Mr-Scripts, posted December 8, 2012

A player has come to me and said there are errors and bugs in the following files. He/she has not said where, so I need an eagle-eyed person to help me identify the problem.

Bank Sending Money: http://pastebin.com/aUAxGnwj
Normal Bank (withdraw / deposit): http://pastebin.com/Aej2YnHQ
Bullet Factory: http://pastebin.com/8LqXKFMA
Black Market / Bullets: http://pastebin.com/pGmYDSCk
Black Market / Credits: http://pastebin.com/EsuLGUKV
KyleMassacre, posted December 8, 2012

The easiest thing to do is ask the person what they were doing when the bug/error occurred, with any error messages that may have popped up. Also, get rid of ereg and replace it with preg_match. I only noticed it in the first few files posted, but I only scanned through them. If they are linked somehow it may kick out a couple of errors if you are using anything < 5.3.0.

Mr-Scripts, posted December 8, 2012

I'm using the following: Apache version 2.2.22, PHP version 5.3.15, MySQL version 5.5.27-cll.

KyleMassacre, posted December 8, 2012

Judging by your PHP version, you need to get rid of ereg.
Someone, posted December 19, 2012

Check your server log files; they can be found in cPanel if you have that. Also, I hope you secure the $_POST data somewhere, other than just stripping the tags:

```php
$giveto = strip_tags($_POST['giveto']);
$giveamount = strip_tags($_POST['giveamount']);
$query2=mysql_query("SELECT * FROM users WHERE username='$giveto' LIMIT 1");
```

Mr-Scripts, posted December 19, 2012

> Check your server log files; they can be found in cPanel if you have that. Also, I hope you secure the $_POST data somewhere, other than just stripping the tags:
>
> ```php
> $giveto = strip_tags($_POST['giveto']);
> $giveamount = strip_tags($_POST['giveamount']);
> $query2=mysql_query("SELECT * FROM users WHERE username='$giveto' LIMIT 1");
> ```

Are you referring to send money? If so, I don't think I do. I'm new to this, so what you see in the file is what I have.

Someone, posted December 20, 2012

Yes, that was in send money. Unless the $_POST data is validated in another place, like in a functions.php, your script is vulnerable to MySQL injections. Open includes/functions.php and search for $_POST; hopefully there is something that checks each entry in the array.
Mr-Scripts, posted December 20, 2012 (edited)

```php
if($_POST['Send_button']){
    $send_amount=intval(strip_tags($_POST['send_amount']));
    $to_person = strip_tags($_POST['to_person']);
    if (!$to_person){
        echo "Please enter a username.";
    }elseif ($to_person){
        $num_true=mysql_num_rows(mysql_query("SELECT * FROM users WHERE username='$to_person'"));
        if ($num_true == 0){
            echo "No such user.";
        }elseif ($num_true != 0){
            if ($send_amount > "0"){
                if ($send_amount == 0 || !$send_amount || ereg('[^0-9]',$send_amount)){
                    print "You cant send that amount.";
                }elseif ($send_amount != 0 || $send_amount || !ereg('[^0-9]',$send_amount)){
                    {
                    if ($send_amount > $fetch->bank){
                        echo "You do not have that much money in your bank.";
                    }elseif ($send_amount <= $fetch->bank){
                        $newer = mysql_query("SELECT * FROM users WHERE username='$to_person'");
                        $abcdef=mysql_fetch_object($newer);
```
Mr-Scripts, posted December 20, 2012

* I'll obviously change ereg to preg_match, but I don't have anything in my functions.

KyleMassacre, posted December 20, 2012

> Yes, that was in send money. Unless the $_POST data is validated in another place, like in a functions.php, your script is vulnerable to MySQL injections. Open includes/functions.php and search for $_POST; hopefully there is something that checks each entry in the array.

You probably shouldn't rely on includes to validate your data; do it manually for everything.

Mr-Scripts, posted December 20, 2012

Suggestion please.

KyleMassacre, posted December 20, 2012

Without knowing what is going on exactly, it's hard to tell. Have any more users come to you and said they have bugs/errors? If not, and you have investigated everything you can do in the script, then I would say it's fine; they probably don't know what they are talking about.

Mr-Scripts, posted December 20, 2012

> Without knowing what is going on exactly, it's hard to tell. Have any more users come to you and said they have bugs/errors? If not, and you have investigated everything you can do in the script, then I would say it's fine; they probably don't know what they are talking about.

Thank you Kyle, I'll have a look. Like I said in a previous topic, I'm still learning, so any tips or ways you can secure the sendmoney.php file, or where I can read up about it? I use php.net already.
KyleMassacre, posted December 20, 2012

> Check your server log files; they can be found in cPanel if you have that. Also, I hope you secure the $_POST data somewhere, other than just stripping the tags:
>
> ```php
> $giveto = strip_tags($_POST['giveto']);
> $giveamount = strip_tags($_POST['giveamount']);
> $query2=mysql_query("SELECT * FROM users WHERE username='$giveto' LIMIT 1");
> ```

That's pretty much the go-to place, but you shouldn't always use strip_tags for ints. There are better options like abs(), is_int(), intval().

Mr-Scripts, posted December 20, 2012

> That's pretty much the go-to place, but you shouldn't always use strip_tags for ints. There are better options like abs(), is_int(), intval().

In your opinion, what's the best to use for the above code (plus how or where can I learn to secure it)?
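An added example, not code from the thread or from Mr-Scripts' game: the send-money handler posted above rewritten so that the MySQL injection Someone pointed out is closed (the username and amount travel as bound parameters of a PDO prepared statement, never pasted into the SQL string) and the amount is validated as a positive integer, which is the stricter replacement for strip_tags/ereg that Kyle was getting at. It assumes a `users` table with `id`, `username` and `bank` columns, the logged-in sender's id in `$_SESSION['user_id']`, and placeholder database credentials; none of those come from the thread. PDO ships with PHP 5.3, so it runs on the 5.3.15 install mentioned.

```php
<?php
// Hardened transfer handler (added example, not sendmoney.php from the thread).
// Assumed schema: users(id, username, bank). Assumed session: $_SESSION['user_id'].

// The pattern from the thread, shown only for contrast and never executed here.
// With $giveto = "' OR '1'='1" the clause becomes username='' OR '1'='1' and the
// LIMIT 1 hands back the first user in the table; strip_tags() does nothing to stop it.
//   $giveto = strip_tags($_POST['giveto']);
//   $query2 = mysql_query("SELECT * FROM users WHERE username='$giveto' LIMIT 1");

function send_money(PDO $db, $sender_id, $to_person, $raw_amount)
{
    // Whitelist the amount as a positive integer. This replaces the removed
    // ereg('[^0-9]', ...) test (preg_match('/[^0-9]/', ...) would be the literal port).
    $amount = filter_var($raw_amount, FILTER_VALIDATE_INT,
                         array('options' => array('min_range' => 1)));
    if ($amount === false) {
        return "You can't send that amount.";
    }
    if (!is_string($to_person) || $to_person === '') {
        return "Please enter a username.";
    }

    try {
        $db->beginTransaction();

        // Bound parameter: quotes in $to_person are data, not SQL.
        $stmt = $db->prepare('SELECT id FROM users WHERE username = ? LIMIT 1');
        $stmt->execute(array($to_person));
        $recipient_id = $stmt->fetchColumn();
        if ($recipient_id === false) {
            $db->rollBack();
            return "No such user.";
        }
        if ((int) $recipient_id === (int) $sender_id) {
            $db->rollBack();
            return "You can't send money to yourself.";
        }

        // Lock the sender's row and re-read the balance inside the transaction,
        // so two simultaneous sends cannot both pass the balance check.
        $stmt = $db->prepare('SELECT bank FROM users WHERE id = ? FOR UPDATE');
        $stmt->execute(array($sender_id));
        $balance = $stmt->fetchColumn();
        if ($balance === false || $amount > (int) $balance) {
            $db->rollBack();
            return "You do not have that much money in your bank.";
        }

        $stmt = $db->prepare('UPDATE users SET bank = bank - ? WHERE id = ?');
        $stmt->execute(array($amount, $sender_id));
        $stmt = $db->prepare('UPDATE users SET bank = bank + ? WHERE id = ?');
        $stmt->execute(array($amount, $recipient_id));

        $db->commit();
        // Escape the username before echoing it back, so a name cannot inject HTML.
        return "Sent $amount to " . htmlspecialchars($to_person, ENT_QUOTES, 'UTF-8') . ".";
    } catch (PDOException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        return "Transfer failed; nothing was changed.";
    }
}

if (isset($_POST['Send_button'])) {
    // Placeholder DSN and credentials (assumption, not the game's real config).
    $db = new PDO('mysql:host=localhost;dbname=game;charset=utf8', 'user', 'pass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    $to     = isset($_POST['to_person']) ? $_POST['to_person'] : '';
    $amount = isset($_POST['send_amount']) ? $_POST['send_amount'] : '';
    echo send_money($db, $_SESSION['user_id'], $to, $amount);
}
```

The row lock and the rollback only work if the `users` table is InnoDB; on MyISAM, MySQL silently ignores the transaction, and two overlapping sends can both debit the same balance. The same prepare/execute pattern applies to the withdraw/deposit, bullet and credit files linked in the first post: any place a `$_POST` value is concatenated into a `mysql_query()` string is the same bug.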
Uridium, posted December 20, 2012

Mr Scripts, send me your game URL so I can have a nose around...

Mr-Scripts, posted December 24, 2012

> Mr Scripts, send me your game URL so I can have a nose around...

Will do, but it's extremely bugged and not that well secured, to be honest.