MakeWebGames


Posted

Well I started a few days ago and began reading from the very first page and have to say this is one of the best sites I have found with info about mccodes......I started reading from the first page 114...I have to say there is some good information there. I just finished checking out all the pages today and my biggest concern atm is Security...I read a lot about people getting hacked...also I read a lot about how to prevent this. I have noted a few explanations I have seen...then I made it to

Optimus Prime's "tutorial"..and have to say it is really good from my point of view...anyway I had a go at securing my spendpoints.php (previously crystalmarket.php)

and I'll post the code below..I checked the page and everything looks to be running fine.

Just wanted to know if I do the same for all my pages will my game be secure?...also I found this back on page wte...

Quick Fix - Add into header.php:

$_GET['viewforum'] = abs(@intval($_GET['viewforum']));

$_GET['viewtopic'] = abs(@intval($_GET['viewtopic']));

would that secure my site?...or would it be better to use the method outlined in Optimus Prime's tut?

thanks guys << I'm still studying PHP but I'm learning so much :D

later

Posted
<?php
include "globals.php";
$_GET['refill'] = stripslashes(htmlspecialchars($_GET['refill']));
$_GET['refill0'] = stripslashes(htmlspecialchars($_GET['refill0']));
$_GET['refill2'] = stripslashes(htmlspecialchars($_GET['refill2']));
$_GET['refill3'] = stripslashes(htmlspecialchars($_GET['refill3']));
$_GET['hospitalheal'] = stripslashes(htmlspecialchars($_GET['hospitalheal']));
$_GET['getoutjail'] = stripslashes(htmlspecialchars($_GET['getoutjail']));
$_GET['turnsfill'] = stripslashes(htmlspecialchars($_GET['turnsfill']));
$_GET['turnsfill2'] = stripslashes(htmlspecialchars($_GET['turnsfill2']));
$_GET['IQ'] = stripslashes(htmlspecialchars($_GET['IQ']));
$_GET['money'] = stripslashes(htmlspecialchars($_GET['money']));
print "<h1>Welcome to the Points Store!</h1>


You have [b]<big>{$ir['crystals']}</big>[/b] Points to spend.
<hr>

";
if(!$_GET['spend'])
{
print "<table width='50%' border=1>
<tr>
<th width='20%'><ph2>What would you like to spend your Points on?</ph2></th>
</tr>
<tr>
<td width='10%'>Spend 1 Point to refill your Health.</td>
<td width='3%'>[url='spendpoints.php?spend=refill0'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend {$set['ct_refillprice']} Points to refill your Energy.</td>
<td width='3%'>[url='spendpoints.php?spend=refill'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend {$set['ct_refillprice']} Points to refill your Nerve.</td>
<td width='3%'>[url='spendpoints.php?spend=refill2'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend 75 Points to refill your Awake.</td>
<td width='3%'>[url='spendpoints.php?spend=refill3'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend 5 Points to get out of the Hospital.</td>
<td width='3%'>[url='spendpoints.php?spend=hospitalheal'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend 5 Points to Bail out of Jail.</td>
<td width='3%'>[url='spendpoints.php?spend=getoutjail'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend 50 Points to Reset your Downtown Search.</td>
<td width='3%'>[url='spendpoints.php?spend=turnsfill'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Spend 25 Points to Reset your Lucky Dip.</td>
<td width='3%'>[url='spendpoints.php?spend=turnsfill2'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Gain {$set['ct_iqpercrys']} IQ per Point Spent.</td>
<td width='3%'>[url='spendpoints.php?spend=IQ'](click here)[/url]</td>
</tr>
<tr>
<td width='10%'>Sell Points. {$set['ct_moneypercrys']} per point.</td>
<td width='3%'>[url='spendpoints.php?spend=money'](click here)[/url]</td>
</tr>";
}
else
{
if($_GET['spend'] == 'refill0')
{
if($ir['crystals'] <1)
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['hp'] == $ir['maxhp'])
{
print "You already have Full Health.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET hp=maxhp,crystals=crystals - %d WHERE  (`userid` = $userid)", abs(@intval(1)));
$db->query($sprintf);
print "You have paid 1 Point to refill your Health Bar.


<a href='spendpoints.php'> [i] Back to Points Store [/i]</a>

or


<a href='explore.php'>[i]Back to City[/i]</a>";
}
}
else if($_GET['spend'] == 'getoutjail')
{
if($ir['crystals'] <10)
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['jail'] == 0)
{
print "You are not in jail.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET jail=jail-jail,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(10)));
$db->query($sprintf);
print "
[b]You have paid 10 Points to Get out of Jail.[/b]


[b]<big>[url='explore.php']Back to City[/url]</big>[/b]";
}
}
else if($_GET['spend'] == 'refill')
{
if($ir['crystals'] <$set['ct_refillprice'])
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['energy'] == $ir['maxenergy'])
{
print "You already have full energy.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET energy=maxenergy,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($set['ct_refillprice'])));
$db->query($sprintf);
print "
[b]You have paid {$set['ct_refillprice']} Points to refill your energy bar.[/b]


[b]<big>[url='gym.php']Go to Gym[/url]</big>[/b]";
}
}
else if($_GET['spend'] == 'refill2')
{
if($ir['crystals'] <$set['ct_refillprice'])
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['brave'] == $ir['maxbrave'])
{
print "You already have full Nerve.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET brave=maxbrave,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($set['ct_refillprice'])));
$db->query($sprintf);
print "You have paid {$set['ct_refillprice']} Points to refill your Nerve Bar.";
}
}
else if($_GET['spend'] == 'hospitalheal')
{
if($ir['crystals'] <10)
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['hospital'] <1)
{
print "
[b]You are not in the Hospital ![/b]




<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET hospital=0,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(10)));
$db->query($sprintf);
print "
[b]<big>You have paid [b]<big>10</big>[/b] Points to get out of the hospital.</big>[/b]


[url='explore.php']Back to City[/url]";
}
}
else if($_GET['spend'] == 'turnsfill')
{
if($ir['crystals'] <50)
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['turns'] >1)
{
print "
You still have some searches left !

[url='streets.php']Go to Downtown Search[/url]

or


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(50)));
$db->query($sprintf);
$sprintf=sprintf("UPDATE users SET turns=turns+%d WHERE (`userid` = $userid)", abs(@intval(100)));
$db->query($sprintf);
print "
[b]<big>You have paid [b]<big>50</big>[/b] Points to reset your Downtown Search.</big>[/b]


[url='streets.php']Go to Downtown Search[/url]

or


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
}
else if($_GET['spend'] == 'refill3')
{
if($ir['crystals'] <75)
{
print "You don't have enough Points!


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else if($ir['will'] == $ir['maxwill'])
{
print "Your Awake is already Maxed out.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
else
{
$sprintf=sprintf("UPDATE users SET will=maxwill,crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(75)));
$db->query($sprintf);
print "You have paid 75 Points to refill your Will Bar.


<a href='spendpoints.php'> [i] Go Back [/i]</a>";
}
}
else if($_GET['spend'] == 'IQ')
{
print "Type in the amount of Points you want to swap for IQ.

You have [b]{$ir['crystals']}[/b] Points.

One crystal = {$set['ct_iqpercrys']} IQ.<form action='spendpoints.php?spend=IQ2' method='post'><input type='text' name='crystals' />
<input type='submit' value='Swap' /></form>";
}
else if($_GET['spend'] == 'IQ2')
{
$_POST['crystals'] = abs(@intval($_POST['crystals']));
if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals'])
{
print "Error, you either do not have enough Points or did not fill out the form.

[url='spendpoints.php?spend=IQ']Back[/url]";
}
else
{
$iqgain=$_POST['crystals']*$set['ct_iqpercrys'];
$sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($_POST['crystals'])));
$db->query($sprintf);
$sprintf=sprintf("UPDATE userstats SET IQ=IQ+%d WHERE (`userid` = $userid)", abs(@intval($iqgain)));
$db->query($sprintf);
print "You traded {$_POST['crystals']} Points for $iqgain IQ.";
}
}
else if($_GET['spend'] == 'money')
{
print "Type in the amount of Points you want to swap for money.

You have [b]{$ir['crystals']}[/b] Points.

One crystal = \$".number_format($set['ct_moneypercrys']).".<form action='spendpoints.php?spend=money2' method='post'><input type='text' name='crystals' />
<input type='submit' value='Swap' /></form>";
}
else if($_GET['spend'] == 'money2')
{
$_POST['crystals'] = abs(@intval($_POST['crystals']));
if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals'])
{
print "Error, you either do not have enough Points or did not fill out the form.

[url='spendpoints.php?spend=money']Back[/url]";
}
else
{
$moneygain=$_POST['crystals']*$set['ct_moneypercrys'];
$sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval($_POST['crystals'])));
$db->query($sprintf);
$sprintf=sprintf("UPDATE users SET money=money+%d WHERE (`userid` = $userid)", abs(@intval($moneygain)));
$db->query($sprintf);
print "You traded {$_POST['crystals']} Points for \$".number_format($moneygain).".";
}
}
else if($_GET['spend'] == 'turnsfill2')
{
if($ir['crystals'] <25)
{
print "You don't have enough Points!";
}
else if($ir['luckydip_turns'] ==0)
{
$sprintf=sprintf("UPDATE users SET luckydip_turns=luckydip_turns+%d WHERE (`userid` = $userid)", abs(@intval(1)));
$db->query($sprintf);
// %d, not $d: a literal "$d" would have been sent to MySQL as-is and broken the query
$sprintf=sprintf("UPDATE users SET crystals=crystals-%d WHERE (`userid` = $userid)", abs(@intval(25)));
$db->query($sprintf);
print "
[b]<big>You have paid [b]<big>25</big>[/b] Points to reset your Lucky Dip.</big>[/b]


[url='luckydip.php']Go to Lucky Dip[/url]";

}
else
{
print "
You still have chances left !

[url='luckydip.php']Go to Lucky Dip[/url]";
}
}
}

$h->endpage();
?>
Posted

Here ya go, I littered comments throughout it, to help you understand what's going on, and how it is securing it. If you need more info, don't be afraid to ask :)

Oh, I'm not sure it 100% works the way you had it working.... there's a possibility I named a link wrong or something minor... but I'm about 95% sure I didn't. Though I know there are no PHP syntax errors. So, if there's a link pointing to the wrong place or the switch() isn't fully working, let me know, and I'll help you fix it, if you can't. :)


<?php


include_once('globals.php');

?>

<style type="text/css">

span.bigBold {
font-weight: bold;
font-size: larger;
}

table#spend_points {
width: 50%;
border: 1px black solid;
}

#spend_points {
 width: 20%;
}

td.spendOn {
 width: 10%
}

td.spendOn_accept {
 width: 3%;
}

label {
display: block;
}


form {
text-align: center;
}


</style>


<?php

//I've left this code in here, for you to see the difference, and how easy it can be to secure a switch() like this,
//by understanding some simple PHP functions
//My version of all this, is found on lines 138-145
/*$_GET['refill'] = stripslashes(htmlspecialchars($_GET['refill']));
$_GET['refill0'] = stripslashes(htmlspecialchars($_GET['refill0']));
$_GET['refill2'] = stripslashes(htmlspecialchars($_GET['refill2']));
$_GET['refill3'] = stripslashes(htmlspecialchars($_GET['refill3']));
$_GET['hospitalheal'] = stripslashes(htmlspecialchars($_GET['hospitalheal']));
$_GET['getoutjail'] = stripslashes(htmlspecialchars($_GET['getoutjail']));
$_GET['turnsfill'] = stripslashes(htmlspecialchars($_GET['turnsfill']));
$_GET['turnsfill2'] = stripslashes(htmlspecialchars($_GET['turnsfill2']));
$_GET['IQ'] = stripslashes(htmlspecialchars($_GET['IQ']));
$_GET['money'] = stripslashes(htmlspecialchars($_GET['money']));
*/

//I know you were mainly wondering about the security of this
//but while we're at it, let's clean up the HTML a bit.
//Small thing, but if you're going to write new code, it's worth doing
//use echo with single quotes, as it is the fastest of the basic write-to-document options
//Though I don't exactly recommend going through old, already written code and doing this
//as the speed gain from it is usually so minuscule, it's not worth it.

echo '<h1>Welcome to the Points Store!</h1>';
echo '

You have <span class="bigBold">', $ir['crystals'], '</span> Points to spend.';

if(!$_GET['spend'])
{

//Another small thing that makes a *big* difference, is to indent your code.
//Without doing this, the code becomes increasingly unreadable.


//Now technically here, if it was me, I would turn this into a list, but it could go either-or
//I'll leave it as a table, assuming you would rather have it that way.
//And since this is mainly a lot of HTML, and barely any PHP, I'm going to close out the PHP tags
//and simply open them back up when I need to use a variable.
?>
<table id="spend_points">
<tr>
   	<th>What would you like to spend your Points on?</th>
</tr>
<tr>
   	<td class="spendOn">Spend 1 Point to refill your Health.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=refill0'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend <?php echo $set['ct_refillprice']; ?> Points to refill your Energy.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=refill'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend <?php echo $set['ct_refillprice']; ?> Points to refill your Nerve.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=refill2'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend 75 Points to refill your Awake.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=refill3'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend 5 Points to get out of the Hospital.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=hospitalheal'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend 5 Points to Bail out of Jail.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=getoutjail'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend 50 Points to Reset your Downtown Search.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=turnsfill'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Spend 25 Points to Reset your Lucky Dip.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=turnsfill2'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Gain <?php echo $set['ct_iqpercrys']; ?> IQ per Point Spent.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=IQ'](click here)[/url]</td>
</tr>
<tr>
   	<td class="spendOn">Sell Points. <?php echo $set['ct_moneypercrys']; ?> per point.</td>
   	<td class="spendOn_accept">[url='spendpoints.php?spend=money'](click here)[/url]</td>
</tr>
</table>

<?php
}
else
{
//First I create an array of all the possible valid options $_GET['spend'] can be
//This way, if it's not in this array, it will not be accepted, and you will be protected
//from anyone trying to exploit your game using the $_GET array/superglobal.
//Now that I have an array of the possible valid options, I can check against it
//using in_array(), to see if the supplied $_GET value is one in there, therefore being valid
//and secure.
//The names here must match the links in the table above exactly ('refill', 'turnsfill2'),
//otherwise a legitimate click is rejected as an invalid option.
$possibleOptions = array('refill0', 'refill', 'refill2', 'refill3', 'hospitalheal', 'getoutjail', 'turnsfill', 'turnsfill2', 'IQ', 'IQ2', 'money', 'money2');
//No semicolon after the if(): with one, the block below would run on every request.
//The third argument makes in_array() compare strictly, as strings only.
if(!in_array($_GET['spend'], $possibleOptions, true))
{
   	echo '<h3>Invalid Option</h3>';
   	echo '[url="spendpoints.php"]Go Back[/url]';
   	return;
   	//Using return simply to stop script execution
}
if($_GET['spend'] == 'refill0')
{
   	if($ir['crystals'] < 1)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['hp'] == $ir['maxhp'])
   	{
       	echo '<h3>You already have Full Health.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else
   	{
       	//If we got through to this part, everything is good and we can build our query
       	$maxHP = sprintf("UPDATE `users` SET `hp` = `maxhp`, `crystals` = `crystals` - %d WHERE(`userid` = %u)", 1, $userid);
       	//Execute the query
       	$do_maxHP = mysql_query($maxHP);
       	//Check to see if the query failed.... if it did display the mysql error.
       	if($do_maxHP === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 1 Point to refill your Health Bar.</h3>';
       	echo '<a href="spendpoints.php">Back to Points Store</a>';
       	echo '<a href="explore.php">Back to City</a>';
   	}
}
else if($_GET['spend'] == 'getoutjail')
{
   	if($ir['crystals'] < 10)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['jail'] == 0)
   	{
       	echo '<h3>You are not in jail.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else
   	{
       	$getOutOfJail = sprintf("UPDATE `users` SET `jail` = `jail` - `jail`, `crystals` = `crystals` - %d WHERE(`userid` = %u)", 10, $userid);
       	$do_getOutOfJail = mysql_query($getOutOfJail);
       	if($do_getOutOfJail === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 10 Points to Get out of Jail.</h3>';
       	echo '[url="explore.php"]Back to City[/url]';
   	}
}
else if($_GET['spend'] == 'refill')
{
   	if($ir['crystals'] < $set['ct_refillprice'])
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['energy'] == $ir['maxenergy'])
   	{
       	echo '<h3>You already have full energy.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else
   	{
       	$maxEnergy = sprintf("UPDATE `users` SET `energy` = `maxenergy`, `crystals` = `crystals` - %d WHERE(`userid` = %u)", $set['ct_refillprice'], $userid);
       	$do_maxEnergy = mysql_query($maxEnergy);
       	if($do_maxEnergy === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid ', $set['ct_refillprice'], ' Points to refill your energy bar.</h3>';
       	echo '[url="gym.php"]Go to Gym[/url]';
   	}
}
else if($_GET['spend'] == 'refill2')
{
   	if($ir['crystals'] < $set['ct_refillprice'])
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['brave'] == $ir['maxbrave'])
   	{
       	echo '<h3>You already have full Nerve.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
   	}
   	else
   	{
       	$maxBrave = sprintf("UPDATE `users` SET `brave` = `maxbrave`, `crystals` = `crystals` - %d WHERE(`userid` = %u)", $set['ct_refillprice'], $userid);
       	$do_maxBrave = mysql_query($maxBrave);
       	if($do_maxBrave === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid ', $set['ct_refillprice'], ' Points to refill your Nerve Bar.</h3>';
   	}
}
else if($_GET['spend'] == 'hospitalheal')
{
   	if($ir['crystals'] < 10)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['hospital'] < 1)
   	{
       	echo '<h3>You are not in the Hospital !</h3>';
       	echo '[url="spendpoints.php"]Go Back[/url]';
       	return;
   	}
   	else
   	{
       	$getOutOfHospital = sprintf("UPDATE `users` SET `hospital` = 0, `crystals` = `crystals` - %d WHERE(`userid` = %u)", 10, $userid);
       	$do_getOutOfHospital = mysql_query($getOutOfHospital);
       	if($do_getOutOfHospital === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 10 Points to get out of the hospital.</h3>';
       	echo '[url="explore.php"]Back to City[/url]';
   	}
}
else if($_GET['spend'] == 'turnsfill')
{
   	if($ir['crystals'] < 50)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '[url="spendpoints.php"]Go Back[/url]';
       	return;
   	}
   	else if($ir['turns'] > 1)
   	{
       	echo '<h3>You still have some searches left !</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else
   	{
       	$moreTurns = sprintf("UPDATE `users` SET `turns` = `turns` + %d, `crystals` = `crystals` - %d WHERE (`userid` = %u)", 100, 50, $userid);
       	$do_moreTurns = mysql_query($moreTurns);
       	if($do_moreTurns === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 50 Points to reset your Downtown Search.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
   	}
}
//Ok, by now you might be wondering why I keep using echo over and over for each line
//I know I know I can just keep it open, and not having to keep re-using it.
//But, with this way, it helps the parser out, and go line by line, to pinpoint syntax
//errors to the exact line. Plus..... I like the way it looks :D
else if($_GET['spend'] == 'refill3')
{
   	if($ir['crystals'] < 75)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else if($ir['will'] == $ir['maxwill'])
   	{
       	echo '<h3>Your Awake is already Maxed out.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
       	return;
   	}
   	else
   	{
       	$maxWill = sprintf("UPDATE `users` SET `will` = `maxwill`, `crystals` = `crystals` - %d WHERE(`userid` = %u)", 75, $userid);
       	$do_maxWill = mysql_query($maxWill);
       	if($do_maxWill === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 75 Points to refill your Will Bar.</h3>';
       	echo '<a href="spendpoints.php">Go Back</a>';
   	}
}
//Phew....that was tiring...
else if($_GET['spend'] == 'IQ')
{
   	echo '<p>Type in the amount of Points you want to swap for IQ.</p>';
   	echo '<p>You have ', $ir['crystals'], ' Points.</p>';
   	echo '<h5>One crystal = ', $set['ct_iqpercrys'], ' IQ.</h5>';
   	echo '<form action="spendpoints.php?spend=IQ2" method="POST">';
       	echo '<label for="crystals">Crystals</label>';
       	echo '<input type="text" id="crystals" name="crystals" />';
       	echo '<p><input type="submit" value="Swap" /></p>';
   	echo '</form>';
}
else if($_GET['spend'] == 'IQ2')
{
   	//Now to secure the $_POST value being sent by the form
   	//we have to think what we expect, and only allow what we
   	//want to allow
   	//If we only want to allow numbers, only allow numbers
   	//If you only want to allow alphabetic characters, only allow alphabetic characters
   	//etc etc...
   	//In this case, we only want to allow numbers, so I'll use is_numeric()
   	//(PHP has no is_number(); is_numeric() is the built-in that does this check)
   	if(!is_numeric($_POST['crystals']))
   	{
       	echo '<h3>You must enter a valid *number*</h3>';
       	echo '[url="spendpoints.php?spend=IQ"]Back[/url]';
       	return;
       	//If it's not a number, we stop execution of the script, and let them go back.
   	}
   	if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals'])
   	{
       	echo '<p>Error, you either do not have enough Points or did not fill out the form.</p>';
       	echo '[url="spendpoints.php?spend=IQ"]Back[/url]';
       	return;
   	}
   	else
   	{
       	$iqgain = $_POST['crystals'] * $set['ct_iqpercrys'];
       	$takeCrystals = sprintf("UPDATE `users` SET `crystals` = `crystals` - %d WHERE(`userid` = %u)", $_POST['crystals'], $userid);
       	$do_takeCrystals = mysql_query($takeCrystals);
       	if($do_takeCrystals === FALSE) { echo mysql_error(); }
       	$moreIQ = sprintf("UPDATE `userstats` SET `IQ` = `IQ` + %d WHERE(`userid` = %u)", $iqgain, $userid);
       	$do_moreIQ = mysql_query($moreIQ);
       	if($do_moreIQ === FALSE) { echo mysql_error(); }
       	echo '<h3>You traded ', $_POST['crystals'], ' Points for ',  $iqgain, ' IQ.</h3>';
   	}
}
else if($_GET['spend'] == 'money')
{
   	echo '<p>Type in the amount of Points you want to swap for money.</p>';
   	echo '<p>You have ', $ir['crystals'], ' Points.</p>';
   	//Inside single quotes a $ needs no backslash; '\$' would print the backslash too
   	echo '<h5>One crystal = $', number_format($set['ct_moneypercrys']), '.</h5>';
   	echo '<form action="spendpoints.php?spend=money2" method="POST">';
       	echo '<label for="crystals">Crystals</label>';
       	echo '<input type="text" id="crystals" name="crystals" />';
       	echo '<p><input type="submit" value="Swap" /></p>';
   	echo '</form>';
}
else if($_GET['spend'] == 'money2')
{
   	if(!is_numeric($_POST['crystals']))
   	{
       	echo '<h3>You must enter a valid *number*</h3>';
       	echo '[url="spendpoints.php?spend=money"]Back[/url]';
       	return;
   	}
   	if($_POST['crystals'] <= 0 || $_POST['crystals'] > $ir['crystals'])
   	{
       	echo '<p>Error, you either do not have enough Points or did not fill out the form.</p>';
       	echo '[url="spendpoints.php?spend=money"]Back[/url]';
       	return;
   	}
   	else
   	{
       	$moneygain = $_POST['crystals'] * $set['ct_moneypercrys'];
       	$moreMoney = sprintf("UPDATE `users` SET `money` = `money` + %d, `crystals` = `crystals` - %d WHERE(`userid` = %u)", $moneygain, $_POST['crystals'], $userid);
       	$do_moreMoney = mysql_query($moreMoney);
       	if($do_moreMoney === FALSE) { echo mysql_error(); }
       	echo '<h3>You traded ', $_POST['crystals'], ' Points for $', number_format($moneygain), '.</h3>';
   	}
}
else if($_GET['spend'] == 'turnsfill2')
{
   	if($ir['crystals'] < 25)
   	{
       	echo '<h3>You don\'t have enough Points!</h3>';
       	echo '[url="spendpoints.php"]Go Back[/url]';
       	return;
   	}
   	else if($ir['luckydip_turns'] == 0)
   	{
       	$luckyDips = sprintf("UPDATE `users` SET `luckydip_turns` = `luckydip_turns` + %d, `crystals` = `crystals` - %d WHERE(`userid` = %u)", 1, 25, $userid);
       	$do_luckyDips = mysql_query($luckyDips);
       	if($do_luckyDips === FALSE) { echo mysql_error(); }
       	echo '<h3>You have paid 25 Points to reset your Lucky Dip.</h3>';
       	echo '[url="luckydip.php"]Go to Lucky Dip[/url]';

   	}
   	else
   	{
       	echo '<h3>You still have chances left !</h3>';
       	echo '[url="luckydip.php"]Go to Lucky Dip[/url]';
   	}
}
}

$h->endpage();

//Hope you've learned something! :)


?>
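The two checks BlueDevil23's comments describe, the whitelist on `$_GET['spend']` and the numbers-only check on `$_POST['crystals']`, together with the point-deduction query, as an added PHP example that is not from this thread or from mccodes. It assumes a `users` table with `userid` and `crystals` columns as in the scripts above; the in-memory SQLite database, the starting balance of 9 points and the helper names (`resolveAction`, `parseAmount`, `spendCrystals`, `currentCrystals`) are constructed for the demo. It goes one step beyond the posted script: the balance check and the deduction are a single UPDATE with a prepared statement, so the balance cannot go negative even when the same request arrives twice at once, which a separate `if($ir['crystals'] < 10)` test cannot guarantee.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not BlueDevil23's or mccodes' code. The table
// and column names follow the scripts in the thread; the SQLite database and
// the player's starting balance below are constructed for the demo.

// The only actions the store page accepts; anything else is rejected outright.
const SPEND_ACTIONS = [
    'refill0', 'refill', 'refill2', 'refill3', 'hospitalheal', 'getoutjail',
    'turnsfill', 'turnsfill2', 'IQ', 'IQ2', 'money', 'money2',
];

function resolveAction($raw): ?string
{
    // Strict in_array(): compare as strings only, never by loose numeric equality.
    return (is_string($raw) && in_array($raw, SPEND_ACTIONS, true)) ? $raw : null;
}

function parseAmount($raw, int $max): ?int
{
    // Only a plain run of decimal digits is accepted; "1e3", "-5", "10abc",
    // "" and arrays are all rejected before any arithmetic happens.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

function spendCrystals(PDO $db, int $userid, int $cost): bool
{
    // Check and deduct in one statement: the WHERE clause refuses the update
    // when the balance is too low, so the balance can never go negative and
    // two concurrent requests cannot both be paid from the same points.
    $stmt = $db->prepare(
        'UPDATE users SET crystals = crystals - :cost
         WHERE userid = :uid AND crystals >= :need'
    );
    $stmt->execute([':cost' => $cost, ':uid' => $userid, ':need' => $cost]);
    return $stmt->rowCount() === 1;
}

function currentCrystals(PDO $db, int $userid): int
{
    $stmt = $db->prepare('SELECT crystals FROM users WHERE userid = :uid');
    $stmt->execute([':uid' => $userid]);
    return (int) $stmt->fetchColumn();
}

// Constructed demo data: one player holding 9 points.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, crystals INTEGER NOT NULL)');
$db->exec('INSERT INTO users (userid, crystals) VALUES (1, 9)');

$userid  = 1;
$balance = currentCrystals($db, $userid);

// Whitelist: a made-up action name is rejected before any branch runs.
foreach (['getoutjail', 'refill9'] as $candidate) {
    printf("action %-12s -> %s\n", $candidate, resolveAction($candidate) ?? 'rejected');
}

// Amount validation against the player's balance.
foreach (['5', '25', '-5', '1e3', ''] as $candidate) {
    $n = parseAmount($candidate, $balance);
    printf("amount %-6s -> %s\n", var_export($candidate, true), $n === null ? 'rejected' : $n);
}

// Atomic deduction: bailing out of jail costs 10, which 9 points cannot cover,
// so the first call is refused and the balance is untouched; paying 5 succeeds.
printf("pay 10 with %d points: %s\n", $balance, spendCrystals($db, $userid, 10) ? 'paid' : 'refused');
printf("pay 5 with %d points: %s\n", $balance, spendCrystals($db, $userid, 5) ? 'paid' : 'refused');
printf("balance after: %d\n", currentCrystals($db, $userid));
```

Run it with `php` from the command line (any filename; `spendpoints_example.php` is an assumed name). In a real mccodes page the same three helpers replace the `$_GET` sanitising lines, the `is_numeric()` test and the `if($ir['crystals'] < 10)` test: resolve the action first, parse the amount second, and let `spendCrystals()` report through its return value whether the points were actually taken before you grant the refill, the IQ or the money.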
Posted

BlueDevil23 you are awesome :)

Thank you very much for taking the time to help me out. lol...the reason I simply used a table is because I haven't learned enough about arrays yet to use them, but I understand exactly what it's good for.

I will be studying this script for a while...and any minor errors, if there are any, I'm sure I can fix :)

Oh yea JDS137, the tut is like two topics down..

http://makewebgames.io//index.php?page=Thread&threadID=28945
