Want to make sure my Code is SECURE =)
Posted: Sat Dec 26, 2009 3:36 pm
my code
it uses smarty templating engine.
it uses smarty templating engine.
Code: Select all
<?php
session_start();
require "../config.php";
require "../libs/Smarty.class.php";
$smarty = new Smarty;
if($_SESSION['rpg_' .$game_name . 'userrank'] != 1)
{
die("You dont belong here");
}
//if adding new char/enemy
if(isset($_POST['Submit']))
{
//vars
$name = strip_tags(mysql_real_escape_string($_POST['textName']));
$brave = strip_tags(mysql_real_escape_string($_POST['textBrave']));
$crimegroup = strip_tags(mysql_real_escape_string($_POST['selectCrimeGroups']));
$formula = strip_tags(mysql_real_escape_string($_POST['textFormula']));
$minmoney = strip_tags(mysql_real_escape_string($_POST['textMinMoney']));
$maxmoney = strip_tags(mysql_real_escape_string($_POST['textMaxMoney']));
$minexp = strip_tags(mysql_real_escape_string($_POST['textMinExp']));
$maxexp = strip_tags(mysql_real_escape_string($_POST['textMaxExp']));
$text = stripslashes(strip_tags(mysql_real_escape_string($_POST['textText'])));
$failtext = stripslashes(strip_tags(mysql_real_escape_string($_POST['textFailedText'])));
$suctext = stripslashes(strip_tags(mysql_real_escape_string($_POST['textSuccessText'])));
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
$file_typ = array();
$file_typ = explode('.',strtolower($_FILES["file"]["name"]));
$file_type = $file_typ[count($file_typ)-1];
if($file_type == "jpg" || $file_type == "png" || $file_type == "gif" || $imageinfo['mime'] == "image/gif" || $imageinfo['mime'] == "image/jpg" || $imageinfo['mime'] == "image/jpeg" || $imageinfo['mime'] == "image/png" && isset($imageinfo) )
{
//check if item name not in use
$result = mysql_query("SELECT crimeID FROM crimes WHERE crimeNAME='$name' AND game='$game_name'") or die(mysql_error());
if(mysql_num_rows($result) == 0)
{
//if successfully moved file
if(move_uploaded_file($_FILES["file"]["tmp_name"], "../../gamedata/$game_name/crimes/$name.$file_type"))
{
mysql_query("INSERT INTO crimes (crimeNAME, crimeFTYPE, crimeBRAVE, crimePERCFORM, crimeMinMoney, crimeMaxMoney, crimeGROUP, crimeITEXT, crimeFTEXT, crimeSTEXT, crimeMinEXP, crimeMaxEXP, game) VALUES ('$name', '$file_type', '$brave', '$formula', '$minmoney', '$maxmoney', '$crimegroup', '$text', '$failtext', '$suctext', '$minexp', '$maxexp', '$game_name')") or die(mysql_error());
$msg = "Crime successfully added...";
}
else
{
$msg = 'Failed to upload crime image...';
}
}
else
{
$msg = "Name can not be same as another crime name...";
}
}
else
{
$msg = "Item Image must be jpg/gif/png image...";
}
}
//crime groups query
$result = mysql_query("SELECT cgID, cgNAME FROM crimegroups WHERE game='$game_name' ORDER BY cgNAME ASC") or die(mysql_error());
//get all crime groups
while($group = mysql_fetch_object($result))
{
if(empty($crimegroupsel))
{
$crimegroupsel = $group->cgID;
}
$crimegroups[$group->cgID] = $group->cgNAME;
}
$smarty->assign("CrimeGroups", $crimegroups);
$smarty->assign("CrimeGroupsSel", $crimegroupsel);
//set template var
$smarty->assign("MSG", $msg);
//parse templates
$smarty->display('crimeadd.tpl');
?>