MakeWebGames

[mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much.



Posted

Version 2, but shouldn't be hard to convert.

Note: Do a back-up first!! If you're a mySQL n00bie and mess up on this, your game can be royally screwed up!!

 

If a player ends up with too much money or crystals, from say a mySQL injection, as soon as anyone loads any page he ends up with zero of it until an admin checks it out and edits his profile in the Admin Panel. Until then he will have zero money or crystals. Whichever one the player goes over on he loses and can't get any more of to use until checked out by admin; if it's not a cheat, admin increases the cap in header.php and deletes it from his account using the edit user page, or moves it back to money/crystals *after* updating the cap.

The best part about this is, it also keeps players from being able to attack the player for that money or crystals, making it much easier to manage when someone does for example a mySQL injection.

mySQL...

ALTER TABLE `users` ADD `moneyabuse` bigint(25) NOT NULL default 0;

ALTER TABLE `users` ADD `crystalabuse` bigint(25) NOT NULL default 0;

In

attackwon.php

attackwin.php (Whatever name your file is if players can take crystals.)

attacktake.php

attacklost.php

attackbeat.php

and any other files that let players take money or crystals from players, right below

include "globals.php";

add

$db->query("UPDATE users SET laston=unix_timestamp(),lastip='$IP' WHERE userid=$userid");
// Money: flag anyone over the cap by moving the balance into moneyabuse...
$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE money > 9000000000000000000");
// ...keep sweeping new money into moneyabuse once an account is flagged...
$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE moneyabuse > 9000000000000000000 AND money < 9000000000000000000");
// ...and zero the spendable balance so it can't be used or attacked for.
$db->query("UPDATE users SET money=0 WHERE moneyabuse > 9000000000000000000");
// Crystals: the same three steps against the crystal cap.
$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystals > 9234567891011121314");
$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystalabuse > 9234567891011121314 AND crystals < 9234567891011121314");
$db->query("UPDATE users SET crystals=0 WHERE crystalabuse > 9234567891011121314");

Depending on the economy, replace the numbers with numbers that no one can get to without cheating, but that aren't too high to catch cheaters. For example, if the richest player has 100 billion in the bank, 1-10 trillion would probably be a good cap, or 500 billion if the economy grows slowly, until the economy gets close to having players get to 1-10 trillion, or 500 billion, without cheating. (By default the numbers are way too high, so n00bies don't destroy their game by not changing the numbers, and instead just make the mod useless!)

For example, in the default code, if a player ends up with over $9000000000000000000 or 9234567891011121314 crystals, the player's money or crystals, whichever goes over, gets moved to moneyabuse/crystalabuse (making it unusable) until you look into it, increase the numbers in header.php if it's not cheating, *and* then move the money/crystals from moneyabuse/crystalabuse back to money/crystals using the edit user page, or fed them if it is cheating.

No cron job required. Any time someone loads a page, it checks the users, so no one can get money or crystals before the cron would next run. (If you might have a server load/lag issue, you can put it in one of your cron files.)

 

In staff_users.php

Replace

House: ".house2_dropdown($c, "maxwill", $itemi['maxwill'])."

 

with

House: ".house2_dropdown($c, "maxwill", $itemi['maxwill'])."

Money Abuse: \$<input type='text' name='moneyabuse' value='{$itemi['moneyabuse']}' />

Crystal Abuse: <input type='text' name='crystalabuse' value='{$itemi['crystalabuse']}' />

 

Replace

$_POST['forumban']=(int) $_POST['forumban'];

with

$_POST['forumban']=(int) $_POST['forumban'];

$_POST['moneyabuse']=(float) $_POST['moneyabuse'];

$_POST['crystalabuse']=(float) $_POST['crystalabuse'];

Replace

$db->query("UPDATE users SET username='{$_POST['username']}', level={$_POST['level']}, money={$_POST['money']}, crystals={$_POST['crystals']}, energy=$energy, brave=$nerve, maxbrave=$nerve, maxenergy=$energy, hp=$hp, maxhp=$hp, hospital={$_POST['hospital']}, jail={$_POST['jail']}, duties='{$_POST['duties']}', staffnotes='{$_POST['staffnotes']}', mailban={$_POST['mailban']}, mb_reason='{$_POST['mb_reason']}', forumban={$_POST['forumban']}, fb_reason='{$_POST['fb_reason']}', hospreason='{$_POST['hospreason']}', jail_reason='{$_POST['jail_reason']}', login_name='{$_POST['login_name']}', will=$will, maxwill=$maxwill WHERE userid={$_POST['userid']}");

with

$db->query("UPDATE users SET username='{$_POST['username']}', level={$_POST['level']}, money={$_POST['money']}, crystals={$_POST['crystals']}, energy=$energy, brave=$nerve, maxbrave=$nerve, maxenergy=$energy, hp=$hp, maxhp=$hp, hospital={$_POST['hospital']}, jail={$_POST['jail']}, duties='{$_POST['duties']}', staffnotes='{$_POST['staffnotes']}', mailban={$_POST['mailban']}, mb_reason='{$_POST['mb_reason']}', forumban={$_POST['forumban']}, fb_reason='{$_POST['fb_reason']}', hospreason='{$_POST['hospreason']}', jail_reason='{$_POST['jail_reason']}', login_name='{$_POST['login_name']}', will=$will, maxwill=$maxwill, moneyabuse={$_POST['moneyabuse']}, crystalabuse={$_POST['crystalabuse']} WHERE userid={$_POST['userid']}");

 

In staff_logs.php add

case 'moneysuspectlogs': view_moneysuspect_logs(); break;

case 'crystalsuspectlogs': view_crystalsuspect_logs(); break;

 

then at the end of the file, right before

$h->endpage();

?>

add

function view_moneysuspect_logs()
{
    global $ir,$c,$h,$userid;
    print "<h3>Money Suspect Logs</h3>
    <table width=75% border=1> <tr> <th>Money</th><th>Player</th></tr>";
    // Only accounts that have actually been flagged, highest first.
    $q=mysql_query("SELECT userid, username, moneyabuse FROM users WHERE moneyabuse > 0 ORDER BY moneyabuse DESC",$c);
    while($r=mysql_fetch_array($q))
    {
        // Escape the username so a crafted name can't inject HTML into the staff panel.
        print "<tr><td>\${$r['moneyabuse']}</td><td>".htmlspecialchars($r['username'])."</td></tr>";
    }
    print "</table>";
}

function view_crystalsuspect_logs()
{
    global $ir,$c,$h,$userid;
    print "<h3>Crystal Suspect Logs</h3>
    <table width=75% border=1> <tr> <th>Crystals</th><th>Player</th></tr>";
    $q=mysql_query("SELECT userid, username, crystalabuse FROM users WHERE crystalabuse > 0 ORDER BY crystalabuse DESC",$c);
    while($r=mysql_fetch_array($q))
    {
        print "<tr><td>{$r['crystalabuse']}</td><td>".htmlspecialchars($r['username'])."</td></tr>";
    }
    print "</table>";
}

 

In smenu.php add the links at the logs section.

<a href='staff_logs.php?action=moneysuspectlogs'>Money Suspect Logs</a><br />
<a href='staff_logs.php?action=crystalsuspectlogs'>Crystal Suspect Logs</a><br />
";

If you get....

Parse error: syntax error, unexpected '&' in /public_html/smenu.php on line 58

Make sure only the last link has the "; at the end.

Guest Anonymous
Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much

I'm not even going to go into just how dangerous this is...

Detecting problems this is fine, but it would be a far better idea to prevent them from happening to start with.

 

$db->query("UPDATE users SET username='{$_POST['username']}', level={$_POST['level']}, money={$_POST['money']}, crystals={$_POST['crystals']}, energy=$energy, brave=$nerve, maxbrave=$nerve, maxenergy=$energy, hp=$hp, maxhp=$hp, hospital={$_POST['hospital']}, jail={$_POST['jail']}, duties='{$_POST['duties']}', staffnotes='{$_POST['staffnotes']}', mailban={$_POST['mailban']}, mb_reason='{$_POST['mb_reason']}', forumban={$_POST['forumban']}, fb_reason='{$_POST['fb_reason']}', hospreason='{$_POST['hospreason']}', jail_reason='{$_POST['jail_reason']}', login_name='{$_POST['login_name']}', will=$will, maxwill=$maxwill, moneyabuse={$_POST['moneyabuse']}, crystalabuse={$_POST['crystalabuse']} WHERE userid={$_POST['userid']}");

YUCH - difficult to read, easy to make errors, prone to SQL injection to name but a few:

 

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

 

Still ugly, but IMHO *much* safer (by using $db->escape() wrappers), and easier to maintain.

(BTW poor alignment of quotation marks is the forum ... not me)
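The edit-user UPDATE rebuilt the way the reply suggests, as an added example that is neither the reply's hidden code nor mccodes' own: only whitelisted columns reach the query, integers are validated as digit strings, and strings go through the $db->escape() wrapper the reply names. It assumes the mccodes $db object has that escape() method and that the page has already computed $energy, $nerve, $hp, $will and $maxwill as in the original query.

```php
<?php
// Added example, not mccodes code and not the reply's hidden version: the
// staff_users.php UPDATE rebuilt from typed field lists. Integer columns
// are validated as digit strings (so bigint values like moneyabuse don't
// overflow a 32-bit PHP int), string columns go through the $db->escape()
// wrapper the reply mentions, and any other POST key is ignored.
$intFields = array('level', 'money', 'crystals', 'hospital', 'jail',
                   'mailban', 'forumban', 'moneyabuse', 'crystalabuse');
$strFields = array('username', 'duties', 'staffnotes', 'mb_reason',
                   'fb_reason', 'hospreason', 'jail_reason', 'login_name');

// Returns a SQL-safe integer literal: an optional minus and up to 19 digits
// (fits a signed bigint) is passed through verbatim, anything else becomes 0.
function int_literal($value)
{
    return preg_match('/^-?\d{1,19}$/', (string) $value) ? (string) $value : '0';
}

// Builds the SET clause; only whitelisted columns can ever reach the query,
// so a POST key such as userid or a crafted column name is simply dropped.
function build_user_set($db, array $post, array $intFields, array $strFields)
{
    $parts = array();
    foreach ($intFields as $f) {
        if (isset($post[$f])) {
            $parts[] = "$f=" . int_literal($post[$f]);
        }
    }
    foreach ($strFields as $f) {
        if (isset($post[$f])) {
            $parts[] = "$f='" . $db->escape($post[$f]) . "'";
        }
    }
    return implode(', ', $parts);
}

$target = (int) $_POST['userid'];
if ($target <= 0) {
    die('Invalid user id.');
}
$set = build_user_set($db, $_POST, $intFields, $strFields);
// Derived stats ($energy, $nerve, $hp, $will, $maxwill) are computed by the
// page itself, not read from the form, so they are appended already cast.
$set .= ', energy=' . (int) $energy . ', maxenergy=' . (int) $energy
      . ', brave=' . (int) $nerve . ', maxbrave=' . (int) $nerve
      . ', hp=' . (int) $hp . ', maxhp=' . (int) $hp
      . ', will=' . (int) $will . ', maxwill=' . (int) $maxwill;
$db->query("UPDATE users SET $set WHERE userid=$target");
```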

Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much

 

prone to SQL injection to name but a few

Don't blame me for that, that's how mccodes set it up. All I did was add the moneyabuse and crystalabuse to it.

Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much

injections have many uses. not just money/crystal abuse...

You're unable to view this code.

Viewing code within this forum requires registration, you can register here for free.

would be the one you would wanna protect from

but basically you can stop all injections by making it so they can't add - into anything...

or if they post/get - then it errors...

Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much

Mod's been updated. If you already have it installed, just take

$db->query("UPDATE users SET laston=unix_timestamp(),lastip='$IP' WHERE userid=$userid");

$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE money > 9000000000000000000");

$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE moneyabuse > 9000000000000000000 AND money < 9000000000000000000");

$db->query("UPDATE users SET money=0 WHERE moneyabuse > 9000000000000000000");

$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystals > 9234567891011121314");

$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystalabuse > 9234567891011121314 AND crystals < 9234567891011121314");

$db->query("UPDATE users SET crystals=0 WHERE crystalabuse > 9234567891011121314");

out of header.php and in

attackwon.php

attackwin.php (Whatever name your file is if players can take crystals.)

attacktake.php

attacklost.php

attackbeat.php

and any other files that let players take money or crystals from players, right below

include "globals.php";

add the code.

This is way more server friendly!!! It'll now only check every single player right BEFORE someone tries to take something from the player after battle, instead of every single time someone loads a page, most of them being where players aren't taking money or crystals, but are doing stuff like crime and training, where this isn't needed.

Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much.

 

Must say I do prefer Nyna's way - any day xD

wouldn't we all lol

Posted

Re: [mccodes] Anti-cheat/injection mod - Lose money/crystals if you get too much.

$db->query("UPDATE users SET laston=unix_timestamp(),lastip='$IP' WHERE userid=$userid");

$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE money > 9000000000000000000");

$db->query("UPDATE users SET moneyabuse=money+moneyabuse WHERE moneyabuse > 9000000000000000000 AND money < 9000000000000000000");

$db->query("UPDATE users SET money=0 WHERE moneyabuse > 9000000000000000000");

$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystals > 9234567891011121314");

$db->query("UPDATE users SET crystalabuse=crystals+crystalabuse WHERE crystalabuse > 9234567891011121314 AND crystals < 9234567891011121314");

$db->query("UPDATE users SET crystals=0 WHERE crystalabuse > 9234567891011121314");

 

Why wouldn't you have a single query at the beginning to check to see if money or crystals are larger than "x"; if so, the page dies and logs to an abuse table.

If not, then continue with the script normally.

Would cut the queries by more than half and save time as well.

Also place the checks for is int etc., is numeric etc. to secure your code further.

Hate to see it compromised by hex code.

TJ
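The single up-front check TJ describes, combined with the original post's quarantine of over-cap balances, as an added example that is not mccodes code and not code from either poster. It assumes the mccodes $db object ($db->query, $db->fetch_row), $userid set by globals.php, the attacked player's id arriving in $_GET['ID'], and a hypothetical abuselogs(userid, field, amount, logged) table for the audit row.

```php
<?php
// Added example, not mccodes code and not TJ's or the original poster's:
// one SELECT at the top of an attack file, right after include "globals.php",
// checks both fighters against the header.php caps before anything changes
// hands. Assumes the mccodes $db object ($db->query, $db->fetch_row),
// $userid from globals.php, the attacked player's id in $_GET['ID'], and a
// hypothetical abuselogs(userid, field, amount, logged) table for auditing.
$caps = array('money' => 9000000000000000000, 'crystals' => 9234567891011121314);

// Returns "userid:field" for every balance over its cap. Over-cap amounts are
// moved into moneyabuse/crystalabuse and the live balance zeroed, so they can
// neither be spent nor stolen until staff review them in the edit user page.
function quarantine_over_cap($db, array $userids, array $caps)
{
    $ids = implode(',', array_map('intval', $userids));
    $q = $db->query("SELECT userid, money, crystals FROM users WHERE userid IN ($ids)");
    $tripped = array();
    while ($r = $db->fetch_row($q)) {
        foreach ($caps as $field => $cap) {
            // Balances come back as strings; PHP compares values above
            // PHP_INT_MAX as floats, which is exact enough for a threshold.
            if ($r[$field] > $cap) {
                $abuse = ($field == 'money') ? 'moneyabuse' : 'crystalabuse';
                // MySQL applies SET left to right, so the abuse column is
                // topped up from the old balance before the balance is zeroed.
                $db->query("UPDATE users SET $abuse=$abuse+$field, $field=0 WHERE userid={$r['userid']}");
                $db->query("INSERT INTO abuselogs (userid, field, amount, logged) VALUES ({$r['userid']}, '$field', {$r[$field]}, unix_timestamp())");
                $tripped[] = $r['userid'] . ':' . $field;
            }
        }
    }
    return $tripped;
}

// TJ's point: check the id is numeric before it gets anywhere near a query.
$attacked = isset($_GET['ID']) ? (string) $_GET['ID'] : '';
if (!ctype_digit($attacked) || (int) $attacked <= 0) {
    die('Invalid user ID.');
}
$tripped = quarantine_over_cap($db, array($userid, (int) $attacked), $caps);
if ($tripped) {
    die('Balance over cap frozen pending staff review: ' . implode(', ', $tripped));
}
// The normal payout code of the attack file follows from here.
```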
