wilkesy Posted August 14, 2008

I am using mccodes v2 and it has only been open 3 days or so, and somebody has 2 billion already. I was wondering if there's a cheat or something that needs deleting, but he claims he just found it out. I was wondering if he was cheating. Anyone else know anything about this?

Wilkesy
www.general-life.com
Magictallguy Posted August 14, 2008
Re: Cheats

SQL injection into cmarket.php, most likely. Unless you know how to secure your game, I'd suggest removing your forums too.

Add this into your header for a quick fix.

// Cast every numeric ID taken from the query string to a non-negative integer
// before any query uses it; anything that is not a number becomes 0.
$_GET['ID'] = abs(@intval($_GET['ID']));
$_GET['viewtopic'] = abs(@intval($_GET['viewtopic']));
$_GET['viewforum'] = abs(@intval($_GET['viewforum']));
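To show what the intval() quick fix above actually closes, here is an added example (mine, not code from the thread or from mccodes) that simulates the cmarket.php listing lookup in Python with an in-memory SQLite table. The table, its rows, the attacker user ID 7 and the payload are all constructed for the illustration, and php_intval() is an approximation of PHP's intval(); it demonstrates the class of bug, not what happened on the poster's game. The vulnerable function concatenates the raw ID exactly as the original query did, the second applies the thread's abs(intval()) cast, and the third uses a bound parameter so the value never becomes SQL text at all.

```python
"""Simulated cmarket.php listing lookup: vulnerable, intval-cast, and parameterised (added example)."""
import re
import sqlite3

# Constructed schema: the four columns cmarket.php reads; types and keys are an assumption.
SCHEMA = """
CREATE TABLE crystalmarket (cmID INTEGER PRIMARY KEY, cmQTY INTEGER, cmADDER INTEGER, cmPRICE INTEGER);
INSERT INTO crystalmarket VALUES (1, 50, 3, 5000);
INSERT INTO crystalmarket VALUES (2, 10, 4, 900);
"""

COLUMNS = "cmID, cmQTY, cmADDER, cmPRICE"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def php_intval(value):
    """Approximation of PHP's intval() on a string: leading integer prefix, else 0."""
    m = re.match(r"\s*([+-]?\d+)", str(value))
    return int(m.group(1)) if m else 0


def fetch_listing_vulnerable(con, raw_id):
    """The original pattern: the raw ID is concatenated straight into the SQL text."""
    sql = "SELECT %s FROM crystalmarket WHERE cmID=%s" % (COLUMNS, raw_id)
    return con.execute(sql).fetchone()


def fetch_listing_intval(con, raw_id):
    """The thread's quick fix: abs(intval()) before interpolation, so only digits reach SQL."""
    sql = "SELECT %s FROM crystalmarket WHERE cmID=%d" % (COLUMNS, abs(php_intval(raw_id)))
    return con.execute(sql).fetchone()


def fetch_listing_param(con, raw_id):
    """Parameterised query: the value is bound, never spliced into the statement."""
    sql = "SELECT %s FROM crystalmarket WHERE cmID=?" % COLUMNS
    return con.execute(sql, (abs(php_intval(raw_id)),)).fetchone()


# Constructed attacker input: no listing 0 exists, so the UNION half supplies the only row,
# and that row claims 2,000,000,000 crystals at price 0 with user 7 (the attacker) as seller.
PAYLOAD = "0 UNION SELECT 999, 2000000000, 7, 0"


def demo():
    con = fresh_db()
    return {
        "honest": fetch_listing_vulnerable(con, "1"),
        "vulnerable": fetch_listing_vulnerable(con, PAYLOAD),
        "intval": fetch_listing_intval(con, PAYLOAD),
        "param": fetch_listing_param(con, PAYLOAD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print("%-10s %s" % (name, row))
```

Run it and the vulnerable lookup hands back the fabricated row, which a buy routine that trusts its result would then credit; the cast version and the parameterised version both return no row, because the only listing ID they can ask for is 0. The cast works here only because the column is numeric; for string columns the bound parameter is the right tool.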
Magictallguy Posted August 14, 2008
Re: Cheats

A secure cmarket.php for you too ;)

Crystal Market - cmarket.php

<?php
include("globals.php");
echo "<h3>Crystal Market</h3>";

// Cast the listing ID to a non-negative integer before anything else touches it.
$_GET['ID'] = abs(@intval($_GET['ID']));
// Normalise the action to a lower-case string so the switch below is the only dispatcher.
$_GET['action'] = (isset($_GET['action']) && is_string($_GET['action']))
    ? strtolower(trim($_GET['action'])) : "";

switch ($_GET['action']) {
    case "buy":    crystal_buy();    break;
    case "remove": crystal_remove(); break;
    case "add":    crystal_add();    break;
    default:       cmarket_index();  break;
}

function cmarket_index()
{
    global $db, $ir, $c, $userid, $h;
    print "<a href='cmarket.php?action=add'>> Add A Listing</a><br />
Viewing all listings...<br />
<table width='95%' cellspacing='2' cellpadding='2' class='table' border='1'>
<tr style='background:gray'>
<th>Adder</th><th>Qty</th><th>Price each</th><th>Price total</th><th>Links</th>
</tr>";
    // Select only the columns the page needs rather than SELECT * across both tables.
    $ListingsQuery = "SELECT cm.*, u.userid, u.username "
        . "FROM crystalmarket AS cm "
        . "LEFT JOIN users AS u ON (u.userid = cm.cmADDER) "
        . "ORDER BY cmPRICE/cmQTY ASC";
    $q = $db->query($ListingsQuery);
    while ($r = $db->fetch_row($q)) {
        // Owners get a Remove link, everyone else a Buy link; %u keeps the ID numeric.
        $link = ($r['cmADDER'] == $userid)
            ? sprintf("<a href='cmarket.php?action=remove&ID=%u'>Remove</a>", $r['cmID'])
            : sprintf("<a href='cmarket.php?action=buy&ID=%u'>Buy</a>", $r['cmID']);
        $qty  = abs(@intval($r['cmQTY']));
        $each = $qty ? abs(@intval($r['cmPRICE'])) / $qty : 0; // guard against a zero-quantity row
        echo "<tr>";
        echo sprintf("<td style='text-align:center;'><a href='viewuser.php?u=%u'>%s</a> [%s]</td>",
            intval($r['userid']), htmlentities($r['username']), number_format($r['userid']));
        echo sprintf("<td style='text-align:right;'>%s</td>", number_format($r['cmQTY']));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($each));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($r['cmPRICE']));
        echo sprintf("<td style='text-align:center;'>[%s]</td>", $link);
        echo "</tr>";
    }
    echo "</table>";
}

function crystal_remove()
{
    global $db, $ir, $c, $userid, $h;
    $q = $db->query(sprintf("SELECT * FROM crystalmarket WHERE cmID=%u AND cmADDER=%u",
        $_GET['ID'], $userid));
    if (!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or you are not the owner.<br />"
            . "<a href='cmarket.php'>> Back</a>");
    }
    $r = $db->fetch_row($q);
    // Delete the listing first (from crystalmarket, not a non-existent "crystals" table) and
    // only hand the crystals back if this request is the one that removed the row, so two
    // overlapping removes cannot both be credited. Assumes the mccodes db class exposes
    // affected_rows(); if yours does not, keep the delete-before-credit order at least.
    $db->query(sprintf("DELETE FROM crystalmarket WHERE (cmID = %u) AND (cmADDER = %u)",
        $_GET['ID'], $userid));
    if ($db->affected_rows() != 1) {
        die("Error, this listing has already been removed.<br /><a href='cmarket.php'>> Back</a>");
    }
    $db->query(sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)",
        $r['cmQTY'], $userid));
    print "Crystals removed from market!<br /><a href='cmarket.php'>> Back</a>";
}

function crystal_buy()
{
    global $db, $ir, $c, $userid, $h;
    $q = $db->query(sprintf("SELECT * FROM crystalmarket WHERE cmID=%u", $_GET['ID']));
    if (!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or they have already been bought.<br />"
            . "<a href='cmarket.php'>> Back</a>");
    }
    $r = $db->fetch_row($q);
    if ($r['cmPRICE'] > $ir['money']) {
        die("Error, you do not have the funds to buy these crystals.<br />"
            . "<a href='cmarket.php'>> Back</a>");
    }
    // Same pattern as crystal_remove(): take the listing off the market before crediting
    // anyone, and bail out if another buyer got there first.
    $db->query(sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $_GET['ID']));
    if ($db->affected_rows() != 1) {
        die("Error, these crystals have just been bought by someone else.<br />"
            . "<a href='cmarket.php'>> Back</a>");
    }
    $db->query(sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)",
        $r['cmQTY'], intval($userid)));
    $db->query(sprintf("UPDATE users SET money = money - %u WHERE (userid = %u)",
        intval($r['cmPRICE']), intval($userid)));
    $db->query(sprintf("UPDATE users SET money = money + %u WHERE (userid = %u)",
        intval($r['cmPRICE']), intval($r['cmADDER'])));
    $CrystalsBoughtEvent = sprintf(
        "<a href='viewuser.php?u=%u'>%s</a> [%s] bought your %s crystals from the market. "
        . "You received %s as payment in full",
        intval($userid), htmlentities($ir['username']), number_format($userid),
        number_format($r['cmQTY']), number_format($r['cmPRICE']));
    event_add($r['cmADDER'], $CrystalsBoughtEvent);
    echo sprintf("You bought the %s crystals from the market for \$%s.",
        number_format($r['cmQTY']), number_format($r['cmPRICE']));
}

function crystal_add()
{
    global $db, $ir, $c, $userid, $h;
    $_POST['amnt']  = abs(@intval($_POST['amnt']));
    $_POST['price'] = abs(@intval($_POST['price']));
    if ($_POST['amnt']) {
        if ($_POST['amnt'] > $ir['crystals']) {
            die("You are trying to add more crystals to the market than you have.");
        }
        $tp = $_POST['amnt'] * $_POST['price']; // total price for the whole listing
        // Column order assumed: cmID, cmQTY, cmADDER, cmPRICE (as in the original INSERT).
        $db->query(sprintf("INSERT INTO crystalmarket VALUES ('', %u, %u, %u)",
            $_POST['amnt'], intval($userid), $tp));
        $db->query(sprintf("UPDATE users SET crystals = crystals - %u WHERE (userid = %u)",
            $_POST['amnt'], intval($userid)));
        print "Crystals added to market!<br /><a href='cmarket.php'>> Back</a>";
    } else {
        echo "<b>Adding a listing...</b><br />";
        $s = ($ir['crystals'] == 1) ? "" : "s";
        echo sprintf("You have <b>%s</b> crystal%s that you can add to the market.<br />",
            number_format($ir['crystals']), $s);
        echo "<form action='cmarket.php?action=add' method='post'>";
        echo "<table width='50%' border='2'>";
        echo "<tr><td>Crystals:</td>";
        echo sprintf("<td><input type='text' name='amnt' value='%u' /></td></tr>",
            intval($ir['crystals']));
        echo "<tr><td>Price Each:</td>";
        echo "<td><input type='text' name='price' /></td></tr>";
        echo "<tr><td colspan='2' align='center'><input type='submit' value='Add To Market' /></td></tr>";
        echo "</table>";
        echo "</form>";
    }
}

$h->endpage();
?>

Edit: Removed an include() where it's not needed
Joel Posted August 14, 2008
Re: Cheats

Which game are you talking about? Because general-life is secure on most holes.
wilkesy Posted August 17, 2008 (Author)
Re: Cheats

Yeah, General-life. Somebody bought the 2 billion house.
whitescout Posted September 1, 2008
Re: Cheats

It's the poker. A player can go into negative buying chips, and then keep doing so until he/she gets positive.
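The poker mod's code is not on this page, so the following is an added example (mine, not the mod's or mccodes' code) of the shape a "buy chips and go negative" defect takes and how to close it, again in Python against an in-memory SQLite table. The users table, the chip price of 10 and the amounts are constructed for the illustration, and only the first unchecked debit is modelled; the report's "keep doing so until positive" step is not explained on the page and is not reproduced here. The unchecked version debits whatever the player asked for; the checked version rejects bad quantities and makes the affordability test part of the UPDATE itself, so the database evaluates money >= cost at write time and two overlapping requests cannot both pass a separate read-then-write check.

```python
"""Chip purchase with and without a balance check (added example; the poker code is not on the page)."""
import sqlite3

CHIP_PRICE = 10        # constructed price per chip; the real mod's price is not on the page
MAX_CHIPS_PER_BUY = 1_000_000  # constructed sanity cap on a single purchase

# Constructed schema: just the columns this example touches.
SCHEMA = """
CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER NOT NULL, chips INTEGER NOT NULL);
INSERT INTO users VALUES (7, 1000, 0);
"""


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def balance(con, userid):
    """Return (money, chips) for the player."""
    return con.execute("SELECT money, chips FROM users WHERE userid=?", (userid,)).fetchone()


def buy_chips_unchecked(con, userid, chips):
    """Assumed shape of the defect: the debit runs whether or not the player can afford it,
    and a negative or absurd quantity is never rejected, so money can go below zero."""
    cost = chips * CHIP_PRICE
    con.execute("UPDATE users SET money = money - ?, chips = chips + ? WHERE userid = ?",
                (cost, chips, userid))
    con.commit()
    return True


def buy_chips_checked(con, userid, chips):
    """Hardened version: validate the quantity, then debit and credit in one conditional UPDATE.
    rowcount is 1 only if the player existed AND had at least `cost`; otherwise nothing changed."""
    if not isinstance(chips, int) or chips < 1 or chips > MAX_CHIPS_PER_BUY:
        return False
    cost = chips * CHIP_PRICE
    cur = con.execute(
        "UPDATE users SET money = money - ?, chips = chips + ? "
        "WHERE userid = ? AND money >= ?",
        (cost, chips, userid, cost))
    con.commit()
    return cur.rowcount == 1


def demo():
    results = {}
    con = fresh_db()
    buy_chips_unchecked(con, 7, 500)                      # 1000 - 500*10
    results["unchecked"] = balance(con, 7)                # (-4000, 500)

    con = fresh_db()
    results["too_many"] = buy_chips_checked(con, 7, 500)  # cannot afford: False, untouched
    results["negative"] = buy_chips_checked(con, 7, -50)  # bad quantity: False
    results["ok"] = buy_chips_checked(con, 7, 50)         # affordable: True
    results["checked"] = balance(con, 7)                  # (500, 50)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-10s %s" % (name, value))
```

The point of the conditional UPDATE is that the check and the write are one statement: a PHP-side `if ($ir['money'] >= $cost)` followed by an unconditional UPDATE still lets two requests that both read the old balance both succeed. Check the affected-row count after the UPDATE and treat 0 as "declined", not as an error to ignore.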
Magictallguy Posted September 1, 2008
Re: Cheats

May post secure forums soon :)