Am I doing this security input right?


Monkuar


Am I missing any more input attacks to pass not having 2 of the same balls?

$numbers = "19|20|19";
$numArray = explode("|", $numbers);
// Compares ball 1 against balls 2 and 3 only; ball 2 is never compared with ball 3
if ($numArray[0] == $numArray[1] OR $numArray[0] == $numArray[2]) {
    $std->Error2("You cannot pick 2 numbers with the same ticket");
}

 

The if function will see if 19 = 20, or 19 = 20

 

 

Then I would need to do $numArray['1'] == $numArray['2'] and so on, right, to get all possible ways?

If so, is there an easier way instead of just using all OR statements and not manually thinking about every possible way? Isn't there just a way to check if 2 arrays are the same? :P (or 3)

 

 


Well, first of all that logic doesn't check if item #1 matches item #2. Second of all, that's more complicated than it needs to be. Just use array_unique() on the array to remove duplicate values and then check if the result still has three elements.

$numArray = array_unique(explode("|", $numbers));
if(count($numArray)<3)
{
    $std->Error2("You cannot pick 2 numbers with the same ticket");
}

 

I still don't know why you are passing the values in the format "#|#|#" instead of using arrays to begin with. You are making your "project" 10x more complicated than it needs to be, based on the posts of yours I have seen.

 

As for checking if there are two sets of values with the same numbers, that will not be easy with what you have now. From what I have seen you don't have any logic to put the numbers in numerical order. So, a user could have "3|5|8" and "8|3|5". Personally, I would convert ALL the user picks into a multi-dimensional array. And, when doing so, sort each pick so they are in numerical order. Then, in addition to using array_unique() on each pick to ensure there are no duplicate numbers in the pick, you could use array_unique() on the parent array to see if there are any picks with the same numbers.



Well, if the jackpot numbers were 3|5|8 and someone chose 8|3|5, they wouldn't win anyway? I used some different code that you made me a couple of days ago because, quite frankly, it was just too much to handle :confused: . Ben made me some new code, which I modified a little:

 

$query = $DB->query("SELECT l.*,m.name,m.id FROM ibf_lottery_tickets l
    LEFT JOIN ibf_members m ON (m.id=l.memberid)
    WHERE l.lotteryid='" . (int)$lotto['i_id'] . "' ORDER BY time_bought DESC");   // cast the id defensively

$jackpotwon = false;   // initialise so the check after the loop never reads an undefined variable

while ($ticket2 = $DB->fetch_row($query)) {

    //Check Exact winnings/Jackpot
    $numbers_chosen = "2|5|1,20|2|5";   // sample value as posted; in use this would come from the ticket row
    $winning_numbers = "2|5|1";
    // Let's get those winning numbers into an array
    $jackpot = explode('|', $winning_numbers);
    $tiers_won = array();
    $tickets = explode(',', $numbers_chosen);
    foreach ($tickets as $ticket) {
        $balls = explode('|', $ticket);
        if ($balls == $jackpot) {
            // All three balls match the jackpot (in the right order too)
            $tiers_won[] = 100;
            $jackpotwon = true;
            $jackpotamount = "{$ticket2['name']}";
            $numbersthatwonjackpot = "{$balls[0]}|{$balls[1]}|{$balls[2]}";
            $nameinfo = "{$ticket2['id']}|{$ticket2['name']}|{$ticket2['star']}";
        }
        elseif (!array_diff($balls, $jackpot)) {
            // All the balls are the same but not necessarily in the correct order.
            $tiers_won[] = 30;
        }
        elseif ($balls[0] == $jackpot[0] AND $balls[1] == $jackpot[1]) {
            // The first two balls match those of the jackpot
            $tiers_won[] = 20;
        }
        elseif (count(array_diff($balls, $jackpot)) == 1) {
            // Only one ball is a mismatch (not considering the order)
            $tiers_won[] = 5;
        }
    }
}   // end of the while loop over ticket rows (closing brace was missing in the post)

if ($jackpotwon) {
    //I run my queries here for $nameinfo, $numbersthatwonjackpot etc. to give them the amount of gold in the jackpot
}

 

 

That code above pulls my data for each user's ticket.

 

And I sort it by date DESC so whoever chose that jackpot number FIRST is actually going to win first (I don't know how to make it so the 2nd jackpot winner could win also; maybe in the future?) :P

 

 

 

 

The code for this topic is because I used this to generate my winning jackpot number:

 

function choose_numbers($number, $max) {
    global $ibforums, $std;
    $array = array();
    $i = 0;
    // Retries until $number distinct values are collected; never returns if $number > $max
    while ($i != $number) {
        // mt_rand() is a Mersenne Twister, not a cryptographically secure generator;
        // PHP 7+ provides random_int() for values that must not be predictable
        $rand = mt_rand(1, $max);
        if (!in_array($rand, $array)) {
            $array[] = $rand;
            $i++;
        }
    }
    return $array;
}   // closing brace was missing in the post

 

That will never EVER display 2 of the same numbers (I hope not 3 either), so that is why I need to check the user input and not let them tamper with my data by editing the post data to make all their balls the same. The code you provided works fine, thanks ^^

 

As of right now it's working correctly, and I am going to be ditching the cron job. I could just store my function to re-run the lottery on the main index of my forum so it will be refreshed all the time while people browse my forum, and if that condition is true it will re-update the lottery. That code is actually here:

 

$end_date = $lotto['start_time'] + $lotto['run_for'];
if ($end_date < time() and $lotto['type'] == 'exact') {
    $newnumbers = $this->choose_numbers(3, 36);
    $this->drawn_lotto++;

    //$wn = implode("|",$lotto['correct_balls']);
    //$winning_numbers = explode("|", $lotto['correct_balls']);

    //echo "im about to get a new lottery going";
    //exit;

    $lp = time();
    $temp = $DB->query("UPDATE ibf_lottery_lotterys SET correct_balls='{$newnumbers[0]}|{$newnumbers[1]}|{$newnumbers[2]}',start_time='$lp',run_for='3600',jackpot='',lastticket=''
        WHERE i_id='" . (int)$lotto['i_id'] . "' LIMIT 1");   // cast the id defensively
    //Truncate db: delete everyone's tickets
    $DB->query("TRUNCATE TABLE ibf_lottery_tickets");
}

 

This essentially will just update the lottery and remove all the tickets.

 

But I will have to store the $lotto's start time and run_for in a MySQL field that will be read with each refresh, like just put it in an array on my board's forum statistics or something, so it can be called.
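
The number-drawing routine in the post above is the part an attacker would go after first, so here is an added example (mine, not the forum's or the poster's code) of the same 3-from-36 draw done with PHP 7's random_int(). mt_rand() is a Mersenne Twister, fast but not cryptographically secure, and a reject-and-retry loop gets slower as the count approaches the maximum and never returns when the count exceeds it. A partial Fisher-Yates shuffle over the pool makes exactly one random_int() call per ball. The function names and the InvalidArgumentException are my choices.

```php
<?php
declare(strict_types=1);

/**
 * Draw $count distinct numbers from 1..$max using the CSPRNG.
 *
 * Partial Fisher-Yates: each iteration swaps one not-yet-drawn pool entry to the
 * front, so the loop always finishes after $count steps and cannot spin.
 */
function drawNumbers(int $count, int $max): array
{
    if ($count < 1 || $max < 1 || $count > $max) {
        throw new InvalidArgumentException("cannot draw $count distinct numbers from 1..$max");
    }
    $pool  = range(1, $max);
    $drawn = [];
    for ($i = 0; $i < $count; $i++) {
        // random_int() is cryptographically secure and inclusive on both ends
        $j = random_int($i, $max - 1);
        [$pool[$i], $pool[$j]] = [$pool[$j], $pool[$i]];
        $drawn[] = $pool[$i];
    }
    return $drawn;
}

/** Sanity check on a draw: right count, no repeats, every ball in range. */
function drawIsValid(array $draw, int $count, int $max): bool
{
    return count($draw) === $count
        && count(array_unique($draw)) === $count
        && min($draw) >= 1
        && max($draw) <= $max;
}

$balls = drawNumbers(3, 36);
// same "a|b|c" format the thread stores in correct_balls
echo implode('|', $balls), PHP_EOL;
var_dump(drawIsValid($balls, 3, 36));
```

drawIsValid() is there for a unit test rather than for production: the construction guarantees distinct in-range balls, so the check should never fail, and a failure would point at a broken swap.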
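
The post above moves the draw from a cron job onto every index-page load. Two page loads that arrive after the expiry time can both pass the $end_date < time() test, both draw new balls and both wipe the tickets, so the draw has to be claimed atomically. The following is an added example, not the forum's or the poster's code, that re-checks expiry inside the UPDATE's WHERE clause and uses the affected-row count as the lock. It assumes PDO with an in-memory SQLite stand-in for the two tables (columns modelled on the queries in the thread, rows constructed here) and deletes tickets per lottery instead of TRUNCATE so other lotteries' tickets survive.

```php
<?php
declare(strict_types=1);

/**
 * Re-draw the lottery only if this request is the first to find it expired.
 *
 * The WHERE clause re-tests expiry inside the UPDATE itself, so when two page
 * loads race, exactly one UPDATE matches and the other sees 0 affected rows.
 */
function tryDrawLottery(PDO $db, int $lotteryId, array $newNumbers, int $now, int $runFor = 3600): bool
{
    $db->beginTransaction();
    $stmt = $db->prepare(
        "UPDATE ibf_lottery_lotterys
            SET correct_balls = :balls, start_time = :start, run_for = :run_for, jackpot = '', lastticket = ''
          WHERE i_id = :id AND type = 'exact' AND start_time + run_for < :now"
    );
    $stmt->execute([
        ':balls'   => implode('|', $newNumbers),
        ':start'   => $now,
        ':run_for' => $runFor,
        ':id'      => $lotteryId,
        ':now'     => $now,
    ]);
    if ($stmt->rowCount() !== 1) {
        $db->rollBack();
        return false;   // not expired yet, or another request already drew it
    }
    // Only the request that won the UPDATE clears this lottery's tickets
    $del = $db->prepare("DELETE FROM ibf_lottery_tickets WHERE lotteryid = :id");
    $del->execute([':id' => $lotteryId]);
    $db->commit();
    return true;
}

// Constructed in-memory stand-in for the forum's tables
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ibf_lottery_lotterys (i_id INTEGER PRIMARY KEY, type TEXT, correct_balls TEXT,
           start_time INTEGER, run_for INTEGER, jackpot TEXT, lastticket TEXT)");
$db->exec("CREATE TABLE ibf_lottery_tickets (id INTEGER PRIMARY KEY, lotteryid INTEGER, memberid INTEGER, numbers TEXT)");
$db->exec("INSERT INTO ibf_lottery_lotterys VALUES (1, 'exact', '2|5|1', 0, 3600, '500', '')");
$db->exec("INSERT INTO ibf_lottery_tickets VALUES (1, 1, 7, '2|5|1'), (2, 1, 8, '3|4|5')");

$now = 10000;   // well past start_time + run_for, so the lottery is expired
$first  = tryDrawLottery($db, 1, [9, 18, 27], $now);   // the request that wins the race
$second = tryDrawLottery($db, 1, [3, 6, 9], $now);     // a racing request: row is no longer expired
$ticketsLeft = (int) $db->query("SELECT COUNT(*) FROM ibf_lottery_tickets WHERE lotteryid = 1")->fetchColumn();
var_dump($first, $second, $ticketsLeft);
```

The first call returns true and deletes the lottery's two tickets; the second returns false because start_time has already moved forward, so the second set of balls is never written. The same pattern works against MySQL, where the UPDATE's row lock makes the compare-and-set safe across connections.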

 

 

 


And, when doing so, sort each pick so they are in numerical order.

 

But that would change the user's input and it may no longer match.

 

If the jackpot was 3|1|2 and they entered 3|1|2, changing the numerical order would make it 1|2|3 and thus not a match.

 

$numbers = "32|22|22,32|22|21";
$numArray2 = array_unique(explode("|", $numbers));
if(count($numArray2)<3)
{
    $std->Error2("You cannot pick 2 numbers with the same ticket");
}else{
    echo "not working ?";
    exit;
}

 

I think array_unique reads the code wrong with the comma....

because that should show the error, since the first array is 32|22|22

 

No idea?

 

I always have problems :(


You're going to have to split them at the comma first. Try this:

$numbers = "32|22|22,32|22|21";

// Split the picks at the comma first, then check each pick's balls on its own
foreach(explode(',', $numbers) as $num_set)
{
    $num_array = array_unique(explode('|', $num_set));

    if (count($num_array) < 3) {   // "$" was missing from $num_array in the post
        $std->Error2("You cannot pick 2 numbers with the same ticket");

        break;
    }
}



Yep, working now.

 

Topic solved.


There are other validations you are not doing, such as whether the entries are numbers, whether they are within the allowed range, etc. This should contain all the validations that you need. You will be left with a final array that contains ALL the picks of the user that are valid. For the error conditions you can completely reject all the picks or just provide an error message that some of the picks were rejected.

$numbers = "19|20|19,1|2|3,3|2|1,4|5|6";

$picksAry = array();
foreach(explode(',', $numbers) as $pick)
{
    //Remove duplicate values in pick
    $pick = array_unique(explode("|", $pick));
    //Remove non-numeric values
    $pick = array_filter($pick, 'ctype_digit');
    //Sort the array (sort() also re-indexes, so $pick[0] and $pick[2] exist again after array_filter)
    sort($pick);
    //Verify if this pick has correct count of unique values
    if(count($pick) != 3)
    {
        //Pick does not contain 3 unique numbers
    }
    //Verify if values in pick are within acceptable range
    else if($pick[0] < 1 || $pick[2] > 56)
    {
        //Pick contain values outside acceptable range
    }
    else
    {
        //Pick is valid add it to result array
        $picksAry[] = $pick;
    }
}
//Check if there are any duplicates between picks
//SORT_REGULAR is needed here: with the default flag array_unique() casts each inner
//array to the string "Array", so every pick would compare as equal
if(count($picksAry) != count(array_unique($picksAry, SORT_REGULAR)))
{
   //There are duplicate picks. Either reject all or continue with array_unique() values
}

$validPicks = array_unique($picksAry, SORT_REGULAR);
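
As an added example that is not code from the thread, here is one parser that brings together the validations discussed from the first reply onward: unique balls within a pick, splitting at the comma before splitting at the pipe, numeric and range checks, and the same pick submitted twice in a different order. It keeps each pick in the order the user typed it, since the exact-order jackpot tier depends on that, and finds "3|5|8" versus "8|3|5" on a sorted copy instead. Two PHP details drive the design: array_unique() compares as strings by default, so '07' and '7' count as different balls (and an inner array becomes the string "Array"), which is why picks are de-duplicated on integers and on a string key; and ctype_digit() rejects empty strings, signs, decimals and whitespace, so a plain (int) cast afterwards is safe. The limits (3 balls, 1..36, at most 10 picks per submission) and the function name are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Parse a "a|b|c,d|e|f" ticket string into validated picks.
 *
 * Returns ['valid' => int[][], 'errors' => string[]]. Valid picks keep the order the
 * user typed; duplicates between picks are found on a sorted copy. The defaults
 * (3 balls, 1..36, 10 picks per submission) are assumed limits.
 */
function parsePicks(string $raw, int $perPick = 3, int $min = 1, int $max = 36, int $maxPicks = 10): array
{
    $valid  = [];
    $errors = [];
    $seen   = [];   // canonical "1|2|3" key => true

    $picks = explode(',', $raw);
    if (count($picks) > $maxPicks) {
        return ['valid' => [], 'errors' => ['too many picks: ' . count($picks) . " (max $maxPicks)"]];
    }

    foreach ($picks as $i => $pickStr) {
        $label = 'pick ' . ($i + 1);
        $parts = explode('|', $pickStr);
        if (count($parts) !== $perPick) {
            $errors[] = "$label: expected $perPick numbers, got " . count($parts);
            continue;
        }

        $nums = [];
        foreach ($parts as $p) {
            // ctype_digit() is false for '', '-1', '1.5', ' 7' and '1e3'.
            // Cast afterwards so '07' and '7' are the same ball.
            if (!ctype_digit($p)) {
                // $p is user input: escape it before echoing into an HTML page
                $errors[] = "$label: '$p' is not a whole number";
                continue 2;
            }
            $n = (int) $p;
            if ($n < $min || $n > $max) {
                $errors[] = "$label: $n is outside $min..$max";
                continue 2;
            }
            $nums[] = $n;
        }

        // Repeated ball check on the integers, not on the raw strings
        if (count(array_unique($nums)) !== $perPick) {
            $errors[] = "$label: a number is repeated";
            continue;
        }

        // Order-independent key catches "3|5|8" submitted again as "8|3|5"
        $canonical = $nums;
        sort($canonical);
        $key = implode('|', $canonical);
        if (isset($seen[$key])) {
            $errors[] = "$label: duplicates an earlier pick";
            continue;
        }
        $seen[$key] = true;
        $valid[] = $nums;   // original order, for the exact-order jackpot tier
    }

    return ['valid' => $valid, 'errors' => $errors];
}

// Constructed input: two good picks plus one example of each rejection
$result = parsePicks("19|20|19,1|2|3,3|2|1,07|7|8,4|5|6,0|5|99,abc|1|2");
foreach ($result['valid'] as $pick) {
    echo 'valid: ', implode('|', $pick), PHP_EOL;
}
foreach ($result['errors'] as $error) {
    echo 'rejected: ', $error, PHP_EOL;
}
```

With that input only "1|2|3" and "4|5|6" survive: the first pick repeats 19, "3|2|1" is the second pick in another order, "07|7|8" is a repeated 7 hidden by a leading zero, 0 is below the range, 99 is above it and "abc" is not a number. Whether one bad pick rejects the whole submission or only itself is a policy choice; the function returns both lists so either can be applied.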


Wow, wonderful Psycho, I added that to it for even more security (sick of tamper data noobs).

 

This lottery system is actually turning out greater than expected. I am learning so much in so little time, it's crazy. Thank you.

 

I will be adding more validations with that code also if I ever want to change the way the lottery works, this is Great!

