BlueDevil23
Members, 328 posts
Everything posted by BlueDevil23
Which is fine, good thing you're trying :) ... I'm sure the more possibilities gideon has to choose from, the better.
-
Here ya go, I littered comments throughout it, to help you understand what's going on, and how it is securing it. If you need more info, don't be afraid to ask :) Oh, I'm not sure it 100% works the way you had it working.... there's a possibility I named a link wrong or something minor... but I'm about 95% sure I didn't. Though I know there are no PHP syntax errors. So, if there's a link pointing to the wrong place or the switch() isn't fully working, let me know, and I'll help you fix it, if you can't. :)

```php
<?php
include_once('globals.php');
?>
<style type="text/css">
span.bigBold { font-weight: bold; font-size: larger; }
table#spend_points { width: 50%; border: 1px black solid; }
#spend_points { width: 20%; }
td.spendOn { width: 10%; }
td.spendOn_accept { width: 3%; }
label { display: block; }
form { text-align: center; }
</style>
<?php
// I've left this code in here, for you to see the difference, and how easy it can be to secure a switch() like this,
// by understanding some simple PHP functions.
// My version of all this is the $possibleOptions allow-list further down.
/*
$_GET['refill'] = stripslashes(htmlspecialchars($_GET['refill']));
$_GET['refill0'] = stripslashes(htmlspecialchars($_GET['refill0']));
$_GET['refill2'] = stripslashes(htmlspecialchars($_GET['refill2']));
$_GET['refill3'] = stripslashes(htmlspecialchars($_GET['refill3']));
$_GET['hospitalheal'] = stripslashes(htmlspecialchars($_GET['hospitalheal']));
$_GET['getoutjail'] = stripslashes(htmlspecialchars($_GET['getoutjail']));
$_GET['turnsfill'] = stripslashes(htmlspecialchars($_GET['turnsfill']));
$_GET['turnsfill2'] = stripslashes(htmlspecialchars($_GET['turnsfill2']));
$_GET['IQ'] = stripslashes(htmlspecialchars($_GET['IQ']));
$_GET['money'] = stripslashes(htmlspecialchars($_GET['money']));
*/

// Prices in Points. The menu and the purchase checks below both read these,
// so the amount shown is the amount checked for and the amount charged.
$priceHealth   = 1;
$priceEnergy   = $set['ct_refillprice'];
$priceNerve    = $set['ct_refillprice'];
$priceAwake    = 75;
$priceHospital = 10;
$priceJail     = 10;
$priceSearch   = 50;
$priceLuckyDip = 25;

// I know you were mainly wondering about the security of this,
// but while we're at it, let's clean up the HTML a bit.
// Small thing, but if you're going to write new code, it's worth doing:
// use echo with single quotes, as it is the fastest of the basic write-to-document options.
// Though I don't exactly recommend going through old, already written code and doing this,
// as the speed gain from it is usually so miniscule, it's not worth it.
echo '<h1>Welcome to the Points Store!</h1>';
echo '<p>You have <span class="bigBold">', $ir['crystals'], '</span> Points to spend.</p>';

if (empty($_GET['spend'])) {
    // Another small thing that makes a *big* difference is to indent your code.
    // Without doing this, the code becomes increasingly unreadable.
    // Now technically here, if it was me, I would turn this into a list, but it could go either way.
    // I'll leave it as a table, assuming you would rather have it that way.
    // And since this is mainly a lot of HTML, and barely any PHP, I'm going to close out the PHP tags
    // and simply open them back up when I need to use a variable.
?>
<table id="spend_points">
    <tr>
        <th>What would you like to spend your Points on?</th>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceHealth; ?> Point to refill your Health.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=refill0">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceEnergy; ?> Points to refill your Energy.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=refill">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceNerve; ?> Points to refill your Nerve.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=refill2">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceAwake; ?> Points to refill your Awake.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=refill3">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceHospital; ?> Points to get out of the Hospital.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=hospitalheal">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceJail; ?> Points to Bail out of Jail.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=getoutjail">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceSearch; ?> Points to Reset your Downtown Search.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=turnsfill">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Spend <?php echo $priceLuckyDip; ?> Points to Reset your Lucky Dip.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=turnsfill2">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Gain <?php echo $set['ct_iqpercrys']; ?> IQ per Point Spent.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=IQ">(click here)</a></td>
    </tr>
    <tr>
        <td class="spendOn">Sell Points. <?php echo $set['ct_moneypercrys']; ?> per point.</td>
        <td class="spendOn_accept"><a href="spendpoints.php?spend=money">(click here)</a></td>
    </tr>
</table>
<?php
} else {
    // First I create an array of all the possible valid options $_GET['spend'] can be.
    // This way, if it's not in this array, it will not be accepted, and you will be protected
    // from anyone trying to exploit your game using the $_GET array/superglobal.
    // Now that I have an array of the possible valid options, I can check against it
    // using in_array(), to see if the supplied $_GET value is one in there, therefore being valid
    // and secure. The names here have to match the links in the menu above exactly.
    $possibleOptions = array('refill0', 'refill', 'refill2', 'refill3', 'hospitalheal', 'getoutjail',
                             'turnsfill', 'turnsfill2', 'IQ', 'IQ2', 'money', 'money2');
    // Third argument true: compare as strings, so nothing matches an entry loosely.
    if (!in_array($_GET['spend'], $possibleOptions, true)) {
        echo '<h3>Invalid Option</h3>';
        echo '<a href="spendpoints.php">Go Back</a>';
        return; // Using return simply to stop script execution
    }

    if ($_GET['spend'] == 'refill0') {
        if ($ir['crystals'] < $priceHealth) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['hp'] == $ir['maxhp']) {
            echo '<h3>You already have Full Health.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            // If we got through to this part, everything is good and we can build our query
            $maxHP = sprintf("UPDATE `users` SET `hp` = `maxhp`, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceHealth, $userid);
            // Execute the query
            $do_maxHP = mysql_query($maxHP);
            // Check to see if the query failed.... if it did, display the mysql error.
            if ($do_maxHP === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceHealth, ' Point to refill your Health Bar.</h3>';
            echo '<a href="spendpoints.php">Back to Points Store</a>';
            echo '<a href="explore.php">Back to City</a>';
        }
    } else if ($_GET['spend'] == 'getoutjail') {
        if ($ir['crystals'] < $priceJail) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['jail'] == 0) {
            echo '<h3>You are not in jail.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $getOutOfJail = sprintf("UPDATE `users` SET `jail` = 0, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceJail, $userid);
            $do_getOutOfJail = mysql_query($getOutOfJail);
            if ($do_getOutOfJail === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceJail, ' Points to get out of Jail.</h3>';
            echo '<a href="explore.php">Back to City</a>';
        }
    } else if ($_GET['spend'] == 'refill') {
        if ($ir['crystals'] < $priceEnergy) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['energy'] == $ir['maxenergy']) {
            echo '<h3>You already have full energy.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $maxEnergy = sprintf("UPDATE `users` SET `energy` = `maxenergy`, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceEnergy, $userid);
            $do_maxEnergy = mysql_query($maxEnergy);
            if ($do_maxEnergy === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceEnergy, ' Points to refill your energy bar.</h3>';
            echo '<a href="gym.php">Go to Gym</a>';
        }
    } else if ($_GET['spend'] == 'refill2') {
        if ($ir['crystals'] < $priceNerve) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['brave'] == $ir['maxbrave']) {
            echo '<h3>You already have full Nerve.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $maxBrave = sprintf("UPDATE `users` SET `brave` = `maxbrave`, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceNerve, $userid);
            $do_maxBrave = mysql_query($maxBrave);
            if ($do_maxBrave === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceNerve, ' Points to refill your Nerve Bar.</h3>';
        }
    } else if ($_GET['spend'] == 'hospitalheal') {
        if ($ir['crystals'] < $priceHospital) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['hospital'] < 1) {
            echo '<h3>You are not in the Hospital!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $getOutOfHospital = sprintf("UPDATE `users` SET `hospital` = 0, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceHospital, $userid);
            $do_getOutOfHospital = mysql_query($getOutOfHospital);
            if ($do_getOutOfHospital === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceHospital, ' Points to get out of the hospital.</h3>';
            echo '<a href="explore.php">Back to City</a>';
        }
    } else if ($_GET['spend'] == 'turnsfill') {
        if ($ir['crystals'] < $priceSearch) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['turns'] > 1) {
            echo '<h3>You still have some searches left!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $moreTurns = sprintf("UPDATE `users` SET `turns` = `turns` + %d, `crystals` = `crystals` - %d WHERE (`userid` = %u)", 100, $priceSearch, $userid);
            $do_moreTurns = mysql_query($moreTurns);
            if ($do_moreTurns === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceSearch, ' Points to reset your Downtown Search.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
        }
    }
    // Ok, by now you might be wondering why I keep using echo over and over for each line.
    // I know I know, I can just keep it open, and not have to keep re-using it.
    // But, with this way, it helps the parser out, and go line by line, to pinpoint syntax
    // errors to the exact line. Plus..... I like the way it looks :D
    else if ($_GET['spend'] == 'refill3') {
        if ($ir['crystals'] < $priceAwake) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['will'] == $ir['maxwill']) {
            echo '<h3>Your Awake is already Maxed out.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else {
            $maxWill = sprintf("UPDATE `users` SET `will` = `maxwill`, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $priceAwake, $userid);
            $do_maxWill = mysql_query($maxWill);
            if ($do_maxWill === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceAwake, ' Points to refill your Will Bar.</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
        }
    }
    // Phew....that was tiring...
    else if ($_GET['spend'] == 'IQ') {
        echo '<p>Type in the amount of Points you want to swap for IQ.</p>';
        echo '<p>You have ', $ir['crystals'], ' Points.</p>';
        echo '<h5>One crystal = ', $set['ct_iqpercrys'], ' IQ.</h5>';
        echo '<form action="spendpoints.php?spend=IQ2" method="POST">';
        echo '<label for="crystals">Crystals</label>';
        echo '<input type="text" id="crystals" name="crystals" />';
        echo '<p><input type="submit" value="Swap" /></p>';
        echo '</form>';
    } else if ($_GET['spend'] == 'IQ2') {
        // Now to secure the $_POST value being sent by the form,
        // we have to think what we expect, and only allow what we want to allow.
        // If we only want to allow numbers, only allow numbers.
        // If you only want to allow alphabetic characters, only allow alphabetic characters, etc.
        // In this case we only want whole numbers, so ctype_digit() on the string value:
        // it rejects signs, decimals, exponents, spaces and anything else that isn't 0-9.
        if (!isset($_POST['crystals']) || !ctype_digit((string) $_POST['crystals'])) {
            echo '<h3>You must enter a valid *number*</h3>';
            echo '<a href="spendpoints.php?spend=IQ">Back</a>';
            return; // If it's not a number, we stop execution of the script, and let them go back.
        }
        $amount = (int) $_POST['crystals'];
        if ($amount <= 0 || $amount > $ir['crystals']) {
            echo '<p>Error, you either do not have enough Points or did not fill out the form.</p>';
            echo '<a href="spendpoints.php?spend=IQ">Back</a>';
            return;
        } else {
            $iqgain = $amount * $set['ct_iqpercrys'];
            $takeCrystals = sprintf("UPDATE `users` SET `crystals` = `crystals` - %d WHERE (`userid` = %u)", $amount, $userid);
            $do_takeCrystals = mysql_query($takeCrystals);
            if ($do_takeCrystals === FALSE) {
                echo mysql_error();
            }
            $moreIQ = sprintf("UPDATE `userstats` SET `IQ` = `IQ` + %d WHERE (`userid` = %u)", $iqgain, $userid);
            $do_moreIQ = mysql_query($moreIQ);
            if ($do_moreIQ === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You traded ', $amount, ' Points for ', $iqgain, ' IQ.</h3>';
        }
    } else if ($_GET['spend'] == 'money') {
        echo '<p>Type in the amount of Points you want to swap for money.</p>';
        echo '<p>You have ', $ir['crystals'], ' Points.</p>';
        echo '<h5>One crystal = $', number_format($set['ct_moneypercrys']), '.</h5>';
        echo '<form action="spendpoints.php?spend=money2" method="POST">';
        echo '<label for="crystals">Crystals</label>';
        echo '<input type="text" id="crystals" name="crystals" />';
        echo '<p><input type="submit" value="Swap" /></p>';
        echo '</form>';
    } else if ($_GET['spend'] == 'money2') {
        // Same whole-number check as IQ2 above.
        if (!isset($_POST['crystals']) || !ctype_digit((string) $_POST['crystals'])) {
            echo '<h3>You must enter a valid *number*</h3>';
            echo '<a href="spendpoints.php?spend=money">Back</a>';
            return;
        }
        $amount = (int) $_POST['crystals'];
        if ($amount <= 0 || $amount > $ir['crystals']) {
            echo '<p>Error, you either do not have enough Points or did not fill out the form.</p>';
            echo '<a href="spendpoints.php?spend=money">Back</a>';
            return;
        } else {
            $moneygain = $amount * $set['ct_moneypercrys'];
            $moreMoney = sprintf("UPDATE `users` SET `money` = `money` + %d, `crystals` = `crystals` - %d WHERE (`userid` = %u)", $moneygain, $amount, $userid);
            $do_moreMoney = mysql_query($moreMoney);
            if ($do_moreMoney === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You traded ', $amount, ' Points for $', number_format($moneygain), '.</h3>';
        }
    } else if ($_GET['spend'] == 'turnsfill2') {
        if ($ir['crystals'] < $priceLuckyDip) {
            echo '<h3>You don\'t have enough Points!</h3>';
            echo '<a href="spendpoints.php">Go Back</a>';
            return;
        } else if ($ir['luckydip_turns'] == 0) {
            $luckyDips = sprintf("UPDATE `users` SET `luckydip_turns` = `luckydip_turns` + %d, `crystals` = `crystals` - %d WHERE (`userid` = %u)", 1, $priceLuckyDip, $userid);
            $do_luckyDips = mysql_query($luckyDips);
            if ($do_luckyDips === FALSE) {
                echo mysql_error();
            }
            echo '<h3>You have paid ', $priceLuckyDip, ' Points to reset your Lucky Dip.</h3>';
            echo '<a href="luckydip.php">Go to Lucky Dip</a>';
        } else {
            echo '<h3>You still have chances left!</h3>';
            echo '<a href="luckydip.php">Go to Lucky Dip</a>';
        }
    }
}
$h->endpage();
// Hope you've learned something! :)
?>
```
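As an added example (my own code, not BlueDevil23's post and not mccodes itself), here are the same ideas the post teaches, an allow-list for `$_GET['spend']` and a strict whole-number check on the form amount, plus the one step the post's pattern leaves out: making the debit conditional inside the UPDATE. With a separate "if ($ir['crystals'] < price)" test followed by an unconditional UPDATE, two requests for the same purchase that arrive together both pass the test on the same stale balance and both get charged, so a player can spend points they no longer have. The `users` table, its columns and the `buy()` / `sellPoints()` helpers are assumptions for this example; it uses PDO against an in-memory SQLite database built inline so it runs stand-alone, and only the DSN changes for MySQL.

```php
<?php
// Added example, not from the original post or from mccodes. Needs the pdo_sqlite
// extension to run as-is; a real game would use a MySQL DSN instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user with 20 points, 30/100 hp, in jail, no money.
// Column names follow the post's queries; the table itself is an assumption.
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, crystals INTEGER, hp INTEGER, maxhp INTEGER, jail INTEGER, money INTEGER)');
$db->exec('INSERT INTO users VALUES (1, 20, 30, 100, 5, 0)');

// Allow-list: the only values of $_GET['spend'] the store knows. Each entry carries
// its price, the effect to apply and the precondition to require. These fragments are
// fixed developer strings, so nothing from the request ever reaches the SQL text.
$actions = array(
    'refill0'    => array('price' => 1,  'effect' => 'hp = maxhp', 'guard' => 'hp < maxhp'),
    'getoutjail' => array('price' => 10, 'effect' => 'jail = 0',   'guard' => 'jail > 0'),
);

/**
 * Apply one purchase as a single conditional UPDATE. The WHERE clause re-checks the
 * balance and the precondition inside the database, so a balance read earlier in the
 * request (the post's $ir['crystals']) cannot be used to overspend, and two
 * simultaneous requests cannot both be charged against one balance.
 * Returns true only if exactly one row changed.
 */
function buy(PDO $db, int $userid, string $action, array $actions): bool
{
    if (!array_key_exists($action, $actions)) {
        return false; // not on the allow-list: reject before building any SQL
    }
    $a  = $actions[$action];
    $st = $db->prepare('UPDATE users SET ' . $a['effect'] . ', crystals = crystals - :price'
                     . ' WHERE userid = :uid AND crystals >= :price2 AND ' . $a['guard']);
    $st->execute(array(':price' => $a['price'], ':uid' => $userid, ':price2' => $a['price']));
    return $st->rowCount() === 1;
}

/**
 * Swap a form-supplied number of points for money at $rate per point.
 * FILTER_VALIDATE_INT with min_range 1 rejects '', '1.5', '1e3', '-3' and 'abc',
 * the same job as the post's digit check, and the UPDATE re-checks the balance the
 * way buy() does. Returns the money credited, or 0 when nothing was charged.
 */
function sellPoints(PDO $db, int $userid, $rawAmount, int $rate): int
{
    $amount = filter_var($rawAmount, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($amount === false) {
        return 0;
    }
    $st = $db->prepare('UPDATE users SET money = money + :gain, crystals = crystals - :amt'
                     . ' WHERE userid = :uid AND crystals >= :amt2');
    $st->execute(array(':gain' => $amount * $rate, ':amt' => $amount, ':uid' => $userid, ':amt2' => $amount));
    return $st->rowCount() === 1 ? $amount * $rate : 0;
}

// Walk-through on the constructed user, starting from 20 points:
var_dump(buy($db, 1, 'IQ', $actions));         // rejected: not on the allow-list
var_dump(buy($db, 1, 'getoutjail', $actions)); // charged: jail cleared
var_dump(buy($db, 1, 'getoutjail', $actions)); // refused: guard jail > 0 no longer holds, nothing charged
var_dump(sellPoints($db, 1, '7', 100));        // charged: 7 points sold
var_dump(sellPoints($db, 1, '5', 100));        // refused: balance too low, the UPDATE matches no row
var_dump(sellPoints($db, 1, '1.5', 100));      // refused before any SQL runs
var_dump(buy($db, 1, 'refill0', $actions));    // charged: hp set to maxhp
```

The `rowCount()` check is the part that matters: a friendly "not enough Points" message can still come from `$ir['crystals']`, but the decision to charge is made by the database in one statement. Two further habits worth keeping from this: bind every value from the request as a parameter rather than formatting it into the query string, and log `mysql_error()` / PDO exceptions server-side instead of echoing them to the player.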
-
The pass that is sent to you *will* work, but your old, original one from CE will *not*.
-
After you request it, you go to your email and click a link from us. Once you click that link, it will bring you back to MWG, and it will say your new password has been sent to your email. So, you go to your email and open the new message from us, and it will contain your new password. If you don't like it, you can change the password from your account settings. :)
-
Your old account is still around, along with everyone else's... you just have to pay attention enough to see that you have to request a new password, using the Lost Password function.
-
Re: Project: GladiatorsArena (MCCODES) Your first post with the link in it, didn't work, but I fixed it. Your latest with the link in it does though :P In your first one, you had www.gladiatorsarena.co.cc, instead of www.gladiatorarena.co.cc
-
Re: [mccode v2] Weather Gym [$1.00] Will be sent asap, and thanks for purchasing. As a side note: The rights to this mod have been transferred to Jeff. So, if you see someone else selling it, with the name Jeff, here or on other related forums... it is ok and he has my permission (he has full rights to the mod). If you still want to buy it... just contact him, and see if he has plans on selling it. I'm not sure if he does... he might sell it, might improve it, might keep it to himself, whatever, it's his choice. Thanks :)
-
Re: [v2] Explore ReCode Good job... now make the whole explore page, with all the links and link titles in an array. It's not very hard, you can do it :)
-
Re: [V1 && V2]Change Username Color He has done that. `$allowedColors = array("black","red","green","blue"); if(isset($_POST['color']) AND ctype_alpha($_POST['color']) AND in_array($_POST['color'],$allowedColors)) [...]`
-
Re: New Game. Blow your mind's away. Lol, that's the problem around here, a lot of people think it only takes a few weeks or a few months to get a game together. Most good games will take a year or two, at least.
-
Re: [mccode v2] Weather Gym [$1.00] There has been no updates recently, you should have the latest update. But I will be more than happy to get it working for ya. If it's not getting the weather correctly, I have a feeling Yahoo might have changed up their Weather API. Send me a PM, or even better, try to catch me on MSN :)
-
Next Generation Browser Game Engine - Input Request
BlueDevil23 replied to mdshare's topic in General
Re: Next Generation Browser Game Engine - Input Request JSON will accomplish the same thing, while being quite a bit faster... -
Re: Content for sale, that's right. Me ;), I will charge you 0.50 USD per crime. This includes: Intro: "You walk up to XX Shop and look into the window. You notice a nice gold watch. You decide to steal it." Success: "You came back late at night and broke the window. You successfully stole the gold watch." Failure: "You came back late at night and broke the window. You did not steal the gold watch, there was a guard inside. You managed to run away." Caught: "You came back late at night and broke the window. You did not steal the gold watch and you tried to run away from the guard, I think he was too fast for you!" Thanks for letting me know. Maybe someone will find your service useful.
-
Re: Content for sale, that's right. 50 bucks, that's not bad. If you can find a creative content writer that would write that many crimes(intros, success and failure text), for remotely that cheap, let me know. I'm making this statement, assuming the text is descriptive, and not something like: Intro: "You try stealing a CD...." Success: "You stole it." Failure: "You got caught"
-
Next Generation Browser Game Engine - Input Request
BlueDevil23 replied to mdshare's topic in General
Re: Next Generation Browser Game Engine - Input Request McCode? lol. McCode uses serialized strings somewhere, forgot where though. Possibly items or weapons, specifically(probably wrong though). -
Has anyone got a email validation mod for V1 for sale will pay $$$
BlueDevil23 replied to bennyh's topic in Game Support
Re: Has anyone got a email validation mod for V1 for sale will pay $$$ Hmmmm, email validation? $email = filter_var($email, FILTER_VALIDATE_EMAIL); There ya go, your email is validated. Free.. no problem. Hint hint: Give us more details! -
[IN PROGRESS V2] Bank High Sealed Security
BlueDevil23 replied to CainFool's topic in General Discussion
Re: [iN PROGRESS V2] Bank High Sealed Security I remember that too, I think it was Extermination/Joel. -
Re: please help with this one thanks You're using the event_add() function. Where does the event_add() function reside? Is it included in your script?
-
Re: Do you read any industry news...If yes which one? Love Nettuts, and the whole Envato Network, in general. But I also read the ThemeForest Blog(and I'm sure sheddie, does too) and Jeff Way's Blog. Not as often, but sometimes A List Apart and Smashing Magazine. Oh and not sure if you want to count this but: I follow quite a few of the leading programmers and designers on Twitter.
-
[TGM] Federal Jail Reporting System [TGM]
BlueDevil23 replied to Cronus's topic in Paid Modifications
Re: [TGM] Federal Jail Reporting System [TGM] Hmmm idk, there sure seems to have been an increasing amount of complaints lately.... -
Re: [mccode v2] User Search Yeah.... I wouldn't exactly recommend this for someone to use, anymore lol. I think this was probably the second mod I ever made... and it's not something I'm exactly proud of anymore haha. There are multiple things wrong with it: It's not X-Browser compatible. The pagination is horribly done, well you could hardly call it pagination, more like load all the results ... hide some of them ... and show another set amount, after the user clicks the button. What I'm trying to say is, if your game has a decent amount of users, this script is *very* slow, because of this feature. Like Savager hinted at, the JS file is pretty hefty, but not too bad, and could probably be minimized. Oh, and not to mention the code is horribly written. I was a joke at PHP when I wrote this haha. Anyways... there are some precautions for you, if you still do decide to use it.
-
Re: GFX Looking pretty good Miniman :) (the border on the top one looks distorted, with that image :/)
-
Re: Military Nation Provoked? It's quite obvious, that it was him.
-
Re: [mccode v2] Player Card ($8) We'll implement that, and send out an update ASAP, thanks for mentioning it AbsentCrisis, appreciate it.
-
Re: [mccode v2] Player Card ($8) Lol, thanks for the short post! I actually had time to read one of your posts! :P Thanks for the good comments. :) The person that made the original design, isn't on CE, so I guarantee most of everyone on CE wouldn't know him, with the exception of paralem lol. I can talk to Killah about your idea though, since he is the one doing the GFX for this :)