided as-is, with no warranty, under the GNU Public License. Do with it as you wish, but I will not be held responsible for anything that happens because of your use. There's no way to lock this down 100% securely, but I've put in several catches which should minimize the risk of it being used inappropriately if you follow the directions precisely.

A few things to keep in mind:

(1) Your users must use their avatar name as their user name for this to work.
(2) You must own the kiosks where people can verify their identities to avoid spoofing from in-world, much like all ATMs are owned by the parties who run them.
(3) Use a hard to guess, obscure filename on your domain. Never share the file name or verification URL with anyone, or they could potentially spoof someone else by visiting the URL directly.

In the following PHP file, you need to enter the avatar key of the avatar that will be owning your registration stations. Then, enter the necessary information to connect to the database that your forum is stored in. Finally, you'll need to modify the database query to set an account to be verified based on what forum software you're using; the example below works with PHPBB (if you're having trouble with this, give me a yell, and I can walk you through it).

<?php
// SANITY CHECK TO MAKE SURE WE'RE HEARING FROM LINDEN LAB (MAY CHANGE IN FUTURE)
// NOTE: THIS IS A STRING PREFIX MATCH, SO IT ALSO ACCEPTS 69.250.x.x THROUGH 69.255.x.x
if (substr($_SERVER["REMOTE_ADDR"], 0, 5) == "69.25") {
    // ENTER YOUR AVATAR'S KEY BELOW
    $owner_avatar_key = "85f8e814-560d-4496-9e0c-b3c55beaba1c";
    if (isset($_GET["creator_avatar_key"]) && $_GET["creator_avatar_key"] == $owner_avatar_key) {
        // ENTER YOUR DATABASE INFORMATION ON THE TWO LINES BELOW
        $db = mysql_connect("yourhost", "yourusername", "yourpassword");
        mysql_select_db("yourdbname", $db);
        // PHP HAS ALREADY URL-DECODED $_GET, SO "%20" IS NORMALLY A SPACE BY NOW;
        // THE NAME IS ESCAPED BEFORE IT GOES INTO THE QUERY SO A CRAFTED NAME CANNOT ALTER THE UPDATE
        $avatar_name = isset($_GET["avatar_name"]) ? str_replace("%20", " ", $_GET["avatar_name"]) : "";
        $avatar_name = mysql_real_escape_string($avatar_name, $db);
        // EXAMPLE BELOW IS FOR PHPBB - USES IN-WORLD VERIFICATION INSTEAD OF A VERIFICATION EMAIL
        // YOU WILL HAVE TO MODIFY APPROPRIATELY FOR YOUR FORUM SOFTWARE'S DB SCHEMA
        $sql = "update phpbb_users set user_active='1' where username='" . $avatar_name . "'";
        mysql_query($sql, $db);
        echo mysql_affected_rows($db); // RETURN "1" IF SUCCESSFUL
    }
}
?>

Then, in world, you'll need to create a prim with this script in it. After creation, you'll need to enter the full URL to the PHP file you've created above. Remember to use your own, hard-to-guess filename; definitely change the default one I've selected below.

// FOR THIS SCRIPT TO WORK, PEOPLE MUST USE THEIR
// AVATAR NAMES AS USER NAMES ON YOUR FORUM
//
// CHANGE THE VARIABLE BELOW TO BE YOUR FORUM'S
// DOMAIN AND A HARD-TO-GUESS COMPLETE URL
//
// PLACE THE PHP SCRIPT AT THAT LOCATION ON YOUR
// SERVER TO LISTEN FOR VERIFICATIONS
string url = "http://www.MyForum.com/obscure_hard_to_guess_url.php";
key requestid;

default
{
    state_entry()
    {
    }

    touch_start(integer total_number)
    {
        // llGetCreator() IS THE KEY OF THE AVATAR WHO CREATED THE PRIM (NOT ITS
        // CURRENT OWNER), SO ONLY STATIONS YOU BUILT YOURSELF WILL PASS THE PHP CHECK.
        // llEscapeURL() ENCODES THE SPACE IN THE AVATAR NAME AS %20.
        string temp_url = url + "?creator_avatar_key=" + (string) llGetCreator()
            + "&avatar_name=" + llEscapeURL(llKey2Name(llDetectedKey(0)));
        requestid = llHTTPRequest(temp_url, [HTTP_METHOD, "GET"], "");
    }

    http_response(key request_id, integer status, list metadata, string body)
    {
        // ONLY REACT TO THE REQUEST THIS SCRIPT SENT; THE PHP SIDE ECHOES "1" ON SUCCESS
        if (request_id == requestid)
        {
            if (body == "1")
            {
                llSay(0, "Success!");
            }
            else
            {
                llSay(0, "Failure!");
            }
        }
    }
}

You can also change the "Success!" and "Failure!" messages within the code to something more specific. Enjoy!

-Flip

PS - I've put this in general even though it's a script, because all the initial discussion happened in this forum and I wanted to make it easy for interested parties to find. Typically, I'd put this in a scripting area, but since it's of interest to those trying to replace "General / Bulletin Board / Sandbox", etc, I thought it would be best to put it here.
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
Jesse Malthus
OMG HAX!
Join date: 21 Apr 2006
Posts: 649
|
08-31-2006 06:44
This is cool, but I suggest using the X-SecondLife-Shard header to identify if it's LL or not.
_____________________
Ruby loves me like Japanese Jesus. Did Jesus ever go back and clean up those footprints he left? Beach Authority had to spend precious manpower. Japanese Jesus, where are you? Pragmatic!
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-31-2006 06:58
From: Jesse Malthus
This is cool, but I suggest using the X-SecondLife-Shard header to identify if it's LL or not.

Ah, very good idea.
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
Corona Lime
Lunatico
Join date: 14 Aug 2006
Posts: 171
|
08-31-2006 08:43
Awesome! Thank you for providing this!
_____________________
RCE Universe - bridging virtual worlds...
|
Thorne Kaiser
Nice Guy
Join date: 29 Nov 2005
Posts: 132
|
08-31-2006 08:53
Thanks for posting that Flipper. Hopefully it will be used by these 3rd party forums.
|
Norman Desmoulins
Grand Poohba
Join date: 10 Nov 2005
Posts: 194
|
08-31-2006 09:11
hum... your "hard to guess filename" approach isn't very secure. I can easily get it. You should require https and a certificate.
|
Yumi Murakami
DoIt!AttachTheEarOfACat!
Join date: 27 Sep 2005
Posts: 6,860
|
08-31-2006 09:19
From: Jesse Malthus
This is cool, but I suggest using the X-SecondLife-Shard header to identify if it's LL or not.

Are you sure that helps? Headers can be faked..
|
Lost Newcomb
Registered User
Join date: 23 Jun 2006
Posts: 666
|
08-31-2006 09:19
From: Jesse Malthus
This is cool, but I suggest using the X-SecondLife-Shard header to identify if it's LL or not.

But can't that header be spoofed? Why not identify based on source machine IP (which would be a Linden IP in this case)?
_____________________
I'm the uncontested Ubar of All of Gor, and Knight of SecondLife.
Proper way to greet me : Sir Lost, Ubar Lost, or if your so inclined, Master Newcomb.
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-31-2006 09:25
Heh, as I warned above in bold: this is not 100% secure, or even close. It's not up to me to use https; that would be up to the person running the forum. I've written this for standard http, and most forums I see use simple http authentication instead of https. (In fact, I don't think I've seen a single external SL forum that uses https.)
The honeypot here isn't financial, and it would be a big pain to figure out with little payoff.
Regards,
-Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
Angel Fluffy
Very Helpful
Join date: 3 Mar 2006
Posts: 810
|
08-31-2006 10:31
why not just require a hostname ending in *.secondlife.com or *.lindenlab.com - as the verification this came from a script on LL's servers, instead of some user's Fx?
_____________________
Volunteer Portal (FAQs!) : https://wiki.secondlife.com/wiki/Volunteer_Portal
JIRA / Issue Tracker : http://jira.secondlife.com (& http://tinyurl.com/2jropp)
|
FlipperPA Peregrine
Magically Delicious!
Join date: 14 Nov 2003
Posts: 3,703
|
08-31-2006 10:46
From: Angel Fluffy
why not just require a hostname ending in *.secondlife.com or *.lindenlab.com - as the verification this came from a script on LL's servers, instead of some user's Fx?

The first line of code is actually checking to see that it came from Linden Lab's IP range. I did a check on the IP address the HTTP request comes from and matched it. This may change at some time, but it does make it require an IP spoof to get around.

Regards,

-Flip
_____________________
Peregrine Salon: www.PeregrineSalon.com - my consulting company Second Blogger: www.SecondBlogger.com - free, fully integrated Second Life blogging for all avatars!
|
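The thread above raises three points about the original PHP endpoint: the source-IP test is a five-character string prefix rather than a network match, the X-SecondLife-Shard header suggestion only helps if the request has already been tied to a Linden Lab address (any other client can send any header), and the avatar name is spliced straight into the SQL string. The block below is an added example, not Flip's script and not from any forum package: it re-implements the endpoint's decision logic in Python with an in-memory SQLite table standing in for phpbb_users, so the checks can be exercised offline. The network range 69.25.0.0/16 is only a placeholder derived from the post's "69.25" prefix and must be replaced with whatever range Linden Lab currently publishes; the owner key is the placeholder from the post; the "Production" shard value is what the main grid sends. Going one step beyond the thread, it also checks the X-SecondLife-Owner-Key header, which the simulator sets and the in-world script cannot alter, unlike the creator_avatar_key value the script itself puts in the URL.

```python
"""Stand-in for the forum verification endpoint with the thread's checks
applied properly.  Added example; not the original PHP script."""
import ipaddress
import sqlite3
from urllib.parse import parse_qs

# ASSUMPTION / PLACEHOLDER: the original script's substr(..., 0, 5) == "69.25"
# is a string prefix, so it also accepts 69.250.x.x through 69.255.x.x.  A CIDR
# match does not.  Replace with the currently published simulator range.
TRUSTED_NETS = [ipaddress.ip_network("69.25.0.0/16")]

# Placeholder key from the original post: the avatar that created the kiosks.
OWNER_AVATAR_KEY = "85f8e814-560d-4496-9e0c-b3c55beaba1c"


def make_db():
    """In-memory stand-in for phpbb_users (constructed sample rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("create table phpbb_users (username text, user_active integer)")
    db.executemany(
        "insert into phpbb_users values (?, ?)",
        [("Flip Peregrine", 0), ("Jesse Malthus", 0), ("Corona Lime", 1)],
    )
    db.commit()
    return db


def from_trusted_net(remote_addr):
    """True only if REMOTE_ADDR falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def verify(remote_addr, headers, query_string, db):
    """Return rows activated (0 or 1), or -1 if the request was rejected
    before the database was touched."""
    # 1. Source address: the one check a non-LL client cannot satisfy without
    #    spoofing the IP (Flip's and Lost Newcomb's point).
    if not from_trusted_net(remote_addr):
        return -1
    # 2. Simulator-added headers.  On their own they prove nothing (Yumi's and
    #    Lost's objection), but once the source is known to be LL they carry
    #    information the in-world script cannot forge.
    if headers.get("X-SecondLife-Shard") != "Production":
        return -1
    if headers.get("X-SecondLife-Owner-Key") != OWNER_AVATAR_KEY:
        return -1
    # 3. The script's own claim about who built the kiosk, as in the original.
    params = parse_qs(query_string)  # decodes %20 to a space, like PHP's $_GET
    if params.get("creator_avatar_key", [""])[0] != OWNER_AVATAR_KEY:
        return -1
    avatar_name = params.get("avatar_name", [""])[0]
    # 4. Parameterised UPDATE: the name can no longer change the statement.
    cur = db.execute(
        "update phpbb_users set user_active = 1 where username = ?",
        (avatar_name,),
    )
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    demo_db = make_db()
    good = {"X-SecondLife-Shard": "Production",
            "X-SecondLife-Owner-Key": OWNER_AVATAR_KEY}
    q = "creator_avatar_key=" + OWNER_AVATAR_KEY + "&avatar_name=Flip%20Peregrine"
    print(verify("69.25.104.7", good, q, demo_db))   # 1: activated
    print(verify("69.250.1.1", good, q, demo_db))    # -1: outside the CIDR
```

The return value keeps the original contract (the PHP echoed mysql_affected_rows, so "1" meant success) while distinguishing a rejected request from a genuine request for an unknown user name, which is useful when reading the web server log after someone reports a failed verification.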