Akash
Members
Posts: 218
Last visited: Never
Everything posted by Akash
-
Re: [Free V2] Lottery

hmm yeah, I just happen to notice Joker is a bit stupid. Not only does he attempt to hack games but apparently he hacked some guy's email/MSN... :-P (Course he did :wink:). I get MSN messages from him saying "try n hack my game". And he thinks it's impossible...well he's wrong. LOL
-
Re: [Free V2] Lottery

It's not MCCodes? Well obviously it's not going to work then :|. Joker, I already told you on MSN that it works fine on V2, must be something you've edited elsewhere. The Jackpot goes out whenever you set it. I run that cron_weekly.php every week so the jackpot goes out weekly but you can do it daily or every few days.
-
Re: An introduction to security

Oh...I know you're not supposed to escape the maxbrave etc...well I do after I learnt a bit more after posting. I did that because I think I was so used to just escaping everything. Anyway, I have changed my ways, as you will see from my new Lottery Mod [Free] or my new paid 3 in 1 Bank :).

BTW: That query does work...because I did define everything in $db->escape...maxbrave, etc. etc. And I've also read through things like mysql_real_escape_string and sprintf a bit more...as well as echo sprintf which I learnt through one of Nyna's mods... :-)
-
Re: [Free V2] Lottery

Thanks guys :) If anyone out there is willing, please convert to V1 correctly, I've never used V1 so have no idea...as far as I know my conversion doesn't work. Thanks :)
-
This mod basically allows you to purchase up to 100 lottery tickets, which can be easily changed. Each ticket is x amount, $100 in my case, and every time a user buys a ticket, $x is added to the jackpot. Then a weekly cron chooses a random winner and credits them with the jackpot.

Please note I did create this myself :). Hope you all enjoy. Screenshots are unnecessary. I have posted for V1+V2 but not 100% sure if V1 is fully working. I'm testing it now.

For V2 ONLY!

1. Create a file called lottery.php

    <?php
    include("./globals.php");
    $cost = 100; // price of one ticket
    $tick = 100; // maximum number of tickets per user per week
    $action = isset($_GET['a']) ? $_GET['a'] : '';
    if(!$action)
    {
        // The first ticket row carries the running jackpot
        $sql = sprintf("SELECT * FROM `lottery` ORDER BY `id` LIMIT 1");
        $query = $db->query($sql);
        $row = $db->fetch_row($query);
        echo sprintf("<font color = red size = 5>[b] Welcome to the National Jackpot. You currently have %d tickets and are able to purchase upto %d tickets per week. Each ticket costs \$%d. The jackpot is \$%u", $ir['lottery'], $tick, $cost, $row['jackpot']);
        echo '<form action = "lottery.php?a=buy" method = "post"> <input type = "submit" value = "Buy a Lottery Ticket"> </form>';
    }
    if($action == 'buy')
    {
        if($ir['money'] < $cost)
        {
            die("You don't have enough cash");
        }
        // Count the tickets this user already holds
        $tickq = $db->query(sprintf("SELECT * FROM `lottery` WHERE `userid` = %u", $ir['userid']));
        if($db->num_rows($tickq) >= $tick)
        {
            die('You can only purchase ' .$tick. ' tickets maximum');
        }
        echo 'You purchased a lottery ticket';
        $sql = sprintf("UPDATE `users` SET `lottery` = `lottery` + %d, `money` = `money` - %d WHERE `userid` = (%u)", 1, $cost, $userid);
        $db->query($sql);
        // id is auto_increment, so it is left out of the column list
        $sql1 = sprintf("INSERT INTO `lottery` (userid, amount, jackpot) VALUES (%u, %d, %d)", $userid, $cost, 0);
        $db->query($sql1);
        $sql2 = sprintf("UPDATE `lottery` SET `jackpot` = `jackpot` + %d", $cost);
        $db->query($sql2);
    }
    $h->endpage();
    ?>

2. Then add the following sql:

    ALTER TABLE `users` ADD `lottery` INT( 11 ) NOT NULL DEFAULT '0';
    DROP TABLE IF EXISTS `lottery`;
    CREATE TABLE IF NOT EXISTS `lottery` (
      `id` int(11) NOT NULL auto_increment,
      `userid` int(11) NOT NULL,
      `amount` int(11) NOT NULL,
      `jackpot` int(11) NOT NULL,
      PRIMARY KEY (`id`),
      UNIQUE KEY `id` (`id`)
    ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

3. Finally create a weekly cron file (cron_weekly.php) and add the following:

    <?php
    include("./config.php");
    global $_CONFIG;
    if($_GET['code'] != $_CONFIG['code'])
    {
        die("");
    }
    define("MONO_ON", 1);
    require "class/class_db_{$_CONFIG['driver']}.php";
    $db = new database;
    $db->configure($_CONFIG['hostname'], $_CONFIG['username'], $_CONFIG['password'], $_CONFIG['database'], $_CONFIG['persistent']);
    $db->connect();
    $c = $db->connection_id;
    include("./global_func.php");
    // The first ticket row carries the full jackpot
    $sql = $db->query("SELECT * FROM `lottery` ORDER BY `id`");
    $rows = $db->num_rows($sql);
    if($rows == 0)
    {
        die(""); // no tickets sold this week
    }
    $row = $db->fetch_row($sql);
    // Pick a ticket by position, because ids need not run from 1 to $rows
    $winner = rand(0, $rows - 1);
    $winnerq = sprintf("SELECT `userid` FROM `lottery` ORDER BY `id` LIMIT %d, 1", $winner);
    $winnerq1 = $db->query($winnerq);
    $user = $db->fetch_row($winnerq1);
    $credit = sprintf("UPDATE `users` SET `money` = `money` + %d WHERE `userid` = (%u)", $row['jackpot'], $user['userid']);
    $db->query($credit); // run the credit query so the winner is actually paid
    event_add($user['userid'],"You won the weekly lottery and were credited \${$row['jackpot']}",$c);
    $db->query("UPDATE `users` SET `lottery` = 0");
    $db->query("TRUNCATE TABLE `lottery`");
    ?>

ENJOY :wink: Sorry if something similar has been made before, but I assure you the code style is different. Please report any bugs :).
-
Re: Password Protect Pages(v1 v2)

You did not make this so give credit to the creator.
-
Re: 3 in 1 Bank System [$20]

Thanks for the positive responses guys...glad people like it :).
-
Re: Updated Money & Crystal Bank [V2]

In the mod you've edited, it's not bankcrystal, you've done it as crystal bank. Just thought I'd let you know so people don't come back saying ":( didnt work!"... :-)
-
Re: 3 in 1 Bank System [$20]

Okay z-e-r-o firstly, my mod is made from scratch. I said that I made an investment bank and added the extra features to it. I even said that it's the first mod I made completely from scratch (except the display time in days, hours, mins etc). This was all clearly stated in the first post. Also your merit system is $10...or that's what the title says. 3 times cheaper would be $5 from my merit system, so get the facts right. And the reason your bank is cheaper may be because it's a bank with an extra feature. My one is a lot more than that. I would appreciate if you would read my post clearly, i.e. it is from scratch.
-
Re: 3 in 1 Bank System [$20]

you sell for three times cheaper $20 and $5...I don't think so. But mine is 3 times more as it's 3 mods. Your zbank is completely different :)
-
Re: 3 in 1 Bank System [$20]

UPDATE: Bank and Loanshark screenies added below

Please Note: When you deposit/withdraw from bank, borrow/pay from loanshark or invest/collect from investing, you will get a transaction receipt. But ONLY a complete invest will send one to your events. I've done transaction receipts so users can screenshot for evidence to staff if needed.

Please Note: A few things like interest rates on bank...loanshark etc or the basic layout can be edited by me on request. I can also guide you fully throughout installation, add me on [email protected] or I can install the mod for you. This applies to all mods I make, even freebies :-P
-
Name: 3 in 1 Bank System
Modification Type: Paid
Version: 2
Cost: $20
Copies: 10/20 (Dependent)
Files Included:
1. 2 PHP Files (investment.php && staff_invest.php)
2. 1 SQL File (db.sql)
3. 1 Instructions File (instructions.html)
4. 2/3 Crons Included in instructions.html

At first glance, this modification may seem to be a simple investment bank, especially since the name [investment.php]. However, this mod is actually completely different and is just named this after I decided to edit the investment bank I made. A screenie below shows you an example of what the mod is:

This is a normal bank, an investment bank and a loanshark all in one file. It is secured up to good standards and is the first modification I have coded from <?php to ?> :).

Basically, the investment bank comes with staff functions. This allows the owner to create different interest rates for different periods of time. For example, they may choose for money to be invested for 10 days and return with an interest of 3.82% (all interests are to 2D.P). They can do this by entering the number of minutes in 10 days (14,400) which is calculated by a converter in the staff functions I've created. They then enter 3.82 into the interest box. And they're done, a rate is created, as shown below:

The user then goes to investment.php and is able to type in the ID of the investment they want, and how much cash to invest (minimum $10,000 - can be changed on request). The time here is not displayed in minutes but in days, hours, minutes...whatever is appropriate :). Some more screenshots show details on how it works.

This is a table of the interest rates viewable by the user on investment.php. More are added through the staff functions mentioned.

I've now typed in the ID [2] and money [$100,000]. Rest assured that in all of the input boxes here, I have disallowed them to have text entered.

Now, I've chosen ID [2] and as seen from the table this will give me 2.32% interest. I've invested it and it tells me it's in for 2 days.

You may have noticed the collect cash buttons. I click this while I still have time for my loan to finish. And I get this error:

Once an investment has been started, a notice appears telling me how long's left. The time has gone down, and it's displayed in days+minutes at present:

The investment is over. I click collect cash and get a transaction receipt! :) I get this receipt sent to my events as well! :)

This mod costs $20 purely because of the amount of work I put into it. I did not use a single bit of any other mod (except one thing - the display time :P). I will update this post later on. The next post will have screenies of the Bank And LoanShark (no writing because it's late - bedtime :).

Please contact me via PM or on msn: [email protected]. Paypal address is my MSN. You will receive a ZIP file if bought.
-
Re: Advanced Owner Pannel ($15)

Hmm well I like it, like Extermination said, it's a good idea. But you don't have to create the staff functions, not if you copy and paste from the original ones :wink:. All you have to do, is secure em a bit, make a table with links and restrict users.
-
Re: Multiple Item Use Mod {v1}

Yeah, I'm quite certain that Oxi made it. And what does this mean? Is that some kind of copyright notice, because if someone steals, you don't take 'illegal' action against them.
-
Re: My Newist Discovery

Well one reason is probably because she'd be here forever trying to secure mc. Do you really think she can be arsed to do the work for everyone when they can go and learn PHP security themselves?
-
Re: Travelling System ($5)/($10)

Exactly my point :)...thanks Silver :-D
-
I was playing around a bit, and reading about securing overall. I noticed a lot of places said don't let the errors, which occur in queries, be visible to users. This is mainly because they are then able to gain info on your database, making it easier for them to inject, hack or whatever else.

Basically when you execute a query such as this:

    mysql_query("SELECT id,username FROM users WHERE id = '{$ir['userid']}'");

It will obviously not work because there's no such field as id in our table, but it's userid (unless you've edited it). And if the users (hackers) see this, they gain data from this error:

    Unknown column 'id' in 'field list'

This makes it obvious that you're calling the users table and also that the id field is something like ID or userID or userid (not very difficult to guess).

Therefore, I have created a script, about 5-10 lines of length. There are no files involved, but I'd say create a file called stats.php and put this in there, just to test.

    <?php
    include "globals.php";
    // Deliberately wrong column name (id instead of userid) to trigger an error
    $result = mysql_query("SELECT id,username FROM users WHERE id = '{$ir['userid']}'");
    if (!$result)
    {
        $error = mysql_error();
        $page = $_SERVER["PHP_SELF"];
        // The user only sees a generic message
        echo 'Could not run query: Error Reported ';
        // The real error goes to userid 1 as an event
        event_add(1,"Could not run query on $page: $error ",$c);
        exit;
    }
    ?>

This query will not work, but instead of the error showing up, it will be sent in an event to the admin. To make this work in every query would mean you having to add this to every single query, a great hassle. But there's no need to add it for every query, just the main ones that could cause people to hack.

To add it for a query find the query and add '$result =' before it. Then below it add:

    if (!$result)
    {
        $error = mysql_error();
        $page = $_SERVER["PHP_SELF"];
        echo 'Could not run query: Error Reported ';
        event_add(1,"Could not run query on $page: $error ",$c);
        exit;
    }

This will prevent the error from being shown and instead will send an event to userid 1 :)
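An added example, not part of the original post: the same idea (generic message to the user, full error to the admin) placed in one wrapper so the check does not have to be pasted after every query. It uses PDO with an in-memory SQLite database so it runs offline; `run_query()` and `$adminEvents` are hypothetical names standing in for the game's query call and `event_add()`.

```php
<?php
// Added example. The table and rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (userid, username) VALUES (1, 'admin'), (2, 'player')");

$adminEvents = []; // hypothetical stand-in for the admin's event list

// Runs a parameterised query. On failure the database error text is kept
// on the admin side only and the caller gets null.
function run_query(PDO $pdo, string $sql, array $params, array &$adminEvents): ?array
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // A short reference lets the admin match a user report to the event
        $ref = bin2hex(random_bytes(4));
        $page = $_SERVER['PHP_SELF'] ?? 'cli';
        $adminEvents[] = "[$ref] Query failed on $page: " . $e->getMessage();
        return null;
    }
}

// The post's deliberately wrong column name (id instead of userid)
$rows = run_query($pdo, 'SELECT id, username FROM users WHERE id = ?', [2], $adminEvents);
if ($rows === null) {
    // All the user sees: no table or column names
    echo "Could not run query: error reported.\n";
}

// The corrected query goes through the same wrapper
$rows = run_query($pdo, 'SELECT userid, username FROM users WHERE userid = ?', [2], $adminEvents);
echo "Found user: ", $rows[0]['username'], "\n";

// What the admin sees
print_r($adminEvents);
```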
-
Re: Av Bank [FREE]

    $db->query("UPDATE users SET bankcrystals=bankcrystals+(bankcrystals/50) where bankcrystals>0 and donatordays>0");

Should be

    $db->query("UPDATE users SET bankmoney=bankmoney+(bankmoney/50) where bankmoney>0 and donatordays>0");
-
Re: Free Starter Pack

Both ways are good :). But Zero, your way, like Lost One said would load on every page. :wink:

Anyway Gulley, in $db->escape, you'd have to learn a bit more php :S...I'll try and explain. Basically, I used this as a query

    $sql = sprintf("
    UPDATE `users` SET `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = %d WHERE (`userid` = %u)",
    $db->escape= money, money, 10000, crystals, crystals, 100, donatordays, donatordays, 5, vip, vip, 5, donatorpack, 1, $userid);
    $db->query($sql);

The stuff in $db->escape actually make up all the %s etc. So I used

    ... SET `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = `%s` + %d, `%s` = %d WHERE (`userid` = %u)",

The first %s means nothing, because there's no money, crystals, points or whatever. So in $db->escape I put this

    $db->escape= money, ...);

The word money now turns that first %s into money :). I'd do the same thing for the next, so the next %s after the = sign, would also be money. So now my code would look like this

    $db->escape= money, money...);

%s I think would always be used for words and %d/%u for numbers (and other stuff ...I think...which I have no idea about :p)

You'd continue to do this for all of the values so an example of %s = %s + %d. Let's say that %s is money and %d is a value you want to add on ($10,000). In $db->escape you would put

    $db->escape(money, money, 10000)

Sorry if it's a bit confusing, not very good at explaining :(
-
Re: [mccode] Supporter Packs

Okay a lot of people were asking for the solution to having donator days and supporter days both show up. This snippet below is what I've done, works 100% fine for me.

For V2 ONLY!

In header.php FIND:

    $d="";
    $u=$ir['username'];
    if($ir['donatordays']) { $u = "<font color=red>{$ir['username']}</font>";$d="[img=donator.gif]"; }

Replace with:

    $d = "";
    $sup = "";
    $u = $ir['username'];
    // Donator only: red name
    if($ir['donatordays'])
    {
        $u = "<font color = 'red'>{$ir['username']}</font>";
        $d = "[img=donator.gif]";
    }
    // Supporter only: green name
    if($ir['supporterdays'])
    {
        $u = "<font color = 'green'>{$ir['username']}</font>";
        $sup = "<img src = 'donator.gif' alt = 'Supporter: {$ir['supporterdays']} Days Left' title = 'Supporter: {$ir['supporterdays']} Days Left' border = '0' />";
    }
    // Both: blue name and both images
    if($ir['supporterdays'] && $ir['donatordays'])
    {
        $u = "<font color = 'blue'>{$ir['username']}</font>";
        $sup = "<img src = 'donator.gif' alt = 'Supporter: {$ir['supporterdays']} Days Left' title = 'Supporter: {$ir['supporterdays']} Days Left' border = '0' />";
        $d = "[img=donator.gif]";
    }

Then FIND (still in header):

    [b]Name:[/b] $gn{$u} [{$ir['userid']}] $d

And replace with:

    [b]Name:[/b] $gn{$u} [{$ir['userid']}] $sup$d

$sup will show you the donator.gif image as will $d, so obviously find another image for supporters and change that. You can change the colour of the username obviously by editing the colours in the longest bit above. And it's simple :)
-
Re: An introduction to security

Read through the post...just wanted to try out something. It works perfectly for me, and I'd just like to confirm that it's the safest way possible. I used this query, is there any way in which it could be improved even more?

    $nerve=$ir['nerveinc']+1;
    $sql = sprintf("UPDATE `users` SET `%s` = `%s` + %d, `%s` = `%s` - %d, `%s` = `%s` + %d WHERE (`userid` = %u)",
    $db->escape=maxbrave, maxbrave, 1, merits, merits, $nerve, nerveinc, nerveinc, 1, $userid);
    $db->query($sql);
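An added example, not code from the thread, for the sprintf query pattern in this post and in the Free Starter Pack reply above. In sprintf, %d and %u convert their argument to an integer while %s inserts the string unchanged, so the sketch checks column names against a fixed list and binds the numbers as parameters. `build_increment()`, `ALLOWED_COLUMNS` and the sample rows are hypothetical; it uses PDO with in-memory SQLite so it runs offline.

```php
<?php
// Added example. Table contents are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, maxbrave INT, merits INT, nerveinc INT)');
$pdo->exec('INSERT INTO users VALUES (1, 5, 10, 0), (2, 5, 10, 0)');

// Constructed input of the kind a form field could carry
$input = '1 OR 1=1';
// %d converts the argument to an integer before inserting it
echo sprintf('WHERE userid = %d', $input), "\n";
// %s inserts the string as given, so it needs escaping or binding
echo sprintf('WHERE userid = %s', $input), "\n";

// Column names cannot be bound as parameters, so only names on this
// list may ever reach the SQL text.
const ALLOWED_COLUMNS = ['maxbrave', 'merits', 'nerveinc'];

// Builds "UPDATE users SET col = col + ? ..." from [column => delta]
function build_increment(array $changes): array
{
    $sets = [];
    $params = [];
    foreach ($changes as $column => $delta) {
        if (!in_array($column, ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException("Column not allowed: $column");
        }
        $sets[] = "`$column` = `$column` + ?";
        $params[] = (int) $delta;
    }
    $sql = 'UPDATE `users` SET ' . implode(', ', $sets) . ' WHERE `userid` = ?';
    return [$sql, $params];
}

// Same change as the post's query: +1 maxbrave, -$nerve merits, +1 nerveinc
$nerve = 0 + 1;  // $ir['nerveinc'] + 1 in the post
$userid = 1;
[$sql, $params] = build_increment(['maxbrave' => 1, 'merits' => -$nerve, 'nerveinc' => 1]);
$params[] = $userid;
$pdo->prepare($sql)->execute($params);
print_r($pdo->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));

// A column that is not on the list is rejected before any SQL is built
try {
    build_increment(['user_level' => 1]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```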
-
Re: Mccodes V2 Normal Bank.php NO FEES!

You know guys, it might not be a real amazing mod and might be an edit of one number, but for god's sake, he said that! He clearly stated it's for noobs, so obviously it's going to be simple. Also, scarface...did you mean he should post it in Submit a Free Mod? Because it doesn't really matter, it is still a 'Free Game Modification'... :|
-
Re: Donator Day Send [V2]

Instead of <code>,</code>...it's [ code] and [ /code] without the spaces. Sorry, forgot to mention it in my first post, but please change :)
-
Re: [FAQ] sprintf - no, it's not a phone company

Great :-D I tried learning sprintf through php.net...this is so much easier to understand :)
-
Re: Donator Day Send [V2]

:| Well not to offend you or anything but there's so many things you've done wrong here.

1. Please add the code tags, makes it a lot easier to read.
2. This is simply a copy of cash xfer, as seen from

    $db->query("INSERT INTO cashxferlogs VALUES ('', $userid, {$_GET['ID']}, {$_POST['money']}, unix_timestamp(), '{$ir['lastip']}', '{$er['lastip']}')")

3. I'm learning php quite a bit from now on considering my exams are over, and I'm not 100% sure how to secure, but I'm fairly sure that your code is very insecure.
4. You said it says it adds it into cashxfer, but it doesn't. Well perhaps you should get rid of that and stop copying other files (at least have the courtesy to note that it was not made by you)

Sorry for all the criticism but that's the only way you'll learn. Anyway nice try though on actually bothering to make something. You could go to http://www.w3schools.com or http://php.net to learn some php