MakeWebGames

Bank Loan


SRB

Taken from my post here.

And I was just bored for 15 minutes, so I wrote this:

NOTE -- this hasn't been uploaded to a server or tested, but should work (Hell, I don't even have it as a saved file -- closed the editor just now)

Functionality:

-- Allows users to loan a value determined by their level and days old. (New users, won't be worth **** to them)

-- For 3 days after taking out a loan, you can't pay it back.

-- You cannot take out another loan until the current one is paid.

Code:

You're unable to view this code.

Table definitions:

You're unable to view this code.

Any errors or problems, post here

You're unable to view this code.

What can I say, line 3 and already a problem.

As for the sprintfs -- Irrelevant. You have failed to understand the reason for using them which, while considered a useful trait a few years ago, has mostly been superseded by cleaner code. -- sprintf('%d', <value>) has proved a useful albeit lightweight mechanism, however sprintf('%s', <value>) is very dangerous when it comes to queries and should be avoided like the plague. -- Since Guest has taken the time to know the underlying database structure - at least data-type wise, and is sensible enough to type-check correctly incoming POST data, there is really no need for sprintf in this instance - which as any good programmer will know is a very expensive function.

I would agree with separating the SQL statements into variables rather than calling mysql_query("...") or $db->query("...") first, as it certainly helps if you are forced to run the code through a debugger.

e&oa

You're unable to view this code.

What can I say, I made a mistake, although it's not a major issue as it would just require it again - I have updated my post. As for the sprintf() I personally find it easier to use a sprintf query than $db-> and find it a lot easier to understand and easier to secure.

Appreciate the feedback.

Hope you don't mind Guest, updated for V2 and secured a little not tested let me know if any errors

Feel free to continue to the end of my post for the reply.

I just know that the response to this from Guest will be awesome.

It will? Care to rate? Go to the bottom too.

Since Guest has taken the time to know the underlying database structure - at least data-type wise, and is sensible enough to type-check correctly incoming POST data, there is really no need for sprintf in this instance - which as any good programmer will know is a very expensive function.

I would agree with separating the SQL statements into variables rather than calling mysql_query("...") or $db->query("...") first, as it certainly helps if you are forced to run the code through a debugger.

And agreed, I would have normally put the actual SQL outside of the mysql(i)_ for debugging, but since it's mccode and none of the other pages allow it, I see no point in starting a trend.

As for the sprintf() I personally find it easier to use sprintf query than $db-> and find it a lot easier to understand and easier to secure.

As much as I hate the format for mccode's database class, it makes sense to use it since if you ever have to update the entire engine, it's wrapped in a class-- have fun chasing down all your sprintf's inside of mysql query, just to update your site -- at which point, you'll probably wrap it in a class to save you time next time.

And... BOOM TIME

Ok, so I am going to have to reply, since it's clear you believe your skill set is higher than mine because you have adopted the use of the useless known as sprintf.

So, you have secured my already secure script? That's the equivalent of painting a blue smartie blue, isn't it?

And converted it to V2? Erm... so it wasn't V2 before? I'm pretty certain that being around these forums since '06 and playing with all of the code, would give me the knowledge to create a V2 mod, if I happen to label it as V2, no?

Anyway, Octarine has already pointed out the problems with the logic pertaining to your post, but I guess I will go down line of potential cause for concern, for the ill-educated.

So firstly, we have:

You're unable to view this code.

which for some reason, you felt the need to type cast using sprintf...

Tell me this, what can an int(x) row in a database hold? Oh yes, that would be an integer, right?

Now, who has control of that number, since it's auto increment? Yes, the system...

And what do we, as programmers, need to check? That would be anything users can edit, right?

See where I just went with that?

Next would be:

You're unable to view this code.

See above points.

But wait, you felt the need to sprintf the above to make it "secure", but left this one... I guess you did know it didn't need securing after all :o

And considering the only 2 changes that I can actually see in your post are adding __DIR__ to the global include (which, by the way, is not needed since your globals.php will be in the directory you're in) and a single sprintf, maybe I should stop, but you know what, while we are here, I may as well continue some.

Next up is

You're unable to view this code.

Given that you questioned the $ir['userid, I am unsure why you didn't try and see a problem with this. Maybe even pointing out that both of the functions (is_int and ctype_digit) **should** be enough alone, but alas, PHP has a tendency to be an ass and can occasionally read a $_POST or $_GET variable as a string, even though it is numeric.

By using both, you manage to catch it, whether PHP throws it as numeric or a string.

Of course, I could use:

You're unable to view this code.

But of course, I also know that isset sucks.

Try this code

You're unable to view this code.

Can you guess the result? I'll tell you:

You're unable to view this code.

Null is a valid result in programming, so isset has just failed me -- oops!

You know what, I can't even be bothered to continue.

I could explain why I use $_SERVER['REQUEST_METHOD'] to check for incoming, posted, data or even why the usernames are always wrapped in htmlentities, with ENT_QUOTES and using "UTF-8" (even though most wouldn't even know that for UTF8 to be effective at this level, needs meta charset and database setting to the same, or it's pointless), but even that seems a little too in depth when the world seems to believe that sprintf is the savior to all programming issues.

It's so good, that I feel no need to use it, since I actually know everything my code is doing and I force it to do what I want.

*Yawn* and moving on -- no issues still on an untested mod? I think I rock. Wheres my useless rep, bishes?

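The input-handling points Guest raises above (is_int plus ctype_digit on posted values, isset() reporting false for a null value, htmlentities with ENT_QUOTES and UTF-8), as an added example that is not the Bank Loan mod's code; the helper names and the sample $post array are made up here.

```php
<?php
// Added example (not the Bank Loan mod's own code); helper names are hypothetical.

// A loan amount is acceptable only as a whole, non-negative number. Form data
// usually arrives as a string, so ctype_digit covers that case while is_int
// covers a value PHP already handed over as an integer. The is_string guard
// keeps ctype_digit from treating an int as an ASCII code. Once accepted, the
// value can go into an int column with a plain (int) cast, no sprintf needed.
function valid_amount($value): bool
{
    return is_int($value) || (is_string($value) && ctype_digit($value));
}

// isset() reports false for a key that exists with a null value, so it cannot
// tell "absent" from "present but null"; array_key_exists() can.
function key_state(array $data, string $key): string
{
    if (!array_key_exists($key, $data)) {
        return 'missing';
    }
    return isset($data[$key]) ? 'set' : 'present-but-null';
}

// Escape a username for HTML output. ENT_QUOTES also converts single quotes;
// the charset given here must match the page's meta charset and the database
// connection charset, otherwise the conversion is not reliable.
function safe_name(string $name): string
{
    return htmlentities($name, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for $_POST, only processed on a POST request
// (the mod checks $_SERVER['REQUEST_METHOD'] for the same reason).
$method = 'POST';
$post   = ['amount' => '2500', 'note' => null];

if ($method === 'POST') {
    foreach (['2500', 2500, '25.00', '-5', '1e3', ''] as $candidate) {
        printf("%-7s -> %s\n", var_export($candidate, true),
            valid_amount($candidate) ? 'accepted' : 'rejected');
    }
    echo key_state($post, 'note'), "\n";   // key exists but holds null
    echo key_state($post, 'nope'), "\n";   // key absent
    echo safe_name("O'Brien <b>"), "\n";
}
```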
Feel free to continue to the end of my post for the reply.

*Yawn* and moving on -- no issues still on an untested mod? I think I rock. Wheres my useless rep, bishes?

Knew it was coming & the first time I logged in for months was just so I didn't lose the thread - useless rep incoming.

SQL portion

  1. Open up phpmyadmin
  2. click the sql tab
  3. Paste the part that Guest posted called table definitions
  4. Click Submit (or whatever it is)

Code

  1. Open your file manager
  2. create a new file
  3. name it whatever you wish
  4. paste all the code from Guest's post
  5. click save
  6. add a link to explore or your main menu

and boom, you're done
