Thread: New Generation torrent
View Single Post
  #2  
Old 26th June 2013, 13:16
joeroberts's Avatar
joeroberts joeroberts is offline
BT.Manager Owner
  
Join Date: Jan 2008
United States
Posts: 2,113
Default
attention

Attention

this Code needs a little securing




Your Way open for a sql injection on this so bad
PHP Code:
if ($_GET["act"] == "Arcade") {

    switch ($_POST['gname'])
    {
        case "asteroids":
            $game 1;
            $level 1;
            $score $_POST['score'];
            break;

        case "breakout":
            $game 2;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "hexxagon":
            $game 3;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "invaders":
            $game 4;
            $level 1;
            $score $_POST['score'];
            break;

        case "moonlander":
            $game 5;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "pacman":
            $game 6;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "psol":
            $game 7;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "simon":
            $game 8;
            $level 1;
            $score $_POST['gscore'];
            break;

        case "snake":
            $game 9;
            if($_POST['levelName'] == "LEVEL: SLUG"$level 1;
                elseif($_POST['levelName'] == "LEVEL: WORM"$level 2;
                    elseif($_POST['levelName'] == "LEVEL: PYTHON"$level 3;
            $score $_POST['score'];
            break;

        case "tetris":
            $game 10;
            $level $_POST['level'];
            $score $_POST['gscore'];
            break;
    }

    db::run("SELECT count(*), min(score) FROM flashscores WHERE game = $game");
    $arr db::firstrow(MYSQL_NUM);
    if ($arr[0] < 15 or $arr[1] < $score) {
        db::run("INSERT INTO flashscores (game , user , level , score, date) VALUES ('".$game."', '".$CURUSER['id']."', '".$level."', '".$score."', NOW())");
        if ($arr[0] >= 15
            db::run("DELETE FROM flashscores WHERE game = $game AND score = $arr[1]");
        header("Location: games.php?gametype=7&act=win&gameid=$game");
    } else
        header("Location: games.php?gametype=7&act=notwin&gameid=$game");

    die;
}

//Szavazas megkapása

if (is_valid_id($_GET["pollid"])) {
    $choice $_GET["choice"];
    $pollid $_GET["pollid"];
    
    header("Content-Type: text/html; charset=iso-8859-2");

    if (($choice 100) || !is_numeric($choice) || !(round($choice) == $choice))
        die("Rossz szavazat!");

    if (!db::count("polls WHERE id = $pollid"))
        die("Rossz szavazás ID.");

    if (db::count("pollanswers WHERE pollid = $pollid and userid = ".$CURUSER['id']))
        die("Már szavaztál ebben a szavazásban.");

    db::run("INSERT INTO pollanswers VALUES($pollid, ".$CURUSER['id'].", $choice)");
    
    if (!db::$aff)
        die("Hiba lépett fel.");

    db::run("UPDATE users SET new_poll = 0 WHERE id = ".$CURUSER["id"]);
    bonus("+2");

    polltable($pollid);

    die;
__________________
Do not ask me to help you work on your site that is not phpMyBitTorrent
Do not ask me to make a mod for any other source
Do not Ask me to setup your site.
I will no longer help you setup your site, there is a setup script if you have trouble with it post in the forum here or in BT.Manager™ forum
My Current Demo is here http://demo.btmanager.org/
Reply With Quote
The Following User Says Thank You to joeroberts For This Useful Post:
romano1 (28th July 2013)