Everything posted by Magictallguy
-
A small security tutorial, hope its somewhat helpful.
Magictallguy replied to a topic in Tips and tutorials
One question: why would you use mysql_real_escape_string() on a numerical value? It is designed to add backslashes (binary safe) to strings that contain apostrophes and quote marks.
[php]$_POST['someText'] = mysql_real_escape_string($_POST['someText']);
mysql_query("INSERT INTO `table` VALUES ('".$_POST['someText']."')") or die(mysql_error());[/php]
It has no effect on numbers, and therefore is a waste of space in that use ;)
-
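An added example, not code from the reply above or from MCCodes, showing the other half of that point: a value that is meant to be a number is validated as one and bound as an integer, so no string escaping is involved either way. It uses PDO with an in-memory SQLite database (assumed available) so that it runs stand-alone; the tables, the `users` row and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the original post): numeric input is validated and
// bound as an integer, so no string escaping is involved at all. Uses PDO with
// an in-memory SQLite database so it runs stand-alone; the tables and rows are
// constructed for the demo.
declare(strict_types=1);

// Return the validated positive integer, or null when the input is not one.
function validateId($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look up a username by id. The value is bound as PDO::PARAM_INT, so the driver
// never interpolates it into the SQL text; quoting is irrelevant here.
function findUsername(PDO $pdo, $rawId): ?string
{
    $id = validateId($rawId);
    if ($id === null) {
        return null;   // reject rather than "escape" a non-number
    }
    $stmt = $pdo->prepare('SELECT username FROM users WHERE userid = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Same idea for a free-text value: bind it, do not escape-and-concatenate.
function insertText(PDO $pdo, string $text): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->bindValue(':body', $text, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Read a post body back by its id, again through a bound parameter.
function fetchText(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');
$pdo->exec("INSERT INTO users (userid, username) VALUES (42, 'Magictallguy')");

// Constructed inputs standing in for $_GET / $_POST values.
foreach (['42', '42abc', '0', '-5', '4.2'] as $raw) {
    $found = findUsername($pdo, $raw);
    printf("%-8s => %s\n", var_export($raw, true), $found ?? 'rejected');
}

// A body containing quotes is stored intact because it was bound, not spliced.
$newId = insertText($pdo, "O'Brien said \"hi\"");
echo 'stored: ', fetchText($pdo, $newId), "\n";
```

Only `'42'` resolves to a name; the other four are rejected before any query is built, which is the check the escaping call in the reply above never provides for an unquoted numeric position.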
Happy to help :)
-
Oh baby! Sam, Jordan? 3-some? :D
-
He's got me to fall back on if he's stuck, don't worry Jordan :P
-
Thanks, but it was your idea -.-
-
Right, well.. You have my messenger, contct me whenever ;)
-
Sorry guys, code modified..
-
Maybe so, but is it secure?
-
Original post updated, you can now choose which one you want *mutters under his breath: annoying little {censored}, so bothered about less than a millisecond of parsing speed* *angel icon*
-
If you're really so bothered about speed, I'm happy to "convert" my code out of sprintf() -.-
-
strip_tags(), htmlspecialchars()/htmlentities(), and str_replace() can help you here
-
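An added example, not code from the reply above or from MCCodes, showing which of the three functions named in that reply fits which job: `htmlspecialchars()` encodes for an HTML context, `strip_tags()` only removes markup, and `str_replace()`-style cleanup belongs to input validation, not output. The sample value and the `renderRow()` helper are constructed for the demo; `ENT_QUOTES` is set explicitly because before PHP 8.1 the default flags left the single quote alone, which matters for the `value='...'` attributes used throughout the code on this page.

```php
<?php
// Added example (not from the original reply): output encoding versus tag
// stripping versus character cleanup. The sample value is constructed.
declare(strict_types=1);

// Encode for HTML text and for quoted attribute values. ENT_QUOTES is set
// explicitly so that single-quoted attributes are covered on every PHP version.
function encodeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Keep a plain-text version of a value (e.g. for a log line or a page title).
// strip_tags() removes markup but does not encode, so the result still needs
// encodeHtml() before it is written into a page.
function plainText(string $s): string
{
    return trim(strip_tags($s));
}

// Allow-list cleanup for a display name: letters, digits, space, '_' and '-'.
// This is validation, not an encoder; encoding still happens at output time.
function cleanName(string $s): string
{
    return preg_replace('/[^\p{L}\p{N} _\-]/u', '', $s) ?? '';
}

// Render one table row the way the staff pages on this page do, with every
// dynamic value encoded for the spot it lands in (text node and attribute).
function renderRow(int $userid, string $username, string $requested): string
{
    return sprintf(
        "<tr><td><a href='viewuser.php?u=%u'>%s</a></td>" .
        "<td><input type='text' name='newName' value='%s' /></td></tr>",
        $userid,
        encodeHtml($username),
        encodeHtml($requested)
    );
}

$raw = "O'Brien <b>& co</b> \"quoted\"";
echo "encoded: ", encodeHtml($raw), "\n";
echo "plain:   ", plainText($raw), "\n";
echo "cleaned: ", cleanName(plainText($raw)), "\n";
echo renderRow(42, $raw, $raw), "\n";
```

The `plain:` line still contains the apostrophe, the ampersand and the double quotes, which is why `strip_tags()` on its own is not enough before an `echo`; `cleaned:` shows what a stricter display-name rule would keep.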
UPDATE: The ability to notify the player's friends (in their friendslist) has been added - suggested by cjholder. I've left it off by default, simply change $notifyFriends = 0; to $notifyFriends = 1; Simple stuff.

Here you go :)

[mysql]CREATE TABLE `username_requests` (
    `req_id` INT( 11 ) NOT NULL AUTO_INCREMENT PRIMARY KEY,
    `req_time` INT( 11 ) NOT NULL DEFAULT 0,
    `req_user` INT( 11 ) NOT NULL DEFAULT 0,
    `req_name` VARCHAR( 255 ) NOT NULL DEFAULT 'n/a'
) ENGINE = MyISAM;[/mysql]

Edit smenu.php
Add this link:
[php]<a href='staff_requests.php?action=view'>View Username Requests</a>[/php]

For those of you bothered about a few milliseconds of speed, use the codes posted in the SECOND (2ND) expander

[expander=Slightly slower method (by a few milliseconds)]
Edit: preferences.php
Replace the entire name_change() function with this:
[php]function name_change()
{
    global $ir, $db, $userid, $h;
    echo "<h3>Changing your username</h3>";
    // One pending request per player
    $select = sprintf("SELECT req_id FROM username_requests WHERE (req_user = %u)", $userid);
    $query = $db->query($select);
    if($db->num_rows($query))
    {
        echo "You have already requested a username change. Please wait until your current request is dealt with.<br />
        <a href='preferences.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if(!isset($_POST['submit']))
    {
        echo "<form action='preferences.php?action=namechange' method='post'>";
        echo "<table class='table' width='50%' style='text-align:center;'>";
        echo "<tr>";
        echo "<th>New Name</th>";
        echo sprintf("<td><input type='text' name='newName' value=\"%s\" /></td>", stripslashes(htmlspecialchars($ir['username'])));
        echo "</tr>";
        echo "<tr>";
        echo "<td colspan='2'><input type='submit' name='submit' value='Request Name Change' /></td>";
        echo "</tr>";
        echo "</table>";
        echo "</form>";
    }
    else
    {
        if(empty($_POST['newName']) OR trim($_POST['newName']) == '')
        {
            echo "You cannot request a blank name";
            $h->endpage();
            exit;
        }
        // Escaped for this INSERT only; the stored value is the raw name
        $_POST['newName'] = $db->escape($_POST['newName']);
        $insert = sprintf("INSERT INTO username_requests VALUES ('', %u, %u, '%s')", time(), $userid, $_POST['newName']);
        $db->query($insert);
        echo "Your username request has been successfully submitted";
    }
}[/php]

Create file: staff_requests.php
[php]<?php
include(DIRNAME(__FILE__) . '/sglobals.php');
if($ir['user_level'] != 2)
{
    echo "Access denied";
    $h->endpage();
    exit;
}
// Set to 1 to notify the player's friends when a request is accepted
$notifyFriends = 0;
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : false;
switch($_GET['action'])
{
    case 'view': viewRequests(); break;
    case 'accept': acceptRequest(); break;
    case 'decline': declineRequest(); break;
    default: echo "Action not specified"; break;
}

function viewRequests()
{
    global $db;
    echo "<h3>Viewing Username Change Requests</h3>";
    $select = $db->query(
        "SELECT r.*, u.username " .
        "FROM username_requests r " .
        "LEFT JOIN users u ON (r.req_user = u.userid) " .
        "ORDER BY r.req_time ASC");
    echo "<table class='table' width='75%'>";
    echo "<tr>";
    echo "<th>User</th>";
    echo "<th>Time</th>";
    echo "<th>Request</th>";
    echo "<th>Actions</th>";
    echo "</tr>";
    if(!$db->num_rows($select))
    {
        echo "<tr>";
        echo "<td colspan='4' style='text-align:center;'>There are currently no requests</td>";
        echo "</tr>";
    }
    else
    {
        while($row = $db->fetch_row($select))
        {
            echo "<tr>";
            // r.* gives req_user (there is no userid column in the result); the name is encoded for HTML
            echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $row['req_user'], stripslashes(htmlspecialchars($row['username'])), number_format($row['req_user']));
            echo sprintf("<td>%s</td>", date('H:i:s d/m/y', $row['req_time']));
            echo sprintf("<td>%s</td>", stripslashes(htmlspecialchars($row['req_name'])));
            echo sprintf("<td>[<a href='staff_requests.php?action=accept&ID=%u'>Accept</a>] [<a href='staff_requests.php?action=decline&ID=%u'>Decline</a>]</td>", $row['req_id'], $row['req_id']);
            echo "</tr>";
        }
    }
    echo "</table>";
    stafflog_add("View the username change requests");
}

function acceptRequest()
{
    global $db, $h, $notifyFriends;
    echo "<h3>Accepting a username change request</h3>";
    $_GET['ID'] = abs(@intval($_GET['ID']));
    if(!$_GET['ID'])
    {
        echo "No ID specified";
        $h->endpage();
        exit;
    }
    $select = sprintf("SELECT * FROM username_requests WHERE (req_id = %u)", $_GET['ID']);
    $query = $db->query($select);
    if(!$db->num_rows($query))
    {
        echo "This request does not exist";
        $h->endpage();
        exit;
    }
    $row = $db->fetch_row($query);
    $oldName = $db->fetch_single($db->query(sprintf("SELECT username FROM users WHERE (userid = %u)", $row['req_user'])));
    // req_name was escaped only for its INSERT, so the stored value is raw: escape it again before it goes into a query
    $updateUser = sprintf("UPDATE users SET username = '%s' WHERE (userid = %u)", $db->escape($row['req_name']), $row['req_user']);
    $deleteReq = sprintf("DELETE FROM username_requests WHERE (req_id = %u)", $row['req_id']);
    $db->query($updateUser);
    $db->query($deleteReq);
    event_add($row['req_user'], sprintf("Your username change request that was requested on %s has been accepted.", date('H:i:s, d/m/y', $row['req_time'])));
    if($notifyFriends)
    {
        $selectFriends = sprintf("SELECT fl_ADDED FROM friendslist WHERE (fl_ADDER = %u)", $row['req_user']);
        $queryFriends = $db->query($selectFriends);
        if($db->num_rows($queryFriends))
        {
            while($friend = $db->fetch_row($queryFriends))
            {
                event_add($friend['fl_ADDED'], sprintf("<a href='viewuser.php?u=%u'>%s</a> [%s] has changed their name to “%s”", $row['req_user'], $oldName, number_format($row['req_user']), $row['req_name']));
            }
        }
    }
    stafflog_add(sprintf("Accepted the username change request from %s - now known as %s", $oldName, $row['req_name']));
    echo "You have accepted the request";
}

function declineRequest()
{
    global $db, $h;
    echo "<h3>Declining a username change request</h3>";
    $_GET['ID'] = abs(@intval($_GET['ID']));
    if(!$_GET['ID'])
    {
        echo "No ID specified";
        $h->endpage();
        exit;
    }
    $select = sprintf("SELECT * FROM username_requests WHERE (req_id = %u)", $_GET['ID']);
    $query = $db->query($select);
    if(!$db->num_rows($query))
    {
        echo "This request does not exist";
        $h->endpage();
        exit;
    }
    $row = $db->fetch_row($query);
    $currentName = $db->fetch_single($db->query(sprintf("SELECT username FROM users WHERE (userid = %u)", $row['req_user'])));
    $deleteReq = sprintf("DELETE FROM username_requests WHERE (req_id = %u)", $row['req_id']);
    $db->query($deleteReq);
    event_add($row['req_user'], sprintf("Your username change request that was requested on %s has been declined.", date('H:i:s, d/m/y', $row['req_time'])));
    stafflog_add(sprintf("Declined the username change request from %s", $currentName));
    echo "You have declined the request";
}
$h->endpage();
?>[/php]
[/expander]

[expander=Slightly faster method]
preferences.php edit
[php]function name_change()
{
    global $ir, $db, $userid, $h;
    echo "<h3>Changing your username</h3>";
    // One pending request per player
    $query = $db->query("SELECT req_id FROM username_requests WHERE (req_user = ".$userid.")");
    if($db->num_rows($query))
    {
        echo "You have already requested a username change. Please wait until your current request is dealt with.<br />
        <a href='preferences.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if(!isset($_POST['submit']))
    {
        echo "<form action='preferences.php?action=namechange' method='post'>
        <table class='table' width='50%' style='text-align:center;'>
        <tr>
        <th>New Name</th>
        <td><input type='text' name='newName' value=\"".stripslashes(htmlspecialchars($ir['username']))."\" /></td>
        </tr>
        <tr>
        <td colspan='2'><input type='submit' name='submit' value='Request Name Change' /></td>
        </tr>
        </table>
        </form>";
    }
    else
    {
        if(empty($_POST['newName']) OR trim($_POST['newName']) == '')
        {
            echo "You cannot request a blank name";
            $h->endpage();
            exit;
        }
        // Escaped for this INSERT only; the stored value is the raw name
        $db->query("INSERT INTO username_requests VALUES ('', ".time().", ".$userid.", '".$db->escape($_POST['newName'])."')");
        echo "Your username request has been successfully submitted";
    }
}[/php]

staff_requests.php
[php]<?php
include(DIRNAME(__FILE__) . '/sglobals.php');
if($ir['user_level'] != 2)
{
    echo "Access denied";
    $h->endpage();
    exit;
}
// Set to 1 to notify the player's friends when a request is accepted
$notifyFriends = 0;
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : false;
switch($_GET['action'])
{
    case 'view': viewRequests(); break;
    case 'accept': acceptRequest(); break;
    case 'decline': declineRequest(); break;
    default: echo "Action not specified"; break;
}

function viewRequests()
{
    global $db;
    echo "<h3>Viewing Username Change Requests</h3>";
    $select = $db->query(
        "SELECT r.*, u.username " .
        "FROM username_requests r " .
        "LEFT JOIN users u ON (r.req_user = u.userid) " .
        "ORDER BY r.req_time ASC");
    echo "<table class='table' width='75%'>
    <tr>
    <th>User</th>
    <th>Time</th>
    <th>Request</th>
    <th>Actions</th>
    </tr>";
    if(!$db->num_rows($select))
    {
        echo "<tr>
        <td colspan='4' style='text-align:center;'>There are currently no requests</td>
        </tr>";
    }
    else
    {
        while($row = $db->fetch_row($select))
        {
            // r.* gives req_user (there is no userid column in the result); the name is encoded for HTML
            echo "<tr>
            <td><a href='viewuser.php?u=".$row['req_user']."'>".stripslashes(htmlspecialchars($row['username']))."</a> [".number_format($row['req_user'])."]</td>
            <td>".date('H:i:s d/m/y', $row['req_time'])."</td>
            <td>".stripslashes(htmlspecialchars($row['req_name']))."</td>
            <td>[<a href='staff_requests.php?action=accept&ID=".$row['req_id']."'>Accept</a>] [<a href='staff_requests.php?action=decline&ID=".$row['req_id']."'>Decline</a>]</td>
            </tr>";
        }
    }
    echo "</table>";
    stafflog_add("View the username change requests");
}

function acceptRequest()
{
    global $db, $h, $notifyFriends;
    echo "<h3>Accepting a username change request</h3>";
    $_GET['ID'] = abs(@intval($_GET['ID']));
    if(!$_GET['ID'])
    {
        echo "No ID specified";
        $h->endpage();
        exit;
    }
    $query = $db->query("SELECT * FROM username_requests WHERE (req_id = ".$_GET['ID'].")");
    if(!$db->num_rows($query))
    {
        echo "This request does not exist";
        $h->endpage();
        exit;
    }
    $row = $db->fetch_row($query);
    $oldName = $db->fetch_single($db->query("SELECT username FROM users WHERE (userid = ".$row['req_user'].")"));
    // req_name was escaped only for its INSERT, so the stored value is raw: escape it again before it goes into a query
    $db->query("UPDATE users SET username = '".$db->escape($row['req_name'])."' WHERE (userid = ".$row['req_user'].")");
    $db->query("DELETE FROM username_requests WHERE (req_id = ".$row['req_id'].")");
    event_add($row['req_user'], "Your username change request that was requested on ".date('H:i:s d/m/y', $row['req_time'])." has been accepted.");
    if($notifyFriends)
    {
        $queryFriends = $db->query("SELECT fl_ADDED FROM friendslist WHERE (fl_ADDER = ".$row['req_user'].")");
        if($db->num_rows($queryFriends))
        {
            while($friend = $db->fetch_row($queryFriends))
            {
                event_add($friend['fl_ADDED'], "<a href='viewuser.php?u=".$row['req_user']."'>".$oldName."</a> [".number_format($row['req_user'])."] has changed their name to “".$row['req_name']."”");
            }
        }
    }
    stafflog_add("Accepted the username change request from ".$oldName." - now known as ".$row['req_name']);
    echo "You have accepted the request";
}

function declineRequest()
{
    global $db, $h;
    echo "<h3>Declining a username change request</h3>";
    $_GET['ID'] = abs(@intval($_GET['ID']));
    if(!$_GET['ID'])
    {
        echo "No ID specified";
        $h->endpage();
        exit;
    }
    $query = $db->query("SELECT * FROM username_requests WHERE (req_id = ".$_GET['ID'].")");
    if(!$db->num_rows($query))
    {
        echo "This request does not exist";
        $h->endpage();
        exit;
    }
    $row = $db->fetch_row($query);
    $currentName = $db->fetch_single($db->query("SELECT username FROM users WHERE (userid = ".$row['req_user'].")"));
    $db->query("DELETE FROM username_requests WHERE (req_id = ".$row['req_id'].")");
    event_add($row['req_user'], "Your username change request that was requested on ".date('H:i:s d/m/y', $row['req_time'])." has been declined.");
    stafflog_add("Declined the username change request from ".$currentName);
    echo "You have declined the request";
}
$h->endpage();
?>[/php]
[/expander]

Code is tested, and works fine
-
What you fail to realise is my ship is dragging mines! Sorry, your post reminded me of Galaxy Quest (the film) xD
-
Reasons why I hate Wotlabb.. They need to send out a patch, or MWG admins need to fix it :P
-
[php]<?php
include(DIRNAME(__FILE__) . '/globals.php');
echo "<font size='4' face='Arial, Helvetica, sans-serif'>Your Attack Logs</font><hr width='75%'>";
$_GET['step'] = isset($_GET['step']) ? $_GET['step'] : '';
switch($_GET['step'])
{
    case 'ayw': ayw(); break;
    case 'ayl': ayl(); break;
    default: index(); break;
}

function index()
{
    echo "So you want to see your attack logs huh? Please choose a section.<br />";
    echo "• <a href='pal.php?step=ayw'>Attacks you've won</a>.<br />• <a href='pal.php?step=ayl'>Attacks you've lost</a>.";
    echo "<hr width='75%'>> <a href='index.php'>Home</a><hr width='75%'>";
}

function ayw()
{
    global $db, $userid;
    // $userid comes from globals.php (the logged-in player), not from the request
    $atks = $db->query(
        "SELECT a.*, u1.username AS attackern, u2.username AS attackedn " .
        "FROM attacklogs a " .
        "LEFT JOIN users u1 ON (a.attacker = u1.userid) " .
        "LEFT JOIN users u2 ON (a.attacked = u2.userid) " .
        "WHERE ((u1.userid = $userid) AND (result = 'won')) " .
        "ORDER BY time DESC LIMIT 100");
    echo "The last 100 players you have killed.
    <table width='75%' cellspacing='1' class='table' style='text-align:center;'>
    <tr style='background-color:#999;'>
    <th>Time</th>
    <th>Attacked</th>
    </tr>";
    $bgcolor = '';
    while($r = $db->fetch_row($atks))
    {
        $bgcolor = ($bgcolor == "#dfdfdf") ? "#cccccc" : "#dfdfdf";
        $d = date('F j, Y, g:i:s a', $r['time']);
        $name = htmlspecialchars($r['attackedn']);
        echo "<tr style='background-color:$bgcolor;'>
        <td>$d</td>
        <td><a href='viewuser.php?u={$r['attacked']}'>$name</a></td>
        </tr>";
    }
    echo "</table>";
    echo "<hr width='75%'>> <a href='pal.php'>Back</a><hr width='75%'>";
}

function ayl()
{
    global $db, $userid;
    $atks = $db->query(
        "SELECT a.*, u1.username AS attackern, u2.username AS attackedn " .
        "FROM attacklogs a " .
        "LEFT JOIN users u1 ON (a.attacker = u1.userid) " .
        "LEFT JOIN users u2 ON (a.attacked = u2.userid) " .
        "WHERE ((u2.userid = $userid) AND (result = 'won')) " .
        "ORDER BY time DESC LIMIT 100");
    echo "The last 100 players that killed you.
    <table width='75%' cellspacing='1' class='table' style='text-align:center;'>
    <tr style='background-color:#999;'>
    <th>Time</th>
    <th>Attacker</th>
    </tr>";
    $bgcolor = '';
    while($r = $db->fetch_row($atks))
    {
        $bgcolor = ($bgcolor == "#dfdfdf") ? "#cccccc" : "#dfdfdf";
        $d = date('F j, Y, g:i:s a', $r['time']);
        $name = htmlspecialchars($r['attackern']);
        echo "<tr style='background-color:$bgcolor;'>
        <td>$d</td>
        <td><a href='viewuser.php?u={$r['attacker']}'>$name</a></td>
        </tr>";
    }
    echo "</table>";
    echo "<hr width='75%'>> <a href='pal.php'>Back</a><hr width='75%'>";
}
$h->endpage();
?>[/php]

Works fine for me
-
[php]<?php
include "sglobals.php";
if($ir['user_level'] > 2)
{
    echo "Access Denied";
    $h->endpage();
    exit;
}
// This contains crime stuffs
$_GET['action'] = isset($_GET['action']) ? $_GET['action'] : '';
switch($_GET['action'])
{
    case 'newcrime': new_crime_form(); break;
    case 'newcrimesub': new_crime_submit(); break;
    case 'editcrime': edit_crime_begin(); break;
    case 'editcrimeform': edit_crime_form(); break;
    case 'editcrimesub': edit_crime_sub(); break;
    case 'delcrime': delcrime(); break;
    case 'newcrimegroup': new_crimegroup_form(); break;
    case 'newcrimegroupsub': new_crimegroup_submit(); break;
    case 'editcrimegroup': edit_crimegroup_begin(); break;
    case 'editcrimegroupform': edit_crimegroup_form(); break;
    case 'editcrimegroupsub': edit_crimegroup_sub(); break;
    case 'delcrimegroup': delcrimegroup(); break;
    case 'reorder': reorder_crimegroups(); break;
    default: print "Error: This script requires an action."; break;
}

function new_crime_form()
{
    global $ir, $c, $db;
    print "Adding a new crime.
    <form action='staff_crimes.php?action=newcrimesub' method='post'>
    Name: <input type='text' name='name' /><br />
    Brave Cost: <input type='text' name='brave' /><br />
    Item Needed: ".item2_dropdown($c, 'itemneed')."<br />
    Success % Formula: <input type='text' name='percform' value='((WILL*0.8)/2.5)+(LEVEL/4)' /><br />
    Min Money: <input type='text' name='minmoney' /><br />
    Max Money: <input type='text' name='maxmoney' /><br />
    Success Crystals: <input type='text' name='crys' /><br />
    Success Item: ".item2_dropdown($c, 'item')."<br />
    Group: ".crimegroup_dropdown($c, 'group')."<br />
    Initial Text: <textarea rows='4' cols='40' name='itext'></textarea><br />
    Success Text: <textarea rows='4' cols='40' name='stext'></textarea><br />
    Failure Text: <textarea rows='4' cols='40' name='ftext'></textarea><br />
    Jail Text: <textarea rows='4' cols='40' name='jtext'></textarea><br />
    Jail Time: <input type='text' name='jailtime' /><br />
    Jail Reason: <input type='text' name='jailreason' /><br />
    Crime XP Given: <input type='text' name='crimexp' /><br />
    <input type='submit' value='Create Crime' />
    </form>";
}

function new_crime_submit()
{
    global $ir, $c, $userid, $db;
    // Strings are escaped and numbers cast before anything reaches the query;
    // the form has no 'itemon' checkbox, so the item dropdowns are used directly
    $name = $db->escape($_POST['name']);
    $brave = abs((int) $_POST['brave']);
    $percform = $db->escape($_POST['percform']);
    $minmoney = abs((int) $_POST['minmoney']);
    $maxmoney = abs((int) $_POST['maxmoney']);
    $crys = empty($_POST['crys']) ? 0 : abs((int) $_POST['crys']);
    $item = isset($_POST['item']) ? abs((int) $_POST['item']) : 0;
    $itemneed = isset($_POST['itemneed']) ? abs((int) $_POST['itemneed']) : 0;
    $group = abs((int) $_POST['group']);
    $itext = $db->escape($_POST['itext']);
    $stext = $db->escape($_POST['stext']);
    $ftext = $db->escape($_POST['ftext']);
    $jtext = $db->escape($_POST['jtext']);
    $jailtime = abs((int) $_POST['jailtime']);
    $jailreason = $db->escape($_POST['jailreason']);
    $crimexp = abs((int) $_POST['crimexp']);
    $db->query("INSERT INTO crimes (crimeNAME, crimeBRAVE, crimePERCFORM, crimeMINMONEY, crimeMAXMONEY, crimeSUCCESSCRYS, crimeSUCCESSITEM, crimeGROUP, crimeITEXT, crimeSTEXT, crimeFTEXT, crimeJTEXT, crimeJAILTIME, crimeJREASON, crimeXP, crimeITEM) VALUES ('$name', $brave, '$percform', $minmoney, $maxmoney, $crys, $item, $group, '$itext', '$stext', '$ftext', '$jtext', $jailtime, '$jailreason', $crimexp, $itemneed)");
    print "Crime created!";
    stafflog_add("Created crime $name");
}

function edit_crime_begin()
{
    global $ir, $c, $h, $userid, $db;
    print "<h3>Editing Crime</h3>You can edit any aspect of this crime.
    <form action='staff_crimes.php?action=editcrimeform' method='post'>
    Crime: ".crime_dropdown($c, 'crime')."
    <input type='submit' value='Edit Crime' />
    </form>";
}

function edit_crime_form()
{
    global $ir, $c, $h, $userid, $db;
    $crimeID = abs((int) $_POST['crime']);
    $d = $db->query("SELECT * FROM crimes WHERE crimeID=$crimeID");
    if(!$db->num_rows($d))
    {
        print "That crime does not exist.";
        $h->endpage();
        exit;
    }
    $itemi = $db->fetch_row($d);
    // Stored values are encoded before being placed back into the form fields
    foreach($itemi as $k => $v)
    {
        $itemi[$k] = htmlspecialchars((string) $v, ENT_QUOTES);
    }
    print "<h3>Editing Crime</h3>
    <form action='staff_crimes.php?action=editcrimesub' method='post'>
    <input type='hidden' name='crimeID' value='$crimeID' />
    Name: <input type='text' name='crimeNAME' value='{$itemi['crimeNAME']}' /><br />
    Brave Cost: <input type='text' name='crimeBRAVE' value='{$itemi['crimeBRAVE']}' /><br />
    Item Needed: ".item2_dropdown($c, 'crimeITEM', $itemi['crimeITEM'])."<br />
    Success % Formula: <input type='text' name='crimePERCFORM' value='{$itemi['crimePERCFORM']}' /><br />
    Min Money: <input type='text' name='crimeMINMONEY' value='{$itemi['crimeMINMONEY']}' /><br />
    Max Money: <input type='text' name='crimeMAXMONEY' value='{$itemi['crimeMAXMONEY']}' /><br />
    Success Crystals: <input type='text' name='crimeSUCCESSCRYS' value='{$itemi['crimeSUCCESSCRYS']}' /><br />
    Success Item: ".item2_dropdown($c, 'crimeSUCCESSITEM', $itemi['crimeSUCCESSITEM'])."<br />
    Group: ".crimegroup_dropdown($c, 'crimeGROUP', $itemi['crimeGROUP'])."<br />
    Initial Text: <textarea rows='4' cols='40' name='crimeITEXT'>{$itemi['crimeITEXT']}</textarea><br />
    Success Text: <textarea rows='4' cols='40' name='crimeSTEXT'>{$itemi['crimeSTEXT']}</textarea><br />
    Failure Text: <textarea rows='4' cols='40' name='crimeFTEXT'>{$itemi['crimeFTEXT']}</textarea><br />
    Jail Text: <textarea rows='4' cols='40' name='crimeJTEXT'>{$itemi['crimeJTEXT']}</textarea><br />
    Jail Time: <input type='text' name='crimeJAILTIME' value='{$itemi['crimeJAILTIME']}' /><br />
    Jail Reason: <input type='text' name='crimeJREASON' value='{$itemi['crimeJREASON']}' /><br />
    Crime XP Given: <input type='text' name='crimeXP' value='{$itemi['crimeXP']}' /><br />
    <input type='submit' value='Edit Crime' />
    </form>";
}

function edit_crime_sub()
{
    global $ir, $c, $h, $userid, $db;
    // Same escaping/casting as on create; the UPDATE writes the same columns the INSERT does
    $crimeID = abs((int) $_POST['crimeID']);
    $name = $db->escape($_POST['crimeNAME']);
    $brave = abs((int) $_POST['crimeBRAVE']);
    $percform = $db->escape($_POST['crimePERCFORM']);
    $minmoney = abs((int) $_POST['crimeMINMONEY']);
    $maxmoney = abs((int) $_POST['crimeMAXMONEY']);
    $crys = abs((int) $_POST['crimeSUCCESSCRYS']);
    $item = abs((int) $_POST['crimeSUCCESSITEM']);
    $group = abs((int) $_POST['crimeGROUP']);
    $itext = $db->escape($_POST['crimeITEXT']);
    $stext = $db->escape($_POST['crimeSTEXT']);
    $ftext = $db->escape($_POST['crimeFTEXT']);
    $jtext = $db->escape($_POST['crimeJTEXT']);
    $jailtime = abs((int) $_POST['crimeJAILTIME']);
    $jailreason = $db->escape($_POST['crimeJREASON']);
    $crimexp = abs((int) $_POST['crimeXP']);
    $itemneed = abs((int) $_POST['crimeITEM']);
    $db->query("UPDATE crimes SET crimeNAME='$name', crimeBRAVE=$brave, crimePERCFORM='$percform', crimeMINMONEY=$minmoney, crimeMAXMONEY=$maxmoney, crimeSUCCESSCRYS=$crys, crimeSUCCESSITEM=$item, crimeGROUP=$group, crimeITEXT='$itext', crimeSTEXT='$stext', crimeFTEXT='$ftext', crimeJTEXT='$jtext', crimeJAILTIME=$jailtime, crimeJREASON='$jailreason', crimeXP=$crimexp, crimeITEM=$itemneed WHERE crimeID=$crimeID");
    print "Crime edited...";
    stafflog_add("Edited crime $name");
}

function delcrime()
{
    global $ir, $c, $h, $userid, $db;
    $_GET['step'] = isset($_GET['step']) ? $_GET['step'] : '';
    switch($_GET['step'])
    {
        default:
            echo "<h3>Deleting Crime</h3>
            Here you can delete a crime.
            <form action='staff_crimes.php?action=delcrime&step=2' method='post'>
            Crime: ".crime_dropdown($c, 'crime')."
            <input type='submit' value='Delete Crime' />
            </form>";
            break;
        case 2:
            $target = abs((int) $_POST['crime']);
            $d = $db->query("SELECT crimeNAME FROM crimes WHERE crimeID=$target");
            $itemi = $db->fetch_row($d);
            print "<h3>Confirm</h3>
            Delete crime - ".htmlspecialchars($itemi['crimeNAME'])."?
            <form action='staff_crimes.php?action=delcrime&step=3' method='post'>
            <input type='hidden' name='crimeID' value='$target' />
            <input type='submit' name='yesorno' value='Yes' />
            <input type='submit' name='yesorno' value='No' onclick=\"window.location='staff_crimes.php?action=delcrime';\" />
            </form>";
            break;
        case 3:
            $target = abs((int) $_POST['crimeID']);
            if($_POST['yesorno'] == 'No')
            {
                echo "Crime not deleted. <a href='staff_crimes.php?action=delcrime'>> Back to main delete crimes page.</a>";
                $h->endpage();
                exit;
            }
            if(!in_array($_POST['yesorno'], array("No", "Yes")))
            {
                echo "Invalid choice";
                $h->endpage();
                exit;
            }
            $d = $db->query("SELECT crimeNAME FROM crimes WHERE crimeID=$target");
            $itemi = $db->fetch_row($d);
            $db->query("DELETE FROM crimes WHERE crimeID=$target");
            echo "Crime ".htmlspecialchars($itemi['crimeNAME'])." Deleted. <a href='staff_crimes.php?action=delcrime'>> Back to main delete crimes page.</a>";
            stafflog_add("Deleted crime ".$db->escape($itemi['crimeNAME']));
            break;
    }
}

function new_crimegroup_form()
{
    global $ir, $c, $db;
    print "Adding a new crime group.
    <form action='staff_crimes.php?action=newcrimegroupsub' method='post'>
    Name: <input type='text' name='cgNAME' /><br />
    Order Number: <input type='text' name='cgORDER' /><br />
    <input type='submit' value='Create Crime Group' />
    </form>";
}

function new_crimegroup_submit()
{
    global $ir, $c, $h, $userid, $db;
    if(!isset($_POST['cgNAME']) || !isset($_POST['cgORDER']))
    {
        print "You missed one or more of the required fields. Please go back and try again. <a href='staff_crimes.php?action=newcrimegroup'>> Back</a>";
        $h->endpage();
        exit;
    }
    $cgNAME = $db->escape($_POST['cgNAME']);
    $cgORDER = abs((int) $_POST['cgORDER']);
    $db->query("INSERT INTO `crimegroups` (`cgNAME`, `cgORDER`) VALUES ('$cgNAME', $cgORDER)");
    print "Crime Group created!";
    stafflog_add("Created Crime Group $cgNAME");
}

function edit_crimegroup_begin()
{
    global $ir, $c, $h, $userid, $db;
    print "<h3>Editing A Crime Group</h3>
    <form action='staff_crimes.php?action=editcrimegroupform' method='post'>
    Crime Group: ".crimegroup_dropdown($c, 'crimeGROUP')."
    <input type='submit' value='Edit Crime Group' />
    </form>";
}

function edit_crimegroup_form()
{
    global $ir, $c, $h, $userid, $db;
    $cgID = abs((int) $_POST['crimeGROUP']);
    $d = $db->query("SELECT * FROM crimegroups WHERE cgID=$cgID");
    if(!$db->num_rows($d))
    {
        print "That crime group does not exist.";
        $h->endpage();
        exit;
    }
    $itemi = $db->fetch_row($d);
    $cgNAME = htmlspecialchars($itemi['cgNAME'], ENT_QUOTES);
    print "<h3>Editing Crime Group</h3>
    <form action='staff_crimes.php?action=editcrimegroupsub' method='post'>
    <input type='hidden' name='cgID' value='$cgID' />
    Name: <input type='text' name='cgNAME' value='$cgNAME' /><br />
    Order Number: <input type='text' name='cgORDER' value='{$itemi['cgORDER']}' /><br />
    <input type='submit' value='Edit Crime Group' />
    </form>";
}

function edit_crimegroup_sub()
{
    global $ir, $c, $h, $userid, $db;
    if(!isset($_POST['cgORDER']) || !isset($_POST['cgNAME']))
    {
        print "You missed one or more of the required fields. Please go back and try again. <a href='staff_crimes.php?action=editcrimegroup'>> Back</a>";
        $h->endpage();
        exit;
    }
    $cgID = abs((int) $_POST['cgID']);
    $cgNAME = $db->escape($_POST['cgNAME']);
    $cgORDER = abs((int) $_POST['cgORDER']);
    $db->query("UPDATE crimegroups SET cgNAME='$cgNAME', cgORDER=$cgORDER WHERE cgID=$cgID");
    print "Crime Group edited...";
    stafflog_add("Edited Crime Group $cgNAME");
}

function delcrimegroup()
{
    global $ir, $c, $h, $userid, $db;
    $_GET['step'] = isset($_GET['step']) ? $_GET['step'] : '';
    switch($_GET['step'])
    {
        default:
            echo "<h3>Deleting Crime Group</h3>
            <script type='text/javascript'>
            function checkme()
            {
                if(document.theform.crimeGROUP.value == document.theform.crimeGROUP2.value)
                {
                    alert('You cannot select the same crime group to move the crimes to.');
                    return false;
                }
                return true;
            }
            </script>
            <form action='staff_crimes.php?action=delcrimegroup&step=2' method='post' name='theform' onsubmit='return checkme();'>
            Crime Group: ".crimegroup_dropdown($c, 'crimeGROUP')."<br />
            Move crimes in deleted group to: ".crimegroup_dropdown($c, 'crimeGROUP2')."<br />
            <input type='submit' value='Delete Crime Group' />
            </form>";
            break;
        case 2:
            $target = abs((int) $_POST['crimeGROUP']);
            $target2 = abs((int) $_POST['crimeGROUP2']);
            // The JavaScript check above is only a convenience; the real check is here
            if($target == $target2)
            {
                echo "You cannot select the same crime group to move the crimes to.";
                $h->endpage();
                exit;
            }
            $d = $db->query("SELECT cgNAME FROM crimegroups WHERE cgID=$target");
            $itemi = $db->fetch_row($d);
            print "<h3>Confirm</h3>
            Delete crime group - ".htmlspecialchars($itemi['cgNAME'])."?
            <form action='staff_crimes.php?action=delcrimegroup&step=3' method='post'>
            <input type='hidden' name='cgID' value='$target' />
            <input type='hidden' name='cgID2' value='$target2' />
            <input type='submit' name='yesorno' value='Yes' />
            <input type='submit' name='yesorno' value='No' onclick=\"window.location='staff_crimes.php?action=delcrimegroup';\" />
            </form>";
            break;
        case 3:
            $target = abs((int) $_POST['cgID']);
            $target2 = abs((int) $_POST['cgID2']);
            if($_POST['yesorno'] == 'No')
            {
                echo "Crime Group not deleted.";
                $h->endpage();
                exit;
            }
            if(!in_array($_POST['yesorno'], array("No", "Yes")))
            {
                die('This shouldnt happen');
            }
            if($target == $target2)
            {
                echo "You cannot select the same crime group to move the crimes to.";
                $h->endpage();
                exit;
            }
            $d = $db->query("SELECT cgNAME FROM crimegroups WHERE cgID=$target");
            $itemi = $db->fetch_row($d);
            $db->query("DELETE FROM crimegroups WHERE cgID=$target");
            $db->query("UPDATE crimes SET crimeGROUP=$target2 WHERE crimeGROUP=$target");
            stafflog_add("Deleted crime group ".$db->escape($itemi['cgNAME']));
            echo "Crime Group deleted.";
            break;
    }
}

function reorder_crimegroups()
{
    global $db, $ir, $c, $h, $userid;
    if(isset($_POST['submit']))
    {
        unset($_POST['submit']);
        $used = array();
        foreach($_POST as $v)
        {
            if(in_array($v, $used))
            {
                print "You have used the same order number twice!<br />
                Go back and try again.";
                $h->endpage();
                exit;
            }
            $used[] = $v;
        }
        foreach($_POST as $k => $v)
        {
            // Field names are order<cgID>; only numeric ids are accepted
            $cg = str_replace("order", "", $k);
            if(is_numeric($cg))
            {
                $db->query("UPDATE crimegroups SET cgORDER=".abs((int) $v)." WHERE cgID=".abs((int) $cg));
            }
        }
        print "Crime group order updated!";
        stafflog_add("Reordered crime groups");
    }
    else
    {
        $q = $db->query("SELECT * FROM crimegroups ORDER BY cgORDER ASC, cgID ASC");
        $rows = $db->num_rows($q);
        $i = 0;
        print "<h3>Re-ordering Crime Groups</h3><hr />
        <form action='staff_crimes.php?action=reorder' method='post'>
        <input type='hidden' name='submit' value='1' />
        <table width='80%' cellspacing='1' class='table'>
        <tr>
        <th>Crime Group</th>
        <th>Order</th>
        </tr>\n\n";
        while($r = $db->fetch_row($q))
        {
            $i++;
            print "<tr>
            <td>".htmlspecialchars($r['cgNAME'])."</td>
            <td><select name='order{$r['cgID']}' type='dropdown'>";
            for($j = 1; $j <= $rows; $j++)
            {
                if($j == $i)
                {
                    print "<option value='{$j}' selected='selected'>{$j}</option>";
                }
                else
                {
                    print "<option value='{$j}'>{$j}</option>";
                }
            }
            print "</select></td>
            </tr>";
        }
        print "<tr>
        <td colspan='2' align='center'><input type='submit' value='Reorder' /></td>
        </tr>
        </table>
        </form>";
    }
}

// Not reachable from the switch above; left in place as posted
function report_clear()
{
    global $db, $ir, $c, $h, $userid;
    if($ir['user_level'] > 3)
    {
        echo "Access Denied";
        $h->endpage();
        exit;
    }
    $_GET['ID'] = abs(@intval($_GET['ID']));
    stafflog_add("Cleared player report ID {$_GET['ID']}");
    $db->query("DELETE FROM preports WHERE prID={$_GET['ID']}");
    print "Report cleared and deleted! <a href='staff_users.php?action=reportsview'>> Back</a>";
}
$h->endpage();
?>[/php]

For the create crime, you must fill in *all* boxes, setting crystals to 0 if you don't wish to use them. - I have edited the code so you no longer have to worry about that. For the edit crime, install your code properly next time..
-
That, or you could log all queries that involve user input. Yes, it's a taxing system, but used in short bursts it can help you
-
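An added example, not code from the reply above or from MCCodes, of what "log all queries that involve user input" can look like in practice: a small wrapper around the query call that writes an audit line whenever a value taken from the request (raw, or in the `addslashes()`-style escaped form the code on this page produces) still appears verbatim in the SQL text, i.e. whenever the query was built by concatenation rather than by binding. The request, the queries and the caller labels are constructed for the demo, and the log is an array rather than a file; `TaintedQueryLogger` is a hypothetical class name.

```php
<?php
// Added example (not from the original reply): a wrapper that logs every query
// whose SQL text still contains a request value. Request, queries and log are
// constructed here so the script runs stand-alone.
declare(strict_types=1);

final class TaintedQueryLogger
{
    /** @var array<int, array{key:string, raw:string, escaped:string}> */
    private $taint = [];
    /** @var string[] */
    public $log = [];

    // $minLength drops very short values ("1", "on") that would match almost
    // any query text and bury real hits in noise.
    public function __construct(array $request, int $minLength = 3)
    {
        foreach ($request as $key => $value) {
            if (is_scalar($value) && strlen((string) $value) >= $minLength) {
                $this->taint[] = [
                    'key'     => (string) $key,
                    'raw'     => (string) $value,
                    'escaped' => addslashes((string) $value),  // stands in for $db->escape()
                ];
            }
        }
    }

    // Request keys whose raw or escaped value appears inside the SQL text.
    public function taintedKeys(string $sql): array
    {
        $hits = [];
        foreach ($this->taint as $t) {
            if (strpos($sql, $t['raw']) !== false || strpos($sql, $t['escaped']) !== false) {
                $hits[] = $t['key'];
            }
        }
        return array_values(array_unique($hits));
    }

    // Stand-in for $db->query(): record the query and log it if it is tainted.
    // Returns the list of tainted keys so a caller can react (e.g. alert).
    public function query(string $sql, string $caller): array
    {
        $keys = $this->taintedKeys($sql);
        if ($keys !== []) {
            $this->log[] = sprintf('%s caller=%s tainted_by=%s sql=%s',
                gmdate('Y-m-d\TH:i:s\Z'), $caller, implode(',', $keys), $sql);
        }
        return $keys;
    }
}

// Constructed request, standing in for $_GET + $_POST.
$request = ['action' => 'accept', 'ID' => '1042', 'newName' => "O'Brien"];
$logger  = new TaintedQueryLogger($request);

// Concatenated: the request value is inside the SQL text, so both are logged.
$logger->query("SELECT * FROM username_requests WHERE (req_id = 1042)", 'staff_requests.php:acceptRequest');
$logger->query("UPDATE users SET username = 'O\\'Brien' WHERE (userid = 7)", 'staff_requests.php:acceptRequest');
// Bound: only a placeholder reaches the SQL text, so nothing is logged.
$logger->query("SELECT * FROM username_requests WHERE (req_id = :id)", 'staff_requests.php:acceptRequest');
// Not derived from the request at all.
$logger->query("SELECT req_id FROM username_requests ORDER BY req_time ASC", 'staff_requests.php:viewRequests');

foreach ($logger->log as $line) {
    echo $line, "\n";
}
```

Two lines come out: the `req_id = 1042` query (tainted by `ID`) and the `UPDATE users` query (tainted by `newName`, matched through its escaped form). Matching on substrings is deliberately crude, which is why the reply above calls it taxing; running it for a short window around a suspicious action, then turning it off, is the trade-off it describes.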
Topic needs splitting then my friend ;)
-
O.o Dr. Juklaensna :D
-
The Cruciatus Curse is what you are referring to CrimGame.com ;) Crucio!
-
By typing {money} in the success text
-
/me randomly passes by and casts a spell on you.. Levicorpus - I CAN FLY!! :D
-
Mccodes v1 Crime failure with both hospital time and jail time
Magictallguy replied to HITMAN 17's topic in Engine Support
MC Codes is mostly 4 languages combined :P (X)HTML, CSS, PHP, and MySQL
-
By default, it's the $gain variable. Search for it in the gym.php and edit the formula
-
Meh, may as well list mine seeing as we're going from a help topic to whatever you want to call this :P Anthony Anth Ant Tony Magictallguy Magic MTG Man-whore Man-slut