Snatchy
Everything posted by Snatchy
-
OK, what is happening is when someone buys something from a shop it allows the user to buy as many of whatever and go into negative values of money and crystals. I need the itembuy to not let them buy anything if they don't have enough money or crystals on hand. This is what I have at the moment.

    <?php
    /*-----------------------------------------------------
    -- Mono Country v1.0 BETA
    -- A product of DBS-entertainment
    -- Copyright held 2005 by Dabomstew
    -- INDEX.php
    -----------------------------------------------------*/
    session_start();
    require "global_func.php";
    if($_SESSION['loggedin']==0) { header("Location: login.php");exit; }
    $userid=$_SESSION['userid'];
    require "header.php";
    $h = new headers;
    $h->startheaders();
    include "mysql.php";
    global $c;
    $is=mysql_query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid=$userid",$c) or die(mysql_error());
    $ir=mysql_fetch_array($is);
    check_level();
    $fm=money_formatter($ir['money']);
    $cm=money_formatter($ir['crystals'],'');
    $lv=date('F j, Y, g:i a',$ir['laston']);
    $h->userdata($ir,$lv,$fm,$cm);
    $h->menuarea();
    $_GET['ID']= abs((int) $_GET['ID']);
    $_POST['qty']= abs((int) $_POST['qty']);
    if(!$_GET['ID'] || !$_POST['qty'])
    {
        print "Invalid use of file";
    }
    else if($_POST['qty'] <= 0)
    {
        print "You have been added to the delete list for trying to cheat the game.";
    }
    else
    {
        $q=mysql_query("SELECT * FROM items WHERE itmid={$_GET['ID']}",$c);
        if(mysql_num_rows($q) == 0)
        {
            print "Invalid item ID";
        }
        else
        {
            $itemd=mysql_fetch_array($q);
            if($ir['money'] < $itemd['itmbuyprice']*$_POST['qty'])
            //$itemn=mysql_fetch_array($q);
            //if($ir['crystals'] < $itemn['itmnugbuy']*$_POST['qty'])
            {
                print "You don't have enough money or nuggets to buy this item!";
            }
            else
            //$h->endpage();
            //exit;
            {
                $itemd=mysql_fetch_array($q);
                if($ir['crystals'] < $itemd['itmnugbuy']*$_POST['qty'])
                {
                    print "You don't have enough nuggets to buy this item!";
                    $h->endpage();
                    exit;
                }
                if($itemd['itmbuyable'] == 0)
                {
                    print "This item can't be bought!";
                    $h->endpage();
                    exit;
                }
            }
            $price=($itemd['itmbuyprice']*$_POST['qty']);
            $pricen=($itemd['itmnugbuy']*$_POST['qty']);
            mysql_query("INSERT INTO inventory VALUES('',{$_GET['ID']},$userid,{$_POST['qty']});",$c);
            mysql_query("UPDATE users SET money=money-$price WHERE userid=$userid",$c);
            mysql_query("UPDATE users SET crystals=crystals-$pricen WHERE userid=$userid",$c);
            mysql_query("INSERT INTO itembuylogs VALUES ('', $userid, {$_GET['ID']}, $price, {$_POST['qty']}, unix_timestamp(), '{$ir['username']} bought {$_POST['qty']} {$itemd['itmname']}(s) for {$price}')", $c);
            {
                print "You bought {$_POST['qty']} {$itemd['itmname']}(s) for \$$price and $pricen Nuggets";
            }
        }
    }
    $h->endpage();
    ?>

I hope someone can shed some light on the problem. Cheers Snatchy
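An added example, not part of the original post and not the game's own code: one way to stop a purchase like the one above from driving a balance negative is to put the balance test in the same UPDATE that deducts the price, and to hand out the item only if that UPDATE changed a row. It assumes PDO with an in-memory SQLite database and a cut-down, constructed schema (the users and items column names come from the post, the inventory column names and the buy_item() helper are hypothetical).

```php
<?php
// Added illustration: atomic "check and deduct" for a shop purchase.
// Constructed schema and sample rows; buy_item() is a hypothetical helper.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER, crystals INTEGER)");
$db->exec("CREATE TABLE items (itmid INTEGER PRIMARY KEY, itmname TEXT,
           itmbuyprice INTEGER, itmnugbuy INTEGER, itmbuyable INTEGER)");
$db->exec("CREATE TABLE inventory (inv_itemid INTEGER, inv_userid INTEGER, inv_qty INTEGER)");
$db->exec("INSERT INTO users VALUES (1, 500, 3)");          // constructed player
$db->exec("INSERT INTO items VALUES (7, 'Sword', 200, 1, 1)"); // constructed item

function buy_item(PDO $db, int $userid, int $itemid, int $qty): string
{
    if ($qty < 1 || $qty > 1000) {           // reject zero, negative and absurd quantities
        return 'invalid quantity';
    }
    $s = $db->prepare("SELECT itmbuyprice, itmnugbuy, itmbuyable FROM items WHERE itmid = ?");
    $s->execute([$itemid]);
    $item = $s->fetch(PDO::FETCH_ASSOC);
    if ($item === false || (int)$item['itmbuyable'] !== 1) {
        return 'item cannot be bought';
    }
    $price  = (int)$item['itmbuyprice'] * $qty;
    $pricen = (int)$item['itmnugbuy'] * $qty;

    $db->beginTransaction();
    // The balance test lives in the WHERE clause, so a request that cannot
    // afford the item changes zero rows, even if two requests arrive at once.
    $u = $db->prepare("UPDATE users SET money = money - ?, crystals = crystals - ?
                       WHERE userid = ? AND money >= ? AND crystals >= ?");
    $u->execute([$price, $pricen, $userid, $price, $pricen]);
    if ($u->rowCount() !== 1) {
        $db->rollBack();                     // nothing deducted, nothing granted
        return 'not enough money or nuggets';
    }
    $i = $db->prepare("INSERT INTO inventory VALUES (?, ?, ?)");
    $i->execute([$itemid, $userid, $qty]);
    $db->commit();
    return 'ok';
}

var_dump(buy_item($db, 1, 7, 2));  // first purchase: two swords
var_dump(buy_item($db, 1, 7, 1));  // second attempt with what is left
var_dump($db->query("SELECT money, crystals FROM users WHERE userid = 1")->fetch(PDO::FETCH_ASSOC));
```

The same statement shape works on MySQL; there the check of affected rows is what replaces the separate "does the player have enough" comparison made on data read earlier in the request.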
-
Re: mysql injection Is there a chance we can get an example of what a check is? I'm about halfway to understanding all this...lol... getting there slowly
-
Re: Gold Fusion Wars for sale That's right, it's 1500 members strong and haven't spent a cent on advertising, so imagine what it could be if someone was to invest some money into ads. The game's members are all from word of mouth. So you may have got 1500 members in 3 months but how much did you spend on advertising?
-
Re: Gold Fusion Wars for sale *rude as they may be there is no need to get vulgar~Scarlet
-
Hi guys, much to my regret I'm about to start a new job and I'm running out of hours in the day to be able to keep up with Goldfusionwars. I want about $1000 for it. www.goldfusionwars.com. PM me your offers. I have 1500 members and it doesn't do too bad on donations. Good for an up and coming game designer to buy. Heaps of mods come with it. Cheers Snatchy
-
Re: Banning IP Addresses Thanks for that, I know it was a bit of a noob question but ya don't know if you don't ask I s'pose... cheers
-
How do I add an IP address to the IP bans list?
-
Re: mysql injection Well, let's start the check list...lol..
- Got plenty of hours to put into it.
- When you say put checks in... how do I go about it?
- Not sure what you mean by URL manipulation.
- Malicious little fucks.... yes, plenty of them, but I want to make it as hard as possible for the little fags to do it.

Hmmmm OK, so can we kick off the post with how do we go about putting the SQL checks in? I know this is going to be a bit complicated so one step at a time and hours upon hours of getting it right....lol. For instance on my game with unequip, I need to make it do a check on the database so that people can't unequip items, doubling them in their inventory!
-
OK, well we all keep hearing about it but no one seems to be posting any fixes to the ongoing problem of MySQL injections. What do I need to do to stop this from happening?
-
Re: adding 1/4 will pot to the game woot woot it's working!!!! THANKING YOU DECEPTION
-
Re: adding 1/4 will pot to the game Is there a reason why this wouldn't be working?

    mysql_query("UPDATE users SET will=maxwill WHERE will>maxwill WHERE userid=$userid",$c);
-
I'm adding a 1/4 will pot to the game but after many attempts at getting the query to work right the one I have working seems to add will to over 100%, which is a bit of a pain in the butt. I know there is something missing to make this work so I was just wondering if someone could help me add to it. The query I have so far that adds 25% is this...

    mysql_query("UPDATE users SET will=(will+(willmax*25/100)) WHERE userid=$userid",$c);

Now I just need to make it so it stops at 100% and doesn't go over. Any help is grateful... Cheers Snatchy
-
V1.1/V1 Does anyone no where the bugs are ?
Snatchy replied to SoulOfDeath's topic in General Discussion
Re: V1.1/V1 Does anyone no where the bugs are ? The refreshing on attack bug.... I need a fix for it myself. And the bug that lets you attack people even though your health is at zero... oh yeah, the sending items bug, I have that fixed but one you should know about. Hmmmmmm there's more than 8.... more like 800
-
Re: not sure why this wont work nope still not working
-
I'm trying to change the send money to send crystals... I just went through and changed all the fields from money to crystals but for some reason I can't get it to go past the invalid user defined bit at the start. I didn't alter anything that had to do with calling the user id bit so I'm turning to you guys for some help... Cheers

    <?php
    session_start();
    require "global_func.php";
    if($_SESSION['loggedin']==0) { header("Location: login.php");exit; }
    $userid=$_SESSION['userid'];
    require "header.php";
    $h = new headers;
    $h->startheaders();
    include "mysql.php";
    global $c;
    $is=mysql_query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid=$userid",$c) or die(mysql_error());
    $ir=mysql_fetch_array($is);
    check_level();
    $fm=money_formatter($ir['money']);
    $cm=money_formatter($ir['crystals'],'');
    $lv=date('F j, Y, g:i a',$ir['laston']);
    $h->userdata($ir,$lv,$fm,$cm);
    $h->menuarea();
    $_GET['ID'] = abs($_GET['ID']);
    $_POST['crystals'] = abs($_POST['crystals']);
    if(!((int)$_GET['ID']))
    {
        print "[b]Invalid User ID[/b]";
    }
    else if($_GET['ID'] == $userid)
    {
        print "[b]Haha, what does sending Gold Nuggets do for yourself anyway?[/b]";
    }
    else
    {
        if($_POST['crystals'])
        {
            if($_POST['crystals'] > $ir['crystals'])
            {
                print "[b]Die j00 abuser.[/b]";
            }
            else
            {
                mysql_query("UPDATE users SET crystals=crystals-{$_POST['crystals']} WHERE userid=$userid",$c);
                mysql_query("UPDATE users SET crystals=crystals+{$_POST['crystals']} WHERE userid={$_GET['ID']}",$c);
                print "You sent \${$_POST['crystals']} to ID {$_GET['ID']}.";
                event_add($_GET['ID'],"You received \${$_POST['crystals']} from {$ir['username']}.",$c);
                $it=mysql_query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid={$_GET['ID']}",$c) or die(mysql_error());
                $er=mysql_fetch_array($it);
                mysql_query("INSERT INTO nugxferlogs VALUES ('', $userid, {$_GET['ID']}, {$_POST['crystals']}, unix_timestamp(), '{$ir['lastip']}', '{$er['lastip']}', '')",$c);
            }
        }
        else
        {
            print "[b] Transfer Gold Nuggets[/b] Sending Gold Nuggets You are sending money to ID: [b]{$_GET['ID']}[/b]. [b]Amnt: [/b] Latest 5 Transfers Time User From User To Amount MULTI";
            }
            else
            {
                $m="";
            }
            print "" . date("F j, Y, g:i:s a",$r['nxTIME']) . "{$r['sender']} [{$r['nxFROM']}] {$r['sent']} [{$r['nxTO']}] \${$r['nxAMOUNT']} ";
        }
    }
    $h->endpage();
    ?>
-
Re: Money Cap I pm'd you my msn dude... add me
-
Re: Money Cap And that thread doesn't have the answer to the question, neither does the three pages of crap that got posted when I asked the same question. No one seems to know how to get the stats page. The question is how can we overcome the problem of the stats page not displaying the output correctly? As we all know, once the game hits a trillion dollars we start seein +12E and shit like that in the figures instead of them being displayed like 100,000,000,000,000,000.
-
Re: SQL querys OK, I'm running version 1.1 of the code. I have an equipped table and unequipped is just a script and the unequip script is just a default case switch... I'm guessing that it's a default case switch as it has this at the top of it

    case 'eqdelete':
        eq_delete();
        break;
    default:
        eq_delete();
        break;
-
Re: SQL querys Ummm, any chance you could give me the query I need to check that something is there? I'm not sure how I go about writing it.
-
I got this mail about when people equip items. OK, say you have two windows open in the inventory and say I have any weapon on. In one window I take the weapon off, I will have one in the inventory. Then in the other window if I hit unequip on the same weapon, because you don't refresh you will end up with 2. Can anyone shed some light on this please? I got no idea how to stop this from happening.
-
Re: stats cap I'm not explaining it again, sorry, but try reading the post before you ask a silly question like what is the post about?
-
Re: stats cap And here we go again... completely off track from the original question... If you're going to post in this post can you actually make it have something to do with the original topic as I am STILL WAITING FOR A FIX ON THIS!!!
-
OK, well I'm just going to post the code for this one. On my items table I have added a couple of columns for buying and selling items with crystals. Had that working fine and then added a column for item pics. Now when I go to edit an item it comes up with this.... Column count doesn't match value count at row 1 and deletes the item that I am trying to edit. I have tried chopping and changing a few things to get it back working again but with no success. Here is my edit item code from admin.php.

    print "Editing Item You can edit any aspect of this item. Item: ".item_dropdown($c,'item')." ";
    }
    function edit_item_form()
    {
        global $ir,$c,$h;
        $d=mysql_query("SELECT * FROM items WHERE itmid={$_POST['item']}",$c);
        $itemi=mysql_fetch_array($d);
        $f=mysql_query("SELECT * FROM food WHERE item_id={$_POST['item']}",$c);
        if(mysql_num_rows($f) > 0)
        {
            $a=mysql_fetch_array($f);
            $energy=$a['energy'];
        }
        else
        {
            $energy=1;
        }
        $f=mysql_query("SELECT * FROM medical WHERE item_id={$_POST['item']}",$c);
        if(mysql_num_rows($f) > 0)
        {
            $a=mysql_fetch_array($f);
            $health=$a['health'];
        }
        else
        {
            $health=10;
        }
        $f=mysql_query("SELECT * FROM weapons WHERE item_id={$_POST['item']}",$c);
        if(mysql_num_rows($f) > 0)
        {
            $a=mysql_fetch_array($f);
            $damage=$a['damage'];
        }
        else
        {
            $damage=1;
        }
        $f=mysql_query("SELECT * FROM armour WHERE item_ID={$_POST['item']}",$c);
        if(mysql_num_rows($f) > 0)
        {
            $a=mysql_fetch_array($f);
            $def=$a['Defence'];
        }
        else
        {
            $def=10;
        }
        print "Editing Item Item Name: Item Desc.: Item Type: ".itemtype_dropdown($c,'itmtype',$itemi['itmtype'])." Item Buyable:
        if ($itemi['itmbuyable']) { print " checked='checked'"; }
        print " /> Item Price: Item Sell Value: Make Sure You put a value in both of the nugget price boxes or item will delete Item Nugget Price : Item Nugget Sell Price : [b]Specialized[/b] Item Energy Regen (food only): Item Health Regen (medical only): Power (weapons only): Damage Off (armor only): ";
    }
    function edit_item_sub()
    {
        global $ir,$c,$h,$userid;
        if(!isset($_POST['itmname'])|| !isset($_POST['itmtype'])|| !isset($_POST['itmname']) || !isset($_POST['itmdesc']) || !isset($_POST['itmbuyprice'])|| !isset($_POST['itmnugbuy'])|| !isset($_POST['itmsellprice']) || !isset($_POST['itmnugsell'])|| !isset($_POST['itmbuyable']))
        {
            print "You missed one or more of the fields. Please go back and try again. [url='admin.php?action=edititem']> Back[/url]";
            $h->endpage();
            exit;
        }
        $itmname=mysql_escape($_POST['itmname']);
        $itmdesc=mysql_escape($_POST['itmdesc']);
        if($_POST['itmbuyable'] == 'on') { $itmbuy=1; } else { $itmbuy=0; }
        mysql_query("DELETE FROM items WHERE itmid={$_POST['itmid']}",$c);
        mysql_query("DELETE FROM food WHERE item_id={$_POST['itmid']}",$c);
        mysql_query("DELETE FROM weapons WHERE item_id={$_POST['itmid']}",$c);
        mysql_query("DELETE FROM medical WHERE item_id={$_POST['itmid']}",$c);
        mysql_query("DELETE FROM armour WHERE item_ID={$_POST['itmid']}",$c);
        $m=mysql_query("INSERT INTO items VALUES('{$_POST['itmid']}',{$_POST['itmtype']},'$itmname','$itmdesc',{$_POST['itmbuyprice']},{$_POST['itmnugbuy']},{$_POST['itmsellprice']},{$_POST['itmnugsell']},'$itmbuy')",$c) or die(mysql_error());
        if($_POST['itmtype'] == 1)
        {
            mysql_query("INSERT INTO food VALUES({$_POST['itmid']},{$_POST['energy']})",$c) or die(mysql_error());
        }
        if($_POST['itmtype'] == 5)
        {
            mysql_query("INSERT INTO medical VALUES({$_POST['itmid']},{$_POST['health']})",$c) or die(mysql_error());
        }
        if($_POST['itmtype'] == 3 || $_POST['itmtype'] == 4)
        {
            mysql_query("INSERT INTO weapons VALUES({$_POST['itmid']},{$_POST['damage']})",$c) or die(mysql_error());
        }
        if($_POST['itmtype'] == 7)
        {
            $i=mysql_insert_id();
            mysql_query("INSERT INTO armour VALUES({$_POST['itmid']} ,{$_POST['Defence']})",$c) or die(mysql_error());
        }
        print "The {$_POST['itmname']} Item was edited successfully.";
    }

Really really hope someone can shed some light on this as I am more than stuck with it!!! Cheers Snatchy
-
Re: stats cap Change the house price to a big int on the database.
-
Re: stats cap But won't that only give the amount of money that the player has? I want it to add the entire column of the table.... and how do you do it so it does averages?