Everything posted by Magictallguy
-
Not a hack, just a basic exploit. Secure your source, or hire someone to do so
-
Well said sir :)
-
mccode-v2 Updated Newspaper - more than one page
Magictallguy replied to Magictallguy's topic in Free Modifications
Easily done, simply link up your BBCode Parser (normally something like bccode_engine.php), and make it parse what it should ;)
-
mccode-v2 Updated Newspaper - more than one page
Magictallguy replied to Magictallguy's topic in Free Modifications
Code updated :)
-
I presume you're using MC Codes. If so, then you want to change `admin` to `user_level`. The second error I can't help with until I see the rest of that form code
-
Already created, and can be seen working at Deadly Country
-
include(DIRNAME(DIRNAME(__FILE__)) . '/includes/functions.php');
-
```php
<?php
include(DIRNAME(__FILE__) . '/globals.php');

// Whitelist the requested window; anything unrecognised falls back to one day
$_GET['time'] = isset($_GET['time']) && is_string($_GET['time']) ? strtolower(trim($_GET['time'])) : false;
if($_GET['time'] == 'fiveminutes') {
    $time = 300;
} else if($_GET['time'] == 'thirtyminutes') {
    $time = 1800;
} else if($_GET['time'] == 'onehour') {
    $time = 3600;
} else {
    $time = 86400;
}

// The links pass ?time=, which is the parameter read above
echo "<table width='90%' border='1' height='20' class='table'>
<tr>
<th><u><a href='usersonline.php?time=fiveminutes'>Five Minutes</a></u></th>
<th><u><a href='usersonline.php?time=thirtyminutes'>Thirty Minutes</a></u></th>
<th><u><a href='usersonline.php?time=onehour'>One Hour</a></u></th>
<th><u><a href='usersonline.php?time=oneday'>One Day</a></u></th>
</tr>
</table>";
echo "<table width='90%' border='1' height='20' class='table'>
<tr style='text-decoration:underline;'>
<th height='6'>Order</th>
<th>Name</th>
<th>ID</th>
<th>Level</th>
<th>Gender</th>
<th>Last Action</th>
<th>Money</th>
<th>Attack</th>
</tr>";

// $time only ever holds one of the fixed integers set above, so it is safe to concatenate
$q = $db->query("SELECT `username`,`userid`,`laston`,`gender`,`money`,`level` FROM users WHERE laston > (unix_timestamp() - ".$time.") ORDER BY laston DESC");
$cn = 0;
while($r = $db->fetch_row($q)) {
    // Turn the time since the last action into a single readable unit
    if($r['laston'] > 0) {
        $la = time() - $r['laston'];
        $unit = "seconds";
        if($la >= 60) {
            $la = (int) ($la / 60);
            $unit = "minutes";
        }
        if($la >= 60) {
            $la = (int) ($la / 60);
            $unit = "hours";
            if($la >= 24) {
                $la = (int) ($la / 24);
                $unit = "days";
            }
        }
        $str = $la." ".$unit." ago";
    } else {
        $str = "--";
    }
    $cn++;
    // rasheed() is not defined in this script; it has to come from the included files
    echo "<tr>
    <th>".$cn."</th>
    <th><a href='viewuser.php?u=".$r['userid']."'>".rasheed($r['username'])."</a></th>
    <th>".rasheed($r['userid'])."</th>
    <th>".rasheed($r['level'])."</th>
    <th>".$r['gender']."</th>
    <th>".$str."</th>
    <th>\$".rasheed($r['money'])."</th>
    <th><a href='attack.php?ID=".$r['userid']."'>Attack ";
    echo ($r['gender'] == 'Female') ? "her" : "him";
    echo "</a></th>
    </tr>";
}
echo "</table>";
$h->endpage();
?>
```
Untested, but should work fine
-
You are welcome to do some yourself if you want ;)
-
bored, so i done this lol. nothing special.
Magictallguy replied to Nicholas's topic in Free Modifications
Source for the JavaScript: http://www.dynamicdrive.com/dynamicindex11/arrowtitle.htm
And it does work on the login/register
-
Can someone just check over this quick please
Magictallguy replied to CherryDarling's topic in General Discussion
Ah, my Bank PIN mod. Haven't seen that for a while.. I should really update that sometime lol
-
Looks like Karlos' code ;)
-
Hey John, welcome to Make Web Games :) Got any questions, just give me a shout
-
A small security tutorial, hope its somewhat helpful.
Magictallguy replied to a topic in Tips and tutorials
Fair enough :)
-
Revisited this thread after randomly searching my name and noticed I hadn't updated the code in a while.. Here's my update - functionality is very similar, it just runs slightly faster (and obviously has no errors lol)
```php
<?php
include(DIRNAME(__FILE__) . '/globals.php');
echo "<h3>Crystal Bank</h3>";
if($ir['crystalbank'] > -1) {
    // Only alphabetic action names are accepted; anything else shows the index
    $_GET['action'] = isset($_GET['action']) && ctype_alpha($_GET['action']) ? strtolower(trim($_GET['action'])) : false;
    switch($_GET['action']) {
        case "deposit": deposit(); break;
        case "withdraw": withdraw(); break;
        default: index(); break;
    }
} else {
    $cost = 25000; #Change this to the price you would like
    $s = ($cost == 1) ? '' : 's'; #Do not change this line
    $currency = 'money'; #Change money to crystals if you would prefer to charge crystals for a crystal bank account
    $display = ($currency == 'money') ? '$'.number_format($cost) : number_format($cost).' crystal'.$s; #Do not change this line
    if(isset($_GET['buy'])) {
        // Holding exactly the asking price is enough to buy
        if($ir[$currency] >= $cost) {
            echo "Congratulations, you bought a crystal bank account for ".$display."! <a href='crystalbank.php'>Start using my account</a>";
            $db->query("UPDATE users SET ".$currency." = ".$currency." - ".$cost.", crystalbank = 0 WHERE (userid = ".$userid.")");
        } else {
            echo "You do not have enough ".$currency." to open an account. <a href='explore.php'>Back to town...</a>";
        }
    } else {
        echo "Open a crystal bank account today, just ".$display."! <a href='crystalbank.php?buy'>> Yes, sign me up!</a>";
    }
}

function index() {
    global $db, $ir,$c,$userid,$h;
    $s = ($ir['crystalbank'] == 1) ? '' : 's';
    echo "<b>You currently have ".number_format($ir['crystalbank'])." crystal".$s." in your Crystal bank.</b>
    <table width='75%' cellspacing='1' class='table'>
    <tr>
    <td width='50%'><b>Deposit Crystals</b>
    <form action='crystalbank.php?action=deposit' method='post'>
    Amount: <input type='text' name='deposit' value='".number_format($ir['crystals'])."' />
    <input type='submit' value='Deposit' />
    </form></td>
    <td><b>Withdraw Crystals</b>
    <form action='crystalbank.php?action=withdraw' method='post'>
    Amount: <input type='text' name='withdraw' value='".number_format($ir['crystalbank'])."' />
    <input type='submit' value='Withdraw' />
    </form></td>
    </tr>
    </table>";
}

function deposit() {
    global $db, $ir, $userid, $h;
    // Crystals are whole units: strip thousands separators, then force a non-negative integer
    // so a fractional amount cannot be rounded differently on each side of the UPDATE
    $_POST['deposit'] = isset($_POST['deposit']) && is_string($_POST['deposit']) ? str_replace(',', '', $_POST['deposit']) : 0;
    $_POST['deposit'] = abs((int) $_POST['deposit']);
    if($_POST['deposit'] > $ir['crystals']) {
        echo "You do not have enough crystals to deposit in the bank.";
        $h->endpage();
        exit;
    }
    $gain = $_POST['deposit'];
    // Keep the in-memory bank balance in step with the database for the message below
    $ir['crystalbank'] += $gain;
    $db->query("UPDATE users SET crystalbank = crystalbank + ".$gain.", crystals = crystals - ".$_POST['deposit']." WHERE (userid = ".$userid.")");
    $s = ($_POST['deposit'] == 1) ? '' : 's';
    $s2 = ($ir['crystalbank'] == 1) ? '' : 's';
    echo "You hand over ".number_format($_POST['deposit'])." crystal".$s." to be deposited, ".number_format($gain)." crystal".$s." are added to your account. <b>You now have ".number_format($ir['crystalbank'])." crystal".$s2." in the crystal bank.</b> <a href='crystalbank.php'>> Back</a>";
}

function withdraw() {
    global $db, $ir, $userid, $h;
    // Same whole-unit, non-negative handling as deposit()
    $_POST['withdraw'] = isset($_POST['withdraw']) && is_string($_POST['withdraw']) ? str_replace(',', '', $_POST['withdraw']) : 0;
    $_POST['withdraw'] = abs((int) $_POST['withdraw']);
    if($_POST['withdraw'] > $ir['crystalbank']) {
        echo "You do not have enough crystals to withdraw from the bank.";
        $h->endpage();
        exit;
    }
    $gain = $_POST['withdraw'];
    $ir['crystalbank'] -= $gain;
    $db->query("UPDATE users SET crystalbank = crystalbank - ".$gain.", crystals = crystals + ".$gain." WHERE (userid = ".$userid.")");
    $s = ($gain == 1) ? '' : 's';
    $s2 = ($ir['crystalbank'] == 1) ? '' : 's';
    echo "You ask to withdraw ".number_format($gain)." crystal".$s.", the banking lady grudgingly hands it over. <b>You now have ".number_format($ir['crystalbank'])." crystal".$s2." in the bank.</b> <a href='crystalbank.php'>> Back</a>";
}

$h->endpage();
?>
```
-
Preg_Match Help :-) Security Fix for Viewuser hack.
Magictallguy replied to Joshua's topic in General Discussion
Remove the print from that code. It'll error if you don't
-
A small security tutorial, hope its somewhat helpful.
Magictallguy replied to a topic in Tips and tutorials
1 question: why would you use mysql_real_escape_string() on a numerical value? It is designed to add backslashes (binary safe) to strings that contain apostrophes and quote marks.
```php
$_POST['someText'] = mysql_real_escape_string($_POST['someText']);
mysql_query("INSERT INTO `table` VALUES ('".$_POST['someText']."')") or die(mysql_error());
```
It has no effect on numbers, and therefore is a waste of space in that use ;)
-
Happy to help :)
-
Oh baby! Sam, Jordan? 3-some? :D
-
He's got me to fall back on if he's stuck, don't worry Jordan :P
-
Thanks, but it was your idea -.-
-
Right, well.. You have my messenger, contact me whenever ;)
-
Sorry guys, code modified..
-
Maybe so, but is it secure?
-
Original post updated, you can now choose which one you want *mutters under his breath: annoying little {censored} so bothered a less than a millisecond of parsing speed* *angel icon*