MNG Posted June 18, 2013

I have been having this tiny problem. I dislike fake referrals, so I manually accept them. But when I accept, nothing is granted to the person who referred them.

```php
<?php
include 'spheader.php';

if ($user_class->admin != 1) {
    echo Message("You are not authorized to be here.");
    include 'footer.php';
    die();
}

// The referral ids arrive straight from the query string; cast them to int
// so that only a number ever reaches the SQL below.
$givecredit = isset($_GET['givecredit']) ? (int)$_GET['givecredit'] : 0;
$denycredit = isset($_GET['denycredit']) ? (int)$_GET['denycredit'] : 0;

if ($givecredit > 0) {
    mysql_query("UPDATE `referrals` SET `credited`='1' WHERE `id`='".$givecredit."'");
    $result = mysql_query("SELECT * FROM `referrals` WHERE `id`='".$givecredit."'");
    $line = mysql_fetch_array($result);

    // Award one point and one referral to the referrer.
    $cp_user = new User($line['referrer']);
    $newpoints = $cp_user->points + 1;
    $newrefers = $cp_user->refers + 1;
    mysql_query("UPDATE `grpgusers` SET `points`='".$newpoints."', `refers`='".$newrefers."' WHERE `id`='".$cp_user->id."'");

    send_event($cp_user->id, "You have been credited 1 referral point for referring ".$line['referred'].". Keep up the good work!");
    Staff_Log($user_class->id, "Approved A Referral!<br />Referrer: <a href=profiles.php?id=".$cp_user->id.">".Get_Username($cp_user->id)."</a><br />New User Referred: <a href=profiles.php?id=".Get_ID($line['referred']).">".$line['referred']."</a> !");
    echo Message("You have accepted the referral.");
}

if ($denycredit > 0) {
    // Load the row before deleting it: the original deleted first and then
    // used $line, which had never been fetched in this branch.
    $result = mysql_query("SELECT * FROM `referrals` WHERE `id`='".$denycredit."'");
    $line = mysql_fetch_array($result);
    mysql_query("DELETE FROM `referrals` WHERE `id`='".$denycredit."'");

    send_event($line['referrer'], "Unfortunately you have received no points for referring ".$line['referred'].". This could be a result of many different things, such as you abusing the referral system, or the player you referred only signing up, but never actually playing.");
    Staff_Log($user_class->id, "Denied A Referral!<br />Referrer: <a href=profiles.php?id=".$line['referrer'].">".Get_Username($line['referrer'])."</a><br />New User Referred: <a href=profiles.php?id=".Get_ID($line['referred']).">".$line['referred']."</a> !");
    echo Message("You have denied the referral.");
}
?>
<tr><td class="contenthead">Manage Referrals</td></tr>
<tr><td class="contentcontent">
<?php
$result = mysql_query("SELECT * FROM `referrals` WHERE `credited`='0'");
if (mysql_num_rows($result) == 0) {
    echo "There Are No Referrals At The Moment!";
    include 'footer.php';
    die();
}

while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
    // date() takes a single format string; the bare constants in the original
    // only worked because PHP falls back to the constant's name as a string.
    echo "<div>".$line['id'].".) ".$line['referred']." was referred by Player ID: ".$line['referrer']." (".date("F d, Y g:i:sa", $line['when']).") <a href='control.php?page=referrals&givecredit=".$line['id']."'>Credit</a> | <a href='control.php?page=referrals&denycredit=".$line['id']."'>Deny</a></div>";
}
include 'footer.php';
?>
```
rockwood Posted June 19, 2013

```php
$_GET['givecredit'] = abs((int)$_GET['givecredit']);

mysql_query(sprintf("UPDATE `grpgusers` SET `points` = %d, `refers` = %d WHERE `id` = %d", $newpoints, $newrefers, $cp_user->id));

mysql_query(sprintf("DELETE FROM `referrals` WHERE `id` = %d", $_GET['denycredit']));
```

Note: use the function sprintf in queries.
KyleMassacre Posted June 19, 2013

How far through the script is it executing? I'm not too familiar with grpg, but what is the $cp_user? To me it looks like you can get rid of that unless it serves another purpose. Try using print_r, var_dump or whatever and see what's happening there.
jcvenom Posted June 19, 2013

Do you have the SQL? I need to have a look at it. I think I have a solution, because I'm not familiar with this script.
bluegman991 Posted June 19, 2013

Quoting rockwood:

```php
$_GET['givecredit'] = abs((int)$_GET['givecredit']);

mysql_query(sprintf("UPDATE `grpgusers` SET `points` = %d, `refers` = %d WHERE `id` = %d", $newpoints, $newrefers, $cp_user->id));

mysql_query(sprintf("DELETE FROM `referrals` WHERE `id` = %d", $_GET['denycredit']));
```

Note: use the function sprintf in queries.

No. If you're using the old mysql extension, use mres (mysql_real_escape_string) at minimum! If you're using mysqli, use bound parameters (at minimum). Sprintf is kind of a waste of resources since it can't do what mysql can, or have the knowledge of escaping that mysql has. When dealing with numbers it would also be expensive to just cast to int or float, or check it against is_numeric, is_int or is_float. Sprintf was not made for security (although it is the easy way out); it was made for formatting strings.
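Here is the credit/deny handler from the first post rewritten with the mysqli bound parameters bluegman991 recommends. This is an added example, not code from the original post or from the game engine it runs on. It assumes $db is an open mysqli connection (the original used the old mysql_* extension), that Message() is the page's own helper, and that the tables `referrals` (id, referrer, referred, credited) and `grpgusers` (id, points, refers) exist as the original snippet uses them.

```php
<?php
// Added example: the referral id from the query string is bound as an
// integer parameter, so it never becomes part of the SQL text.
// Assumes $db (mysqli) and the page's Message() helper already exist.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors throw

function load_pending_referral(mysqli $db, int $referral_id): ?array
{
    $stmt = $db->prepare(
        "SELECT `referrer`, `referred` FROM `referrals` WHERE `id` = ? AND `credited` = 0"
    );
    $stmt->bind_param('i', $referral_id);
    $stmt->execute();
    $stmt->bind_result($referrer, $referred);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return null; // unknown or already-credited id: nothing to act on
    }
    return ['referrer' => (int)$referrer, 'referred' => (string)$referred];
}

function credit_referral(mysqli $db, int $referral_id): ?array
{
    $row = load_pending_referral($db, $referral_id);
    if ($row === null) {
        return null;
    }
    $referrer = $row['referrer'];
    $db->begin_transaction();
    try {
        $stmt = $db->prepare("UPDATE `referrals` SET `credited` = 1 WHERE `id` = ?");
        $stmt->bind_param('i', $referral_id);
        $stmt->execute();
        $stmt->close();

        // Increment inside SQL instead of read-modify-write in PHP, so two
        // admins crediting at the same moment cannot overwrite each other.
        $stmt = $db->prepare(
            "UPDATE `grpgusers` SET `points` = `points` + 1, `refers` = `refers` + 1 WHERE `id` = ?"
        );
        $stmt->bind_param('i', $referrer);
        $stmt->execute();
        $stmt->close();
        $db->commit();
    } catch (mysqli_sql_exception $e) {
        $db->rollback();
        throw $e;
    }
    return $row;
}

function deny_referral(mysqli $db, int $referral_id): ?array
{
    // Read the row before deleting it; the original deny branch deleted first
    // and then used a $line it had never fetched.
    $row = load_pending_referral($db, $referral_id);
    if ($row === null) {
        return null;
    }
    $stmt = $db->prepare("DELETE FROM `referrals` WHERE `id` = ?");
    $stmt->bind_param('i', $referral_id);
    $stmt->execute();
    $stmt->close();
    return $row;
}

// Dispatch. FILTER_VALIDATE_INT returns false for anything that is not an
// integer and null when the parameter is absent, so a crafted value is
// rejected before any query runs.
$give = filter_input(INPUT_GET, 'givecredit', FILTER_VALIDATE_INT);
$deny = filter_input(INPUT_GET, 'denycredit', FILTER_VALIDATE_INT);

if ($give) {
    $row = credit_referral($db, $give);
    echo $row === null
        ? Message("No pending referral with that id.")
        : Message("You have accepted the referral.");
} elseif ($deny) {
    $row = deny_referral($db, $deny);
    echo $row === null
        ? Message("No pending referral with that id.")
        : Message("You have denied the referral.");
}
```

The returned $row carries the referrer id and referred name for the send_event() and Staff_Log() calls the original makes; when the name goes into the staff log's HTML, pass it through htmlspecialchars() first, since the original splices it into `<a>` markup unescaped.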
MNG (Author) Posted June 19, 2013

Thanks guys, I sort of fixed this yesterday :P.
KyleMassacre Posted June 19, 2013

Well, thanks for the heads up lol. Since apparently this issue is solved, I'll close it, and if you need it opened again for any reason then it shall be reopened.