Hendrickson Posted April 22, 2012

I've found a bug in the script, well at least mine. Where a player loses a fight and then respect points for their gang. Well if the user were to refresh the page they can give away more respect points to the winning gang. So it's a way for Gangs to get cheap respect points. I'm lost at how to stop this. Using sessions to stop a page refresh is not the answer. Not sure if using the below would work.

    $_GET['userid']=abs((int) $_GET['userid']);
    if(($_SESSION['userid'] == $r['userid']) || $r['userid']<100)
    {
        die ("Don't refresh the page please");
    }

Here is my attacklost.php below:

    <?php
    $atkpage=1;
    include "globals.php";
    // Assignment, not comparison: with "==" the cast was discarded and the raw
    // $_GET['ID'] went straight into the SQL below.
    $_GET['ID']=abs((int) $_GET['ID']);
    $_SESSION['attacking']=0;
    $_SESSION['attacklost']=0;
    $od=$db->query("SELECT * FROM users WHERE userid={$_GET['ID']}");
    if($db->num_rows($od))
    {
        $r=$db->fetch_row($od);
        print "You lost to {$r['username']}";
        // Note: ^ is bitwise XOR in PHP, not exponentiation.
        $expgain=abs(($ir['level']-$r['level'])^3);
        $expgainp=$expgain/$ir['exp_needed']*50;
        print " and lost $expgainp% EXP!";
        $db->query("UPDATE users SET exp=exp-$expgain, attacking=0 WHERE userid=$userid");
        $db->query("UPDATE users SET exp=0 WHERE exp<0");
        $msg="{$ir['username']} Attacked you and lost!";
        sms_send($msg,$_GET['ID']);
        event_add($r['userid'],"<a href='viewuser.php?u=$userid'>{$ir['username']}</a> attacked you and lost.",$c);
        $atklog=mysql_escape_string($_SESSION['attacklog']);
        $db->query("INSERT INTO attacklogs VALUES('',$userid,{$_GET['ID']},'lost',unix_timestamp(),0,'$atklog');");
        $warq=$db->query("SELECT * FROM gangwars WHERE (warDECLARER={$ir['gang']} AND warDECLARED={$r['gang']}) OR (warDECLARED={$ir['gang']} AND warDECLARER={$r['gang']})");
        if ($db->num_rows($warq) > 0)
        {
            $war=$db->fetch_row($warq);
            // Nothing above checks that a fight was actually pending, so these two
            // updates run again on every request for this page.
            $db->query("UPDATE gangs SET gangRESPECT=gangRESPECT+1 WHERE gangID={$r['gang']}");
            $db->query("UPDATE gangs SET gangRESPECT=gangRESPECT-1 WHERE gangID={$ir['gang']}");
            print "<br />You lost 1 respect for your gang!";
        }
        print"<a data-role='button' href='explore.php'>Back to Town</a>";
    }
    else
    {
        print "You lost to Mr. Non-existant! =O";
    }
    $h->endpage();
    ?>

Ishraq Posted April 22, 2012

You should download the latest mccodes. The one you have is old. It's missing an if statement that said cheaters don't get anywhere. Go to http://www.mccodes.com, log in to your account and download the latest patch. (Mccodes V2.0.5b)

Hendrickson Posted April 22, 2012

Thanks, I didn't see there were updates this month!

Edit: Downloaded the new update from my account. Doesn't seem to find the issue? attacklost.php doesn't mention the cheaters don't get anywhere in an if statement?

            $war = $db->fetch_row($warq);
            $db->query(
                    "UPDATE `gangs` SET `gangRESPECT` = `gangRESPECT` + 1 WHERE `gangID` = {$r['gang']}");
            $db->query(
                    "UPDATE `gangs` SET `gangRESPECT` = `gangRESPECT` - 1 WHERE `gangID` = {$ir['gang']}");
            echo "<br />You lost 1 respect for your gang!";
        }
        $db->free_result($warq);
    }

Edited April 22, 2012 by Hendrickson

Hendrickson Posted April 22, 2012

Thanks, tried it but no luck. Seems a hard bug to stop being exploited :(
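
Added example, not part of the thread and not MCCodes' own code: one way to make the loss handler safe against page refreshes is to treat the fight as a one-time state in the database and consume it atomically before touching respect. It assumes `users.attacking` holds the opponent's userid while a fight is in progress; `record_loss`, the trimmed schema and the sample rows are constructed for illustration, it uses PDO with in-memory SQLite so it runs offline, and the gang-war lookup is left out to focus on the respect transfer.

```php
<?php
// Constructed schema and data (assumption: attacking = opponent's userid during a fight).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, gang INTEGER, attacking INTEGER DEFAULT 0)");
$pdo->exec("CREATE TABLE gangs (gangID INTEGER PRIMARY KEY, gangRESPECT INTEGER)");
$pdo->exec("INSERT INTO users VALUES (1, 10, 2), (2, 20, 0)"); // user 1 is mid-fight with user 2
$pdo->exec("INSERT INTO gangs VALUES (10, 50), (20, 50)");

// Hypothetical helper: applies the loss once per fight, however often the page is requested.
function record_loss(PDO $pdo, int $loser, int $winner): bool
{
    if ($winner <= 0) {
        return false; // "attacking = 0" means idle, so 0 must never match as an opponent
    }
    $pdo->beginTransaction();
    try {
        // Consume the pending fight. Only the first request matches this WHERE clause;
        // a refresh finds attacking = 0 and changes no rows.
        $claim = $pdo->prepare("UPDATE users SET attacking = 0 WHERE userid = ? AND attacking = ?");
        $claim->execute([$loser, $winner]);
        if ($claim->rowCount() !== 1) {
            $pdo->rollBack();
            return false;
        }
        // Respect moves only inside the same transaction as the successful claim.
        $adj = $pdo->prepare("UPDATE gangs SET gangRESPECT = gangRESPECT + ?
                              WHERE gangID = (SELECT gang FROM users WHERE userid = ?)");
        $adj->execute([1, $winner]);
        $adj->execute([-1, $loser]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

var_dump(record_loss($pdo, 1, 2)); // first request for the loss page
var_dump(record_loss($pdo, 1, 2)); // same request again (page refresh)
foreach ($pdo->query("SELECT gangID, gangRESPECT FROM gangs") as $g) {
    echo "gang {$g['gangID']}: {$g['gangRESPECT']}\n";
}
```

Because the check and the state change are a single UPDATE, two simultaneous requests cannot both pass it, which a separate SELECT followed by an UPDATE would allow.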