SteveDave Posted April 14, 2009
Well, I just recently added a mod to my game, came back a few hours later and found billions of dollars going around in my game due to someone stumbling upon a bug. I thought I had it covered with:

    elseif ($_POST['amount'] > $ir['money'] or $_POST['crystals'] > $ir['crystals']) {
        die("[b]You dont have enough funds.[/b]");
    }

But it seems the old +9999999--99999999999999 worked and let someone give themselves ridiculous amounts of crystals/money. I thought this code (in header) protected against that:

    // Coerce the listed $_GET parameters to non-negative integers
    // (the original loop ran one index past the end of the array; this walks it exactly once)
    $places_to_be_secured = array("ID", "viewforum", "viewtopic");
    foreach ($places_to_be_secured as $key) {
        $_GET[$key] = abs(@intval($_GET[$key]));
    }

But apparently not. I can't seem to find a way around this; I've tried several things but can't seem to fix it. Any ideas?
Magictallguy Posted April 14, 2009
Re: +9999--99999999 ( Bug )
Placing this, underneath the globals.php include, will secure that :)

    <?php //Remove this, added it for the colours only! xD
    // Accept only a string made entirely of digits; anything else becomes false
    $_POST['amount']   = isset($_POST['amount'])   && ctype_digit($_POST['amount'])
        ? abs(@intval($_POST['amount']))   : false;
    $_POST['crystals'] = isset($_POST['crystals']) && ctype_digit($_POST['crystals'])
        ? abs(@intval($_POST['crystals'])) : false;
AlabamaHit Posted April 14, 2009
Re: +9999--99999999 ( Bug )
Quoting SteveDave:

    I thought this code (in header) protected against that:

        $count = 3;
        $x = -1;
        while ($x < $count) {
            $places_to_be_secured = array("ID", "viewforum", "viewtopic");
            $x++;
            $_GET[$places_to_be_secured[$x]] = abs(@intval($_GET[$places_to_be_secured[$x]]));
        }

    But apparently not. I can't seem to find a way around this, I've tried several things but can't seem to fix it. Any ideas?

lol, I have been waiting for someone to say that. That is nothing but a quick fix; that's not security. What MTG gave you will secure up your page. If you want to secure your site, do it on the pages. No one-page fix will ever work.
SteveDave Posted April 14, 2009 (Author)
Re: +9999--99999999 ( Bug )
Thanks guys, I'll try that. +1's for both of you, I appreciate the help.
Magictallguy Posted April 14, 2009
Re: +9999--99999999 ( Bug )
Quoting SteveDave:

    Thanks guys, I'll try that. +1's for both of you, I appreciate the help.

Feel free to overwrite your cmarket.php with this one: http://criminalexistence.com/ceforums/h ... 34#p134734
POG1 Posted April 14, 2009
Re: +9999--99999999 ( Bug )

    // Only proceed when the field is present and consists solely of digits 0-9
    if (isset($_POST['amount']) AND ctype_digit($_POST['amount'])) {
        // let them do stuff
    } else {
        // show something else
    }

You will want to use validation and ensure that you only allow what you want to allow. Check the PHP manual for the ctype functions; ctype_digit and ctype_alnum are two very useful functions you should be getting used to.
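The validation the replies above describe, pulled together into one function as an added example (not code from the thread or from the game's own files); the `validate_amount` name, the length guard and the `$balance` parameter are assumptions, while `$ir['money']` and `$_POST['amount']` come from the original post:

```php
<?php
// Added example: validate a posted amount with ctype_digit() before any
// comparison or arithmetic touches it. Returns the amount as an int, or
// null when the input must be rejected.
function validate_amount($raw, $balance)
{
    // $_POST values are always strings. ctype_digit() on an int interprets it
    // as an ASCII code, so refuse anything that is not a string outright.
    if (!is_string($raw)) {
        return null;
    }
    // Only the characters 0-9 may appear. This rejects "+9999--99999999",
    // signs, whitespace, decimals and exponents, all of which a loose `>`
    // comparison against $ir['money'] does not reliably catch. Because only
    // digits can get past this point, the abs() in the earlier snippet is
    // redundant; a digit-only string can never cast to a negative number.
    if ($raw === '' || !ctype_digit($raw)) {
        return null;
    }
    // Cap the digit count before casting so an over-long string cannot
    // overflow the platform int on the cast.
    if (strlen($raw) >= strlen((string) PHP_INT_MAX)) {
        return null;
    }
    $amount = (int) $raw;
    // Nothing to transfer, or more than the player holds: refuse.
    if ($amount < 1 || $amount > $balance) {
        return null;
    }
    return $amount;
}

// Usage in a market page, replacing the original loose comparison.
// $ir['money'] / $ir['crystals'] are the player's balances as in the thread.
$amount   = validate_amount(isset($_POST['amount'])   ? $_POST['amount']   : null, $ir['money']);
$crystals = validate_amount(isset($_POST['crystals']) ? $_POST['crystals'] : null, $ir['crystals']);
if ($amount === null || $crystals === null) {
    die("[b]You dont have enough funds, or the amount is not a whole number.[/b]");
}
// From here on $amount and $crystals are ints in [1, balance]; use these
// variables in the query, never the raw $_POST strings.
```

Doing this per page, as AlabamaHit notes, is the point: a global header rewrite only covers the keys it was told about, while this check sits next to the query that spends the money.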