Damond

Love the idea of this staff panel. Just a few errors so far. Trying to ban a user. edit: QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-bans WHERE userid = 100' at line 1 Query was SELECT ban_type, ban_until, banned_by FROM pusher_chat-bans WHERE userid = 100 If I had opened my eyes I would have seen the problem here: Line 113   $selectBan = $db->query("SELECT ban_type, ban_until, banned_by FROM pusher_chat-bans WHERE userid = ".$who);   Change too:   $selectBan = $db->query("SELECT ban_type, ban_until, banned_by FROM pusher_chat_bans WHERE userid = ".$who);   New error when trying to ban someone. ERROR You didn't select a valid ban type Trying to edit a room Select the one and only room that I have and change the name. ERROR You didn't select a valid room Add room works fine. Delete room works fine as well.

*waits on pins and needles* Hurry up pins and needles hurt! LOL [MENTION=65371]sniko[/MENTION] great work as always!

Veramis gave me a neat idea to try and take part. I can be a little creative when I want to be so here is this. I hope this qualifies me for this. I have been needing a new chat room for days now. We are Using Dave's but I really don't think it was built to handle the kind of traffic that is running through ours.

Our game is almost ready for beta testing. We have two more mods that really need to be installed/created, then going through each file and making sure to look for security issues. My coding partner is out of the picture for now with a snow causing him to have no power issue so I am going to turn to you guys for help in finishing the next mod. We are working on stat potions. AKA elixirs in Flight of Dragons. Veramis was able to create a start to the system which I have in turn been able to make work but not correctly. This is in the item use file:   if($r['effect1_on']){ if ($r['itmid'] == 135) { $s = $ir['strength']; $d = (.5); $text = "strength"; $stat = $s * $d; $statt = $stat + $ir['strength']; $db->query("INSERT INTO statsbonus VALUES($userid,$stat,135,30,'$text’,1)”); $db->query("UPDATE userstats SET strength=strength+$stat WHERE userid={$userid}"); print"You used an Elixer of Strength and can feel yourself getting stronger, your strength is now ".number_format($statt)." for the next 30 minutes."; } }   This is in the new Cron file: Thank you [MENTION=68774]HauntedDawg[/MENTION]   $query_stat = sprintf("UPDATE statsbonus SET wait_time=wait_time - %u WHERE wait_time <> 0", $statsbonus); $db->query($query_stat); $db->query("UPDATE `statsbonus` SET `wait_time` = 0 WHERE `wait_time` < 0"); $e = $db->query("SELECT * FROM statsbonus WHERE wait_time = 0 and userid=$userid"); $f = $db->fetch_row($e); if($f['wait_time'] == 0){ $stat = $f['bonus']; $text = $f['stat']; if($text == 'strength'){ $db->query("UPDATE userstats SET strength=strength-$stat WHERE userid=".$f['userid'].""); event_add($userid, "Your {$text} elixir wore off.", $c); } } $db->query("DELETE FROM statsbonus WHERE wait_time = 0");   My table is set up: userid bonus <—— What the bonus amt is. elixir <—— Item number wait_time <—— How long it lasts stat <—— What stat its effecting stack_atm <—— How many have been used in a row   Where my problem come in is if you use more then one at a time. I know it is going to need to be something more like:   if ($r['itmid'] == 135) { $s = $ir['strength']; $d = (.5); $text = "strength"; $stat = $s * $d; $statt = $stat + $ir['strength']; $sb = $db->query(“SELECT * FROM stats bonus WHERE userid = $userid”); $bonus = $db->fetch_row($sb); if ($bonus[’stat’] == ‘strength’) { $db->query(“UPDATE statsbonus SET bonus = bonus + $stat, stack_amt = stack_amt + 1”); $db->query("UPDATE userstats SET strength=strength+$stat WHERE userid={$userid}"); print"You used an Elixir of Strength and can feel yourself getting stronger, your strength is now ".number_format($statt)." for the next 30 minutes."; } else { $db->query("INSERT INTO statsbonus VALUES($userid,$stat,135,30,'$text’,1)”); $db->query("UPDATE userstats SET strength=strength+$stat WHERE userid={$userid}"); print"You used an Elixir of Strength and can feel yourself getting stronger, your strength is now ".number_format($statt)." for the next 30 minutes."; } }   I know its wrong but hey I have been coding PHP and SQL for a total of three months now. Right now as long as you don't use more then one it works exactly as it is supposed too. But we want users to be able to use more then one. So the idea is: You use the elixir. Your strength goes up by 50% for 30 minutes. You use a second elixir. Your NEW strength go up by 50% again for 30 minutes. And so on stacking as many as you want When the first 30 minutes are up you get an event telling you. Total strength is now - the first bonus. Same with the second and so forth until you are again at your normal stat. I can feel that I am on the right path. I just need a little more direction.

It is updating the timestamp by sixty second, but it is doing it with every click. I don't think it is supposed to do that. You know what... I looked at this other version of doing the same thing. http://makewebgames.io/showthread.php/32642-any-version-Removal-of-1-minute-crons This works some much better.

I found this to be really interesting as I am developing on a local host and didn't REALLY want to go to all the effort of setting up cron jobs. We set it up several weeks ago and it has been working fine up to yesterday. Now I don't understand what has gone wrong.   <?php $file = 'crons/minute.php'; $time = time(); $q = $db->query("SELECT `nextUpdate` FROM `crons` WHERE `file`='{$file}' AND `nextUpdate` <= unix_timestamp()"); $r = $q->fetch_row(); $lastUpdate = $r[0]; $diff = $time - $lastUpdate; $updates = floor($diff / 60); // 300 for 5 min crons. 3600 for hour. 3600*24 for day if ($updates > 0) { $db->query("UPDATE users SET hospital=hospital-(1*$updates) WHERE hospital > 0"); $db->query("UPDATE users SET jail=jail-(1*$updates) WHERE `jail` > 0"); $db->query("UPDATE users SET travel_time=travel_time-(1*$updates) WHERE user_level!=2 AND `travel_time` > 0"); $db->query("UPDATE users SET quest_time=quest_time-(1*$updates) WHERE quest_time > 0"); $db->query("UPDATE users SET quest_time=0 WHERE quest_time < 0"); $db->query("UPDATE users SET hospital=0 WHERE hospital < 0"); $db->query("UPDATE users SET jail=0 WHERE jail < 0"); $db->query("UPDATE users SET travel_time=0 WHERE travel_time < 0"); $times = time()+60; $db->query("UPDATE `crons` SET `nextUpdate`={$times} WHERE `file`='{$file}'"); } ?>   No one is going to the hospital, or jail. I have gone into the DB and added times to these rows and as soon as you click in the game it is resetting it to 0.

[MENTION=64603]Sim[/MENTION] We tried while($inv = mysqli_fetch_array($res)) But it gives the same result. I was wrong before in saying they are all saying 'none' the last one is actually reading out correctly.

[MENTION=64603]Sim[/MENTION] While much cleaner for some reason all of them are showing as 'None' I did change all my IF statements to match the $inv.

I know there is a way.... Can some one show me how to make this much MUCH shorter?   $invs = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 84")); $invs2 = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 87")); $invs3 = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 90")); $invs4 = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 93")); $invs5 = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 96")); $invs6 = $db->fetch_row($db->query("SELECT * FROM inventory WHERE inv_userid = {$ir['userid']} AND inv_itemid = 99")); if ($invs['inv_itemid'] == 84 && $invs['inv_qty'] > 0){ $on_hand = $invs['inv_qty']; } else { $on_hand = 'None'; } if ($invs2['inv_itemid'] == 87 && $invs2['inv_qty'] > 0){ $on_hand2 = $invs2['inv_qty']; } else { $on_hand2 = 'None'; } if ($invs3['inv_itemid'] == 90 && $invs3['inv_qty'] > 0){ $on_hand3 = $invs3['inv_qty']; } else { $on_hand3 = 'None'; } if ($invs4['inv_itemid'] == 93 && $invs4['inv_qty'] > 0){ $on_hand4 = $invs4['inv_qty']; } else { $on_hand4 = 'None'; } if ($invs5['inv_itemid'] == 96 && $invs5['inv_qty'] > 0){ $on_hand5 = $invs5['inv_qty']; } else { $on_hand5 = 'None'; } if ($invs6['inv_itemid'] == 99 && $invs6['inv_qty'] > 0){ $on_hand6 = $invs6['inv_qty']; } else { $on_hand6 = 'None'; }   There are so many items in the inventory and we are trying to target these 6. I have been reading about arrays and imploding and exploding and my damn head is about to explode.. Thanks in advance. I always get the best advice here.

Here is what the trade looks like from the user end: Here is an example of what I am expecting the Database to look like: You can see in the items needed on lines 2 and 3 that there are two items listed in the items_needed column as well as in the qty_needed. This is what I am expecting my code to do but for some reason it is not.

So my coding partner and I have been working on a bit of an advanced trade system and we just can't seem to get it to work the way it should. He has been sick for several days now and we are really behind on getting this game out to beta testing so I thought I would ask you guys. The way it works: Player A wants to trade items with Player B. Using a trade box player A can add items and/or gold. Once this is finished the trade box waits there for player B to add to it. If there is nothing to be added both players must accept the trade before it is completed. Simple right? We found a simple version of this here that needed a little re-coding and adjusting to make it work, but the problem is that you could only trade one item at a time and you could only have on trade box at a time. We want player to be able to have as many trades as they want with the ability to have up to 10 items of any amounts as well as gold. So here is what we have: CREATE TABLE IF NOT EXISTS `trades` ( `trID` int(11) NOT NULL AUTO_INCREMENT, `trFROM` int(11) NOT NULL DEFAULT '0', `trUSER` int(11) NOT NULL DEFAULT '0', `trGOLD` int(11) NOT NULL DEFAULT '0', `trITEM` varchar(70) NOT NULL DEFAULT '', `trQTY` varchar(70) NOT NULL DEFAULT '', `trACC` tinyint(1) DEFAULT '0', `trRGOLD` int(11) NOT NULL DEFAULT '0', `trRITEM` varchar(70) NOT NULL DEFAULT '', `trRQTY` varchar(70) NOT NULL DEFAULT '', `trRACC` tinyint(1) NOT NULL DEFAULT '0', PRIMARY KEY (`trID`) ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=15 ; The row trITEM is set to archer(70) so that player A can get more then one item in there, as well as trRITEM for Player B. We did the same with the two QTY rows so that it will hold the amount of each item. Now all we needed where the functions for viewing, accepting, declining, and making a trade. Making the trade is where we are having a problem. Here is the function and the form: function begin_trade() { global $db, $ir, $c, $userid, $h; if($_POST) { $_POST['user'] = filter_var($_POST['user'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['user']) : 0; $_POST['gold'] = filter_var($_POST['gold'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['gold']) : 0; $_POST['userid'] = filter_var($_POST['userid'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['userid']) : 0; $_POST['item'] = filter_var($_POST['item'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['item']) : 0; $items = $_POST['item']; $qty = $_POST['amt'] = filter_var($_POST['amt'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['amt']) : 0; for($i = 1; $i <= 5; $i++) { $_POST["item".$i] = filter_var($_POST["item".$i], FILTER_VALIDATE_INT) ? abs( (int) $_POST["item".$i]) : 0; $_POST['amt'] = filter_var($_POST['amt'], FILTER_VALIDATE_INT) ? abs( (int) $_POST['amt']) : 0; if($_POST['item'.$i] > 0) { $items .= ",". $_POST['item'.$i]; $qty .= ",". $_POST['amt']; } } $us = $db->query("SELECT * FROM users WHERE userid = {$_POST['user']}"); if ($db->num_rows($us) == 0) { showErrMsg('You are trying to trade with an invalid user!'); } if ($gold > $ir['gold']) { showErrMsg('You don\'t have enough gold to trade!'); } if ($qty < 0) { showErrMsg('You can\'t trade a negative amount.'); } $db->query("INSERT INTO trades VALUES (NULL,{$userid},{$_POST['user']},{$_POST['gold']},{$items},{$qty},0,0,0,0,0)"); print "The trade has been entered!"; exit($h->endpage()); } ?> <form id="trade" method="post"> <fieldset style='width:50%;'><legend>Trading</legend> Userid: <input type='text' name='user' length='7' maxlength='7' value='0' /> <br /> <div id="input1" style="margin-bottom:4px;" class="clonedInput"> Item Needed: <?php echo inv_dropdown($c, "item") ?> x <input type='text' name='amt' size='2' value='0' /> </div> <div> <input type="button" id="btnAdd" value="&plus;" /> <input type="button" id="btnDel" value="−" /> </div> <br /> Gold: <input type='text' name='gold' value='0' /> <br /> </fieldset> <input type='submit' value='trade' /> </form> <?php } In our form we call to a javascript that is in the header as it is used in several places. This script is what allows us to add multiple items to the trade: <script type="text/javascript"> $(document).ready(function() { $('#btnAdd').click(function() { var num = $('.clonedInput').length; var newNum = new Number(num + 1); var newElem = $('#input' + num).clone().attr('id', 'input' + newNum); newElem.children(':first').attr('id', 'item_needed' + newNum).attr('name', 'item_needed' + newNum); $('#input' + num).after(newElem); $('#btnDel').attr('disabled',''); if (newNum == 10) $('#btnAdd').attr('disabled','disabled'); }); $('#btnDel').click(function() { var num = $('.clonedInput').length; $('#input' + num).remove(); $('#btnAdd').attr('disabled',''); if (num-1 == 1) $('#btnDel').attr('disabled','disabled'); }); $('#btnDel').attr('disabled','disabled'); }); </script> Now everything runs fine except that when you add more then one item to the trade it is not being added to the data base. It is only adding the first item and the first quantity. I have seen this done before with the varchar holding multiple variables I'm just really unsure why it is not working for me now.

[MENTION=70485]G7470[/MENTION] Thanks for the quick response. That worked perfectly. I'm still trying to get a handle on this PHP stuff but with people like you around I'm learning more and more.

I have been working on a Questing mod for my game and I am expecting to constantly be adding new quests. So instead of having to go in edit the page all the time I have added a column to my database take called "active". This way users only see what ever quests are set to active. For the admin side it lists every quest in the game with two extra columns on showing if the quest is active and the other showing a link to edit the quest. Where I am having my problem is the "active" column. Starting about line 61 here. No mater what the first quest is set too all of the others are shown the same. Meaning if the first quest is set to "yes" all the quests listed after are set to yes even if they are not in the db. Logging in as a normal use I still only see the quests that are set to active in the database.   if ($_GET['qstart']) { $_GET['qstart'] = abs((int) $_GET['qstart']); //Verify. $cd = $db->query("SELECT * FROM questing WHERE qID={$_GET['qstart']}"); $coud = $db->fetch_row($cd); $item = $db->query("SELECT * FROM inventory WHERE inv_itemid={$coud['qItem']}"); $f = $db->fetch_row($item); if ($db->num_rows($cd) == 0) { showErrMsg('You are trying to start a nonexistent quest!'); } if ($db->num_rows($item) < 1) { showErrMsg('You don\'t have the '.$coud["qItem"].'. You must get one before starting this quest.'); } $cd = $db->query("SELECT * FROM questing WHERE qID={$_GET['qstart']}"); $coud = $db->fetch_row($cd); $db->query("UPDATE users SET quest=".$coud['qID'].",quest_time=".$coud['qStart'].", quest_step=1 WHERE userid=$userid"); print "".$coud['qStartText'].", it will take ".$coud['qStart']." minutes to finish this step."; } else { //list courses print "Here is a list of quests that are available to you."; if ($ir['user_level'] == 2) { $q = $db->query("SELECT * FROM questing ORDER BY qID ASC"); } else { $q = $db->query("SELECT * FROM questing WHERE qActive=1 ORDER BY qID ASC"); } print "<br> <table id='demo-table3' width=100% cellspacing=1 class='table'> <tr> <th>Quest</th> <th>Description</th> <th>Item Needed</th> <th>Start</th>"; if ($ir['user_level']==2) { print" <th>Active</th> <th>Edit</th>"; } print "</tr>"; while ($r = $db->fetch_row($q)) { $cdo = $db->query("SELECT * FROM quest_done WHERE userid=$userid AND questid={$r['qID']}"); if ($db->num_rows($cdo) == 5) { // 5 allowed per day $do = "<i>Done</i>"; } else { $do = "<a href='questing.php?qstart={$r['qID']}'>Take</a>"; } $cd = $db->query("SELECT * FROM questing"); $coud = $db->fetch_row($cd); $n = $db->query("SELECT itmname FROM items WHERE itmid={$coud['qItem']}"); $need = $db->fetch_row($n); print " <tr align=center> <td width=20%>".$r['qName']."</td> <td>".$r['qDescription']."</td> <td width=15%>".$need['itmname']."</td> <td width=10%>$do</td>"; if ($ir['user_level']==2) { print" <td width=7%>"; if ($coud['qActive'] == 1) { print"<font color=green>Yes</font>"; } else { print"<font color=red>No</font>"; } print"</td> <td width=7%><a href='staff_quest.php?action=editquest'>Edit</a></td>"; } print"</tr>"; } print "</table>"; } }

Reduced Damage So here I go again messing with my attack file. I got a nice little bit of help from [MENTION=50378]Guest[/MENTION] and finally got it working just the way I want it too, and now I'm going to go messing with it again. Just another one of those little things that will make my game unique. So there are several weapons in my game but they all come in four basic types. Fire, Ice, Lightning, and Poison. I added an extra column to my items table so that each of these can have their own type other than itm_type. Its very simple types 1 - 4. Now the theory is both player A and player B are using a type 1 weapon. Because they are both using a type 1 weapon we want them to cause less damage. It is hard coded in the game that these types of weapons MUST be equip_secondary. Here is what we are starting with: if ($_GET['wepid'] == $ir['equip_primary'] || $_GET['wepid'] == $ir['equip_secondary']) { $qo = $db->query("SELECT i.* FROM items i WHERE i.itmid={$_GET['wepid']}"); // selecting all from items $r1 = $db->fetch_row($qo); $mydamage = (int) (($r1['weapon']*$youdata['strength']/($odata['defense']/1.5))*(rand(8000,12000)/10000)); $hitratio = max(10,min(60*$ir['agility']/$odata['speed'],95)); if (rand(1,100) <= $hitratio) { $q3=$db->query("SELECT i.armor FROM items i WHERE itmid={$odata['equip_armor']} ORDER BY rand()"); if ($db->num_rows($q3)) { $mydamage-=$db->fetch_single($q3); } if ($mydamage < -100000) { $mydamage=abs($mydamage); } else if ($mydamage < 1) { $mydamage=1; } $crit=rand(1,40); if ($crit==17) { $mydamage*=rand(20,40)/10; } else if ($crit==25 or $crit == 8) { $mydamage/=(rand(20,40)/10); } $mydamage=round($mydamage); $odata['hp']-=$mydamage; if ($odata['hp']==1) { $odata['hp']=0;$mydamage+=1; } $db->query("UPDATE users SET hp=hp-$mydamage WHERE userid={$_GET['ID']}"); print "<font color=red>{$_GET['nextstep']}. Using your {$r1['itmname']} you hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; $_SESSION['attackdmg']+=$mydamage; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r1['itmname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; if ($_GET['wepid'] == $ir['equip_secondary'] and $ir['breath_use']>0) { $db->query("UPDATE users SET breath_use=breath_use-1 WHERE userid=$userid"); } }   We are already selecting all from the items table. I have been scratching my head all day in how to code the next part correctly for the call the the row "type" in my items as it relates to the weapons being used.   if ($_GET['wepid'] == $ir['equip_secondary'] && $ir['weapon type'] == $odata['weapon type'] { //insert call here $mydamage = (int) (($r1['weapon']*$youdata['strength']/($odata['defense']/1.5))*(rand(8000,12000)/10000)/3); } else if { $mydamage = (int) (($r1['weapon']*$youdata['strength']/($odata['defense']/1.5))*(rand(8000,12000)/10000)); }   I'm telling you its staring me right in the face and I just can't put my finger on it. Any ideas? Thanks in advance.

Your right in that there is not a second check on the submit side to insure that they own this item, but then again if they don't own the item in the first place it does not appear in the drop down. If they get past that point and have added an item that they do not own, when they get to the quick link it checks their inventory for that item and gives a warning that they do not have any of this item. This is assuming that they input the correct inventory id and not the item id. If they try and use an item id they will get an invalid use of file warning.   $_GET['ID'] = abs((int) $_GET['ID']); //Food if(!$_GET['ID']) { print "Invalid use of file"; } else { $i=$db->query("SELECT iv.*,i.*,it.* FROM inventory iv LEFT JOIN items i ON iv.inv_itemid=i.itmid LEFT JOIN itemtypes it ON i.itmtype=it.itmtypeid WHERE iv.inv_id={$_GET['ID']} AND iv.inv_userid=$userid"); if(mysql_num_rows($i) == 0) { print "You don't have any of that item!<br>"; print "<a href='preferences.php?action=itemchange'><button>Preferences</button></a>"; print "<a href='inventory.php'><button>Inventory</button></a>"; }

So all this said, is there a "best" way of protecting yourself with out having to add lines and lines of extra coding for every user input? Understand most of what has been said in this thread is way over my head. I have done so much reading on SQL injection security and CSRF security in the last two days that I am completely at a loss as to what actually needs to be done.

My mistake.

I'm sorry but you guys seem to be really over complicating this. There is a set of three drop down menus. Healing, Jail, and Feed. These lists are populated only from what a user has in their inventory. There is no actual user input other then picking an item from menus to be set as a quick link and hitting the submit button. IF they where to somehow change the id of the item to be set in the user table they would still run into an invalid use of file as the quick links use a inventory id not the actual item id. And even at that it still checks again to insure that you do have this item in your inventory before letting you use it.

Thank you guys for all the great input. As it turns out not only was a missing something in the second function but I also forgot to add the second function to my switch. Everything is working great now. My database is being updated with the selections users make and because of your guys at least this part of my coding is well protected. When my site is all said and done I might have to look into hiring out the task of securing my whole site. Thanks again and happy new year.

[MENTION=70600]SHPXLBH[/MENTION] Thanks so much. I was WAY off on this one. Lucky for me I have good people like you to come along and point out my errors. I did know about the security risk the way that it was I just wanted to get it to work before I worried about that part. As soon as I get home from this little new years gathering with my family I will change the code around and maybe show a nice screen shot if I can figure out how to post one. LOL

I have created some little links that are coded to pop up during certain situations such as being in jail or the hospital... Just a little quick link where the user doesn't have to go the their inventory every time to use and item. That was the easy part. Next I created some drop down menus in the preferences page that will allow the users to pick which item from their own inventory they would like to set to this quick link. And this is where I am running in to an SQL problem. I know it is just a little bit of something that I am missing to get the DB to update. I have been going over this code for three days now and can't see what it is that I am missing.   function item_change() { global $db,$ir,$c,$userid,$h; print "<h3> Set your healing, feeding, and jail quick menu items here</h3> <form action='preferences.php?action=itemchange2' method='post'> <table> <tr> <th>Healing</th> <th>Feeding</th> <th>Jail</th> </tr> <tr> <td>"; print "".healitem_dropdown(NULL, "healitem").""; print "</td><td>"; print "".fooditem_dropdown(NULL, "fooditem").""; print "</td><td>"; print "".jailitem_dropdown(NULL, "jailitem").""; print "</td> </tr> <tr> <td colspan=3 align='center'><input type=submit value=Change></td> </tr> </table> "; } function do_item_change() { global $db,$ir,$c,$userid,$h; $db->query("UPDATE users SET heal_item='{$_POST['healitem']}', feed_item='{$_POST['fooditem']}', jail_item='{$_POST['jailitem']}' WHERE userid=$userid"); print "Items changed"; }   All three menus are set up in the global functions page with all the rest of my drop downs and work perfectly. I'm sure someone is going to look at this and say "What is this idiot doing!?" The answer is simple. I'm trying to learn PHP and MySQL as I go. I think I am not doing to bad so far.

My SQL is correct. If you read in my first post using an if/elseif/else I was getting the right read out but it was running both lines of code. So which ever one I was chosing was correct while the other was coming up blank. I will try escaping all the variables like you suggested and see if that makes a difference.

From reading another thread I decided to try using switch. I'm sure I have it in place correctly. At least as correctly as I can see. I am getting no errors anyplace but I am still not getting the right read out when I try and attack with a spell. With my claw/bite or breath weapon everything works fine. Then when I move to try and use the next case spells I am back to getting: Using your you hit Demo doing 1 damage. Spell use counter is not counting down either. Again I feel it is just skipping my code for some reason.   switch ($_GET['wepid']){ case $ir['equip_primary'] || $ir['equip_secondary']: $qo=$db->query("SELECT i.* FROM items i WHERE i.itmid={$_GET['wepid']}"); $r1=$db->fetch_row($qo); $mydamage=(int) (($r1['weapon']*$youdata['strength']/($odata['defense']/1.5))*(rand(8000,12000)/10000)); $hitratio=max(10,min(60*$ir['agility']/$odata['speed'],95)); if(rand(1,100) <= $hitratio ) { $q3=$db->query("SELECT i.armor FROM items i WHERE itmid={$odata['equip_armor']} ORDER BY rand()"); if($db->num_rows($q3)) { $mydamage-=$db->fetch_single($q3); } if($mydamage < -100000) { $mydamage=abs($mydamage); } else if($mydamage < 1) { $mydamage=1; } $crit=rand(1,40); if($crit==17) { $mydamage*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $mydamage/=(rand(20,40)/10); } $mydamage=round($mydamage); $odata['hp']-=$mydamage; if($odata['hp']==1) { $odata['hp']=0;$mydamage+=1; } $db->query("UPDATE users SET hp=hp-$mydamage WHERE userid={$_GET['ID']}"); print "<font color=red>{$_GET['nextstep']}. Using your {$r1['itmname']} you hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; $_SESSION['attackdmg']+=$mydamage; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r1['itmname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; if ($_GET['wepid'] == $ir['equip_secondary'] and $ir['breath_use']>0){ $db->query("UPDATE users SET breath_use=breath_use-1 WHERE userid=$userid"); } } break; //If you use spells case $ir['equip_spell1'] || $ir['equip_spell2']: $qq=$db->query("SELECT s.* FROM spells s WHERE s.spellid={$_GET['wepid']}"); $r2=$db->fetch_row($qq); $mydamage2=(int) (($r2['weapon']*$youdata['IQ']/($odata['IQ']/1.5))*(rand(8000,12000)/10000)); $hitratio=max(10,min(60*$ir['agility']/$odata['speed'],95)); if(rand(1,100) <= $hitratio ) { $q3=$db->query("SELECT i.armor FROM items i WHERE itmid={$odata['equip_armor']} ORDER BY rand()"); if($db->num_rows($q3)) { $mydamage-=$db->fetch_single($q3); } if($mydamage2 < -100000) { $mydamage2=abs($mydamage2); } else if($mydamage2 < 1) { $mydamage2=1; } $crit=rand(1,40); if($crit==17) { $mydamage2*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $mydamage2/=(rand(20,40)/10); } $mydamage2=round($mydamage2); $odata['hp']-=$mydamage2; if($odata['hp']==1) { $odata['hp']=0;$mydamage2+=1; } $db->query("UPDATE users SET hp=hp-$mydamage2 WHERE userid={$_GET['ID']}"); print "<font color=red>{$_GET['nextstep']}. Using your {$r2['spellname']} you hit {$odata['username']} doing $mydamage2 damage ({$odata['hp']})</font><br />\n"; $_SESSION['attackdmg']+=$mydamage2; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r2['spellname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; if ($_GET['wepid'] == $ir['equip_spell1'] || $ir['equip_spell2'] and $ir['spell_use']>0){ $db->query("UPDATE users SET spell_use=spell_use-1 WHERE userid=$userid"); } } break; default: print "<font color=red>{$_GET['nextstep']}. You tried to hit {$odata['username']} but missed ({$odata['hp']})</font><br />\n"; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. {$ir['username']} tried to hit {$odata['username']} but missed ({$odata['hp']})</font><br />\n"; }

Hope everyone had a happy holiday. So let me give you a little background so you can understand why I am trying to do what I am trying to do. All the characters in my game are "born" with two forms of attack that stay with them through out the whole game. As users level these attack automatically get stronger. The base attack codes are fine with a little tweaking to fit my needs. Since you already have two forms of attack that you can never change I decided to add a third even if it is going to be in a limited way. The first attack is a bite/claw attack. You have unlimited use of this. The second is a breath weapon. For this one you start out limited to using it only twice per attack session. As you level that goes up The third is a spell of your choosing. This one will start out limited to twice a day as the spells get very powerful. Again as you level the number of spells per day you can cast goes up as well as maybe the number that can be equipped. Now to try and keep things organized and easy for the user to find when you buy a spell it is listed in your Spell book which is an extension of your inventory. I have added a new tables to store spells and spell types and spell effects... All my queries for listing the spells in your spell book and as an equipped spell work just fine. My problem is coming in on the attack screen. Because I don't want the effectiveness you your spells to be based on strength or defense, because lets face it just because your strong does not make your mind strong, I decided to base them on IQ. This means that I needed a second set of attack codes.   //damage if($_GET['wepid'] != $ir['equip_primary'] && $_GET['wepid'] != $ir['equip_secondary'] && $_GET['wepid'] != $ir['equip_spell1'] && $_GET['wepid'] != $ir['equip_spell2']) { print "<div class='box-style7'> <div class='title12'> <h2>Stop trying to abuse a game bug.</h2> </div> <a href='index.php'><button>Back</button></a> </div>"; $db->query("UPDATE users SET exp=0 where userid=$userid",$c); die(""); } // if you use normal bite or breath weapon if($_GET['wepid'] == $ir['equip_primary'] || $ir['equip_secondary']){ $qo=$db->query("SELECT i.* FROM items i WHERE i.itmid={$_GET['wepid']}"); $r1=$db->fetch_row($qo); $mydamage=(int) (($r1['weapon']*$youdata['strength']/($odata['defense']/1.5))*(rand(8000,12000)/10000)); $hitratio=max(10,min(60*$ir['agility']/$odata['speed'],95)); if(rand(1,100) <= $hitratio ) { $q3=$db->query("SELECT i.armor FROM items i WHERE itmid={$odata['equip_armor']} ORDER BY rand()"); if($db->num_rows($q3)) { $mydamage-=$db->fetch_single($q3); } if($mydamage < -100000) { $mydamage=abs($mydamage); } else if($mydamage < 1) { $mydamage=1; } $crit=rand(1,40); if($crit==17) { $mydamage*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $mydamage/=(rand(20,40)/10); } $mydamage=round($mydamage); $odata['hp']-=$mydamage; if($odata['hp']==1) { $odata['hp']=0;$mydamage+=1; } $db->query("UPDATE users SET hp=hp-$mydamage WHERE userid={$_GET['ID']}"); print "<font color=red>{$_GET['nextstep']}. Using your {$r1['itmname']} you hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; $_SESSION['attackdmg']+=$mydamage; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r1['itmname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; if ($_GET['wepid'] == $ir['equip_secondary'] and $ir['breath_use']>0){ $db->query("UPDATE users SET breath_use=breath_use-1 WHERE userid=$userid"); } } } //If you use spells else if ($_GET['wepid'] == $ir['equip_spell1'] || $ir['equip_spell2']){ $qq=$db->query("SELECT s.* FROM spells s WHERE s.spellid={$_GET['wepid']}"); $r2=$db->fetch_row($qq); $mydamage2=(int) (($r2['weapon']*$youdata['IQ']/($odata['IQ']/1.5))*(rand(8000,12000)/10000)); $hitratio=max(10,min(60*$ir['agility']/$odata['speed'],95)); if(rand(1,100) <= $hitratio ) { $q3=$db->query("SELECT i.armor FROM items i WHERE itmid={$odata['equip_armor']} ORDER BY rand()"); if($db->num_rows($q3)) { $mydamage-=$db->fetch_single($q3); } if($mydamage2 < -100000) { $mydamage2=abs($mydamage2); } else if($mydamage2 < 1) { $mydamage2=1; } $crit=rand(1,40); if($crit==17) { $mydamage2*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $mydamage2/=(rand(20,40)/10); } $mydamage2=round($mydamage2); $odata['hp']-=$mydamage2; if($odata['hp']==1) { $odata['hp']=0;$mydamage2+=1; } $db->query("UPDATE users SET hp=hp-$mydamage2 WHERE userid={$_GET['ID']}"); print "<font color=red>{$_GET['nextstep']}. Using your {$r2['spellname']} you hit {$odata['username']} doing $mydamage2 damage ({$odata['hp']})</font><br />\n"; $_SESSION['attackdmg']+=$mydamage2; $_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r2['spellname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n"; if ($_GET['wepid'] == $ir['equip_spell1'] || $ir['equip_spell2'] and $ir['spell_use']>0){ $db->query("UPDATE users SET spell_use=spell_use-1 WHERE userid=$userid"); } } }   I was sure this would work. A simple if/else if/else statement with the two primary weapons in the "IF" and the two spells in the "Else if" BUT using else if it seems to ignore that statement altogether. The primary weapons "If" works fine. When I attack with a spell I get 1. Using your you hit Demo with doing 1 damage. No spell name no actual damage and my spell use count does not change. Now if I change that "else if" to just "if" I get 1. Using your you hit Demo with doing 1 damage. 1. Using your Acid Orb you hit Demo doing 26 damage. 2. Using his Bite/Claw Demo hit you doing 17 damage. And the spell count goes down as it is supposed to. I don't understand why it is ignoring my 'else if' or why it is giving me the line with no weapon name and only one damage. Edit: After a little more research I understand now that it is giving me two attack lines when I use 'if' for the spells line because it is in fact running both lines. Any advice on how I could combined the two? If the user picks bite claw or breath run the first code else if the user casts a spell run the second

Your right it was a lot of work with some trial and error but I was happy all the same because it did accomplish what I wanted. As I said in the beginning of my last post I couldn't understand on my own how a session would work for this. Now seeing your post I will go back and try it that way just for the sake of learning something new.