BeastTheKidd Posted January 6, 2012 Share Posted January 6, 2012 (edited) Basically, i've recreated the crystal market. I want someone to test it out and make sure that it works well, and to report any errors/security issues that pop up. This will eventually include the item market as well, to group the 2 together in one file, but I want to make sure that this half works good first. <?php require('globals.php'); $currency_sym = '$'; //Sets your currency symbol; $sec_currency_name = 'Point'; //Sets your second currency name for output; $item_name = 'Item'; //Sets your name for for item market, so you could use Supply, etc. //$price_cap = '200000'; Sets the price capacity; $_GET['id'] = abs(@intval($_GET['id'])); switch($_GET['page']) { case 'smarket': smarket(); break; case 'imarket': imarket(); break; default: echo 'Invalid Page'; $h->endpage(); exit; break; } function smarket(){ global $db,$ir,$currency_sym,$sec_currency_name,$price_cap,$h; echo '<h3><strong><u>'.$sec_currency_name.' Market</u></strong></h3> <a href="market.php?page=smarket&cmd=add"><strong><u> Add Listing</u></strong></a>'; $db->query('DELETE FROM `crystalmarket` WHERE `cmQTY`=0'); //Clear market of entries with 0 or less quantities; switch($_GET['cmd']) { case 'view': $view = 'SELECT c.`cmID`,c.`cmQTY`,c.`cmADDER`,c.`cmPRICE`,u.`user id`,u.`username` '. 'FROM `users` u '. 'LEFT JOIN `crystalmarket` c '. 'ON c.`cmADDER`=u.`userid` '. 'WHERE u.`userid`=c.`cmADDER` '. 'ORDER BY c.`cmQTY` DESC'; $q = $db->query($view); echo '<table class="table" width="70%"> <tr><th>User</th> <th>QTY</th> <th>Price each</th> <th>Price total</th> <th>Commands</th></tr>'; while($data = $db->fetch_row($q)) { echo '<tr><td>'.htmlentities($data['username']).'['.$data['userid'].']</td> <td>'.number_format($data['cmQTY'],0).'</td> <td>'.$currency_sym.number_format($data['cmPRICE'],0).'</td> <td>'.$currency_sym.number_format($data['cmPRICE']*$data['cmQTY'],0).'</td> <td>'; if($data['cmADDER'] != $_SESSION['userid']) echo '[<a href="#">Purchase</a>]'; else echo '[<a href="market.php?page=smarket&cmd=remove&id='.$data["cmID"].'">Remove</a>]'; echo '</td></tr>'; } echo '</table>'; break; case 'purchase': $purchase = 'SELECT `cmID`,`cmADDER`,`cmQTY`,`cmPRICE` '. 'FROM `crystalmarket` '. 'WHERE `cmID`='.$_GET['id']; $q = $db->query($purchase); $data = $db->fetch_row($q); if(!$db->num_rows($q)) { echo 'Error: We could not find the requested listing.'; $h->endpage(); exit; } echo '<h3><strong>Purchase Listing</strong></h3>'; if(!$_POST['submit']) { echo '<form action="market.php?page=smarket&cmd=purchase&id='. $_GET["id"].'" method="POST"> <table class="table" cellpadding="0"> <tr><th>Qty:</th><td align="center"> <input style="width:50px;" type="text" name="p_qty" value="'.$data["cmQTY"].'" /></td></tr> <tr><td></td><td><input type="submit" name="submit" value="Purchase" /></td></tr> </form>'; } else { $_POST['p_qty'] = abs(@intval($_POST['p_qty'])); $price = floor($data['cmPRICE']*$_POST['p_qty']); if(!$_POST['p_qty']) { echo 'Error; You have either tried to purchase nothing, or there is nothing available to purchase.'; $h->endpage(); exit; } if($_POST['p_qty'] > $data['cmQTY']) { echo 'Error: You have requested more '.$sec_currency_name.'s than are available in this listing.'; $h->endpage(); exit; } if($_SESSION['userid'] == $data['cmADDER']) { echo 'Error: You cannot purchase your own listing. You can <a href="market.php?page=smarket&cmd=remove&id='.$data["cmID"].'">remove</a> it however.'; $h->endpage(); exit; } else if($price > $ir['money']) { echo 'Error: You do not have the sufficient funds to complete this purchase.'; $h->endpage(); exit; } else { $text = 'Someone has purchased your '.number_format($_POST['p_qty']).' point(s) for '.number_format($price,0).'.'; $db->query('UPDATE `users` SET `money`=`money`-'.$price.' WHERE `userid`='.$_SESSION['userid']); $db->query('UPDATE `users` SET `crystals`=`crystals`+'.$_POST["p_qty"].' WHERE `userid`='.$_SESSION["userid"]); $db->query('UPDATE `users` SET `money`=`money`+'.$price.' WHERE `userid`='.$data["cmADDER"]); $db->query('INSERT INTO `events` VALUES (NULL,'.$data["cmADDER"].','.time().',0,"'.$text.'")'); $db->query('UPDATE `crystalmarket` SET `cmQTY`=`cmQTY`-'.$_POST['p_qty'].' WHERE `cmID`='.$data["cmID"]); echo 'You have successfully purchased your '.number_format($_POST["p_qty"]).' '.$sec_currency_name.'(s)'; $h->endpage(); exit; } } break; case 'add': echo '<h3><strong>Add Listing</strong></h3>'; if(!$_POST['submit']) { echo '<form action="market.php?page=smarket&cmd=add" method="POST"> Qty: <input type="text" name="a_qty" value="'.$ir["crystals"].'" /> Price each: <input type="text" name="a_price" value="1000" /> <input type="submit" name="submit" value="Add Listing" /> </form>'; } else { $_POST['a_qty'] = abs(@intval($_POST['a_qty'])); $_POST['a_price'] = abs(@intval($_POST['a_price'])); $q = $db->query('SELECT `cmID`,`cmADDER` FROM `crystalmarket` WHERE `cmADDER`='.$_SESSION['userid']); if($_POST['a_qty'] > $ir['crystals']) { echo 'Error: You do not have enough '.$sec_currency_name.'s to complete this action.'; $h->endpage(); exit; } else if(!$_POST['a_qty'] || !$_POST['a_price']) { echo 'Error: You must enter a quantity/price.'; $h->endpage(); exit; } else if($db->num_rows($q)) { echo 'Error: You already have a listing. Please remove it before adding another one.'; $h->endpage(); exit; } // else if($ir['a_price'] > $price_cap) // { // echo 'Error: Your selling price each exceeds the current price capacity.'; // $h->endpage(); // exit; // } else { $db->query('INSERT INTO `crystalmarket` VALUES (NULL,'.$_POST["a_qty"].','.$_SESSION["userid"].','.$_POST["a_price"].')'); $db->query('UPDATE `users` SET `crystals`=`crystals`-'.$_POST["a_qty"].' WHERE `userid`='.$_SESSION['userid']); echo $sec_currency_name.'s sucessfully added to the market'; } } break; case 'remove': echo '<h3><strong>Remove Listing</strong></h3>'; $remove = 'SELECT `cmID`,`cmADDER`,`cmQTY` '. 'FROM `crystalmarket` '. 'WHERE `cmID`='.$_GET['id'].' AND `cmADDER`='.$_SESSION['userid']; $q = $db->query($remove); $r = $db->fetch_row($q); if(!$db->num_rows($q)) { echo 'Error: We could not find your entry. Either it does not exist, or you do not have permission to remove it.'; $h->endpage(); exit; } else { $db->query('UPDATE `users` SET `crystals`=`crystals`+'.$r["cmQTY"].' WHERE `userid`='.$_SESSION['userid']); $db->query('DELETE FROM `crystalmarket` WHERE `cmID`='.$_GET['id']); echo 'Your entry has successfully been removed.'; } break; default: echo 'Invalid Command'; $h->endpage(); exit; break; } } function imarket(){ } $h->endpage(); ?> Edited January 6, 2012 by Dominion Attempted to fixed space error. Quote Link to comment Share on other sites More sharing options...
BeastTheKidd Posted January 6, 2012 Author Share Posted January 6, 2012 (edited) Disregard the price cap error in the global, just put it together.. The box on here did that, its not in the original code.. just check the code for any spaces in the variables.. ridiculous that you have to this but its not my fault.. :) Edited January 6, 2012 by BeastTheKidd Quote Link to comment Share on other sites More sharing options...
Ishraq Posted January 6, 2012 Share Posted January 6, 2012 Instead of that currency thingy. Why not use money_formatter? Quote Link to comment Share on other sites More sharing options...
BeastTheKidd Posted January 6, 2012 Author Share Posted January 6, 2012 Instead of that currency thingy. Why not use money_formatter? I suppose. Did you try out the script? Quote Link to comment Share on other sites More sharing options...
sniko Posted January 6, 2012 Share Posted January 6, 2012 Disregard the price cap error in the global, just put it together.. The box on here did that, its not in the original code.. just check the code for any spaces in the variables.. ridiculous that you have to this but its not my fault.. :) If the forum software is messing with the script, upload to pastebin. Quote Link to comment Share on other sites More sharing options...
Dominion Posted January 6, 2012 Share Posted January 6, 2012 Disregard the price cap error in the global, just put it together.. The box on here did that, its not in the original code.. just check the code for any spaces in the variables.. ridiculous that you have to this but its not my fault.. :) Sorry about this. O_o Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.