Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
But were you able to cheat with this page? I ask because I double-check before sending the item.
Btw, how does refreshing the page without the query string help if someone uses option 2?
Btw, thanks for sharing that; on my other site I also used a refresh when sending POST data, because going back was very annoying :)
Anyway, I will, because adding one more line doesn't really do any harm :)
So I will update this once again if I also get the XML for the new item stats like spirit, penetration and slayer/warding etc.
Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
Quote:
Originally Posted by
shadowvzs
But were you able to cheat with this page? I ask because I double-check before sending the item.
Btw, how does refreshing the page without the query string help if someone uses option 2?
Btw, thanks for sharing that; on my other site I also used a refresh when sending POST data, because going back was very annoying :)
Anyway, I will, because adding one more line doesn't really do any harm :)
So I will update this once again if I also get the XML for the new item stats like spirit, penetration and slayer/warding etc.
I didn't check your code. I'm too lazy to create a new VM. And what do you mean by "double check"? In my opinion the PRG pattern is very efficient in this case. Ah, there's one more thing related to the webshop. You should verify that the item exists in your webshop table, or the players can change the item ID and buy a GM weapon.
Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
Quote:
Originally Posted by
w3bm4ster
I didn't check your code. I'm too lazy to create a new VM. And what do you mean by "double check"? In my opinion the PRG pattern is very efficient in this case. Ah, there's one more thing related to the webshop. You should verify that the item exists in your webshop table, or the players can change the item ID and buy a GM weapon.
Then I'll tell you how it works.
There is a parent page (webshop); when it's loaded it checks the user's web points and the gold in the inventory of the 1st character and shows them.
There is a hidden iframe inside the parent/webshop page.
When you want to buy something, the parent page checks if you have enough points or gold; if yes, it passes the roleid, item data and amount to the iframe/child page in its URL, like "worker.php?Role=1024&amount=2&itemdata=231#2#64#......"
When worker.php gets the data it checks:
Is the user in a session?
Is the item data valid and does it exist with the same data in the file?
If yes, then it rechecks the role's gold or the account's web points, refreshes the variable in the parent, calculates again whether the price isn't higher than what the role/user has, then sends the mail; if it's sent, then it decreases the gold or points.
- - - Updated - - -
It's a bit different with the in-game gold cost:
- because it needs to check if the account is logged out
- because the gold is decreased before the mail-sending part, since that verifies whether the gold-decrease function works (maybe different PW versions have different XML structures), so if it was decreased but the mail failed, the role gets his money back.
In both cases there is a message for whether the mail was sent or not (JavaScript alert); it makes the rapid clicker's job a bit more annoying.
Another thing I added is a Boolean variable that doesn't let the parent/webshop send data to the iframe until the last mail was sent or the sending failed (the child/iframe changes it).
Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
Question: why are you sending data via an iframe to begin with, over an HTTP GET method?
Why not use a regular HTTP POST on the same page instead?
That, or use proper JavaScript AJAX requests.
There's something we can all agree on though:
Your PHP code works for a simple internal site so an admin can send himself some stuff and do some other things.
However, and this is reality:
The state your site is currently in: echoing HTML and JavaScript into a site, doing everything through PHP.
What #w3bm4ster already mentioned is just one way to abuse the current system you made.
You really have to clean up your code and put stuff in classes. Get rid of the iframe method and learn proper JavaScript to handle async POST events.
Because as it is right now, your site is in no way, shape or form ready for a "production" environment.
Most big server owners will tell you the same: players will do just about anything to try and abuse anything you make. So unless it's absolutely bulletproof, it's nothing more than a liability right now.
That said though, we all started somewhere with poorly made sites and learned from that, so I'm sure that in the future you'll be able to do better work.
But I can speak for most people here when I make this comment:
1. Format your project; stop putting everything in single PHP files
- move CSS to actual CSS files
- move your JavaScript to actual JS files
- format your PHP code into actual classes so it's easier to maintain and looks cleaner to work with as well.
2. Spend some time on data validation, concurrent request handling and all that, so that a user can only get an item once even if he uses 10 web browsers at the same time to get it.
Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
Quote:
Originally Posted by
GiantAxe
But I can speak for most people here when I make this comment:
1. Format your project; stop putting everything in single PHP files
- move CSS to actual CSS files
- move your JavaScript to actual JS files
- format your PHP code into actual classes so it's easier to maintain and looks cleaner to work with as well.
2. Spend some time on data validation, concurrent request handling and all that, so that a user can only get an item once even if he uses 10 web browsers at the same time to get it.
I prefer iframe over AJAX; not every site uses AJAX, and I don't know any private server whose website has that much traffic (maybe in-game, but not on the web). I still can't understand how anybody can abuse it with fast clicking, since the money is taken.
I have used AJAX and didn't really like it; mainly, here you don't need async at all for buying, because what's the point of that if the user buys 1 item at a time anyway?
html - Why AJAX over iFrames? - Stack Overflow
AJAX doesn't mean iframe is dead; they have differences and advantages, and the main advantage of AJAX isn't used here (unlike in search engines, where AJAX is clearly a lot better than iframe).
I am glad if you want to help, but I won't change to AJAX only because it's trendy now, because iframe is also OK with security checks/fixes (correct me if I am wrong; I always accept it if someone can prove there is a much better way).
1. Formatting and separating CSS/JavaScript I will do; at first I didn't, for the simple reason that it meant fewer files, and the item builder was mainly designed as an admin tool/for testing stuff.
2. If you read what I wrote, I hope you understood that you could make 10000 browsers, but every time you pay for an item you can't avoid it (at least as I see it you can't, if the server side has a money check before paying); but anyway, reloading the page without the query string is a good idea because it doesn't do any harm :)
Validation is there: user validation, item data validation etc. (if it has special syntax then it can't be the same string as in the file), but maybe a replace for the '/"$ characters is needed as well?
This is how it works when the iframe is called:
PHP Code:
<?php
// Valid-use check runs before this point: $AllowN is set by the preceding session/user
// validation, $userid is the logged-in account ID, $ShopItemD is the path of the shop item
// file, and $DB_Host/$DB_User/$DB_Password/$DB_Name/$ServerPort come from the config.
if ($AllowN !== true) { die; }

if (isset($_GET['BuyFromShop'])) {
    if (isset($_GET['Amount'], $_GET['buyWith'], $_GET['transWith'], $_GET['IData'], $_GET['roleid'])) {
        // Item data is passed with '|' and '@' as URL-safe stand-ins for '#' and '+'
        $idata = str_replace('|', '#', trim($_GET['IData']));
        $idata = str_replace('@', '+', $idata);

        if (strpos($idata, '#') !== false) {
            $iArr = explode('#', $idata);
            if (count($iArr) == 19) {
                // Item data is valid only if the exact string is present in the shop item file
                $handle = fopen($ShopItemD, 'r');
                $valid = false;
                while (($line = fgets($handle)) !== false) {
                    if (strpos($line, $idata) !== false) {
                        $valid = true;
                        break;
                    }
                }
                fclose($handle);

                if ($valid !== false) {
                    $buyWith   = intval($_GET['buyWith']);   // 1 is coin, 2 is web point
                    $transWith = intval($_GET['transWith']); // 1 is mail, 2 is not added yet
                    $Amount    = intval($_GET['Amount']);    // how much of the item
                    $roleId    = intval($_GET['roleid']);    // target role
                    // $iArr[11] is the item's max stack size
                    if (($buyWith > 0) && ($transWith > 0) && ($Amount > 0) && ($roleId > 0) && ($iArr[11] >= $Amount)) {
                        // check if the game server is running
                        $sockres = @fsockopen($DB_Host, $ServerPort, $errno, $errstr, 10);
                        if (!$sockres) {
                            echo "<script>parent.alert('Server is offline');</script>";
                        } else {
                            fclose($sockres);
                            // server online
                            $conn = new mysqli($DB_Host, $DB_User, $DB_Password, $DB_Name);
                            if ($conn->connect_error) {
                                echo "<script>parent.alert('Cannot connect to mysql database');</script>";
                            } else {
                                include("./packet_class.php"); // provides SysSendMail()
                                if ($buyWith == 2) {
                                    // check the user's web points
                                    $statement = $conn->prepare("SELECT VotePoint FROM users WHERE ID=?");
                                    $statement->bind_param('i', $userid);
                                    $statement->execute();
                                    $statement->bind_result($LWebPoint);
                                    $statement->store_result();
                                    if (!$statement->num_rows) {
                                        exit;
                                    }
                                    while ($statement->fetch()) {
                                        $WPoint = $LWebPoint;
                                    }
                                    $statement->close();

                                    $price = $iArr[1] * $Amount; // $iArr[1] is the unit price
                                    if ($WPoint >= $price) {
                                        $NPoint = $WPoint - $price;
                                        if ($transWith == 1) {
                                            echo "<script>parent.MReady = false;</script>";
                                            $expir = $iArr[14]; // expiry in seconds, 0 = never
                                            if ($expir > 0) { $expir = $expir + time(); }
                                            // NOTE: the SELECT above and the UPDATE below are not one atomic step;
                                            // two requests that both pass the check before either writes both get the item.
                                            if (SysSendMail($roleId, ("[SHOP]: " . $iArr[2]), ("Thank you for buying this item from the web!"), $iArr[7], $Amount, $iArr[11], $iArr[15], $iArr[9], $expir, $iArr[12], $iArr[13], $iArr[8], 0) == 0) {
                                                $stmt = $conn->prepare("UPDATE users SET VotePoint = ? WHERE ID=?");
                                                $stmt->bind_param('ii', $NPoint, $userid);
                                                $stmt->execute();
                                                $stmt->close();
                                                echo "
                                                <script>
                                                parent.UPoint = parseInt('" . $NPoint . "', 10);
                                                parent.document.getElementById('User_Point').innerHTML = parent.UPoint;
                                                parent.document.getElementById('BuyWindow').style.display='none';
                                                parent.alert('Mail sent with your item!');
                                                parent.MReady = true;
                                                parent.LockItem = false; parent.SelectIcon(0);
                                                </script>";
                                            } else {
                                                echo "<script>
                                                parent.alert('Error, cannot send mail!');
                                                parent.document.getElementById('BuyWindow').style.display='none';
                                                parent.SelectIcon(0);
                                                parent.MReady = true;
                                                </script>";
                                            }
                                        }
                                    } else {
                                        echo "<script>parent.alert('Insufficient point (" . ($price - $WPoint) . " missing)!');</script>";
                                    }
                                }
                                $conn->close();
                            }
                        }
                    }
                } else {
                    echo "<script>parent.alert('Item not found!');</script>";
                }
            }
        }
    }
}
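Added example, not code from the thread or from shadowvzs's shop: it puts the two points raised earlier (w3bm4ster's "verify the item exists in your webshop table", GiantAxe's "a user can only get an item once even with 10 web browsers") into a purchase routine shaped like the worker.php flow above. The table and column names (users.ID, users.VotePoint, shop_items) are assumptions mirroring the thread's code, and an in-memory sqlite3 database stands in for MySQL. race_naive reproduces the thread's read-balance / send-mail / write-balance order with two requests interleaved, and atomic_buy replaces it with a single conditional UPDATE that only delivers after the deduction went through.

```python
import sqlite3

# Constructed sample data: one account with 100 web points, one shop item.
SAMPLE_USER_ID = 1
SAMPLE_ITEM_ID = 231


def setup_db():
    """In-memory stand-in for the MySQL tables; schema names are assumptions."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.executescript("""
        CREATE TABLE users (ID INTEGER PRIMARY KEY, VotePoint INTEGER NOT NULL);
        CREATE TABLE shop_items (ItemID INTEGER PRIMARY KEY, Name TEXT NOT NULL,
                                 Price INTEGER NOT NULL, MaxStack INTEGER NOT NULL);
        INSERT INTO users VALUES (1, 100);
        INSERT INTO shop_items VALUES (231, 'Sample Potion', 60, 99);
    """)
    return conn


def balance(conn, user_id):
    return conn.execute("SELECT VotePoint FROM users WHERE ID = ?", (user_id,)).fetchone()[0]


def lookup_item(conn, item_id):
    """Price and stack limit come from the server-side table, never from the request."""
    return conn.execute("SELECT Price, MaxStack FROM shop_items WHERE ItemID = ?",
                        (item_id,)).fetchone()


# --- the thread's pattern: read balance, send the item, then write the new balance ---
def naive_check(conn, user_id, item_id, amount):
    item = lookup_item(conn, item_id)
    if item is None or amount < 1 or amount > item[1]:
        return None
    price = item[0] * amount
    have = balance(conn, user_id)
    return have - price if have >= price else None


def naive_commit(conn, user_id, new_balance, deliveries):
    deliveries.append(user_id)  # the "mail sent" step
    conn.execute("UPDATE users SET VotePoint = ? WHERE ID = ?", (new_balance, user_id))


def race_naive(conn, user_id=SAMPLE_USER_ID, item_id=SAMPLE_ITEM_ID):
    """Two requests that both pass the check before either writes: both deliver."""
    deliveries = []
    a = naive_check(conn, user_id, item_id, 1)
    b = naive_check(conn, user_id, item_id, 1)  # still sees 100 points
    naive_commit(conn, user_id, a, deliveries)
    naive_commit(conn, user_id, b, deliveries)  # overwrites with the same 40
    return balance(conn, user_id), len(deliveries)


# --- the fix: conditional decrement in one statement, deliver only after it succeeded ---
def atomic_buy(conn, user_id, item_id, amount, send_mail):
    item = lookup_item(conn, item_id)
    if item is None:
        return "unknown item"           # client-chosen item IDs not in the shop are rejected
    if amount < 1 or amount > item[1]:
        return "bad amount"
    price = item[0] * amount
    cur = conn.execute(
        "UPDATE users SET VotePoint = VotePoint - ? WHERE ID = ? AND VotePoint >= ?",
        (price, user_id, price))
    if cur.rowcount != 1:               # the row was not updated: not enough points
        return "insufficient points"
    if not send_mail(user_id, item_id, amount):
        # compensate, as the thread does for in-game gold: refund when the mail fails
        conn.execute("UPDATE users SET VotePoint = VotePoint + ? WHERE ID = ?", (price, user_id))
        return "mail failed, refunded"
    return "ok"


def race_atomic(conn, user_id=SAMPLE_USER_ID, item_id=SAMPLE_ITEM_ID):
    """Same two requests; the second one finds the points already gone."""
    deliveries = []

    def mail_ok(uid, iid, n):
        deliveries.append(uid)
        return True

    r1 = atomic_buy(conn, user_id, item_id, 1, mail_ok)
    r2 = atomic_buy(conn, user_id, item_id, 1, mail_ok)
    return r1, r2, balance(conn, user_id), len(deliveries)


if __name__ == "__main__":
    print("naive: balance, deliveries =", race_naive(setup_db()))
    print("atomic:", race_atomic(setup_db()))
```

The conditional UPDATE is what makes the order of arrival irrelevant: in MySQL/InnoDB two such statements on the same row take the row lock one after the other, so the second one evaluates VotePoint >= price against the already decremented value and touches no row, whatever the browsers did on the client side. Reading the price and stack size from the shop table also means the IData string in the URL no longer needs to carry anything the server has to trust.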
Re: Advanced Octet Editor v1 [PHP, Mailer, Guide]
Found a bug in the test "http://shadowvzs.uw.hu/PW/web/index.php?sVer=80":
1. Assassin mask and Psychic mask are backwards. That's all I found; nice work.