Everything posted by Magictallguy
-
Send Bank,Cyber,Cash,Crystals--All-In-One
Magictallguy replied to Joshua's topic in Free Modifications
You hadn't checked if the user ID supplied actually exists.
-
Send Bank,Cyber,Cash,Crystals--All-In-One
Magictallguy replied to Joshua's topic in Free Modifications
Only sprintf()'ing a few things, the rest I left virtually intact
-
Send Bank,Cyber,Cash,Crystals--All-In-One
Magictallguy replied to Joshua's topic in Free Modifications
<?php
/*
MCCode V2 - Send.php
Coded by Immortal;

MAGICTALLGUY'S NOTICE
Lines increased from 253 to 267.
Code bytes increased from 8,701 to 10,726.
Code fixed and correctly secured.
Aesthetic updates, XHTML validated (if it doesn't show as validated, it's your fault, not mine ;))
END NOTICE;

-- FREE TO ALL MEMBERS OF THE FORUM --
*/
include(dirname(__FILE__) . '/globals.php');

// Normalise the request once, up front: the target ID and the amount become
// non-negative integers (false/null when absent or non-numeric), the action a
// trimmed lower-case string. Every query below then formats them with %u.
$_GET['ID'] = isset($_GET['ID']) && is_numeric($_GET['ID']) ? abs(@intval($_GET['ID'])) : false;
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : false;
$_POST['points'] = isset($_POST['points']) && is_numeric($_POST['points']) ? abs(@intval($_POST['points'])) : null;

switch($_GET['action']) {
    case 'sendbank':
        sendbank();
        break;
    case 'sendoff':
        sendoff();
        break;
    case 'sendcash':
        sendcash();
        break;
    case 'sendpoints':
        sendpoints();
        break;
}
if(!in_array($_GET['action'], array('sendbank', 'sendoff', 'sendcash', 'sendpoints'))) {
    echo "Operation not understood!";
    $h->endpage();
    exit;
}

function sendbank() {
    global $db, $h, $ir, $userid;
    if(!$_GET['ID']) {
        echo "Invalid ID. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_GET['ID'] == $userid) {
        echo "Is there a particular reason you are sending money to yourself? <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    // Confirm the recipient exists before touching any balances.
    $selectUser = sprintf("SELECT `userid`, `username`, `bankmoney`, `lastip` FROM `users` WHERE (`userid` = %u)", $_GET['ID']);
    $queryUser = $db->query($selectUser);
    if(!$db->num_rows($queryUser)) {
        echo "This player does not exist";
        $h->endpage();
        exit;
    }
    $er = $db->fetch_row($queryUser);
    // bankmoney of -1 means "no bank account" in MCCodes.
    if($er['bankmoney'] == -1 || $ir['bankmoney'] == -1) {
        echo "Sorry, you or the person you are sending cash to does not have a bank account. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_POST['points']) {
        if($_POST['points'] > $ir['bankmoney']) {
            echo "You are trying to send more than you have. <a href='index.php'>Back</a>";
            $h->endpage();
            exit;
        }
        $db->query(sprintf("UPDATE `users` SET `bankmoney` = `bankmoney` - %u WHERE (`userid` = %u)", $_POST['points'], $userid));
        $db->query(sprintf("UPDATE `users` SET `bankmoney` = `bankmoney` + %u WHERE (`userid` = %u)", $_POST['points'], $_GET['ID']));
        echo sprintf("You transferred \$%s to %s's bank.", number_format($_POST['points']), stripslashes(htmlspecialchars($er['username'])));
        event_add($_GET['ID'], "You received \$".number_format($_POST['points'])." into your bank account from ".$ir['username'].".");
        $db->query(sprintf("INSERT INTO `bankxferlogs` VALUES ('', %u, %u, %u, %u, '%s', '%s', 'bank')", $userid, $_GET['ID'], $_POST['points'], time(), $ir['lastip'], $er['lastip']));
    } else {
        echo "<h3>Bank Xfer</h3>
You are sending bank money to <b>".stripslashes(htmlspecialchars($er['username']))."</b>.
You have <b>\$".number_format($ir['bankmoney'])."</b> you can send.
<form action='send.php?action=sendbank&ID=".$_GET['ID']."' method='post'>
Money: <input type='text' name='points' />
<input type='submit' value='Send' />
</form>";
    }
}

function sendoff() {
    global $db, $ir, $h, $userid;
    if(!$_GET['ID']) {
        echo "Invalid ID. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_GET['ID'] == $userid) {
        echo "Is there a particular reason you are sending money to yourself? <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    $selectUser = sprintf("SELECT `userid`, `username`, `cybermoney`, `lastip` FROM `users` WHERE (`userid` = %u)", $_GET['ID']);
    $queryUser = $db->query($selectUser);
    if(!$db->num_rows($queryUser)) {
        echo "This player does not exist";
        $h->endpage();
        exit;
    }
    $er = $db->fetch_row($queryUser);
    // cybermoney of -1 means "no off-shore (cyber bank) account".
    if($er['cybermoney'] == -1 || $ir['cybermoney'] == -1) {
        echo "Sorry, you or the person you are sending cash to does not have an off-shore account. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_POST['points']) {
        if($_POST['points'] > $ir['cybermoney']) {
            echo "You are trying to send more than you have. <a href='index.php'>Back</a>";
            $h->endpage();
            exit;
        }
        $db->query(sprintf("UPDATE `users` SET `cybermoney` = `cybermoney` - %u WHERE (`userid` = %u)", $_POST['points'], $userid));
        $db->query(sprintf("UPDATE `users` SET `cybermoney` = `cybermoney` + %u WHERE (`userid` = %u)", $_POST['points'], $_GET['ID']));
        echo sprintf("You transferred \$%s to %s's Cyber Bank.", number_format($_POST['points']), stripslashes(htmlspecialchars($er['username'])));
        event_add($_GET['ID'], "You received \${$_POST['points']} into your cyber bank account from ".$ir['username'].".");
        $db->query(sprintf("INSERT INTO `bankxferlogs` VALUES ('', %u, %u, %u, %u, '%s', '%s', 'cyber')", $userid, $_GET['ID'], $_POST['points'], time(), $ir['lastip'], $er['lastip']));
    } else {
        echo "<h3>Cyber Bank Transfer</h3>
You are transferring money to the Cyber Bank of <b>".stripslashes(htmlspecialchars($er['username']))."</b>.
You have <b>\$".number_format($ir['cybermoney'])."</b> you can send.
<form action='send.php?action=sendoff&ID=".$_GET['ID']."' method='post'>
Money: <input type='text' name='points' />
<input type='submit' value='Send' />
</form>";
    }
}

function sendpoints() {
    global $db, $userid, $ir, $h;
    if(!$_GET['ID']) {
        echo "Invalid ID. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_GET['ID'] == $userid) {
        echo "Is there a particular reason you are sending points to yourself? <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    $selectUser = sprintf("SELECT `userid`, `username`, `lastip` FROM `users` WHERE (`userid` = %u)", $_GET['ID']);
    $queryUser = $db->query($selectUser);
    if(!$db->num_rows($queryUser)) {
        echo "This player does not exist";
        $h->endpage();
        exit;
    }
    $er = $db->fetch_row($queryUser);
    if($_POST['points']) {
        if($_POST['points'] > $ir['crystals']) {
            echo "You are trying to send more than you have. <a href='index.php'>Back</a>";
            $h->endpage();
            exit;
        }
        $db->query(sprintf("UPDATE `users` SET `crystals` = `crystals` - %u WHERE (`userid` = %u)", $_POST['points'], $userid));
        $db->query(sprintf("UPDATE `users` SET `crystals` = `crystals` + %u WHERE (`userid` = %u)", $_POST['points'], $_GET['ID']));
        echo sprintf("You sent %s crystal%s to %s.", number_format($_POST['points']), ($_POST['points'] == 1) ? '' : 's', stripslashes(htmlspecialchars($er['username'])));
        event_add($_GET['ID'], sprintf("You received %s crystal%s from %s.", number_format($_POST['points']), ($_POST['points'] == 1) ? '' : 's', $ir['username']));
        $db->query(sprintf("INSERT INTO `crystalxferlogs` VALUES ('', %u, %u, %u, %u, '%s', '%s')", $userid, $_GET['ID'], $_POST['points'], time(), $ir['lastip'], $er['lastip']));
    } else {
        echo "<h3>Sending Crystals</h3>
You are sending points to <b>".stripslashes(htmlspecialchars($er['username']))."</b>.
You have <b>".number_format($ir['crystals'])."</b> points you can send.
<form action='send.php?action=sendpoints&ID=".$_GET['ID']."' method='post'>
Points: <input type='text' name='points' />
<input type='submit' value='Send' />
</form>";
        // The sender's five most recent crystal transfers.
        echo "<h3>Latest 5 Transfers</h3>
<table class='table' width='75%' border='2'>
<tr>
<th>Time</th>
<th>User From</th>
<th>User To</th>
<th>Amount</th>
</tr>";
        $selectTransfers = sprintf(
            "SELECT cx.*, u1.username AS sender, u2.username AS receiver " .
            "FROM crystalxferlogs cx " .
            "LEFT JOIN users u1 ON (cx.cxFROM = u1.userid) " .
            "LEFT JOIN users u2 ON (cx.cxTO = u2.userid) " .
            "WHERE (cx.cxFROM = %u) " .
            "ORDER BY cx.cxTIME DESC LIMIT 5", $userid);
        $queryTransfers = $db->query($selectTransfers);
        while($log = $db->fetch_row($queryTransfers)) {
            echo "<tr>";
            echo sprintf("<td>%s</td>", date("F j, Y, g:i:s a", $log['cxTIME']));
            echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $log['cxFROM'], stripslashes(htmlspecialchars($log['sender'])), number_format($log['cxFROM']));
            echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $log['cxTO'], stripslashes(htmlspecialchars($log['receiver'])), number_format($log['cxTO']));
            echo sprintf("<td>%s crystal%s</td>", number_format($log['cxAMOUNT']), ($log['cxAMOUNT'] == 1) ? '' : 's');
            echo "</tr>";
        }
        echo "</table>";
    }
}

function sendcash() {
    global $db, $ir, $userid, $h;
    if(!$_GET['ID']) {
        echo "Invalid ID. <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    if($_GET['ID'] == $userid) {
        echo "Is there a particular reason you are sending cash to yourself? <a href='index.php'>Back</a>";
        $h->endpage();
        exit;
    }
    $selectUser = sprintf("SELECT `userid`, `username`, `lastip` FROM `users` WHERE (`userid` = %u)", $_GET['ID']);
    $queryUser = $db->query($selectUser);
    if(!$db->num_rows($queryUser)) {
        echo "This player does not exist";
        $h->endpage();
        exit;
    }
    $er = $db->fetch_row($queryUser);
    if(isset($_POST['cash'])) {
        // This form posts 'cash' rather than 'points', so normalise it here.
        $_POST['cash'] = abs(@intval($_POST['cash']));
        if($_POST['cash'] > $ir['money']) {
            echo "You are trying to send more than you have. <a href='index.php'>Back</a>";
            $h->endpage();
            exit;
        }
        $db->query(sprintf("UPDATE `users` SET `money` = `money` - %u WHERE (`userid` = %u)", $_POST['cash'], $userid));
        $db->query(sprintf("UPDATE `users` SET `money` = `money` + %u WHERE (`userid` = %u)", $_POST['cash'], $_GET['ID']));
        // Show the recipient's name here, not their last IP address.
        echo sprintf("You sent \$%s to %s.", number_format($_POST['cash']), stripslashes(htmlspecialchars($er['username'])));
        event_add($_GET['ID'], "You received \${$_POST['cash']} from {$ir['username']}.");
        $db->query(sprintf("INSERT INTO `cashxferlogs` VALUES ('', %u, %u, %u, %u, '%s', '%s')", $userid, $_GET['ID'], $_POST['cash'], time(), $ir['lastip'], $er['lastip']));
    } else {
        echo "<h3>Sending Money</h3>
You are sending money to <b>".stripslashes(htmlspecialchars($er['username']))."</b>.
You have <b>\$".number_format($ir['money'])."</b> you can send.
<form action='send.php?action=sendcash&ID=".$_GET['ID']."' method='post'>
Amount: <input type='text' name='cash' />
<input type='submit' value='Send' />
</form>";
        // The sender's five most recent cash transfers.
        echo "<h3>Latest 5 Transfers</h3>
<table class='table' width='75%' border='2'>
<tr>
<th>Time</th>
<th>User From</th>
<th>User To</th>
<th>Amount</th>
</tr>";
        $selectTransfers = sprintf(
            "SELECT cx.*, u1.username AS sender, u2.username AS receiver " .
            "FROM cashxferlogs cx " .
            "LEFT JOIN users u1 ON (cx.cxFROM = u1.userid) " .
            "LEFT JOIN users u2 ON (cx.cxTO = u2.userid) " .
            "WHERE (cx.cxFROM = %u) " .
            "ORDER BY cx.cxTIME DESC LIMIT 5", $userid);
        $queryTransfers = $db->query($selectTransfers);
        while($log = $db->fetch_row($queryTransfers)) {
            echo "<tr>";
            echo sprintf("<td>%s</td>", date("F j, Y, g:i:s a", $log['cxTIME']));
            echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $log['cxFROM'], stripslashes(htmlspecialchars($log['sender'])), number_format($log['cxFROM']));
            echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $log['cxTO'], stripslashes(htmlspecialchars($log['receiver'])), number_format($log['cxTO']));
            echo sprintf("<td>\$%s</td>", number_format($log['cxAMOUNT']));
            echo "</tr>";
        }
        echo "</table>";
    }
}

$h->endpage();
?>
-
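Every transfer function in the posted send.php does a SELECT to read the balance, compares it in PHP, and then runs two separate UPDATEs. Two requests for the same sender that arrive at the same moment can both pass the comparison before either debit is written, so the balance check alone does not stop a double spend. The following is an added example, not code from the posted send.php or from MCCodes: it makes the bank transfer atomic by putting the balance check into the debit's WHERE clause and wrapping debit, credit and log in one transaction. It assumes a PDO connection $pdo (in PDO::ERRMODE_EXCEPTION mode, on InnoDB tables) to the same `users` (userid, bankmoney) and `bankxferlogs` tables the post writes to, with bankxferlogs' columns in the order the post's INSERT uses; the function and parameter names are ours.

```php
<?php
// Added example (not the posted code): atomic bank transfer for the MCCodes
// `users` / `bankxferlogs` tables. Assumes $pdo is a PDO connection with
// PDO::ATTR_ERRMODE set to PDO::ERRMODE_EXCEPTION and InnoDB tables, so that
// a failed statement throws and the transaction can be rolled back.

function transferBank(PDO $pdo, int $fromId, int $toId, int $amount, string $fromIp, string $toIp): bool
{
    if ($amount <= 0 || $fromId === $toId) {
        return false;
    }

    $pdo->beginTransaction();
    try {
        // Balance check and debit in ONE statement. The WHERE clause is the
        // check, so a second request racing through cannot see the old balance.
        // A bankmoney of -1 ("no account" in the posted code) can never satisfy
        // `bankmoney >= :minimum` because $amount is positive.
        $debit = $pdo->prepare(
            'UPDATE `users` SET `bankmoney` = `bankmoney` - :amt
             WHERE `userid` = :id AND `bankmoney` >= :minimum'
        );
        $debit->execute([':amt' => $amount, ':id' => $fromId, ':minimum' => $amount]);
        if ($debit->rowCount() !== 1) {
            $pdo->rollBack();
            return false; // no such sender, or not enough in the bank
        }

        // Credit only a recipient that exists AND has a bank account; otherwise
        // the money would vanish or land on the -1 sentinel. A failed credit
        // rolls the debit back as well.
        $credit = $pdo->prepare(
            'UPDATE `users` SET `bankmoney` = `bankmoney` + :amt
             WHERE `userid` = :id AND `bankmoney` <> -1'
        );
        $credit->execute([':amt' => $amount, ':id' => $toId]);
        if ($credit->rowCount() !== 1) {
            $pdo->rollBack();
            return false; // no such recipient, or no bank account
        }

        // Same column order as the post's INSERT: id, from, to, amount, time,
        // sender IP, recipient IP, type.
        $log = $pdo->prepare(
            'INSERT INTO `bankxferlogs` VALUES (NULL, :from, :to, :amt, :time, :fromip, :toip, :type)'
        );
        $log->execute([
            ':from' => $fromId, ':to' => $toId, ':amt' => $amount,
            ':time' => time(), ':fromip' => $fromIp, ':toip' => $toIp, ':type' => 'bank',
        ]);

        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Usage from a sendbank()-style handler, once the form input has been
// normalised as in the posted file ($_GET['ID'] and $_POST['points'] are ints):
// if (transferBank($pdo, $userid, $_GET['ID'], $_POST['points'], $ir['lastip'], $er['lastip'])) {
//     event_add($_GET['ID'], "You received \$" . number_format($_POST['points']) . " into your bank account from " . $ir['username'] . ".");
// } else {
//     echo "Transfer failed: check the amount and the recipient.";
// }
```

The two rowCount() checks are what make this safe: a debit that matched no row means the sender could not afford it (or does not exist), and a credit that matched no row means the recipient is missing or has no account, and in both cases nothing has been committed. Distinct placeholder names (:amt and :minimum) are used because PDO with native prepares does not allow the same named parameter twice in one statement.
-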
Dante, from the Devil May Cry (DMC) series.. I've also played this game too, it offers decent challenges to those old and new to this game.
-
Edit the BBCode Engine that comes standard with MC Craps v2 to include images - read up on basic RegEx to see in detail how it works, or simply learn from the code itself (as I did ;))
-
The IP address is normally inserted into the database - users table, lastip* column. It's a string that can be changed by the user who knows what they're doing. Escaping the incoming data would be a good practice ;) * = lastip, lastip_login, lastip_signup
-
Perhaps more than x amount of players found stretch the page ;) I've done it on my game ;)
-
Events,and mail Counts do not update
Magictallguy replied to Lotan Kane's topic in General Discussion
Something isn't updating the database. Check all your queries, make sure they are updating what they're supposed to. If not, you could always use a SELECT COUNT() query.
-
If people cannot install their own game, they shouldn't have one.. When I first started, I knew nothing about coding, but I still managed to successfully run an installer
-
This is gonna sound odd coming from me... sprintf() doesn't really do that much (unless using numbers - because it DOES help to secure numbers when using the correct operators).. Yeah, I know, I'm really not the person to talk to about using sprintf() (considering my so-called overuse of it), but it's a personal preference, it does what I need, and I like it ^.^
-
Thanks for the offer, but I have received 8 more like it! It's not the hosting that is the problem, but getting my hands on an up-to-date backup. Due to my circumstances at the time, I was unable to get anything online..
-
http://snipplr.com/view/25649/zebra-table/ - 5 second Google search.. Alternate Table Rows - 5 second MWG search :)
-
Those snippets look fine to me, please post at least 10 lines either of each line posted.
-
time_format() is mine ;)
-
I play guitar, let's sing Kum Ba Yah :D SHAD, I'm trying to get it back up. Haunted Dawg sold the server - without notifying my first - and the guy he sold it to couldn't keep up with payments. Now I have to pay $170 (£105) to get my site from someone else's mistake! -.-
-
Cheeky bish, I've known AlabamaHit for a while..
-
That he is. Speaking of which.. AH, add me! MSN: [email protected]
-
Do *not* remove the die() statement - you want to know if your script isn't working.. All you need to do is make sure that the database is installed correctly, and all data in the configuration file matches (v1: mysql.php | v2: config.php)
-
Game Projects - Putting together a long term game development team
Magictallguy replied to Agon's topic in General
You sound like you have a plan and a pretty decent head on your shoulders. I'm happy to be part of the team should you wish to accept me :)
-
WooP, I got mentioned again! :D Thanks for the compliment :)
-
2 to 3 months before you're a decent developer? I doubt it..

LMAO I know right Listen here is your steps.
1. Learn PHP before making a game (ETA before you're decent: could be 2/3 months)
2. Learn CSS, HTML, (x)HTML (ETA before you're decent: could be 2/3 months also)
Then buy a .com or get a free host at either http://ej.am, http://cxr.cc or http://host2x.com
Then you upload the files. Install your game. Do the crons. Secure your game, Start adding items, weapons and etc. Get members
Make money from the game <-- most people with MCC games don't make money unless it's developed really good
That's my tutorial on how to do it. You're welcome ;)
EDIT: **-I wasn't flaming him in any way. I was just telling nicely-**
-
Played and completed. I think it's a pretty decent game, entailing different challenges.
-
A few criticisms, then I'll answer your question :P

Using str_replace() to remove the < and >, and then using strip_tags()? htmlspecialchars() is best used for output if you want to minimise what goes into your database. printf() isn't required for normal strings (no variables), or strings that you don't intend to format properly ;)

What I'd do:

1st code:
function mres($str) {
    global $connection_identifier; // the mysql_connect() link resource
    return trim(mysql_real_escape_string($str, $connection_identifier));
}

2nd code:
printf("Your current name is %s ", stripslashes(htmlspecialchars($get_name['users_name'])));

3rd code:
// Escaped name goes into the '%s' slot, the user ID into %u.
$clean_name_input = sprintf("UPDATE users SET users_name = '%s' WHERE users_id = %u", mres($_POST['do_name']), $user);
$db->query($clean_name_input);
printf('Your name has just been changed to %s', htmlspecialchars($_POST['do_name']));

Still secure, done properly, won't eat as much space on your database..

To answer your question; it didn't escape the apostrophe because there was no apostrophe - only its HTML entity " When assigning ENT_NOQUOTES to htmlspecialchars(), it'll do that :P
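The reply above (escape on the way into the database, htmlspecialchars() on the way out) and the earlier point about the lastip columns (the address comes from the client and is just a string, so it needs to be treated as untrusted input) are the same idea applied to two fields. As an added example, not the poster's code and not MCCodes', here is that idea with bound parameters instead of mysql_real_escape_string(), plus validation of the IP before it is stored. It assumes a PDO connection $pdo, the asker's users_id / users_name columns, MCCodes' lastip column on the same table, and the function names are ours.

```php
<?php
// Added example (not the poster's code): name change and last-IP update done
// with PDO prepared statements. Assumes $pdo is a PDO connection and that the
// `users` table has users_id, users_name (from the reply) and lastip (MCCodes).

function isValidName(string $name): bool
{
    // Whitelist the shape of a username: 3-20 letters, digits or underscores.
    // Anything else is refused before it reaches the database at all.
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $name);
}

function changeName(PDO $pdo, int $userId, string $newName): bool
{
    if (!isValidName($newName)) {
        return false;
    }
    // Bound parameters replace mres()/mysql_real_escape_string(): the value is
    // sent separately from the SQL text, so quoting is never our job.
    // (rowCount() would be 0 when the new name equals the old one, so the
    // execute() result is what we report.)
    $stmt = $pdo->prepare('UPDATE users SET users_name = ? WHERE users_id = ?');
    return $stmt->execute([$newName, $userId]);
}

function recordLoginIp(PDO $pdo, int $userId, ?string $candidate): bool
{
    // $candidate is whatever the request presented as the client address
    // ($_SERVER['REMOTE_ADDR'], or a proxy header you have chosen to trust).
    // It is attacker-influenced text: validate that it really is an IP before
    // storing it, and bind it rather than interpolating it.
    if ($candidate === null || filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET lastip = ? WHERE users_id = ?');
    return $stmt->execute([$candidate, $userId]);
}

function nameForHtml(string $name): string
{
    // Escape once, on output, with quotes included so the value is safe inside
    // attributes as well as between tags.
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Usage inside a request handler (assumed variables: $pdo, $userId):
// $wanted = $_POST['do_name'] ?? '';
// if (changeName($pdo, $userId, $wanted)) {
//     printf('Your name has just been changed to %s', nameForHtml($wanted));
// } else {
//     echo 'That name is not allowed.';
// }
// recordLoginIp($pdo, $userId, $_SERVER['REMOTE_ADDR'] ?? null);
```

The split matters: validation (isValidName, FILTER_VALIDATE_IP) decides what values are acceptable, binding keeps whatever is stored from being parsed as SQL, and nameForHtml() keeps it from being parsed as HTML when displayed. None of the three substitutes for the others, which is why stripping < and > before storage, as the asker did, is not what protects the page.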
-
Mysql 500 + queries?
Magictallguy replied to gurpreet's topic in MySQL, Oracle, Postgress or other DB
Ah, I didn't know that. Well, you learn something everyday xD