MakeWebGames

Magictallguy

Everything posted by Magictallguy

  1. If people cannot install their own game, they shouldn't have one.. When I first started, I knew nothing about coding, but I still managed to successfully run an installer
  2. This is gonna sound odd coming from me... sprintf() doesn't really do that much (unless using numbers - because it DOES help to secure numbers when using the correct operators).. Yeah, I know, I'm really not the person to talk to about using sprintf() (considering my so-called overuse of it), but it's a personal preference, it does what I need, and I like it ^.^
  3. Thanks for the offer, but I have received 8 more like it! It's not the hosting that is the problem, but getting my hands on an up-to-date backup. Due to my circumstances at the time, I was unable to get anything online..
  4. http://snipplr.com/view/25649/zebra-table/ - 5 second Google search.. Alternate Table Rows - 5 second MWG search :)
  5. Those snippets look fine to me, please post at least 10 lines either of each line posted.
  6. time_format() is mine ;)
  7. I play guitar, let's sing Kum Ba Yah :D SHAD, I'm trying to get it back up. Haunted Dawg sold the server - without notifying me first - and the guy he sold it to couldn't keep up with payments. Now I have to pay $170 (£105) to get my site from someone else's mistake! -.-
  8. Cheeky bish, I've known AlabamaHit for a while..
  9. That he is. Speaking of which.. AH, add me! MSN: [email protected]
  10. Do *not* remove the die() statement - you want to know if your script isn't working.. All you need to do is make sure that the database is installed correctly, and all data in the configuration file matches (v1: mysql.php | v2: config.php)
  11. You sound like you have a plan and a pretty decent head on your shoulders. I'm happy to be part of the team should you wish to accept me :)
  12. WooP, I got mentioned again! :D Thanks for the compliment :)
  13. 2 to 3 months before you're a decent developer? I doubt it.. LMAO I know right Listen here are your steps. 1. Learn PHP before making a game (ETA before you're decent: could be 2/3 months) 2. Learn CSS, HTML, (x)HTML (ETA before you're decent: could be 2/3 months also) Then buy a .com or get a free host at either http://ej.am, http://cxr.cc or http://host2x.com Then you upload the files. Install your game. Do the crons. Secure your game, Start adding items, weapons and etc. Get members Make money from the game <-- most people with MCC games don't make money unless it's developed really well That's my tutorial on how to do it. You're welcome ;) EDIT: **-I wasn't flaming him in any way. I was just telling nicely-**
  14. Played and completed. I think it's a pretty decent game, entailing different challenges.
  15. A few criticisms, then I'll answer your question :P Using the str_replace() to remove the < and >, and then using strip_tags()? htmlspecialchars() is best used for output if you want to minimise what goes into your database. printf() isn't required for normal strings (no variables), or strings that you don't intend to format properly ;) What I'd do:
      1st code:
          function mres($str) {
              // $connection_identifier is the MySQL link resource your script opened
              return trim(mysql_real_escape_string($str, $connection_identifier));
          }
      2nd code:
          printf("Your current name is %s ", stripslashes(htmlspecialchars($get_name['users_name'])));
      3rd code:
          // Arguments follow the placeholders: %s takes the escaped name, %u takes the user id
          $clean_name_input = sprintf("UPDATE users SET users_name = '%s' WHERE users_id = %u", mres($_POST['do_name']), $user);
          $db->query($clean_name_input);
          printf('Your name has just been changed to %s', htmlspecialchars($_POST['do_name']));
      Still secure, done properly, won't eat as much space on your database.. To answer your question; it didn't escape the apostrophe because there was no apostrophe - only its HTML entity " When assigning ENT_NOQUOTES to htmlspecialchars(), it'll do that :P
  16. Ah, I didn't know that. Well, you learn something everyday xD
  17. Code posted, thanks to Djkanna for finding it for me xD

      <?php
      //Crystal Market, free for Dev Forum
      //Copyright (c), 2009 Magictallguy
      //Not for resale
      //If you don't understand it, leave it alone
      include(dirname(__FILE__) . '/globals.php');
      echo "<h3>Crystal Market</h3>";
      // Normalise the request parameters once, up front: actions become lower-cased strings,
      // the listing ID becomes a non-negative integer, anything else becomes false
      $_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : false;
      $_GET['act2'] = isset($_GET['act2']) && is_string($_GET['act2']) ? strtolower(trim($_GET['act2'])) : false;
      $_GET['ID'] = isset($_GET['ID']) && is_numeric($_GET['ID']) ? abs(@intval($_GET['ID'])) : false;
      switch($_GET['action']) {
          case 'add':
              add_listing();
              break;
          case 'remove':
              remove_listing();
              break;
          case 'buy':
              buy_crystals();
              break;
          default:
              index();
              break;
      }

      function index() {
          global $db, $userid;
          echo "Viewing all listings ";
          echo "<a href='cmarket.php?action=add'>Add a listing</a> ";
          echo "<table class='table' width='100%'>";
          echo "<tr>";
          echo "<th>Player</th>";
          echo "<th>Crystals</th>";
          echo "<th>Price</th>";
          echo "<th>Link</th>";
          echo "</tr>";
          $query = $db->query(
              "SELECT c.*, u.username " .
              "FROM crystalmarket c " .
              "LEFT JOIN users u ON (u.userid = c.cmADDER) " .
              "ORDER BY c.cmQTY ASC, c.cmPRICE ASC");
          if(!$db->num_rows($query)) {
              echo "<tr>";
              echo "<td colspan='4' style='text-align:center;'>There are no listings</td>";
              echo "</tr>";
          }
          while($row = $db->fetch_row($query)) {
              $total = $row['cmQTY'] * $row['cmPRICE'];
              // The owner of a listing gets a remove link, everyone else a buy link
              $link = ($row['cmADDER'] == $userid)
                  ? sprintf("<a href='cmarket.php?action=remove&ID=%u'>Remove</a>", $row['cmID'])
                  : sprintf("<a href='cmarket.php?action=buy&ID=%u'>Buy</a>", $row['cmID']);
              echo "<tr style='text-align:center;'>";
              echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", $row['cmADDER'], stripslashes(htmlspecialchars($row['username'])), number_format($row['cmADDER']));
              echo sprintf("<td style='text-align:right;'>%s</td>", number_format($row['cmQTY']));
              echo sprintf("<td style='text-align:right;'>Total: \$%s <span style='font-size:10px;'>(Each: \$%s)</span></td>", number_format($total), number_format($row['cmPRICE']));
              echo sprintf("<td>%s</td>", $link);
              echo "</tr>";
          }
          echo "</table>";
      }

      function buy_crystals() {
          global $ir, $db, $userid, $h;
          if(!$_GET['ID']) {
              echo "Listing ID not specified. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          if(!$ir['money']) {
              echo "You have no money. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          $select = sprintf("SELECT * FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']);
          $query = $db->query($select);
          if(!$db->num_rows($query)) {
              echo "This listing does not exist. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          $row = $db->fetch_row($query);
          if($row['cmADDER'] == $userid) {
              echo "You can't buy your own listing. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          $total = $row['cmQTY'] * $row['cmPRICE'];
          // How many the buyer can afford, capped at what the listing actually holds
          // (act2=buysome can arrive via the URL even when the buyer could afford the lot)
          $icanbuy = min($row['cmQTY'], (int)floor($ir['money'] / $row['cmPRICE']));
          $cost = $icanbuy * $row['cmPRICE'];
          $name = $db->fetch_single($db->query(sprintf("SELECT username FROM users WHERE (userid = %u)", $row['cmADDER'])));
          if($total > $ir['money']) {
              $_GET['act2'] = 'buysome';
          }
          if(!$icanbuy) {
              echo "You don't have enough money. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          switch($_GET['act2']) {
              case 'buysome':
                  if($ir['money'] < $row['cmPRICE']) {
                      echo "You don't have enough money. <a href='cmarket.php'>Back</a>";
                      $h->endpage();
                      exit;
                  }
                  if(!isset($_POST['buy'])) {
                      // Offer the partial purchase; the actual buy only happens on the POST confirmation
                      echo "You don't have enough money to buy all of the crystals listed. ";
                      echo sprintf("But you do have enough to buy %s crystal%s, costing you \$%s. ", number_format($icanbuy), ($icanbuy == 1) ? '' : 's', number_format($cost));
                      echo "Would you like to buy that amount instead? ";
                      echo sprintf("<form action='cmarket.php?action=buy&ID=%u&act2=buysome' method='post'>", $_GET['ID']);
                      echo "<input type='submit' name='buy' value='Yes' /> <input type='button' value='No' onclick='location.href=\"cmarket.php\"' />";
                      echo "</form>";
                  } else {
                      $update1 = sprintf("UPDATE users SET money = money - %s, crystals = crystals + %u WHERE (userid = %u)", $cost, $icanbuy, $userid);
                      $update2 = sprintf("UPDATE users SET money = money + %s WHERE (userid = %u)", $cost, $row['cmADDER']);
                      $update3 = sprintf("UPDATE crystalmarket SET cmQTY = cmQTY - %u WHERE (cmID = %u)", $icanbuy, $_GET['ID']);
                      // Don't leave an empty listing behind if the partial buy took the last of it
                      $cleanup = sprintf("DELETE FROM crystalmarket WHERE (cmID = %u) AND (cmQTY <= 0)", $_GET['ID']);
                      $db->query($update1);
                      $db->query($update2);
                      $db->query($update3);
                      $db->query($cleanup);
                      $event = sprintf("<a href='viewuser.php?u=%u'>%s</a> bought %s of your %s crystal%s for \$%s from the crystal market", $userid, $ir['username'], number_format($icanbuy), number_format($row['cmQTY']), ($row['cmQTY'] == 1) ? '' : 's', number_format($cost));
                      event_add($row['cmADDER'], $event);
                      echo sprintf("You have bought %s crystal%s from %s for \$%s. <a href='cmarket.php'>Back</a>", number_format($icanbuy), ($icanbuy == 1) ? '' : 's', stripslashes(htmlspecialchars($name)), number_format($cost));
                  }
                  break;
              default:
                  // Buyer can afford the whole listing: move the money both ways, hand over the crystals, drop the listing
                  $update1 = sprintf("UPDATE users SET money = money - %s, crystals = crystals + %u WHERE (userid = %u)", $total, $row['cmQTY'], $userid);
                  $update2 = sprintf("UPDATE users SET money = money + %s WHERE (userid = %u)", $total, $row['cmADDER']);
                  $delete = sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']);
                  $db->query($update1);
                  $db->query($update2);
                  $db->query($delete);
                  $event = sprintf("<a href='viewuser.php?u=%u'>%s</a> bought your %s crystal%s for \$%s from the crystal market", $userid, $ir['username'], number_format($row['cmQTY']), ($row['cmQTY'] == 1) ? '' : 's', number_format($total));
                  event_add($row['cmADDER'], $event);
                  echo sprintf("You bought the %s crystal%s from %s for \$%s. <a href='cmarket.php'>Back</a>", number_format($row['cmQTY']), ($row['cmQTY'] == 1) ? '' : 's', stripslashes(htmlspecialchars($name)), number_format($total));
                  break;
          }
      }

      function remove_listing() {
          global $db, $userid, $h;
          if(!$_GET['ID']) {
              echo "Listing ID not specified. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          // The ownership check is part of the query: you can only remove a listing you added
          $select = sprintf("SELECT * FROM crystalmarket WHERE ((cmID = %u) AND (cmADDER = %u))", $_GET['ID'], $userid);
          $query = $db->query($select);
          if(!$db->num_rows($query)) {
              echo "Either this listing does not exist, or you don't own it. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          $row = $db->fetch_row($query);
          $update = sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)", $row['cmQTY'], $userid);
          $delete = sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']);
          $db->query($update);
          $db->query($delete);
          echo "Your crystals have been returned to you";
      }

      function add_listing() {
          global $db, $userid, $h, $ir;
          echo "<h4>Adding a listing to the Crystal Market</h4>";
          if(!$ir['crystals']) {
              echo "You don't have any crystals. <a href='cmarket.php'>Back</a>";
              $h->endpage();
              exit;
          }
          if(!isset($_POST['crystals']) || empty($_POST['price'])) {
              echo "<form action='cmarket.php?action=add' method='post'>";
              echo "<table class='table' width='50%' style='text-align:center;'>";
              echo "<tr>";
              echo "<th>Amount</th>";
              echo "<td><input type='text' name='crystals' /></td>";
              echo "</tr>";
              echo "<tr>";
              echo "<th>Price</th>";
              echo "<td><input type='text' name='price' /></td>";
              echo "</tr>";
              echo "<tr>";
              echo "<td colspan='2'><input type='submit' value='Submit' /></td>";
              echo "</tr>";
              echo "</table>";
              echo "</form>";
          } else {
              // Force both numbers to non-negative integers before comparing or using them:
              // a negative amount would pass the size check, and %u would then turn it into a huge unsigned value
              $_POST['crystals'] = abs(@intval($_POST['crystals']));
              $_POST['price'] = abs(@intval($_POST['price']));
              if(!$_POST['crystals']) {
                  echo "You didn't enter a valid amount. <a href='cmarket.php'>Back</a>";
                  $h->endpage();
                  exit;
              }
              if($_POST['crystals'] > $ir['crystals']) {
                  echo "You don't have enough crystals. <a href='cmarket.php'>Back</a>";
                  $h->endpage();
                  exit;
              }
              if(!$_POST['price']) {
                  echo "You didn't enter a valid price. <a href='cmarket.php'>Back</a>";
                  $h->endpage();
                  exit;
              }
              $update = sprintf("UPDATE users SET crystals = crystals - %u WHERE (userid = %u)", $_POST['crystals'], $userid);
              $insert = sprintf("INSERT INTO crystalmarket VALUES ('', %u, %u, %u)", $_POST['crystals'], $userid, $_POST['price']);
              $db->query($update);
              $db->query($insert);
              echo "Your listing has been added to the market. <a href='cmarket.php'>Back</a>";
          }
      }
      $h->endpage();
      ?>
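An added example (mine, not Magictallguy's or the forum's code) for the sprintf() point in post 2 and the amount check in add_listing() in post 17: what %u does to a quantity that has only been size-compared against the player's balance, beside a hypothetical read_quantity() helper that validates the range before the number ever reaches SQL. The inputs are constructed.

```php
<?php
// Added example, not code from the original post: sprintf('%u') coerces, it does not
// validate. A quantity that has only been compared against what the player owns can
// still be negative, zero or fractional by the time it reaches the UPDATE.

// Hypothetical helper: accept a plain decimal integer string within [1, $max] only.
// Signs, spaces, exponents, decimals and trailing junk are all rejected up front.
function read_quantity($raw, $max) {
    if (!is_string($raw) || !preg_match('/^[1-9][0-9]*$/', $raw)) {
        return null;
    }
    // Digits only, but possibly more of them than PHP_INT_MAX has: reject by length
    // before casting so the cast cannot overflow to a float.
    if (strlen($raw) > strlen((string) PHP_INT_MAX)) {
        return null;
    }
    $qty = (int) $raw;
    return ($qty >= 1 && $qty <= $max) ? $qty : null;
}

// The weak pattern: a bare "more than you own?" comparison, then %u in the SQL.
// Returns the statement that would be run, or 'rejected'.
function legacy_check($raw, $owned) {
    if ($raw > $owned) {
        return 'rejected';
    }
    // On 64-bit PHP, %u prints a negative as its two's-complement unsigned value:
    // "-5" becomes 18446744073709551611, while "0" and "3.9" slip through as 0 and 3.
    return sprintf('UPDATE users SET crystals = crystals - %u', $raw);
}

// Constructed cases: a player who owns 10 crystals submits each of these as the amount.
foreach (['7', '-5', '0', '3.9', '25'] as $raw) {
    printf("%-5s legacy: %-60s validated: %s\n",
        $raw, legacy_check($raw, 10), var_export(read_quantity($raw, 10), true));
}
```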
  18. That code is heavily insecure, I would suggest securing that before uploading it.
  19. As an option to hosts without crons - use either MySQL events or timestamps. (Or "Cronless Crons" as I call them).. As for hosting, find yourself a decent host (paid would be preferable, as you really do get what you pay for when looking for hosting), and learn to code.
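The timestamp flavour of the "cronless cron" mentioned above, as an added example that is not Magictallguy's code: it assumes a hypothetical cron_state table keyed by job name, uses an in-memory SQLite database in place of MySQL so it runs offline, and the energy job plus its fixture rows are constructed.

```php
<?php
// Added example, not code from the original post: a timestamp-based "cronless cron".
// State lives in a hypothetical cron_state(name, last_run) table; SQLite stands in for MySQL.
function run_timestamp_cron(PDO $pdo, $name, $interval, callable $job, $now) {
    $q = $pdo->prepare('SELECT last_run FROM cron_state WHERE name = ?');
    $q->execute([$name]);
    $last = (int) $q->fetchColumn();
    if ($last === 0) {
        // First sighting of this job: record "now" rather than replaying all of history
        $pdo->prepare('INSERT INTO cron_state (name, last_run) VALUES (?, ?)')->execute([$name, $now]);
        return 0;
    }
    $missed = intdiv($now - $last, $interval);   // whole intervals elapsed since the last tick
    if ($missed < 1) {
        return 0;
    }
    // Compare-and-swap on last_run: of many requests arriving in the same second, exactly one
    // UPDATE matches the old value, so the job runs once per tick rather than once per page load
    $claim = $pdo->prepare('UPDATE cron_state SET last_run = last_run + ? WHERE name = ? AND last_run = ?');
    $claim->execute([$missed * $interval, $name, $last]);
    if ($claim->rowCount() !== 1) {
        return 0;
    }
    $job($missed);
    return $missed;
}

// Constructed fixture: one player at 50/100 energy; the 5-minute tick last ran at t=1000
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE cron_state (name TEXT PRIMARY KEY, last_run INTEGER)');
$pdo->exec('CREATE TABLE users (userid INTEGER, energy INTEGER, maxenergy INTEGER)');
$pdo->exec("INSERT INTO cron_state VALUES ('energy_5min', 1000)");
$pdo->exec('INSERT INTO users VALUES (1, 50, 100)');

// The job applies all $missed ticks in one statement and caps at maxenergy, so catching up
// after downtime cannot overfill the bar (CASE instead of LEAST so it also runs on SQLite)
$energy_tick = function ($missed) use ($pdo) {
    $pdo->prepare('UPDATE users SET energy = CASE WHEN energy + 10 * ? > maxenergy'
        . ' THEN maxenergy ELSE energy + 10 * ? END')->execute([$missed, $missed]);
};

// Called from a file every page includes (globals.php in this kind of game); here driven by hand
$ran = run_timestamp_cron($pdo, 'energy_5min', 300, $energy_tick, 1000 + 1300);   // 4 ticks due
$again = run_timestamp_cron($pdo, 'energy_5min', 300, $energy_tick, 1000 + 1300); // nothing due
$energy = $pdo->query('SELECT energy FROM users WHERE userid = 1')->fetchColumn();
printf("ticks run: %d, immediate rerun: %d, energy now: %d\n", $ran, $again, $energy);
```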
  20. If you don't have an auto_increment (though why you wouldn't is beyond me), you can use LAST_INSERT_ID(). It's a good MySQL function that works similar, in principle, to an auto_increment
  21. SQL/HTML injections, XSS attacks, etc. What hacks exactly do you secure each file from?
  22. I'm creating one for you as we speak :P
  23. I'm not too bothered. Unless I claim copyright of it with a notice somewhere, they can do what they like with the code. Security is pretty easy to learn, just time-consuming - which is why I charge for security/recodes
  24. I have already created this and posted on Dev Forum (currently down - server issues). Once it's back up, I'll link you (saves me coding it out again)
  25. Once I secure a code, they can do whatever they like with it, it's their code.. I don't give much of a flying biscuit about it xD