SRB (posted January 1, 2015)

Quoting the earlier post: "Also, since I'm on the subject of changing data in the source code, I don't see any type of checking that the user actually owns the item. Your dropdown(s) just scan their inventory at that given moment to display statically on the screen, but when the submit happens there is no checking of their inventory whatsoever."

Is that actually required, in your opinion? As long as there is a check at the point at which you use the item, there should be no issue. In essence, allowing them to add it when they currently do not own any gives the same result as them adding it when they have one and then using it once. The end result is that you have a link to an item they do not have. Now, if you check it at the end point, it doesn't matter; the link just doesn't work if they don't have one.

Furthermore, this could be slightly added to, in the following way:

[1] On the page where you select the item, also have a checkbox (Buy item if you have run out [x]).
[2] The check code checks if you have one.
[3] If you have one, use it.
[4] If not, pull the values from the database, deduct the money and give the gains it would have given.

I, for one, would prefer a system with both options left open.
KyleMassacre (posted January 1, 2015)

I wouldn't cheap out on security at all, and there is no real easy way to do it either. You just need to validate what the user is doing (making sure they are performing only required actions) and then sanitize input (debatable) and output. I say debatable because, depending on where you look or who you ask, people argue over this; some people say that data in its natural form should be in the database and sanitized on output. Now, I don't necessarily agree with this, although it does cut down on the amount of code needed :P
KyleMassacre (posted January 1, 2015)

Quoting SRB: "Is that actually required, in your opinion? As long as there is a check at the point at which you use the item, there should be no issue. In essence, allowing them to add it when they currently do not own any gives the same result as them adding it when they have one and then using it once. The end result is that you have a link to an item they do not have. Now, if you check it at the end point, it doesn't matter; the link just doesn't work if they don't have one. Furthermore, this could be slightly added to, in the following way: [1] On the page where you select the item, also have a checkbox (Buy item if you have run out [x]). [2] The check code checks if you have one. [3] If you have one, use it. [4] If not, pull the values from the database, deduct the money and give the gains it would have given. I, for one, would prefer a system with both options left open."

Well, without seeing how everything is done after the fact, who knows, right? This is MCC, and the itemuse code, iirc, does do a check for the item, but is this a custom thing? I wouldn't know; it's just something for the OP to look into, and hopefully it's all covered. I don't really understand the system he is creating, so I am just assuming here.
Damond (author; posted January 1, 2015)

Quoting the earlier post: "Also, since I'm on the subject of changing data in the source code, I don't see any type of checking that the user actually owns the item. Your dropdown(s) just scan their inventory at that given moment to display statically on the screen, but when the submit happens there is no checking of their inventory whatsoever."

You're right in that there is not a second check on the submit side to ensure that they own this item, but then again, if they don't own the item in the first place it does not appear in the drop-down. If they get past that point and have added an item that they do not own, when they get to the quick link it checks their inventory for that item and gives a warning that they do not have any of this item. This is assuming that they input the correct inventory id and not the item id. If they try to use an item id they will get an invalid use of file warning.

```php
// Cast to a non-negative integer before it is interpolated into the query,
// so the ID cannot carry SQL injection.
$_GET['ID'] = abs((int) $_GET['ID']); //Food
if (!$_GET['ID'])
{
    print "Invalid use of file";
}
else
{
    // Ownership check: the inventory row must exist AND belong to the logged-in user
    $i = $db->query("SELECT iv.*, i.*, it.*
                     FROM inventory iv
                     LEFT JOIN items i ON iv.inv_itemid = i.itmid
                     LEFT JOIN itemtypes it ON i.itmtype = it.itmtypeid
                     WHERE iv.inv_id = {$_GET['ID']} AND iv.inv_userid = $userid");
    if (mysql_num_rows($i) == 0)
    {
        print "You don't have any of that item!<br>";
        print "<a href='preferences.php?action=itemchange'><button>Preferences</button></a>";
        print "<a href='inventory.php'><button>Inventory</button></a>";
    }
    // item-use code follows here in the original
}
```
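To make the two checks discussed in this thread concrete, here is an added example in Python with sqlite3, written as a stand-in for the MCCodes PHP/MySQL code; it is not code from the thread or from MCCodes. It implements the submit-side ownership check that the quoted post says is missing, Damond's use-time ownership check, and SRB's buy-if-ran-out steps [1] to [4]. The schema, the `quicklinks` table, the `energy_gain` column and all sample rows are constructed for the example and only loosely follow the real MCCodes `users`, `items` and `inventory` tables.

```python
import sqlite3

# Simplified stand-ins for the MCCodes users/items/inventory tables, plus a
# hypothetical quicklinks table (assumed for this example; not a real MCCodes table).
SCHEMA = """
CREATE TABLE users      (userid INTEGER PRIMARY KEY, money INTEGER NOT NULL, energy INTEGER NOT NULL);
CREATE TABLE items      (itmid INTEGER PRIMARY KEY, itmname TEXT, itmbuyprice INTEGER,
                         itmbuyable INTEGER, energy_gain INTEGER);
CREATE TABLE inventory  (inv_id INTEGER PRIMARY KEY, inv_itemid INTEGER, inv_userid INTEGER, inv_qty INTEGER);
CREATE TABLE quicklinks (userid INTEGER, slot INTEGER, itmid INTEGER, autobuy INTEGER,
                         PRIMARY KEY (userid, slot));
"""


def make_db():
    """Constructed sample data: two users, a buyable item and a non-buyable one."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO users VALUES (?,?,?)", [(1, 500, 10), (2, 20, 10)])
    con.executemany("INSERT INTO items VALUES (?,?,?,?,?)",
                    [(7, "Bread", 50, 1, 5), (8, "Rare Cake", 0, 0, 50)])
    # inv_id 42: user 1 has one Bread; 43: user 2 has one Rare Cake; 44: user 2 has one Bread
    con.executemany("INSERT INTO inventory VALUES (?,?,?,?)",
                    [(42, 7, 1, 1), (43, 8, 2, 1), (44, 7, 2, 1)])
    con.commit()
    return con


def get_user(con, userid):
    """Return (money, energy) for assertions and display."""
    return con.execute("SELECT money, energy FROM users WHERE userid=?", (userid,)).fetchone()


def save_quicklink(con, userid, slot, posted_inv_id, autobuy):
    """Submit side: the posted inventory id must belong to THIS user. The dropdown
    only listed owned items, but the submitted value is attacker-controlled."""
    inv_id = abs(int(posted_inv_id))  # same coercion as the PHP; rejects non-numeric input
    row = con.execute("SELECT inv_itemid FROM inventory WHERE inv_id=? AND inv_userid=?",
                      (inv_id, userid)).fetchone()
    if row is None:
        return "That item is not in your inventory"
    # Store the item id looked up server-side, never a client-supplied one, so the
    # buy-if-ran-out fallback still knows what to buy once the inventory row is gone.
    con.execute("INSERT OR REPLACE INTO quicklinks VALUES (?,?,?,?)",
                (userid, slot, row[0], 1 if autobuy else 0))
    con.commit()
    return "Quick link saved"


def use_quicklink(con, userid, slot):
    """Use time: re-check ownership here regardless of what was saved earlier,
    then fall back to buying one if the user opted in (SRB's steps [1]-[4])."""
    link = con.execute("SELECT itmid, autobuy FROM quicklinks WHERE userid=? AND slot=?",
                       (userid, slot)).fetchone()
    if link is None:
        return "Invalid use of file"
    itmid, autobuy = link
    item = con.execute("SELECT itmname, itmbuyprice, itmbuyable, energy_gain FROM items WHERE itmid=?",
                       (itmid,)).fetchone()
    if item is None:
        return "That item no longer exists"
    name, price, buyable, gain = item

    # Consume with a conditional UPDATE rather than SELECT-then-UPDATE: the row must be
    # this user's and still have stock, so two concurrent uses cannot both succeed.
    consumed = False
    row = con.execute("SELECT inv_id FROM inventory WHERE inv_userid=? AND inv_itemid=? "
                      "AND inv_qty > 0 LIMIT 1", (userid, itmid)).fetchone()
    if row is not None:
        cur = con.execute("UPDATE inventory SET inv_qty = inv_qty - 1 "
                          "WHERE inv_id=? AND inv_userid=? AND inv_qty > 0", (row[0], userid))
        consumed = cur.rowcount == 1
    if consumed:
        # MCCodes removes emptied inventory rows; do the same here
        con.execute("DELETE FROM inventory WHERE inv_id=? AND inv_qty <= 0", (row[0],))
        con.execute("UPDATE users SET energy = energy + ? WHERE userid=?", (gain, userid))
        con.commit()
        return f"You used a {name}"

    if not autobuy or not buyable:
        con.rollback()
        return "You don't have any of that item!"

    # Buy-and-use: deduct the price only if the balance covers it, in one statement
    cur = con.execute("UPDATE users SET money = money - ? WHERE userid=? AND money >= ?",
                      (price, userid, price))
    if cur.rowcount != 1:
        con.rollback()
        return "You don't have any of that item and can't afford one"
    con.execute("UPDATE users SET energy = energy + ? WHERE userid=?", (gain, userid))
    con.commit()
    return f"You bought and used a {name} for ${price}"
```

Two design choices are worth noting. First, the quick link stores the item id that the server looked up from the user's own inventory row, not anything the client posted, which is what lets step [4] work after the inventory row has been deleted. Second, both the consume and the purchase are single conditional UPDATE statements whose row count is checked, so the ownership or balance test and the change happen together rather than as a SELECT followed by an UPDATE that a second, concurrent request could slip between.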