wilkesy Posted August 14, 2008 Posted August 14, 2008 I am using mccodes v2 and it has only been open 3 days or so, and somebody has 2 billion already. I was wondering if there's a cheat or something that needs deleting, but he claims he just found it out, and I was wondering if he was cheating. Anyone else know anything about this? Wilkesy www.general-life.com Quote
Magictallguy Posted August 14, 2008 Posted August 14, 2008 Re: Cheats SQL Injection into the cmarket.php most likely Unless you know how to secure your game, I'd suggest removing your forums too. Add this into your header for a quick fix. $_GET['ID'] = abs(@intval($_GET['ID'])); $_GET['viewtopic'] = abs(@intval($_GET['viewtopic'])); $_GET['viewforum'] = abs(@intval($_GET['viewforum'])); Quote
Magictallguy Posted August 14, 2008 Posted August 14, 2008 Re: Cheats A secure cmarket.php for you too ;) Crystal Market - cmarket.php
<?php
/*
 * Crystal Market - cmarket.php (mccodes v2 module)
 *
 * Dispatches on $_GET['action'] to list, add, remove or buy crystal
 * listings.  Every id, quantity and price that reaches SQL is forced to a
 * non-negative integer first and interpolated with %u, so no
 * user-controlled string is ever concatenated into a query.
 */
include("globals.php");
echo ("<h3>Crystal Market</h3>");
//----------- Request hardening: ID must be a non-negative int, action a known keyword.
$_GET['ID'] = isset($_GET['ID']) ? abs((int)$_GET['ID']) : 0;
//-----------
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : "";
//-----------
switch ($_GET['action']) {
    case "buy":
        crystal_buy();
        break;
    case "remove":
        crystal_remove();
        break;
    case "add":
        crystal_add();
        break;
    default:
        cmarket_index();
        break;
}

/**
 * Lists every open listing, cheapest-per-crystal first, with a Buy link
 * (or a Remove link on the viewer's own listings).
 */
function cmarket_index()
{
    global $db, $ir, $c, $userid, $h;
    print "<a href='cmarket.php?action=add'>> Add A Listing</a>
Viewing all listings...
<table width='95%' cellspacing='2' cellpadding='2' class='table' border='1'>
<tr style='background:gray'>
<th>Adder</th>
<th>Qty</th>
<th>Price each</th>
<th>Price total</th>
<th>Links</th>
</tr>";
    // Only the columns the page renders; the seller's name comes from a join, not a second query per row.
    $sql = "SELECT cm.*, u.userid, u.username "
         . "FROM crystalmarket AS cm "
         . "LEFT JOIN users AS u ON (u.userid = cm.cmADDER) "
         . "ORDER BY cmPRICE/cmQTY ASC";
    $q = $db->query($sql);
    while ($r = $db->fetch_row($q)) {
        $listingId = abs((int)$r['cmID']);
        $qty = abs((int)$r['cmQTY']);
        $price = abs((int)$r['cmPRICE']);
        // Owners get a Remove link; everybody else gets a Buy link.
        if ((int)$r['cmADDER'] === (int)$userid) {
            $link = sprintf("<a href='cmarket.php?action=remove&ID=%u'>Remove</a>", $listingId);
        } else {
            $link = sprintf("<a href='cmarket.php?action=buy&ID=%u'>Buy</a>", $listingId);
        }
        // Guard against a zero-quantity row so the page never divides by zero.
        $each = ($qty > 0) ? $price / $qty : 0;
        echo ("<tr>");
        echo sprintf(
            "<td style='text-align:center;'><a href='viewuser.php?u=%u'>%s</a> [%s]</td>",
            (int)$r['userid'],
            htmlentities($r['username']),
            number_format($r['userid'])
        );
        echo sprintf("<td style='text-align:right;'>%s</td>", number_format($qty));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($each));
        echo sprintf("<td style='text-align:right;'>\$%s</td>", number_format($price));
        echo sprintf("<td style='text-align:center;'>[%s]</td>", $link);
        echo ("</tr>");
    }
    echo ("</table>");
}

/**
 * Takes the viewer's own listing off the market and hands the crystals back.
 *
 * The row is deleted BEFORE the crystals are credited, and the credit only
 * happens when the DELETE actually removed a row, so a listing can never be
 * "removed" twice (which would mint crystals).
 *
 * NOTE(review): relies on the db wrapper's affected_rows(); confirm it is
 * available in your mccodes build.
 */
function crystal_remove()
{
    global $db, $ir, $c, $userid, $h;
    $listingId = abs((int)$_GET['ID']);
    $uid = (int)$userid;
    $q = $db->query(sprintf("SELECT cmQTY FROM crystalmarket WHERE (cmID = %u) AND (cmADDER = %u)", $listingId, $uid));
    if (!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or you are not the owner. <a href='cmarket.php'>> Back</a>");
    }
    $r = $db->fetch_row($q);
    $qty = abs((int)$r['cmQTY']);
    // Claim the row first; the owner condition is repeated so only the lister can remove it.
    $db->query(sprintf("DELETE FROM crystalmarket WHERE (cmID = %u) AND (cmADDER = %u)", $listingId, $uid));
    if (!$db->affected_rows()) {
        die("Error, either these crystals do not exist, or you are not the owner. <a href='cmarket.php'>> Back</a>");
    }
    $db->query(sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)", $qty, $uid));
    print "Crystals removed from market! <a href='cmarket.php'>> Back</a>";
}

/**
 * Buys a listing: charges the buyer, removes the listing, credits the
 * crystals to the buyer and the money to the seller, then notifies the seller.
 *
 * Order matters: the charge is a conditional UPDATE (money >= price) and the
 * listing is claimed with a DELETE whose affected-row count is checked, so two
 * buyers racing for the same listing cannot both receive the crystals.  If the
 * listing vanished between the charge and the DELETE, the buyer is refunded.
 *
 * NOTE(review): relies on the db wrapper's affected_rows(); confirm it is
 * available in your mccodes build.
 */
function crystal_buy()
{
    global $db, $ir, $c, $userid, $h;
    $listingId = abs((int)$_GET['ID']);
    $uid = (int)$userid;
    $q = $db->query(sprintf("SELECT * FROM crystalmarket WHERE (cmID = %u)", $listingId));
    if (!$db->num_rows($q)) {
        die("Error, either these crystals do not exist, or they have already been bought. <a href='cmarket.php'>> Back</a>");
    }
    $r = $db->fetch_row($q);
    $price = abs((int)$r['cmPRICE']);
    $qty = abs((int)$r['cmQTY']);
    $seller = (int)$r['cmADDER'];
    if ($price > $ir['money']) {
        die("Error, you do not have the funds to buy these crystals. <a href='cmarket.php'>> Back</a>");
    }
    // Charge only while the balance still covers the price at the moment of the UPDATE.
    // A free listing (price 0) would not change the row, so the affected-row check is skipped for it.
    if ($price > 0) {
        $db->query(sprintf("UPDATE users SET money = money - %u WHERE (userid = %u) AND (money >= %u)", $price, $uid, $price));
        if (!$db->affected_rows()) {
            die("Error, you do not have the funds to buy these crystals. <a href='cmarket.php'>> Back</a>");
        }
    }
    // Claim the listing; if somebody else already bought it, give the money back and stop.
    $db->query(sprintf("DELETE FROM crystalmarket WHERE (cmID = %u)", $listingId));
    if (!$db->affected_rows()) {
        if ($price > 0) {
            $db->query(sprintf("UPDATE users SET money = money + %u WHERE (userid = %u)", $price, $uid));
        }
        die("Error, either these crystals do not exist, or they have already been bought. <a href='cmarket.php'>> Back</a>");
    }
    $db->query(sprintf("UPDATE users SET crystals = crystals + %u WHERE (userid = %u)", $qty, $uid));
    $db->query(sprintf("UPDATE users SET money = money + %u WHERE (userid = %u)", $price, $seller));
    // Seller-facing event; the buyer name is HTML-escaped because it lands in another user's page.
    $event = sprintf(
        "<a href='viewuser.php?u=%u'>%s</a> [%s] bought your %s crystals from the market. You received %s as payment in full",
        $uid,
        htmlentities($ir['username']),
        number_format($uid),
        number_format($qty),
        number_format($price)
    );
    event_add($seller, $event);
    echo sprintf("You bought the %s crystals from the market for \$%s.", $qty, number_format($price));
}

/**
 * Shows the "add a listing" form, or on POST creates the listing and docks the
 * crystals from the lister.
 *
 * Quantity and price are coerced to non-negative integers; a quantity of zero
 * falls through to the form.  The total (qty * price) must remain an integer,
 * otherwise the listing is refused rather than storing an overflowed value.
 */
function crystal_add()
{
    global $db, $ir, $c, $userid, $h;
    $uid = (int)$userid;
    $_POST['amnt'] = isset($_POST['amnt']) ? abs((int)$_POST['amnt']) : 0;
    $_POST['price'] = isset($_POST['price']) ? abs((int)$_POST['price']) : 0;
    $amount = $_POST['amnt'];
    $priceEach = $_POST['price'];
    if ($amount) {
        if ($amount > $ir['crystals']) {
            die("You are trying to add more crystals to the market than you have.");
        }
        $total = $amount * $priceEach;
        // PHP silently promotes an overflowing product to float; refuse rather than store garbage.
        if (!is_int($total)) {
            die("The total price for this listing is too large.");
        }
        $db->query(sprintf("INSERT INTO crystalmarket VALUES ('', %u, %u, %u)", $amount, $uid, $total));
        $db->query(sprintf("UPDATE users SET crystals = crystals - %u WHERE (userid = %u)", $amount, $uid));
        print "Crystals added to market! <a href='cmarket.php'>> Back</a>";
    } else {
        echo ("<b>Adding a listing...</b> ");
        $plural = ($ir['crystals'] == 1) ? "" : "s";
        echo sprintf("You have <b>%s</b> crystal%s that you can add to the market.", number_format($ir['crystals']), $plural);
        echo ("<form action='cmarket.php?action=add' method='post'>");
        echo ("<table width=50% border=2>");
        echo ("<tr>");
        echo ("<td>Crystals:</td>");
        echo sprintf("<td><input type='text' name='amnt' value='%u' /></td>", (int)$ir['crystals']);
        echo ("</tr>");
        echo ("<tr>");
        echo ("<td>Price Each:</td>");
        echo ("<td><input type='text' name='price' /></td>");
        echo ("</tr>");
        echo ("<tr>");
        echo ("<td colspan=2 align=center><input type='submit' value='Add To Market' /></td>");
        echo ("</tr>");
        echo ("</table>");
        echo ("</form>");
    }
}
$h->endpage();
?>
Edit: Removed an include() where it's not needed
Joel Posted August 14, 2008 Posted August 14, 2008 Re: Cheats Which game you talking about, because general-life is secure on most holes Quote
wilkesy Posted August 17, 2008 Author Posted August 17, 2008 Re: Cheats Yea, General-life; somebody bought the 2 billion house. Quote
whitescout Posted September 1, 2008 Posted September 1, 2008 Re: Cheats It's the poker. A player can go into negative buying chips, and then keep doing so until he/she gets positive. Quote
Magictallguy Posted September 1, 2008 Posted September 1, 2008 Re: Cheats May post a secure forums soon :) Quote