Membre
|
Salut voila ses le meme bug que l`autre faille j`avais mais la ses en mode massif mais meme avec ls truk de l`ancien rien veux bloquer !!!!!!!!!!!!!
Quand je croit avoir resolu bah la il bloquer tout !! dans le msg Mmh oui et quoi encore sale tricheur ?
aider moi svp !
<?php
include("lib.php");
define("PAGENAME", "Acheter");
$player = check_user($secret_key, $db);
$img = "<img src=images/bar_logo.PNG border=0 align=absmiddle><br /><br />";
include("templates/private_header.php");
?>
<div class="contenu">
<div class="contenu_bloc">
<h1>Xp massif</h1>
<?
if (isset($_POST['byu']) and $_POST['byu1']>0 and $_POST['byu2']>0 and $_POST['byu3']>0 and $_POST['byu4']>0)
{
$data = $_POST['byu'];
$sql = "SELECT * from `players` where `username`='" . $data . "'";
$result = mysql_query($sql);
$row = mysql_fetch_assoc($result);
if (!$_POST['byu'] and $_POST['byu1']<0 and $_POST['byu2']<0 and $_POST['byu3']<0 and $_POST['byu4']<0) { //If username isn't filled in...
$msg = "Mmh oui et quoi encore ?<br />\n"; //Add to error message
echo $msg;
die();
}
if (!preg_match("/^[0-9]+$/", $_POST['byu1']))
{ //If username contains illegal characters...
$msg = "Essaye pas de me mettre la douille...\n"; //Add to error message
echo $msg;
die();
}
if (!preg_match("/^[0-9]+$/", $_POST['byu2']))
{ //If username contains illegal characters...
$msg = "Essaye pas de me mettre la douille...\n"; //Add to error message
echo $msg;
die();
}
if (!preg_match("/^[0-9]+$/", $_POST['byu3']))
{ //If username contains illegal characters...
$msg = "Essaye pas de me mettre la douille...\n"; //Add to error message
echo $msg;
die();
}
if (!preg_match("/^[0-9]+$/", $_POST['byu4']))
{ //If username contains illegal characters...
$msg = "Essaye pas de me mettre la douille...\n"; //Add to error message
echo $msg;
die();
}
if ($row['email'] != $player->email) { //If username isn't filled in...
$msg = "PAS TON EMAIL !!<br />\n"; //Add to error message
echo $msg;
die();
}
if (!$_POST['byu1']+$_POST['byu2']+$_POST['byu3']+$_POST['byu4'] > $row['stat_points'] || $_POST['byu1'] > 0 || $_POST['byu2'] > 0 || $_POST['byu3'] > 0 || $_POST['byu4'] > 0) { //If username isn't filled in...
$msg = "Mmh oui et quoi encore sale tricheur ?<br />\n"; //Add to error message
echo $msg;
die();
}
$cost = ($_POST['byu1'] + $_POST['byu2'] + $_POST['byu3'] + $_POST['byu4']);
$query = $db->execute("update `players` set `strength`=?, `force`=?, `vitality`=?, `def`=?, `stat_points`=? where `id`=?", array($row['strength'] + $_POST['byu1'], $row['force'] + $_POST['byu2'], $row['vitality'] + $_POST['byu3'], $row['def'] + $_POST['byu4'], $row['stat_points'] - $cost, $row['id']));
echo "<font color=white>Xp répartie!</font><br /><br />";
}
?>
<i>Tu as <b><?=$row['stat_points']?></b> points de compétence à dépenser.</i><br />
<form method="post" action="xpmassif.php">
Joueur:<input type="text" name="byu" maxlength="15" class="input_int" value="<?=$_POST['byu'];?>" /><br />
Force:<input type="text" name="byu1" class="input_int" value="<?=$_POST['byu1'];?>" /><br />
Agileter:<input type="text" name="byu2" class="input_int" value="<?=$_POST['byu2'];?>" /><br />
Esquive:<input type="text" name="byu3" class="input_int" value="<?=$_POST['byu3'];?>" /><br />
Resistance:<input type="text" name="byu4" class="input_int" value="<?=$_POST['byu4'];?>" />
<input type="submit" name="action" value="XP"/>
</form>
<?php
include("templates/private_footer.php");
?>
https://guerredesgangs.net & http://www.bazinio.ca & http://www.thestreet2.ca
|
Admin
|
Bonjour,
peut être en remplaçant:
$data = $_POST['byu'];
par
$data = mysql_real_escape_string($_POST['byu']);
Cordialement
|
