Is this script buggy?


imhere2009

Hi

Thank you. Here is the code I have that needs the once-over; please bear with me, I'm still learning PHP.

[code=php:0]<?
include("html.php");

$res = mysql_fetch_array(mysql_query("SELECT res FROM $tab[pimp] WHERE id='$id';"));

if((maxlength($reserves) != bad) && ($reserves > 0) && (!preg_match ('[0-9]', $reserves)) && (!strstr($reserves,"+")) && (!strstr($reserves,"*")) && (!strstr($reserves,"-")) && (!strstr($reserves,".")) && ($reserves <= $res[0]))
{
mysql_query("UPDATE $tab[pimp] SET trn=trn+$reserves, res=res-$reserves WHERE id='$id';");
}

$pmp = mysql_fetch_array(mysql_query("SELECT pimp,rank,nrank,city,networth,money,trn,res,condom,medicine,crack,weed,glock,shotgun,uzi,ak47,whore,thug,whappy,thappy,payout,crew,msg,atk,ivt,lowrider,attin,attackout,lastattackby,lastattack,cmsg,hummer,bike FROM $tab[pimp] WHERE id='$id';"));
$crw = mysql_fetch_array(mysql_query("SELECT name,founder,icon FROM $tab[crew] WHERE id='$pmp[21]';"));
$cty = mysql_fetch_array(mysql_query("SELECT name FROM $tab[city] WHERE id='$pmp[3]';"));

// turn info
$turnupdate = mysql_fetch_array(mysql_query("SELECT lastran FROM $tab[cron] WHERE cronjob='turns';"));
$game = mysql_fetch_array(mysql_query("SELECT speed,maxbuild,prize,other,startjackpot FROM $tab[game] WHERE round='$tru';"));
$tw=$pmp[12]+$pmp[13]+$pmp[14]+$pmp[15];
$figure=$time - $pmp[28];
$count=round($figure / (60*60*24));
$tillmax=number_format(((($game[1] - $pmp[6])/($game[0] * 6))*60)*60,0);
$tillmax = strtotime("+".str_replace(' ','',str_replace(',','',$tillmax))." seconds", $turnupdate[0]);
$supstatus = mysql_fetch_array(mysql_query("SELECT status,statusexpire FROM $tab[user] WHERE id='$id1';"));

GAMEHEADER("Main Menu");
?>
<table width="100%" align="center" cellspacing="0" cellpadding="12" border="0">
<tr>
  <td align="center" valign="top">
  <table width="100%">
  <tr>
    <td valign="top"><table cellspacing="0" cellpadding="0"><tr><?if($crw[2]){?><td height="32" valign="bottom"><a href="crew.php?cid=<?=$pmp[21]?>&tru=<?=$tru?>"><img src="<?=$crw[2]?>" border="0" width="32" height="32"></a>&nbsp;</td><?}?><td><font color="white">  <?
  $days = ($supstatus[1]-$time);
  $daysleft = round($days/86400);
  if($supstatus[0] == admin || $supstatus[0] == supporter AND $supstatus[1] != 0){?>
  <b>You are a supporter for <?=$daysleft?> more days.</b>
  <?} elseif($supstatus[1] == 0) {?>
  <b>You are a supporter for unlimited time.</b>
  <?}?>
  </font><br>
  <font color="white">Currently ranked</font> <?=$pmp[1]?> <font color="white">in <?=$cty[0]?>,</font> <?=$pmp[2]?> <font color="white">National<br>Currently worth</font> $<?=commas($pmp[4])?> <?if($pmp[21] > 0){?><br><?if($pmp[0] == $crw[1]){?>founder of<?}else{?>member of<?}?> <a href="crew.php?cid=<?=$pmp[21]?>&tru=<?=$tru?>"><?=$crw[0]?></a>.<?}?></small></td></tr></table></td>
  <td align="right" valign="top"><a href="mailbox.php?tru=<?=$tru?>">Open Mailbox</a><br>
    <?if($pmp[22] == 1){?><font color="#66CCFF">you have 1 new message</font><?}elseif($pmp[22] > 1){?><font color="#66CCFF">you have <?=$pmp[22]?> new messages</font><?}else{?>you have no new messages<?}?><?if($pmp[23] == 1){?><br><font color="#white">you have been attacked!</font><?}elseif($pmp[23] > 1){?><br><font color="#white">you have been attacked <?=$pmp[23]?> times!</font><?}?><?if($pmp[24] == 1){?><br><font color="#0066CC">you have a invitation!</font><?}elseif($pmp[24] > 1){?><br><font color="#0066CC">you have <?=$pmp[24]?> new invitations!</font><?}elseif($pmp[30] > 0){?><br><a href="cboard.php?cid=<?=$pmp[21]?>&tru=<?=$tru?>"><?=$pmp[30]?> new crew message</a><?}?></td>
  </tr>
  </table>
  <?if($bigman){?><font color="#white" size="3"><?=$bigman?></font><br><?}?>
  <br><font size="+1">&nbsp;
  </font>
  <br><font size="+1"><font color="White"><?=commas($pmp[6])?> turns</font> and <font color="White">$<?=commas($pmp[5])?> cash</font> on hand.</font>

  <?if($pmp[6] < $game[1]){?><br>Max turns in <?=countup($tillmax);?> <? } else { ?><br>You have reached the maximum turns for this round <?}?>
  <?if($takeout == reserves){?><br><form method="post" action="index.php?tru=<?=$tru?>">how many turns would you like to add? &nbsp;<input maxlength="7" type="text" class="text" size="7" name="reserves">&nbsp;<input maxlength="7" type="submit" class="button" value="apply"></form><?}else{?>
  <?if($pmp[7] != 0){?><br><a href="?takeout=reserves&tru=<?=$tru?>"><font color="#FFFFFF">you also have</font> <?=commas($pmp[7])?> <font color="#FFFFFF">reserve turns</font></a></small><?}?>
  <?}?>
  <br>
  <br>
  <table>
  <tr>
    <td>
  <table>
  <tr><td align="right"><b>Weapons:</b></td><td>&nbsp;</td></tr>
  <tr><td align="right"><font color="white">Glocks:</font></td><td><?=commas($pmp[12])?></td></tr>
  <tr><td align="right"><font color="white">Shotguns:</font></td><td><?=commas($pmp[13])?></td></tr>
  <tr><td align="right"><font color="white">Uzi's:</font></td><td><?=commas($pmp[14])?></td></tr>
  <tr><td align="right"><font color="white">AK-47's:</font></td><td><?=commas($pmp[15])?></td></tr>
  <tr><td align="right"><b>Accessories</b></td><td>&nbsp;</td></tr>
  <tr><td align="right"><font color="white">Condoms:</font></td><td><?=commas($pmp[8])?></td></tr>
  <tr><td align="right"><font color="white">Meds:</font></td><td><?=commas($pmp[9])?></td></tr>
  <tr><td align="right"><font color="white">Crack:</font></td><td><?=commas($pmp[10])?></td></tr>
  <tr><td align="right"><font color="white">Weed:</font></td><td><?=commas($pmp[11])?></td></tr>
  <?if($pmp[25] > 0){?><tr><td align="right"><b>Rides:</b></td><td>&nbsp;</td></tr><tr><td align="right"><font color="white">Lowriders:</font></td><td><?=commas($pmp[25])?></td></tr><?}?>
  <?if($pmp[31] > 0){?><tr><td align="right"><font color="white">Hummers:</font></td><td><?=commas($pmp[31])?></td></tr><?}?>
  <?if($pmp[32] > 0){?><tr><td align="right"><font color="white">Bikes:</font></td><td><?=commas($pmp[32])?></td></tr><?}?>
  </table>
    </td>
    <td width="50"></td>
    <td>
    <table>
    <tr>
      <td>
      <nobr>
      <?=commas($pmp[17])?> Thugs
      <br><font color="White"><?=$pmp[19]?>%</font> <font color="white">Happy, with
      <br><?=commas($tw)?> weapons total
      </nobr>
      </td>
    </tr>
    </table>
    <br>
    <table>
    <form method="post" action="set.php?tru=<?=$tru?>">
    <tr>
      <td>
      <nobr>
      <?=commas($pmp[16])?> Hoes
      <br><font color="white"><?=$pmp[18]?>%</font> <font color="white">Happy, at
      <br><input maxlength="7" type="text" class="text" name="pay" size="3" value="<?=$pmp[20]?>">% payout. <input maxlength="7" type="submit" class="button" name="setpay" value="Set">
      </nobr>
      </td>
    </tr>
    </form>
    </table>
    </td>
  </tr>
  </table>
  <br><font color="white">Attacks in:</font> <?=$pmp[26]?> &nbsp;<font color="white">Attacks Out:</font> <?=$pmp[27]?>
  <br>
  <?if($pmp[6] < $game[1]){?>
  <br><?if($turnupdate[0]){?>You will receive <font color="white"><?=$game[0]?></font> <font color="white">turns</font> in: <?=countup($turnupdate[0]+600)?>
  <br><small>You can hold up to <font color="white"><?=commas($game[1])?></font> <font color="white">turns</font>.<?}else{?><i><b>Turns will start processing in less then 10 minutes...</b></i><?}?>
  <? } else { ?>
  <br>You have reached the maximum turns for this round
  <?}?>
  </td>
</tr>
</table>
<?
GAMEFOOTER();
?>[/code]
[quote]i just need to see if its secure[/quote]

That is an extremely objective question.

I can tell you the code is poorly formatted and will be difficult to debug. You also appear to be using variables that I don't see being declared anywhere.

This very first line.....

[code=php:0]$res = mysql_fetch_array(mysql_query("SELECT res FROM $tab[pimp] WHERE id='$id';"));[/code]

Where is $id being declared? Also, before using any variable within an SQL query you should sanitize it, at the very least with [url=http://php.net/mysql_real_escape_string]mysql_real_escape_string[/url]. And please.... nesting functions like that makes your code VERY difficult to debug and prone to errors. You should always check your query actually succeeds before trying to use the result with mysql_fetch_array.
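To make the reply's advice concrete, here is an added example (my code, not the poster's) that rewrites the "move reserve turns" block from the script above: the input is checked as a positive whole number instead of the chain of strstr() tests, the player id comes from the session rather than an undeclared global, the read-then-update is collapsed into one statement, and the query result is checked before it is used. Where the reply suggests mysql_real_escape_string, this uses PDO prepared statements, which replaced the mysql_* extension; the PDO connection in $db, the table name `pimp` and the session key `id` are assumptions.

```php
<?php
// Added example (not the poster's code): a safer version of the "move reserve
// turns" block from the script above. Assumes a PDO connection in $db, the
// table name `pimp`, and the player id in $_SESSION['id'] (the original used
// an undeclared $id).

// Accept only a positive whole number as a string and return it as an int,
// or null otherwise. This replaces the original chain of strstr() checks
// (whose preg_match('[0-9]', ...) also lacks pattern delimiters).
function parseReserveAmount($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;               // rejects "", "-5", "1.5", "3+4", "abc"
    }
    $n = (int) $raw;
    return ($n > 0 && $n <= 9999999) ? $n : null;  // form field has maxlength="7"
}

// Move $amount reserve turns into active turns for $playerId. Returns true
// only if a row changed. The WHERE clause re-checks res >= amount inside the
// same statement, so two concurrent requests cannot spend the same reserves
// twice (the original read res in one query and updated in another).
function applyReserves(PDO $db, int $playerId, int $amount): bool
{
    $stmt = $db->prepare(
        'UPDATE pimp SET trn = trn + :add, res = res - :sub
         WHERE id = :id AND res >= :min'
    );
    // The same value is bound under three names: PDO with native prepares
    // does not allow one named placeholder to appear more than once.
    $stmt->bindValue(':add', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':sub', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':min', $amount, PDO::PARAM_INT);
    $stmt->bindValue(':id', $playerId, PDO::PARAM_INT);
    if (!$stmt->execute()) {       // the reply's point: check the query succeeded
        throw new RuntimeException('reserve update failed: ' . $stmt->errorInfo()[2]);
    }
    return $stmt->rowCount() === 1;
}

// Only runs when the "apply" form above posted a reserves field.
if (isset($_POST['reserves'], $_SESSION['id'])) {
    $amount = parseReserveAmount($_POST['reserves']);
    if ($amount === null) {
        echo 'Enter a positive whole number of turns.';
    } elseif (!applyReserves($db, (int) $_SESSION['id'], $amount)) {
        echo 'Not enough reserve turns.';
    }
}
```

With the amount bound as an integer and the id taken from the session, the string that reaches MySQL no longer contains any request-supplied text, which is what removes the injection the reply is pointing at.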
