
Webshop Tampering


theeliter


Hello Guys. Btw my name is Matthy.

 

I come here to ask for tips about my script.

 

Well, this is easy, but I am so weak and have no knowledge about this. Look at this:

    if($rows>0) {
        // Load the user's row and import its columns as local variables
        $rows=mssql_fetch_assoc($result);
        extract($rows);

        $UserPoint = ($UserPoint);
        $ID = ($Username);
        $Usernum = ($UserNum);

        // Balance check against $Price
        if($UserPoint<$Price) {
            echo "<font color=red size=2><center>Sorry not enough Credits to Avail this Item.<p>";
            $error = 1; delayedrefresh('webshop.php');
        }
        // Rejects only zero or negative prices
        if($Price <= 0) {
            echo "<font color=red size=2><center>Tampering Detected<p>";
            $error = 1; delayedrefresh('webshop.php');
        }
        // Look up the stock for the requested item
        $result1=mssql_query("SELECT ItemStock FROM Ranshop.dbo.ShopItemMap Where ProductNum = '$ItemNum'");
        $rows1=mssql_num_rows($result1);
        if ($rows1>0) {
            $rows1=mssql_fetch_assoc($result1);
            extract($rows1);

            $ItemStock = ($ItemStock);
            $ItemMoney = ($ItemMoney);
            // Price fields taken directly from the submitted form
            $PurPrice = $_POST['PurPrice'];
            $ItemMoney = $_POST['ItemMoney'];

 

I have a problem with this,

because someone uses data tampering to change the value of the price, so I've put if($Price <= 0) {.

But it's still not effective, because when they change it to 1-999, they still can.

Any idea, guys, what is the best way to prevent the price being changed with Data Tamper in this script?

Thank you


Don't send the price in the request. Send the item ID number, then pull that ID from the database and get the price from the database. If you've secured your SQL there's no way he/she can alter those values, so you can definitely rely on them.


^

^

Yeah, it's safe if the price is in the DB only, but how about the Item ID?

If the Item ID is still changeable, they can get an expensive item by purchasing a cheap item and changing the item ID into the expensive item ID.

So what would you suggest, bro?

Here's a screenie:

hereh.jpg

 


All item IDs should be put with the price in the database. Nothing should be displayed that's not in the database. When someone submits a new item to sell, they submit the new item ID and price to the database. There is no way that you can tamper with that data.

What you're doing right now is how the PayPal donation system works, where a person can put any amount he wants and it puts that in the database.
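
The server-side lookup suggested in the replies, as an added example that is not part of the original thread: the request carries only the item ID, so changing that ID just buys the other item at its own database price. It uses PDO with an in-memory SQLite database in place of the script's `mssql_*` calls; the `UserInfo` table and `ItemPrice` column are assumed names, and `$userNum` is assumed to come from the logged-in session rather than from the form.

```php
<?php
// Added example. Schema and rows are constructed; UserInfo and ItemPrice are assumed names.
function purchase(PDO $db, int $userNum, $postedItemNum): string
{
    // The item id is the only client input used, and it must be a positive integer.
    $itemNum = filter_var($postedItemNum, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemNum === false) {
        return 'invalid item';
    }
    $db->beginTransaction();
    try {
        // The price is read from the database, never from $_POST.
        $q = $db->prepare('SELECT ItemPrice FROM ShopItemMap WHERE ProductNum = ?');
        $q->execute([$itemNum]);
        $price = $q->fetchColumn();
        // Conditional update: takes one unit only if the item exists and is in stock.
        $stock = $db->prepare('UPDATE ShopItemMap SET ItemStock = ItemStock - 1 WHERE ProductNum = ? AND ItemStock > 0');
        $stock->execute([$itemNum]);
        if ($price === false || $stock->rowCount() !== 1) {
            $db->rollBack();
            return 'unavailable';
        }
        // Conditional update: deducts only if the balance covers the database price.
        $pay = $db->prepare('UPDATE UserInfo SET UserPoint = UserPoint - ? WHERE UserNum = ? AND UserPoint >= ?');
        $pay->execute([$price, $userNum, $price]);
        if ($pay->rowCount() !== 1) {
            $db->rollBack();   // also restores the stock taken above
            return 'not enough credits';
        }
        $db->commit();
        return 'ok';
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed demo data: user 7 has 100 points, item 1 costs 50, item 2 costs 5000.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ShopItemMap (ProductNum INTEGER PRIMARY KEY, ItemPrice INTEGER, ItemStock INTEGER)');
$db->exec('CREATE TABLE UserInfo (UserNum INTEGER PRIMARY KEY, UserPoint INTEGER)');
$db->exec('INSERT INTO ShopItemMap VALUES (1, 50, 10), (2, 5000, 10)');
$db->exec('INSERT INTO UserInfo VALUES (7, 100)');

// Constructed requests; the forged PurPrice field is ignored because purchase() never reads it.
foreach ([['ItemNum' => '2', 'PurPrice' => '1'], ['ItemNum' => '1', 'PurPrice' => '1'], ['ItemNum' => '1 OR 1=1']] as $post) {
    echo $post['ItemNum'], ' => ', purchase($db, 7, $post['ItemNum']), "\n";
}
```

Both updates carry their own condition in the `WHERE` clause, so two simultaneous requests cannot spend the same points or take the last unit of stock twice.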
