Curt

lol...this thread is pretty old....

im aware that sprintf only formats (like i said ive been all through these forums and read everything relating to security)..but doesnt the adding the query to a vairable then using the %u for the values secure it ?...if im wrong at doin this please let me know...I started last night and spent a few hours securing pages and if im doing it wrong, then im just wasting my own time.... The_Past ok, im gonna simply remove the "$c" and if i get an error, ill try doing the "$c $db->query($query1,$c);" method that u mentioned...lol...and if that dont work...ill be back :P thanks for the help guys

I have been all through these forums and learned a lot about securing my game..I have started to secure my site but one thing is throwing me off a bit... Ive been using Optimus Prime's tutorial as reference, located here : How to secure a few things! now the thing that is throwing me off a bit is this : the "$c" at the end of the query... $db->query("UPDATE users SET crystals=crystals + 1 WHERE userid=$userid", $c); can i remove that and things will be ok ?...this is how I would do it: $query1=sprintf("UPDATE users SET crystals=crystals + %u WHERE userid= %u ", 1, $userid); $db->query($query1) will the above be good ?...this query came from a free v1 mod i converted to v2... thanks for any help

lol...no offence to you but a simple google search would have gave you this answer... <table background='imagelocation'>

im not sure how you would do this....but i know what you would need to do it..lol if you want it so that each time you refresh the page it will show the time remaining you will need to use timestamps i believe.. but if you want it so it continuously countsdown with out refreshing you would need javascript i believe... im interesting in seeing this get solved because i wanna do something like this with my mug system...so it says how much time is left before they can mug again..

thanks alot seanybob, that works perfectly... :thumbsup:

thanks, ill search the site for an example...i have never used timestamps..

I created my own mugging event, all works fine but I am not sure how I would go about setting a time limit between muggings...like you can only mug someone every 30 seconds.. lol...i can mug someone 100 times in one minute :P any help ? if so thank you...im sure this is a simple one...and remember you only have to show me once :P

I set up a game online, and I found a website that offers up to 5 crons for free. >http://www.onlinecronjobs.com< I set the crons up successfully and the least time they offer for free is 15 min intervals...anyway my crons never run... if i manually click run, then they execute successfully... Just wondering is there something wrong with this site ?...or did i do something wrong ? lol...i tried to message support but it seems there inbox is full and the mail was returned back to me...this leads me to believe it is the site... thanks if anyone can help... later   EDIT: LOL...well i figured out the problem...

I was wondering how difficult it would be to base weapon/armor effectiveness off of a percentage of your current strength/guard...im new to the coding scene and not sure how i could do this...if you don't understand, let me know and i will go into more details... any help would be great if it is a very difficult task, then nevermind..ill make due with what i have until i gain the skills to do this myself :P i read through all the topics the other day and not sure if this has been asked or not, if so please point me in the right direction cause i searched the forum and came up with nothing useful :(

sorry..i had the topic opened while i coded that...after i posted i noticed yours..

Im not a great coder but this is what i came up with...its not secure tho...but i tested it and it works fine for V2   <?php require "globals.php"; echo '<h1>TURN VACATION ON/OFF</h> '; if ($_GET['action'] != 'turnon') { } else { $db->query("UPDATE users SET vacation=1 WHERE userid=$userid",$c); echo ' You turned Vacation On.'; } if ($_GET['action'] != 'turnoff') { } else { $db->query("UPDATE users SET vacation=0 WHERE userid=$userid",$c); echo ' You turned Vacation Off.'; } { print "<form method=post action=vacation.php?action=turnon><input type=hidden name=action value=turnon><input type=submit value='Turn On'></form> <form method=post action=vacation.php?action=turnoff><input type=hidden name=action value=turnoff><input type=submit value='Turn Off'> </form>"; } $h->endpage(); ?>

BlueDevil23 you are awsome :) Thank you very much for taking the time to help me out. lol...the reason i simply used a table because I haven't learned enough about arrays yet to use them but i understand exactly what its good for. I will be studying this script for a while...and any minor errors if there is any im sure I can fix :) Oh yea JDS137, the tut is like two topics down.. http://makewebgames.io//index.php?page=Thread&threadID=28945

gym.php   <?php $macropage="gym.php"; require "globals.php"; if($ir['hospital']) { die("<prb>You cannot train while in the hospital.</prb>"); } $statnames=array( 'Strength' => 'strength', 'Agility' => 'agility', 'Guard' => 'guard', 'Labour' => 'labour'); $_POST['amnt']=abs((int) $_POST['amnt']); if(!$ir['jail']) { print "<h1>Gym</h1><hr>"; } else { print "<h1>Jail Gym</h1><hr>"; } $ts=$ir['strength']+$ir['agility']+$ir['guard']+$ir['labour']+$ir['IQ']; $ir['strank']=get_rank($ir['strength'],'strength'); $ir['agirank']=get_rank($ir['agility'],'agility'); $ir['guarank']=get_rank($ir['guard'],'guard'); $ir['labrank']=get_rank($ir['labour'],'labour'); $ir['IQrank']=get_rank($ir['IQ'],'IQ'); $tsrank=get_rank($ts,'strength+agility+guard+labour+IQ'); $ir['strength']=number_format($ir['strength']); $ir['agility']=number_format($ir['agility']); $ir['guard']=number_format($ir['guard']); $ir['labour']=number_format($ir['labour']); $ir['IQ']=number_format($ir['IQ']); $ts=number_format($ts); print "[b]<big>[b]Your Current Stats:[/b]</big>[/b] <table><tr><td>[b]Strength:[/b] {$ir['strength']} [Ranked: {$ir['strank']}]</td><td>[b]Speed:[/b] {$ir['agility']} [Ranked: {$ir['agirank']}]</td></tr> <tr><td>[b]Guard:[/b] {$ir['guard']} [Ranked: {$ir['guarank']}]</td><td>[b]Labour:[/b] {$ir['labour']} [Ranked: {$ir['labrank']}]</td></tr> <tr><td>[b]IQ: [/b] {$ir['IQ']} [Ranked: {$ir['IQrank']}]</td><td>[b]Total stats:[/b] {$ts} [Ranked: $tsrank]</td></tr></table> <hr> [b]<big>[b]You can train up to <prb>{$ir['energy']}</prb> times.[/b]</big>[/b] <hr>"; if($_POST['stat'] && $_POST['amnt']) { $stat=$statnames[$_POST['stat']]; if(!$stat) { die("<prb>This stat cannot be trained.</prb>"); } if($_POST['amnt'] > $ir['energy']) { print("<prb>You do not have enough energy to train that much.</prb><hr width='70%' align='left' />"); } else { $gain=0; for($i=0; $i<$_POST['amnt']; $i++) { $gain+=rand(1,3)/rand(800,1000)*rand(800,1000)*(($ir['will']+20)/150); $ir['will']-=rand(1,3); if($ir['will'] < 0) { $ir['will']=0;} } if($ir['jail']) { $gain/=2; } $db->query("UPDATE `userstats` SET `{$stat}` = `{$stat}` + $gain WHERE `userid` = $userid"); $db->query("UPDATE `users` SET `will` = {$ir['will']}, energy = energy - {$_POST['amnt']} WHERE `userid` = $userid"); $inc=$ir[$stat]+$gain; $inc2=$ir['energy']-$_POST['amnt']; if($stat=="strength") { print "You trained {$_POST['amnt']} times and gained a total of $gain Strength !"; } elseif($stat=="agility") { print "You trained {$_POST['amnt']} times and gained a total of $gain Agility !"; } elseif($stat=="guard") { print "You trained {$_POST['amnt']} times and gained a total of $gain Guard !"; } elseif($stat=="labour") { print "You trained {$_POST['amnt']} times and gained a total of $gain Labour !"; } print "<hr />"; $ir['energy']-=$_POST['amnt']; $ir[$stat]+=$gain; } } if ($_GET['action'] != 'maxstr') { } else { $_POST['amnt']=$ir['energy']; $gain=0; for($i=0; $i<$_POST['amnt']; $i++) { $gain+=rand(1,3)/rand(800,1000)*rand(800,1000)*(($ir['will']+20)/150); $ir['will']-=rand(1,3); if($ir['will'] < 0) { $ir['will']=0;} } if($ir['jail']) { $gain/=2; } print " You trained {$_POST['amnt']} times and gained a total of $gain Strength ! <hr> "; $db->query("UPDATE `userstats` SET strength=strength + $gain WHERE `userid` = $userid"); $db->query("UPDATE `users` SET `will` = {$ir['will']}, energy = energy-energy WHERE `userid` = $userid"); } if ($_GET['action'] != 'maxagi') { } else { $_POST['amnt']=$ir['energy']; $gain=0; for($i=0; $i<$_POST['amnt']; $i++) { $gain+=rand(1,3)/rand(800,1000)*rand(800,1000)*(($ir['will']+20)/150); $ir['will']-=rand(1,3); if($ir['will'] < 0) { $ir['will']=0; $gain=0;} } if($ir['jail']) { $gain/=2; } print " You trained {$_POST['amnt']} times and gained a total of $gain Agility ! <hr> "; $db->query("UPDATE `userstats` SET agility=agility + $gain WHERE `userid` = $userid"); $db->query("UPDATE `users` SET `will` = {$ir['will']}, energy = energy-energy WHERE `userid` = $userid"); } if ($_GET['action'] != 'maxdef') { } else { $_POST['amnt']=$ir['energy']; $gain=0; for($i=0; $i<$_POST['amnt']; $i++) { $gain+=rand(1,3)/rand(800,1000)*rand(800,1000)*(($ir['will']+20)/150); $ir['will']-=rand(1,3); if($ir['will'] < 0) { $ir['will']=0; $gain=0;} } if($ir['jail']) { $gain/=2; } print " You trained {$_POST['amnt']} times and gained a total of $gain Defense ! <hr> "; $db->query("UPDATE `userstats` SET guard=guard + $gain WHERE `userid` = $userid"); $db->query("UPDATE `users` SET `will` = {$ir['will']}, energy = energy-energy WHERE `userid` = $userid"); } if ($_GET['action'] != 'maxlab') { } else { $_POST['amnt']=$ir['energy']; $gain=0; for($i=0; $i<$_POST['amnt']; $i++) { $gain+=rand(1,3)/rand(800,1000)*rand(800,1000)*(($ir['will']+20)/150); $ir['will']-=rand(1,3); if($ir['will'] < 0) { $ir['will']=0; $gain=0;} } if($ir['jail']) { $gain/=2; } print " You trained {$_POST['amnt']} times and gained a total of $gain Labour ! <hr> "; $db->query("UPDATE `userstats` SET labour=labour + $gain WHERE `userid` = $userid"); $db->query("UPDATE `users` SET `will` = {$ir['will']}, energy = energy-energy WHERE `userid` = $userid"); } print "<form action='gym.php' method='post'> Times To Train: <input type='text' value='{$ir['energy']}' size='4' name='amnt'> <select type='dropdown' name='stat'> <option value='Strength'>Strength</option> <option value='Agility'>Speed</option> <option value='Guard'>Guard</option> <option value='Labour'>Labour</option> <input type='submit' value='Train' /> </form> "; print "<table width='50%' cellspacing=0 border=0 > <tr><td><form method=post action=gym.php?action=maxstr><input type=hidden name=action value=maxstr><input type=submit value='Max Strength'></form></td> <td><form method=post action=gym.php?action=maxdef><input type=hidden name=action value=maxdef><input type=submit value='Max Defense'></form></td> <td><form method=post action=gym.php?action=maxagi><input type=hidden name=action value=maxagi><input type=submit value='Max Speed'></form></td> <td><form method=post action=gym.php?action=maxlab><input type=hidden name=action value=maxlab><input type=submit value='Max Labor'></form></td><td></table>"; print " <hr> [url='spendpoints.php?spend=refill']Refill Energy [/url]- {$set['ct_refillprice']} Points [url='spendpoints.php?spend=refill3']Refill Awake [/url]- 75 Points "; $h->endpage(); ?>

I made a simple modified version of the gym for my game...maybe someone will like it..It include your stats and rank at the top of page..drop down menu to train also with Max Train Skill buttons.....i was thinking of adding a crititical training to it...good chance i will...this is my first release..I dont claim to have created the gym.php...just edited it. Im sure it could use some work...lol..if this exact look has been posted before..srry :( I havent had time to go through every page yet. Also im learning security atm, so im pretty sure this is not secure....but from what ive read its not too difficult to secure it... Enjoy and Comments are welcome and wanted :) Screen Shot Included:

Very nice explanation. I have learned alot from this thank you.

<?php include "globals.php"; $_GET['refill'] = stripslashes(htmlspecialchars($_GET['refill'])); $_GET['refill0'] = stripslashes(htmlspecialchars($_GET['refill0'])); $_GET['refill2'] = stripslashes(htmlspecialchars($_GET['refill2'])); $_GET['refill3'] = stripslashes(htmlspecialchars($_GET['refill3'])); $_GET['hospitalheal'] = stripslashes(htmlspecialchars($_GET['hospitalheal'])); $_GET['getoutjail'] = stripslashes(htmlspecialchars($_GET['getoutjail'])); $_GET['turnsfill'] = stripslashes(htmlspecialchars($_GET['turnsfill'])); $_GET['turnsfill2'] = stripslashes(htmlspecialchars($_GET['turnsfill2'])); $_GET['IQ'] = stripslashes(htmlspecialchars($_GET['IQ'])); $_GET['money'] = stripslashes(htmlspecialchars($_GET['money'])); { print "<h1>Welcome to the Points Store!</h1> You have [b]<big>{$ir['crystals']}</big>[/b] Points to spend.[/b] <hr> "; } if(!$_GET['spend']) { print "<table width='50%' border=1> <tr> <th width='20%'><ph2>What would you like to spend your Points on?</ph2></th> </tr> <tr> <td width='10%'>Spend 1 Point to refill your Health.</td> <td width='3%'>[url='spendpoints.php?spend=refill0'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend {$set['ct_refillprice']} Points to refill your Energy.</td> <td width='3%'>[url='spendpoints.php?spend=refill'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend {$set['ct_refillprice']} Points to refill your Nerve.</td> <td width='3%'>[url='spendpoints.php?spend=refill2'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend 75 Points to refill your Awake.</td> <td width='3%'>[url='spendpoints.php?spend=refill3'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend 5 Points to get out of the Hospital.</td> <td width='3%'>[url='spendpoints.php?spend=hospitalheal'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend 5 Points to Bail out of Jail.</td> <td width='3%'>[url='spendpoints.php?spend=getoutjail'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend 50 Points to Reset your Downtown Search.</td> <td width='3%'>[url='spendpoints.php?spend=turnsfill'](click here)[/url]</td> </tr> <tr> <td width='10%'>Spend 25 Points to Reset your Lucky Dip.</td> <td width='3%'>[url='spendpoints.php?spend=turnsfill2'](click here)[/url]</td> </tr> <tr> <td width='10%'>Gain {$set['ct_iqpercrys']} IQ per Point Spent.</td> <td width='3%'>[url='spendpoints.php?spend=IQ'](click here)[/url]</td> </tr> <tr> <td width='10%'>Sell Points. {$set['ct_moneypercrys']} per point.</td> <td width='3%'>[url='spendpoints.php?spend=money'](click here)[/url]</td> </tr>"; } else { if($_GET['spend'] == 'refill0') { if($ir['crystals'] <1) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['hp'] == $ir['maxhp']) { print "You already have Full Health. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET hp=maxhp,crystals=crystals - %d WHERE (`userid` = $userid)", abs(@intval(1))); $db->query($sprintf); print "You have paid 1 Point to refill your Health Bar. <a href='spendpoints.php'> [i] Back to Points Store [/i]<a/> or <a href='explore.php'>[i]Back to City[/i]<a/>"; } } else if($_GET['spend'] == 'getoutjail') { if($ir['crystals'] <9) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['jail'] == 0) { print "You are not in jail. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET jail=jail-jail,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(10))); $db->query($sprintf); print " [b]You have paid 10 Points Get out of Jail.[/b] [b]<big>[url='explore.php']Back to City[/url][/b]</big>[/b]"; } } else if($_GET['spend'] == 'refill') { if($ir['crystals'] <$set['ct_refillprice']) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['energy'] == $ir['maxenergy']) { print "You already have full energy. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET energy=maxenergy,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($set['ct_refillprice']))); $db->query($sprintf); print " [b]You have paid {$set['ct_refillprice']} Points to refill your energy bar.[/b] [b]<big>[url='gym.php']Go to Gym[/url][/b]</big>[/b]"; } } else if($_GET['spend'] == 'refill2') { if($ir['crystals'] <$set['ct_refillprice']) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['brave'] == $ir['maxbrave']) { print "You already have full Nerve. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET brave=maxbrave,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($set['ct_refillprice']))); $db->query($sprintf); print "You have paid {$set['ct_refillprice']} Points to refill your Nerve Bar."; } } else if($_GET['spend'] == 'hospitalheal') { if($ir['crystals'] <9) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['hospital'] <1) { print " [b]You are not in the Hospital ![/b] <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET hospital=0,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(10))); $db->query($sprintf); print " [b]<big>You have paid [b]<big>[b]10[/b]</big>[/b] Points to get out of the hospital.[/b]</big> [url='explore.php']Back to City[/url][/b]"; } } else if($_GET['spend'] == 'turnsfill') { if($ir['crystals'] <74) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['turns'] >1) { print " You still have some searches left ! [url='streets.php']Go to Downtown Search[/url][/b] or <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(50))); $db->query($sprintf); $sprintf=sprintf("UPDATE users SET turns=turns+%d WHERE (`userid` = $userid)", abs(@intval(100))); $db->query($sprintf); print " [b]<big>You have paid to [b]<big>[b]50[/b]</big>[/b] Points to reset your Downtown Search.[/b]</big> [url='streets.php']Go to Downtown Search[/url][/b] or <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } } else if($_GET['spend'] == 'refill3') { if($ir['crystals'] <65) { print "You don't have enough Points! <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else if($ir['will'] == $ir['maxwill']) { print "You Awake is already Maxed out. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } else { $sprintf=sprintf("UPDATE users SET will=maxwill,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(75))); $db->query($sprintf); print "You have paid 75 Points to refill your Will Bar. <a href='spendpoints.php'> [i] Go Back [/i]<a/>"; } } else if($_GET['spend'] == 'IQ') { print "Type in the amount of Points you want to swap for IQ. You have [b]{$ir['crystals']}[/b] Points. One crystal = {$set['ct_iqpercrys']} IQ.<form action='spendpoints.php?spend=IQ2' method='post'><input type='text' name='crystals' /> <input type='submit' value='Swap' /></form>"; } else if($_GET['spend'] == 'IQ2') { $_POST['crystals'] = abs(@intval($_POST['crystals'])); if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals']) { print "Error, you either do not have enough Points or did not fill out the form. [url='spendpoints.php?spend=IQ']Back[/url]"; } else { $iqgain=$_POST['crystals']*$set['ct_iqpercrys']; $sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($_POST['crystals']))); $db->query($sprintf); $sprintf=sprintf("UPDATE userstats SET IQ=IQ+%d WHERE (`userid` = $userid)", abs(@intval($iqgain))); $db->query($sprintf); print "You traded {$_POST['crystals']} Points for $iqgain IQ."; } } else if($_GET['spend'] == 'money') { print "Type in the amount of Points you want to swap for money. You have [b]{$ir['crystals']}[/b] Points. One crystal = \$".number_format($set['ct_moneypercrys']).".<form action='spendpoints.php?spend=money2' method='post'><input type='text' name='crystals' /> <input type='submit' value='Swap' /></form>"; } else if($_GET['spend'] == 'money2') { $_POST['crystals'] = abs(@intval($_POST['crystals'])); if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals']) { print "Error, you either do not have enough Points or did not fill out the form. [url='spendpoints.php?spend=money']Back[/url]"; } else { $iqgain=$_POST['crystals']*$set['ct_moneypercrys']; $sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($_POST['crystals']))); $db->query($sprintf); $sprintf=sprintf("UPDATE users SET money=money+%d WHERE (`userid` = $userid)", abs(@intval($iqgain))); $db->query($sprintf); print "You traded {$_POST['crystals']} Points for \$".number_format($iqgain)."."; } } else if($_GET['spend'] == 'turnsfill2') { if($ir['crystals'] <24) { print "You don't have enough Points!"; } else if($ir['luckydip_turns'] ==0) { $sprintf=sprintf("UPDATE users SET luckydip_turns=luckydip_turns+%d WHERE (`userid` = $userid)", abs(@intval(1))); $db->query($sprintf); $sprintf=sprintf("UPDATE users SET crystals=crystals-$d WHERE (`userid` = $userid)", abs(@intval(25))); $db->query($sprintf); print " [b]<big>You have paid [b]<big>[b]25[/b]</big>[/b] Points to reset your Lucky Dip.[/b]</big> [url='luckydip.php']Go to Lucky Dip[/url][/b]"; } else { print " You still have chances left ! [url='luckydip.php']Go to Lucky Dip[/url][/b]"; } } } $h->endpage(); ?>

Well I started a few days ago and begin reading from the very first page and have to say this is one of the best sites I have found with info about mccodes......I started reading from the first page 114...I have to say there is some good information there. I just finished checking out all the pages today and my biggest concern atm is Security...I read alot about people getting hacked..also I read alot about how to prevent this. I have noted a few explainations i seen...then I made it to Optimus Prime's "tutorial"..and have to say it is really good from my point of veiw...any way I had a go at securing my spendpoints.php(previously crystalmarket.php) and Ill post the code below..i checked the page everything looks to be running fine. Just wanted to know if i do the same for all my pages will my game be secure ?...also i found this back on page wte... Quick FIx - Add into header.php: $_GET['viewforum'] = abs(@intval($_GET['viewforum'])); $_GET['viewtopic'] = abs(@intval($_GET['viewtopic'])); would that secure my site ?...or would it be better to use the method outlined in Optimus Primes tut ? thanks guys << Im still studing PHP but im learning so much :D later