Everything posted by Magictallguy
-
[mccode v2] Updated Display Pic System
Magictallguy replied to Richard's topic in Free Modifications
Re: Updated Display Pic System [V2] Why you're viewuser? It goes into your Preferences... -
Re: Cheats May post a secure forums soon :)
-
[mccode] Flash header all Versions of MCC
Magictallguy replied to Uridium's topic in Free Modifications
Re: [mod] Flash header all Versions of MCC Well I like it! Just gotta be careful about copyright issues. I'll do some checking later -
Re: learning mysql_real_escape_string just need to verify. Looks good to me Killah :)
-
Re: Mccode username

$_POST['username'] = htmlentities(mysql_real_escape_string($_POST['username']));

Use that
-
Re: learning mysql_real_escape_string just need to verify. I know, I put that last night. Then, an hour later, I realised I was wrong lol
-
Re: learning mysql_real_escape_string just need to verify.

echo $user['signature']; // insecure, the data in the database may contain html
echo mysql_real_escape_string(htmlentities($user['signature'])); // NOW secure, the html being displayed is now replaced with entities and all quote marks and apostrophes are escaped

You'd use it for any string that's likely to be outputted, so let's say, for profile sig, they input <script>alert("xss")</script> This would be XSS. I normally escape the HTML when it's fetched from the DB, though some replace HTML before it actually enters the database. So.. to secure this, it's pretty simple...

echo $user['signature']; // insecure, the data in the database may contain html
echo htmlentities($user['signature']); // secure, the html being displayed is now replaced with entities

More info: http://uk3.php.net/htmlentities
-
Blow members minds with the ULTIMATE explore page
Magictallguy replied to Uridium's topic in General Discussion
Re: Blow members minds with the ULTIMATE explore page Sounds like the perfect program! What's the downside? -
Re: Cheats A secure cmarket.php for you too ;)

Crystal Market - cmarket.php

<?php
include("globals.php");
echo ("<h3>Crystal Market</h3>");
//-----------
// Integer-cast the listing ID once, before any query can see it
$_GET['ID'] = abs(@intval($_GET['ID']));
//-----------
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : "";
//-----------
switch($_GET['action']) {
    case "buy": crystal_buy(); break;
    case "remove": crystal_remove(); break;
    case "add": crystal_add(); break;
    default: cmarket_index(); break;
}

function cmarket_index() {
    global $db,$ir,$c,$userid,$h;
    print "<a href='cmarket.php?action=add'>> Add A Listing</a>
    Viewing all listings...
    <table width='95%' cellspacing='2' cellpadding='2' class='table' border='1'>
    <tr style='background:gray'>
        <th>Adder</th>
        <th>Qty</th>
        <th>Price each</th>
        <th>Price total</th>
        <th>Links</th>
    </tr>";
    $SELECT_ALL_NEEDED_INFO_INSTEAD_OF_JUST_EVERYTHING_AS_THAT_IS_VERY_STUPID = (
        "SELECT cm.*, u.userid, u.username " .
        "FROM crystalmarket AS cm " .
        "LEFT JOIN users AS u ON (u.userid = cm.cmADDER) " .
        "ORDER BY cmPRICE/cmQTY ASC"
    );
    $q = $db->query($SELECT_ALL_NEEDED_INFO_INSTEAD_OF_JUST_EVERYTHING_AS_THAT_IS_VERY_STUPID);
    while($r=$db->fetch_row($q)) {
        $link = ($r['cmADDER'] == $userid)
            ? sprintf("<a href='cmarket.php?action=remove&ID=%u'>Remove</a>", $r['cmID'])
            : sprintf("<a href='cmarket.php?action=buy&ID=%u'>Buy</a>", $r['cmID']);
        // max(1, ...) stops a zero quantity row from dividing by zero
        $each = abs(@intval($r['cmPRICE'])) / max(1, abs(@intval($r['cmQTY'])));
        echo ("<tr>");
        echo sprintf("<td style='text-align:center;'><a href='viewuser.php?u=%u'>%s</a> [%s]</td>", intval($r['userid']), htmlentities($r['username']), number_format($r['userid']));
        echo sprintf("<td style='text-align:right;'>%s</td>", number_format($r['cmQTY']));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($each));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($r['cmPRICE']));
        echo sprintf("<td style='text-align:center;'>[%s]</td>", $link);
        echo ("</tr>");
    }
    echo ("</table>");
}

function crystal_remove() {
    global $db,$ir,$c,$userid,$h;
    // cmADDER=$userid is the ownership check: you can only pull your own listing
    $q=$db->query("SELECT * FROM crystalmarket WHERE cmID={$_GET['ID']} AND cmADDER=$userid");
    if(!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or you are not the owner. <a href='cmarket.php'>> Back</a>");
    }
    $r=$db->fetch_row($q);
    $UpdateUsers = sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)", $r['cmQTY'], $userid);
    // Listings live in crystalmarket, not crystals (table name fixed)
    $DeleteFromCM = sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']);
    $db->query($UpdateUsers);
    $db->query($DeleteFromCM);
    print "Crystals removed from market! <a href='cmarket.php'>> Back</a>";
}

function crystal_buy() {
    global $db,$ir,$c,$userid,$h;
    $q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID={$_GET['ID']}");
    if(!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or they have already been bought. <a href='cmarket.php'>> Back</a>");
    }
    $r=$db->fetch_row($q);
    if($r['cmPRICE'] > $ir['money']) {
        die("Error, you do not have the funds to buy these crystals. <a href='cmarket.php'>> Back</a>");
    }
    $GiveCrystals = sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)", $r['cmQTY'], intval($userid));
    $DeleteCMEntry = sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']);
    $TakeMoney = sprintf("UPDATE users SET money = money - %u WHERE (userid = %u)", intval($r['cmPRICE']), intval($userid));
    $GiveMoney = sprintf("UPDATE users SET money = money + %u WHERE (userid = %u)", intval($r['cmPRICE']), intval($r['cmADDER']));
    $db->query($GiveCrystals);
    $db->query($DeleteCMEntry);
    $db->query($TakeMoney);
    $db->query($GiveMoney);
    // htmlentities() on the username: the event text is later rendered as HTML
    // (typo "htmlentites" fixed; intval(number_format()) dropped, it truncated IDs at the first comma)
    $CrystalsBoughtEvent = sprintf("<a href='viewuser.php?u=%u'>%s</a> [%s] bought your %s crystals from the market. You received %s as payment in full", intval($userid), htmlentities($ir['username']), number_format($userid), number_format($r['cmQTY']), number_format($r['cmPRICE']));
    event_add($r['cmADDER'], $CrystalsBoughtEvent);
    echo sprintf("You bought the %s crystals from the market for \$%s.", intval($r['cmQTY']), number_format($r['cmPRICE']));
}

function crystal_add() {
    global $db,$ir,$c,$userid,$h;
    $_POST['amnt'] = abs(@intval($_POST['amnt']));
    $_POST['price'] = abs(@intval($_POST['price']));
    if($_POST['amnt']) {
        if($_POST['amnt'] > $ir['crystals']) {
            die ("You are trying to add more crystals to the market than you have.");
        }
        $tp = $_POST['amnt'] * $_POST['price'];
        $CreateListing = sprintf("INSERT INTO crystalmarket VALUES ('', %u, %u, %u)", $_POST['amnt'], intval($userid), $tp);
        $DockCrystals = sprintf("UPDATE users SET crystals = crystals - %u WHERE (userid = %u)", $_POST['amnt'], intval($userid));
        $db->query($CreateListing);
        $db->query($DockCrystals);
        print "Crystals added to market! <a href='cmarket.php'>> Back</a>";
    } else {
        echo ("<b>Adding a listing...</b> ");
        $s = ($ir['crystals'] == 1) ? "" : "s";
        echo sprintf("You have <b>%s</b> crystal%s that you can add to the market.", number_format($ir['crystals']), $s);
        echo ("<form action='cmarket.php?action=add' method='post'>");
        echo ("<table width=50% border=2>");
        echo ("<tr>");
        echo ("<td>Crystals:</td>");
        echo sprintf("<td><input type='text' name='amnt' value='%u' /></td>", intval($ir['crystals']));
        echo ("</tr>");
        echo ("<tr>");
        echo ("<td>Price Each:</td>");
        echo ("<td><input type='text' name='price' /></td>");
        echo ("</tr>");
        echo ("<tr>");
        echo ("<td colspan=2 align=center><input type='submit' value='Add To Market' /></td>");
        echo ("</tr>");
        echo ("</table>");
        echo ("</form>");
    }
}
$h->endpage();
?>

Edit: Removed an include() where it's not needed
-
Re: Cheats SQL Injection into the cmarket.php most likely. Unless you know how to secure your game, I'd suggest removing your forums too. Add this into your header for a quick fix.

$_GET['ID'] = abs(@intval($_GET['ID']));
$_GET['viewtopic'] = abs(@intval($_GET['viewtopic']));
$_GET['viewforum'] = abs(@intval($_GET['viewforum']));
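As an added example (not code from any post on this page), the two fixes discussed in these threads side by side: the header quick fix above generalised to any list of integer query-string keys, and the signature output escaping from the htmlentities post. The function names, the sample $_GET values and the sample signature are constructed for the demo.

```php
<?php
// Added example, not from the posts above: the header quick fix generalised to
// a list of integer query-string keys, plus output escaping for a signature.

// Every listed key ends up as a non-negative int (0 when absent or garbage),
// so "{$_GET['ID']}" interpolated into SQL can only ever be a number.
function clean_int_params(array $params, array $keys): array
{
    foreach ($keys as $k) {
        $params[$k] = isset($params[$k]) ? abs((int) $params[$k]) : 0;
    }
    return $params;
}

// Callers should still treat 0 as "no valid ID" instead of querying for it.
function valid_id(int $id): bool
{
    return $id > 0;
}

// Escape at render time, not on the way into the database: the stored text is
// kept as typed, the browser receives entities instead of tags.
// ENT_QUOTES also encodes single quotes, which htmlentities() alone leaves as-is.
function render_signature(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-ins for $_GET and a users row (no real request involved).
$fakeGet = ['ID' => '7 OR 1=1', 'viewtopic' => '-12', 'action' => 'buy'];
$fakeGet = clean_int_params($fakeGet, ['ID', 'viewtopic', 'viewforum']);
foreach (['ID', 'viewtopic', 'viewforum'] as $k) {
    printf("%-10s => %d (%s)\n", $k, $fakeGet[$k], valid_id($fakeGet[$k]) ? 'usable' : 'reject');
}

$fakeUser = ['signature' => '<script>alert("xss")</script>'];
echo render_signature($fakeUser['signature']), "\n";
```

The ID stand-in collapses to 7 and the negative topic ID to 12, while the missing viewforum becomes 0 and is rejected rather than looked up.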
-
Re: Free 2 - Gym HAHA!! Oh Nyna you make me laugh 'tis always a good idea!
-
Re: User Rating Also pretty easy to spoof with decent IP tools... Deletion of the installer.php lessens the need for work. Why not just re-upload it when you need it (which shouldn't be ever if you do it right)! ummm...you do know that u could keep the installer up and just make it where only ur ip can do it? I've seen games like that, like this one game I play has certain stuff, like he can choose to run his crons manually with one click but only his ip and his coder's can do it. This is really quite simple to do. yes XD just like a simple few lines of code, bam, all ip's except the one ur running is workable with that feature/mod
-
Re: V2 Staff Applications! Slightly better version

staff.php additions:

<?php /* Be sure to remove the php tags! */
function app_view() {
    global $db,$ir,$c,$h,$userid;
    print "<h3>Staff Applications</h3>
    <font color=blue>
    This is where you may accept and/or decline users' staff applications!
    Please be sure that staff concur with each other that a new member should be added to staff!
    <table width=80%>
    <tr style='background:gray'>
        <th>Applicant ID</th>
        <th>Position</th>
        <th>Application</th>
        <th>Links</th>
    </tr>";
    $q = $db->query(
        "SELECT s.*, u.username, u.userid " .
        "FROM staffapps AS s " .
        "LEFT JOIN users AS u ON (s.applicant = u.userid) " . // the concatenation dot was missing here, which is a parse error
        "ORDER BY s.appID DESC",$c) or die(mysql_error());
    while($r=$db->fetch_row($q)) {
        if($r['position'] == 2) { $position = "Admin"; }
        else if($r['position'] == 3) { $position = "Secretary"; }
        else if($r['position'] == 5) { $position = "Assistant"; }
        else { $position = "Unknown"; }
        echo ("<tr>");
        // Username and application text are applicant-supplied, so entity-encode them before they reach a staff member's browser
        echo sprintf("<td><a href='viewuser.php?u=%u'>%s</a> [%u]</td>", $r['applicant'], htmlentities($r['username']), $r['applicant']);
        echo sprintf("<td>%s</td>", $position);
        echo sprintf("<td>%s</td>", nl2br(htmlentities($r['application'])));
        echo sprintf("<td><a href='staff.php?action=appaccept&ID=%u&user=%u&staff=%u'><font color=blue>Accept</font></a> ", $r['appID'], $r['applicant'], $r['position']);
        echo sprintf("<a href='staff.php?action=appdeny&ID=%u&user=%u'><font color=red>Decline</font></a> </td>", $r['appID'], $r['applicant']);
        echo ("</tr>");
    }
    print "</table> ";
}

function app_accept() {
    global $db,$ir,$c,$h,$userid;
    $_GET['ID'] = abs((int) $_GET['ID']);
    // user and staff come from the query string too; cast them so they cannot carry anything but a number into the queries
    $_GET['user'] = abs((int) $_GET['user']);
    $_GET['staff'] = abs((int) $_GET['staff']);
    $db->query("DELETE FROM staffapps WHERE appID={$_GET['ID']}",$c);
    $db->query("UPDATE users SET user_level='{$_GET['staff']}' WHERE userid='{$_GET['user']}'",$c);
    $db->query("INSERT INTO mail VALUES('', '0', 'System', '{$_GET['user']}', unix_timestamp(),'Your Staff Application' ,'Congratulations, your application has been reviewed and you are now a staff member. Please view our rules so you do not lose this job.')",$c);
    print "Application Accepted <a href='admin.php?action=appview'>> Back</a>";
}

function app_deny() {
    global $db,$ir,$c,$h,$userid;
    $_GET['ID'] = abs((int) $_GET['ID']);
    $_GET['user'] = abs((int) $_GET['user']);
    $db->query("DELETE FROM staffapps WHERE appID={$_GET['ID']}",$c);
    $db->query("INSERT INTO mail VALUES('', '0', 'System', '{$_GET['user']}', unix_timestamp(),'Your Staff Application' ,'Our staff has reviewed your staff application and unfortunately we feel you are not qualified to be a staff member. Feel free to fill in another application.')",$c);
    print "Application Denied <a href='admin.php?action=appview'>> Back</a>";
}
/* Be sure to remove the php tags! */ ?>
-
Re: Have mails dont show Are you attempting to send a mass mail via the staff panel? If so, then it won't update unless you edit the code and tell it to update!
-
Re: Main Menu I hate IE anyway :P and reading through what you said now makes more sense to me than it did when you first posted it... Thanks again :) Hmm... I suggest you read up on CSS selectors MTG. IDs are required to be unique within a page, however classes may be shared. Making basic assumptions here can cause a lot of problems later on down the line. Learn the basic CSS standards (which are of course generally ignored by Internet Explorer - but that's something you will have to live with).
-
Re: Burn House for V2

$db->query(sprintf("UPDATE `users` SET `money` = `money` + '%d', `warehouse` = `warehouse` + '%d' WHERE `userid` = ('%u')", $cash, 1, $userid));
-
Re: random.php Obviously...
-
Re: Crimes give random money Looking good jamboy :)
-
Re: learning mysql_real_escape_string just need to verify. htmlentities() / htmlspecialchars() comes into play here I believe?
-
[mccode] Simplify for V1 (and make it easier to use V2 mods)
Magictallguy replied to Yuri_orlov's topic in Free Modifications
Re: Simplify for V1 (and make it easier to use V2 mods) I put

<?php
session_start();
require "global_func.php";
if($_SESSION['loggedin']==0) {
    header('Location: login.php');
    exit;
}
$userid=$_SESSION['userid'];
require "header.php";
$h = new headers;
$h->startheaders();
include "mysql.php";
global $c;
$is=mysql_query("SELECT u.*,us.*,h.*,p.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid LEFT JOIN houses h ON h.hWILL=u.maxwill LEFT JOIN persnotes p ON u.userid=p.notesID WHERE u.userid=$userid",$c) or die(mysql_error());
$ir=mysql_fetch_array($is);
check_level();
check_crimexp();
get_gamerank();
$fm=money_formatter($ir['money']);
$lv=date('F j, Y, g:i a',$ir['laston']);
$h->userdata($ir,$lv,$fm);
$h->menuarea();
?>

into a file called v1.php

I created another file called status.php

<?php
include(dirname(__FILE__) . '/v1.php');
if($ir['jail'] > 0) {
    echo sprintf("You're in jail for %s more minute%s ", number_format($ir['jail']), ($ir['jail'] == 1) ? "" : "s");
}
if($ir['hospital'] > 0) {
    echo sprintf("You're in hospital for %s more minute%s ", number_format($ir['hospital']), ($ir['hospital'] == 1) ? "" : "s");
}
?>

Then just include v1.php in every file (or leave as it is..) and include status.php in whichever files you want. Or you could change echo() into die() and include into the files you don't want your users to get into while in jail/hospital. A slightly longer way, but it works for me!
-
Re: online/offline/total users This one:

<?php //Be sure to remove this tag - I put it in because it looks nicer on here :P
$sql = "SELECT COUNT(userid) FROM users";
$rs = mysql_query($sql);
$row = mysql_fetch_array($rs);
$total_users = $row[0];
// anyone seen in the last 15 minutes (900 seconds) counts as online
$sql = sprintf("SELECT COUNT(userid) FROM users WHERE (laston > %u)", time() - 900);
$rs = mysql_query($sql);
$row = mysql_fetch_array($rs);
$users_online = $row[0];
$users_offline = $total_users - $users_online;
/* Be sure to remove this tag too!! */ ?>
-
Re: random.php Just showing the irony in telling people to learn to spell when they, evidently, can't!
-
Re: Updated Explore V.2 I'm about to make it but I won't be posting it on here due to the fact that Joker is here... We've had an interesting dispute. Anything I make will not be provided to him. Anyone who wishes to gain a copy will have to catch me on MSN or gain it via PM on here. MSN: [email protected]
-
Re: random.php Maybe you should learn to spell please. Then maybe you could re-attempt it. And I guess it wasn't bad for a first try either All words in bold are words that you spelt wrong. Have a nice day.