Akumetsu Posted January 4, 2011 Share Posted January 4, 2011 Hey all, first of all I'd just like to say that I'm entirely new to php, but am learning little by little (mainly through the free modifications and php manual). This is my first attempt to secure it so please leave any opinions/comments. Overall is it secure? If not mind pointing me in the right direction? <?php include(DIRNAME(__FILE__) . '/globals.php'); $_GET['ID'] = isset($_GET['ID']) && ctype_digit($_GET['ID']) ? abs(@intval($_GET['ID'])) : false; $_GET['action'] = isset($_GET['action']) && ctype_alpha($_GET['action']) ? trim($_GET['action']) : 'index'; echo '<h3>Crystal Market</h3>'; switch($_GET['action']) { case 'buy': crystal_buy(); break; case 'remove': crystal_remove(); break; case 'add': crystal_add(); break; default: index(); break; } if (!in_array($_GET['action'], array('buy','remove','add','index'))) { echo ' [b]Invalid Action.[/b]'; exit($h->endpage()); } function index() { global $db,$ir,$c,$userid,$h; echo ' [url="cmarket.php?action=add"][ Add A Listing ][/url] Viewing all listings... <table width="75%" cellspacing="1" class="table"> <tr style="background:gray"> <th>Adder</th> <th>Qty</th> <th>Price each</th> <th>Price total</th> <th>Links</th> </tr>'; $q=$db->query("SELECT cm.*, u.* FROM crystalmarket cm LEFT JOIN users u ON u.userid=cm.cmADDER ORDER BY cmPRICE/cmQTY ASC"); while($r=$db->fetch_row($q)) { if($r['cmADDER'] == $userid) { $link = "[url='cmarket.php?action=remove&ID=".abs(@intval($r[']Remove[/url]"; } else { $link = "[url='cmarket.php?action=buy&ID=".abs(@intval($r[']Buy[/url]"; } $each= (int) $r['cmPRICE'] / $r['cmQTY']; echo ' <tr style="text-align:center"> <td>[url="viewuser.php?u='.abs(@intval($r['userid'])).'"]'.htmlentities($r['username'],ENT_QUOTES).'[/url] ['.abs(@intval($r['userid'])).']</td> <td>'.$r['cmQTY'].'</td> <td>$'.number_format($each).'</td> <td>$'.number_format($r['cmPRICE']).'</td> <td>[ '.$link.' ]</td> </tr>'; } echo '</table>'; } function crystal_remove() { global $db,$ir,$c,$userid,$h; $q=$db->query("SELECT * FROM crystalmarket WHERE cmID=".abs(@intval($_GET['ID']))." AND cmADDER=$userid"); if(!$db->num_rows($q)) { echo ' Error, either these crystals do not exist, or you are not the owner. [url="cmarket.php"][ Back ][/url]'; exit($h->endpage()); } $r=$db->fetch_row($q); $db->query("UPDATE users SET crystals=crystals+".abs(@intval($r['cmQTY']))." where userid=$userid"); $db->query("DELETE FROM crystalmarket WHERE cmID=".abs(@intval($_GET['ID'])).""); echo 'Crystals removed from market! [url="cmarket.php"][ Back ][/url]'; } function crystal_buy() { global $db,$ir,$c,$userid,$h; $q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID=".abs(@intval($_GET['ID'])).""); if(!$db->num_rows($q)) { echo ' Error, either these crystals do not exist, or they have already been bought. [url="cmarket.php"][ Back ][/url]'; exit($h->endpage()); } $r=$db->fetch_row($q); if($r['cmPRICE'] > $ir['money']) { echo ' Error, you do not have the funds to buy these crystals. [url="cmarket.php"][ Back ][/url]'; exit($h->endpage()); } $db->query("UPDATE users SET crystals=crystals+".abs(@intval($r['cmQTY']))." where userid=$userid"); $db->query("DELETE FROM crystalmarket WHERE cmID=".abs(@intval($_GET['ID'])).""); $db->query("UPDATE users SET money=money-".abs(@intval($r['cmPRICE']))." where userid=$userid"); $db->query("UPDATE users SET money=money+".abs(@intval($r['cmPRICE']))." where userid=".abs(@intval($r['cmADDER'])).""); event_add($r['cmADDER'],"[url='viewuser.php?u=".abs(@intval($userid))."']".htmlentities($ir['username'],ENT_QUOTES)."[/url] bought your {$r['cmQTY']} crystals from the market for \$".number_format($r['cmPRICE']).".",$c); echo 'You bought the '.$r['cmQTY'].' crystals from the market for $'.number_format($r['cmPRICE']).'. [url="cmarket.php"][ Back ][/url]'; exit($h->endpage()); } function crystal_add() { global $db,$ir,$c,$userid,$h; $_POST['amnt'] = isset($_POST['amnt']) && ctype_digit($_POST['amnt']) ? abs(@intval($_POST['amnt'])) : false; $_POST['price'] = isset($_POST['price']) && ctype_digit($_POST['price']) ? abs(@intval($_POST['price'])) : false; if($_POST['amnt']) { if($_POST['amnt'] > $ir['crystals']) { die ("You are trying to add more crystals to the market than you have."); } $tp=$_POST['amnt']*$_POST['price']; $db->query("INSERT INTO crystalmarket VALUES('',".abs(@intval($_POST['amnt'])).",".abs(@intval($userid)).",".abs(@intval($tp)).")"); $db->query("UPDATE users SET crystals=crystals-".abs(@intval($_POST['amnt']))." WHERE userid=".abs(@intval($userid)).""); echo 'Crystals added to market! [url="cmarket.php"][ Back ][/url]'; } else { echo ' [b]Adding a listing...[/b] You have [b]'.$ir['crystals'].'[/b] crystal(s) that you can add to the market. <form action="cmarket.php?action=add" method="post"> <table width="50%" border="2"> <tr> <td>Crystals:</td> <td><input type="text" name="amnt" value='.$ir['crystals'].' /></td> </tr> <tr> <td>Price Each:</td> <td><input type="text" name="price" value="200" /></td> </tr> <tr> <td colspan="2" align="center"><input type="submit" value="Add To Market" /> </tr> </table> </form>'; } } $h->endpage(); ?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.