
Hello, I did use the search before posting this.

I'm new to PHP/MySQL and have been doing soooo much reading. I have been able to make a game that a few friends are playing; it's like a PvP game.

Anyway, one of the people playing found a way to glitch buying and selling units by putting a . in front of the value. I do have a protect feature for stripping illegal characters:

// Escapes a string for use inside a quoted SQL literal. It says nothing about
// the numeric meaning of the value: a leading "." passes straight through.
function protect($string) {
    return mysql_real_escape_string(strip_tags(addslashes($string)));
}

This works for other characters but not with a period (.). I'm not asking for someone to do it for me, I just wanted to be pointed in the right direction.

But just in case someone asks, here is the code I'm using:

if(isset($_POST['buy'])){
        // protect() only escapes; ".44444" comes back unchanged as a string,
        // and PHP treats that numeric string as the float 0.44444 in the
        // arithmetic below, so the cost becomes 4.4444 instead of 10 * 1
        $sword = protect($_POST['sword']);
        $shield = protect($_POST['shield']);
        $gold_needed = (10 * $sword) + (10 * $shield);

        // rejects negatives only; a fractional quantity passes both checks
        if($sword < 0 || $shield < 0){
            output("You must buy a positive number of weapons!");
        }elseif($stats['gold'] < $gold_needed){
            output("You do not have enough gold!");
        }else{
            // the fractional value is added to the stored counts as-is
            $weapon['sword'] += $sword;
            $weapon['shield'] += $shield;

            $update_weapons = mysql_query("UPDATE `weapon` SET 
                                            `sword`='".$weapon['sword']."',
                                            `shield`='".$weapon['shield']."'
                                            WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
            $stats['gold'] -= $gold_needed;
            $update_gold = mysql_query("UPDATE `stats` SET `gold`='".$stats['gold']."' 
                                        WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
            include("update_stats.php");
            output("You have bought weapons!");
        }
}

If anyone could give me a hand I would greatly appreciate it.

I did find something: "string functions, substr_replace and str_replace".

But can I use two functions in one query? Sorry, I'm new.

EDIT***

Here is the query posted in update_stats.php:

$update_stats = mysql_query("UPDATE `stats` SET 
                            `income`='".$income."',`farming`='".$farming."',
                            `attack`='".$attack."',`defense`='".$defense."'
                            WHERE `id`='".$_SESSION['uid']."'") or die(mysql_error());
Warzone aK
  • Can you explain how the `.` affects the query (e.g. what is the query that results in the issue, and what does it update to)? That as far as I know has no special meaning in MySQL. Also I'd think `addslashes` + `mysql_real_escape_string` would give you some strange queries. You should really consider updating to PDO or mysqli and using parameterized queries. – chris85 Nov 10 '17 at 19:01
  • Just don't use this code, you're wasting your time. – Funk Forty Niner Nov 10 '17 at 19:03

1 Answer

one of the people playing found a way to glitch buying and selling units by putting a . in front of the value

Well, you've not disclosed EXACTLY what the vulnerability is, but I'll hazard a guess that by input of a decimal value they run around your pricing/math? So, a number of possibilities, I should think?

if (substr($string, 0, 1) == ".") {
    //return false, warn, etc.
}

That could go in your "protect" function.

Likewise, you could use intval() or even is_numeric() ... here I just add it to the assignment:

$sword = protect(intval($_POST['sword']));

You could also play with a regular expression. I'm assuming $value to be numeric? How many digits max? I've used 5:

if (preg_match("%\.\d{1,5}%", $sword)) { //this guy's playing w/us
   die("Go away, bad hax0rz! :-P");
}
Kevin_Kinsey
  • Sorry, like I said, I'm new. The vulnerability is: if someone were to buy a weapon or a unit and put .44444, as an example, it would train the units and not remove any resources. http://prntscr.com/h8tiii Also, yeah, I now understand that mysqli is the way to go, but I just started learning and mysql is what I learned lol, sorry – Warzone aK Nov 10 '17 at 19:15
  • Take a look at my examples, they should help. – Kevin_Kinsey Nov 10 '17 at 19:16
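Putting the answer's intval()/is_numeric() idea together with chris85's comment about parameterized queries, here is an added example (not code from the question or the answer) of a buy handler that validates each quantity as a non-negative whole number before any arithmetic and then updates the rows with mysqli prepared statements. It assumes an open mysqli connection in $mysqli, the `weapon` and `stats` tables from the question, and a constructed MAX_QTY cap.

```php
<?php
// Added example, not the original poster's code. Numeric fields never go
// through string escaping at all: they are validated as integers and bound
// as integer parameters. $mysqli is assumed to be an open mysqli connection.

const SWORD_PRICE  = 10;
const SHIELD_PRICE = 10;
const MAX_QTY      = 1000; // constructed cap so one purchase cannot overflow

// Returns an int in [0, MAX_QTY], or null if the input is not a plain integer.
// ".44444", "-1", "1e3", "12abc" and "" all yield null; "0" yields 0, so the
// caller must compare against null, not use a truthiness check.
function parse_quantity($raw): ?int {
    if (!is_string($raw)) {
        return null;
    }
    $qty = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => MAX_QTY],
    ]);
    return ($qty === false) ? null : $qty;
}

// Applies a purchase atomically; returns false if nothing is bought or the
// player cannot afford it. The gold check is repeated inside the UPDATE so a
// stale $gold read from an earlier query cannot be used to overspend.
function buy_weapons(mysqli $mysqli, int $uid, int $sword, int $shield, int $gold): bool {
    if ($sword + $shield === 0) {
        return false;                       // nothing to buy
    }
    $cost = SWORD_PRICE * $sword + SHIELD_PRICE * $shield; // integer arithmetic only
    if ($cost > $gold) {
        return false;
    }
    $mysqli->begin_transaction();
    $stmt = $mysqli->prepare(
        'UPDATE `weapon` SET `sword` = `sword` + ?, `shield` = `shield` + ? WHERE `id` = ?');
    $stmt->bind_param('iii', $sword, $shield, $uid);
    $stmt->execute();
    $stmt = $mysqli->prepare(
        'UPDATE `stats` SET `gold` = `gold` - ? WHERE `id` = ? AND `gold` >= ?');
    $stmt->bind_param('iii', $cost, $uid, $cost);
    $stmt->execute();
    if ($stmt->affected_rows !== 1) {       // no row met the gold condition
        $mysqli->rollback();
        return false;
    }
    $mysqli->commit();
    return true;
}
```

In the handler, call parse_quantity() on $_POST['sword'] and $_POST['shield'] and show the "positive number" message when either returns null; only then pass the two ints to buy_weapons().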