massacremichael, posted May 14, 2010

    ctype_digit($take_amm);
    ctype_digit($save_amm);

I need my bank, instead of manually typing in how many points to deposit, to have a drop-down box for up to 9 digits for depositing & saving points... How can I go about this? My programmer is out of town for 2 weeks & we were experiencing MySQL injections. Any advice? Use "ctrl+f" to find the "save_amm" section. Thanks!

    // ----------------- SAVE
    if(isset($_POST['save_amm'])){
        if($_POST['save_amm']>0 && $_POST['save_amm']<1000000000){
            $sql89 = "SELECT * from users WHERE user_name = '$user_name'";
            $res89 = mysql_query($sql89,$conn);
            $userap = mysql_result($res89,0,'points');
            if($userap>=$_POST['save_amm']){
                $save_amm = clean($_POST['save_amm']);
                $sql80 = "UPDATE users SET points=points-$save_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql70 = "UPDATE users SET bank_amount = bank_amount+$save_amm WHERE user_name = '$user_name'";
                $res70 = mysql_query($sql70,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints</font><br>";
            }
        }else{
            $errorinfo = "<br><font color='#FF0000'>Invalid Amount</font><br>";
        }
    }

    // ----------------- TAKE
    if(isset($_POST['take_amm'])){
        if($_POST['take_amm']>0 && $_POST['take_amm']<1000000000){
            if($bank_amount>=$_POST['take_amm']){
                $take_amm = clean($_POST['take_amm']);
                $sql80 = "UPDATE users SET points=points+$take_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql70 = "UPDATE users SET bank_amount = bank_amount-$take_amm WHERE user_name = '$user_name'";
                $res70 = mysql_query($sql70,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints in your bank</font><br>";
            }
        }else{
            $errorinfo = "<br><font color='#FF0000'>Invalid Amount</font><br>";
        }
    }

http://icepets.com/bank_55_4433_ed

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/
massacremichael (Author), posted May 15, 2010

Anyone?

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058871
Mchl, posted May 15, 2010

    <?php
    if(isset($_POST['save_amm'])){
        if((int)$_POST['save_amm']>0 && (int)$_POST['save_amm']<1000000000){
            $sql89 = "SELECT points FROM users WHERE user_name = '$user_name'";
            $res89 = mysql_query($sql89,$conn);
            $userap = mysql_result($res89,0,'points');
            if($userap>=$_POST['save_amm']){
                $save_amm = (int)clean($_POST['save_amm']);
                $sql80 = "UPDATE users SET points=points-$save_amm, bank_amount = bank_amount+$save_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints</font><br>";
            }
        }
    }

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058890
massacremichael (Author), posted May 15, 2010

& that prevents MySQL injections? Because it doesn't look like it would give a 0-9 drop-down box with up to 8 spaces for depositing/taking up to 99,999,999 points, or does it just prevent injections?

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058929
Mchl, posted May 15, 2010

I don't know where $user_name comes from, but as far as the $_POST['save_amm'] variable is concerned it should be secure. Here's a slightly improved version:

    if(isset($_POST['save_amm'])){
        $save_amm = (int)$_POST['save_amm'];
        if($save_amm>0 && $save_amm<1000000000){
            $sql89 = "SELECT points FROM users WHERE user_name = '$user_name'";
            $res89 = mysql_query($sql89,$conn);
            $userap = mysql_result($res89,0,'points');
            if($userap>=$save_amm){
                $sql80 = "UPDATE users SET points=points-$save_amm, bank_amount = bank_amount+$save_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints</font><br>";
            }
        }
    }

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058934
massacremichael (Author), posted May 15, 2010

Thanks a ton, Mchl. So in theory it would be safe to open up the bank again on my site for users, without having to worry about injections? Or would it be safer to go ahead & make the 'type in box' for depositing/saving a numerical drop-down field?

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058940
massacremichael (Author), posted May 15, 2010

The TAKE function doesn't work when using your above code, replacing the 'SAVE' with 'TAKE'. When I replace each SAVE with TAKE, the TAKE function doesn't work.

    // ----------------- TAKE
    if(isset($_POST['take_amm'])){
        if($_POST['take_amm']>0 && $_POST['take_amm']<1000000000){
            if($bank_amount>=$_POST['take_amm']){
                $take_amm = clean($_POST['take_amm']);
                $sql80 = "UPDATE users SET points=points+$take_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql70 = "UPDATE users SET bank_amount = bank_amount-$take_amm WHERE user_name = '$user_name'";
                $res70 = mysql_query($sql70,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints in your bank</font><br>";
            }
        }else{
            $errorinfo = "<br><font color='#FF0000'>Invalid Amount</font><br>";
        }
    }

YOUR CODE BELOW

    if(isset($_POST['take_amm'])){
        $take_amm = (int)$_POST['take_amm'];
        if($take_amm>0 && $take_amm<1000000000){
            $sql89 = "SELECT points FROM users WHERE user_name = '$user_name'";
            $res89 = mysql_query($sql89,$conn);
            $userap = mysql_result($res89,0,'points');
            if($userap>=$take_amm){
                $sql80 = "UPDATE users SET points=points-$take_amm, bank_amount = bank_amount+$take_amm WHERE user_name = '$user_name'";
                $res80 = mysql_query($sql80,$conn);
                $sql980 = "INSERT into dailies (user_name,title) VALUES ('$user_name','bankinterest')";
                $res980 = mysql_query($sql980,$conn);
                header("Location: bank.php?");
                exit;
            }else{
                $errorinfo = "<br><font color='#FF0000'>You don't have that many icePoints</font><br>";
            }
        }
    }

I think what I want is to take the current coding I had & replace it with numerical drop-downs from 0,1,2,3,4,5,6,7,8,9 with 9 spots for each.

Link to comment: https://forums.phpfreaks.com/topic/201806-ctype_digit/#findComment-1058948
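As an added example (not code from the thread or from the icepets.com site), this shows the amount check the first post reaches for with ctype_digit() together with a point transfer done through bound parameters, covering both the SAVE direction Mchl rewrote and the TAKE direction the last post could not get working. The users table, the user 'alice' and the test inputs are constructed for the demo, and PDO with an in-memory SQLite database stands in for the site's mysql_* calls.

```php
<?php
// Added example, not code from the thread: validate the amount the way the
// original poster's ctype_digit() call intended, then move points with one
// parameterised UPDATE whose WHERE clause performs the balance check.
// Runs stand-alone against an in-memory SQLite table constructed below
// (the site itself uses MySQL; with PDO only the DSN would differ).
declare(strict_types=1);

function validAmount($raw): ?int {
    // ctype_digit() accepts only the characters 0-9, so '', '-5', '1e3' and
    // anything containing quotes or spaces are rejected before the DB sees them.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $n = (int)$raw;
    return $n > 0 ? $n : null;      // accepted range: 1 .. 999,999,999
}

// $dir is 'save' (points -> bank_amount) or 'take' (bank_amount -> points).
function transfer(PDO $db, string $userName, int $amount, string $dir): bool {
    if ($dir === 'save') {
        $sql = "UPDATE users SET points = points - ?, bank_amount = bank_amount + ?
                WHERE user_name = ? AND points >= ?";
    } else {
        $sql = "UPDATE users SET points = points + ?, bank_amount = bank_amount - ?
                WHERE user_name = ? AND bank_amount >= ?";
    }
    // Amount and user name both travel as bound parameters, so neither $_POST
    // nor $user_name (the value Mchl could not vouch for) can alter the SQL text.
    $st = $db->prepare($sql);
    $st->execute([$amount, $amount, $userName, $amount]);
    // The balance condition is part of the UPDATE: either the row changes or
    // nothing does, with no SELECT-then-UPDATE window for a concurrent request.
    return $st->rowCount() === 1;
}

// Constructed sample data and a few sample inputs.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE users (user_name TEXT PRIMARY KEY, points INTEGER, bank_amount INTEGER)");
$db->exec("INSERT INTO users VALUES ('alice', 500, 100)");

foreach (['250', '600', "1' OR '1'='1", '-5', '000000000'] as $raw) {
    $amt  = validAmount($raw);
    $done = ($amt !== null) && transfer($db, 'alice', $amt, 'save');
    printf("save %-16s -> %s\n", var_export($raw, true), $done ? 'ok' : 'rejected');
}
var_dump(transfer($db, 'alice', 300, 'take'));
print_r($db->query("SELECT points, bank_amount FROM users")->fetch(PDO::FETCH_ASSOC));
```

A drop-down in the HTML form only changes what a browser offers to send; the server still receives whatever text arrives in $_POST, so the validation and the bound parameters above are what actually close the injection.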