I've been working on something new for my game, and been coding this from scratch.
It all seems to work, but I'm worried about security and the more I read the more confused I get on what I need to do to make sure nobody does anything to my db.
Here is what I have so far, what else do I need to do to the GET and POSTS?
Code: Select all
<?php
include("lib.php");
define("PAGENAME", "CAC Public Market");
$player = check_user($secret_key, $db);
$getcategories =$db->execute("SELECT `Weapon_Type`, `ID` FROM weapon_type");
$getmarket=stripslashes($_GET['catid']);
$viewmarket = $db->execute("SELECT c.market_ID as mID, c.Item_Sold_ID, c.Seller_ID, c.Price, c.days_left, p.username, p.id as pid, b.id as wid, b.name as wname, b.type as wtype FROM market_new c
INNER JOIN players p ON c.Seller_ID = p.id
INNER JOIN blueprint_items b ON c.Item_Sold_ID = b.id
Where b.type=?", array($getmarket));
include("templates/private_header.php");
switch ($_GET['act'])
{
case "cat":
if ($viewmarket->recordcount() == 0)
{
echo "Sorry, No items for sale in this Market <!-- s:( --><img src=\"{SMILIES_PATH}/icon_sad.gif\" alt=\":(\" title=\"Sad\" /><!-- s:( -->";
}
else
{
echo "<table width=\"100%\" border=\"1\">";
echo "<tr align=\"center\">";
echo "<td><h3>Item</h3></td>";
echo "<td><h3>Seller</h3></td>";
echo "<td><h3>Cost</h3></td>";
echo "<td><h3>Days Left</h3></td>";
echo "<td><h3>Purchase</h3></td>";
while ($marketview = $viewmarket->fetchrow())
{
echo "<tr>";
echo "<td>" . $marketview['wname'] . "</td>";
echo "<td>" . $marketview['username'] . "</td>";
echo "<td>" . $marketview['Price'] . "</td>";
echo "<td></td>";
echo "<td><a href=\"marketnew.php?act=buy&buyid=" . $marketview['mID'] . "\">Buy</a><br /></td>";
echo "</tr>";
}
echo "</table>";
}
break;
case "buy":
{
$buy=stripslashes($_GET['buyid']);
$query = $db->execute("SELECT m.Seller_ID, m.Price, m.Item_Sold_ID, m.market_ID, b.id as wid, b.name as wname from market_new m
INNER JOIN blueprint_items b ON m.Item_Sold_ID = b.id
where m.market_ID=?", array($buy));
$marketbuy = $query->fetchrow();
if ($player->id == $marketbuy['Seller_ID'])
{
echo "You can't buy your own items dummy<p>";
echo "<a href=\"home.php\">Home</a>\n";
}
elseif($marketbuy['Price'] > $player->gold)
{
Echo "You don't have enough money to buy this item";
}
else
{
//update players info
$itemcheck = $db->execute("SELECT `player_id`, `item_id` FROM `items` WHERE `player_id`=? and `item_id`=?", array($player->id, $marketbuy['Item_Sold_ID']));
$itemcheck1 = $itemcheck->fetchrow();
$itembought=$marketbuy['Item_Sold_ID'];
$seller=$marketbuy['Seller_ID'];
if($itemcheck->recordcount() == 0)
{
$db->query("INSERT INTO items (player_id,item_id,status,quantity) VALUES ('$player->id', '$itembought', 'unequipped', '1')");
$updatebuyergold = $db->execute("UPDATE `players` SET `gold` = `gold` - ? WHERE `id`=?", array($marketbuy['Price'], $player->id));
$updatesellergold = $db->execute("UPDATE `players` SET `gold` = `gold` + ? WHERE `id`=?", array($marketbuy['Price'], $marketbuy['Seller_ID']));
$deleteitem = $db->execute("delete from `market_new` where `market_ID`=?", array($marketbuy['market_ID']));
$logmsg = "Your\n" . $marketbuy['wname'] . "\non the market was purchased by <a href=\"profile.php?id=" . $player->id . "\">" . $player->username . "</a> ";
addlog($marketbuy['Seller_ID'], $logmsg, $db);
echo "you just purchased this item from the market";
}
else
{
$updateweapon = $db->execute("update `items` SET `quantity` = `quantity` + ? WHERE `player_id`=? and `item_id`=?", array(1, $player->id, $itembought));
$updatebuyergold = $db->execute("UPDATE `players` SET `gold` = `gold` - ? WHERE `id`=?", array($marketbuy['Price'], $player->id));
$updatesellergold = $db->execute("UPDATE `players` SET `gold` = `gold` + ? WHERE `id`=?", array($marketbuy['Price'], $marketbuy['Seller_ID']));
$deleteitem = $db->execute("delete from `market_new` where `market_ID`=?", array($marketbuy['market_ID']));
$logmsg = "Your\n" . $marketbuy['wname'] . "\non the market was purchased by <a href=\"profile.php?id=" . $player->id . "\">" . $player->username . "</a> ";
addlog($marketbuy['Seller_ID'], $logmsg, $db);
echo "you just purchased this item from the market";
}
}
}
break;
case "sell":
$sell=stripslashes($_GET['sellid']);
{
$itemcheck = $db->execute("SELECT items.item_id, items.player_id, items.quantity, items.id, b.id, b.name FROM items
INNER JOIN blueprint_items b ON items.item_id = b.id
WHERE items.player_id=? and items.item_id=?", array($player->id, $sell));
$itemcheck1 = $itemcheck->fetchrow();
if($itemcheck->recordcount() == 0)
{
echo "You don't own this item";
}
else
{
$item=$_GET['sellid'];
echo "CAC BlackMarket if you would like to sell an item on the market our fee is 10% of the item sell price or at least $1.<br>This must be paid up front and is non refundable<p>";
echo "You may only sell up to 3 items at one time and all items remain on the market for 5 days.<br>";
echo "After 5 days the items will be put back into your inventory";
echo "<form method=\"POST\" action=\"marketnew.php?act=confirm\" >";
echo "You are placing your \n" . $itemcheck1['name'] . "\non the market.<p>";
echo "<input type=\"hidden\" name=\"act\" value=\"confirm\">";
echo "<input type=\"hidden\" name=\"item\" value=\"$item\">";
echo "Asking Sell Price: <input type=\"text\" name=\"price\"><p>";
echo "<input type=\"submit\" value=\"Submit\">";
echo "</form>";
}
}
break;
case "confirm":
{
$item=stripslashes($_POST['item']);
$price=stripslashes($_POST['price']);
$fee=floor($price/10);
if ($fee<1){$fee=1;}
if($price<=0){
echo "Sorry, We do not allow you to give things away.";
break;
}else
{
echo "Please confirm that you want to sell this item";
echo "<form method=\"post\" action=\"marketnew.php?act=list\">";
echo "<input type=\"hidden\" name=\"item\" value=\"$item\">";
echo "<input type=\"hidden\" name=\"price\" value=\"$price\">";
echo "<input type=\"hidden\" name=\"fee\" value=\"$fee\">";
echo "<input type=\"submit\" name=\"list\" value=\"Yes, I am sure!\">";
echo "</form>";
}
}
break;
case "list":
{
$item=stripslashes($_POST['item']);
$price=stripslashes($_POST['price']);
$total=$price;
$fee=stripslashes($_POST['fee']);
//check to see if player can afford to list
if($player->gold<$fee)
{
echo "Sorry, you can afford to list that item.";
}
elseif($item <= 0)
{
echo "you must select an item to sell";
}
else
{
//add items to market
$additem = $db->execute("INSERT INTO market_new (Seller_ID,Price,Item_Sold_ID) VALUES ('$player->id', '$price', '$item')");
//remove fee from player
$query = $db->execute("update `players` set `gold`=? where `id`=?", array($player->gold - $fee, $player->id));
//remove item from inventory
$gettotal = $db->execute("SELECT `player_id`, `item_id`, `quantity` FROM `items` WHERE `player_id`=? and `item_id`=?", array($player->id, $item));
$gettotal1 = $gettotal->fetchrow();
if ($gettotal1['quantity'] > 1)
{
$update = $db->execute("UPDATE `items` set `quantity` = `quantity`- ? WHERE `player_id`=?", array(1, $player->id));
}
else
{
$remove = $db->execute("Delete from `items` where `player_id`=? and `item_id`=?", array($player->id, $item));
}
echo "You have placed your item on the market";
}
}
break;
default:
{
echo "Please Select a Market to search";
echo "<table width=\"100%\" border=\"1\">";
echo "<tr>";
while ($categories = $getcategories->fetchrow())
{
echo "<td>";
echo "<a href=\"marketnew.php?act=cat&catid=" . $categories['ID'] . "\">" . $categories['Weapon_Type'] . "</a><br />";
echo "</td>";
echo "</tr>";
}
echo "</table>";
}
break;
}
include("templates/private_footer.php");
?>