Topic: [MCCode] Secured Crystal Market (Read 6089 times)

Cronus · « **on:** June 12, 2009, 06:42:22 AM »

I found this secured crystal market just lying around so I thought I would share.
This is for use with Version 2, however, it can easily be converted to Version 1.

Like I said I just found it, didn't test, just did a quick browse over the code.
If there are any errors, report them and I will correct it.

The file is attached in .php form.
You will need to be registered and logged in to access it.

Agon · « **Reply #1 on:** October 29, 2009, 10:21:42 AM »

Would you be willing to provide the SQL for this?

Thanks

Cronus · « **Reply #2 on:** October 29, 2009, 10:24:31 AM »

The sql should be the default sql that comes with mccode v2.

Diesel · « **Reply #3 on:** December 05, 2009, 05:14:05 AM »

Nah ... this is still SQL Injectable through the 'buy' function. I'm not sure how to fix it though.

JoshuaDams · « **Reply #4 on:** December 08, 2009, 11:10:03 AM »

Give me a second and I'll look at it, the best Cmarket so far was done by MTG , it's the one I use and exploit proof.
But i cant post links to it or they get mad at me >,<

JoshuaDams · « **Reply #5 on:** December 08, 2009, 11:26:53 AM »

Not as good as MTGS but you cant exploit the SQL hack now

Code: [Select]

<?php
include(DIRNAME(__FILE__) . '/globals.php');
$_GET['ID'] = isset($_GET['ID']) && is_numeric($_GET['ID']) ? abs(@intval($_GET['ID'])) : false;
print "<h3>Crystal Market</h3>";
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : "";
switch($_GET['action'])
{
case "buy":
crystal_buy();
break;

case "remove":
crystal_remove();
break;

case "add":
crystal_add();
break;

default:
cmarket_index();
break;
}
function cmarket_index()
{
global $db,$ir,$c,$userid,$h;
print "<a href='cmarket.php?action=add'>&gt; Add A Listing</a><br /><br />
Viewing all listings...
<table width=75% cellspacing=1 class='table'> <tr style='background:gray'> <th>Adder</th> <th>Qty</th> <th>Price each</th> <th>Price total</th> <th>Links</th> </tr>";
$q=$db->query("SELECT cm.*, u.* FROM crystalmarket cm LEFT JOIN users u ON u.userid=cm.cmADDER ORDER BY cmPRICE/cmQTY ASC");
while($r=$db->fetch_row($q))
{
if($r['cmADDER'] == $userid) { $link = "<a href='cmarket.php?action=remove&ID={$r['cmID']}'>Remove</a>"; } else { $link = "<a href='cmarket.php?action=buy&ID={$r['cmID']}'>Buy</a>"; }
$each= (int) $r['cmPRICE'] / $r['cmQTY'];
print "\n<tr> <td><a href='viewuser.php?u={$r['userid']}'>{$r['username']}</a> [{$r['userid']}]</td> <td>{$r['cmQTY']}</td> <td> \$" . number_format($each)."</td> <td>\$".number_format($r['cmPRICE'])."</td> <td>[$link]</td> </tr>";
}
print "</table>";
}
function crystal_remove()
{
global $db,$ir,$c,$userid,$h;
$q=$db->query("SELECT * FROM crystalmarket WHERE cmID='{$_GET['ID']}' AND cmADDER=$userid");
if(!$db->num_rows($q))
{
print "Error, either these crystals do not exist, or you are not the owner.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$r=$db->fetch_row($q);
$db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid");
$db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'");
print "Crystals removed from market!<br />
<a href='cmarket.php'>&gt; Back</a>";
}
function crystal_buy()
{
global $db,$ir,$c,$userid,$h;

$q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID='{$_GET['ID']}'");
if(!$db->num_rows($q))
{
print "Error, either these crystals do not exist, or they have already been bought.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$r=$db->fetch_row($q);
if($r['cmPRICE'] > $ir['money'])
{
print "Error, you do not have the funds to buy these crystals.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid");
$db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'");
$db->query("UPDATE users SET money=money-{$r['cmPRICE']} where userid=$userid");
$db->query("UPDATE users SET money=money+{$r['cmPRICE']} where userid={$r['cmADDER']}");
event_add($r['cmADDER'],"<a href='viewuser.php?u=$userid'>{$ir['username']}</a> bought your {$r['cmQTY']} crystals from the market for \$".number_format($r['cmPRICE']).".",$c);
print "You bought the {$r['cmQTY']} crystals from the market for \$".number_format($r['cmPRICE']).".";

}
function crystal_add()
{
global $db,$ir,$c,$userid,$h;
$_POST['amnt'] = abs(@intval($_POST['amnt']));
$_POST['price'] = abs(@intval($_POST['price']));

if(!$_POST['amnt'])
{
print "You did not enter a valid amount";
$h->endpage();
exit;
}
if($_POST['amnt'])
{
if($_POST['amnt'] > $ir['crystals'])
{
die ("You are trying to add more crystals to the market than you have.");
}
$tp=$_POST['amnt']*$_POST['price'];
$db->query("INSERT INTO crystalmarket VALUES('',{$_POST['amnt']},$userid,$tp)");
$db->query("UPDATE users SET crystals=crystals-{$_POST['amnt']} WHERE userid=abs(@intval($userid))");
print "Crystals added to market!<br />
<a href='cmarket.php'>&gt; Back</a>";
}
else
{
print "<b>Adding a listing...</b><br /><br />
You have <b>{$ir['crystals']}</b> crystal(s) that you can add to the market.<form action='cmarket.php?action=add' method='post'><table width=50% border=2><tr>
<td>Crystals:</td> <td><input type='text' name='amnt' value='{$ir['crystals']}' /></td></tr><tr>
<td>Price Each:</td> <td><input type='text' name='price' value='200' /></td></tr><tr>
<td colspan=2 align=center><input type='submit' value='Add To Market' /></tr></table></form>";
}
}
$h->endpage();
?>

Jordan · « **Reply #6 on:** February 24, 2010, 03:28:37 AM »

While Immortals is ''securer'' I would have to say you'll need to filter the username, If you don't filter it in preferences

Prostate · « **Reply #7 on:** May 07, 2010, 02:29:43 PM »

Can some one please convert to lite

getty · « **Reply #8 on:** November 20, 2010, 08:32:43 PM »

Quote from: Maketextgames.com on December 08, 2009, 11:26:53 AM

Not as good as MTGS but you cant exploit the SQL hack now

Code: [Select]
<?php include(DIRNAME(__FILE__) . '/globals.php'); $_GET['ID'] = isset($_GET['ID']) && is_numeric($_GET['ID']) ? abs(@intval($_GET['ID'])) : false; print "<h3>Crystal Market</h3>"; $_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : ""; switch($_GET['action']) { case "buy": crystal_buy(); break; case "remove": crystal_remove(); break; case "add": crystal_add(); break; default: cmarket_index(); break; } function cmarket_index() { global $db,$ir,$c,$userid,$h; print "<a href='cmarket.php?action=add'>> Add A Listing</a><br /><br /> Viewing all listings... <table width=75% cellspacing=1 class='table'> <tr style='background:gray'> <th>Adder</th> <th>Qty</th> <th>Price each</th> <th>Price total</th> <th>Links</th> </tr>"; $q=$db->query("SELECT cm.*, u.* FROM crystalmarket cm LEFT JOIN users u ON u.userid=cm.cmADDER ORDER BY cmPRICE/cmQTY ASC"); while($r=$db->fetch_row($q)) { if($r['cmADDER'] == $userid) { $link = "<a href='cmarket.php?action=remove&ID={$r['cmID']}'>Remove</a>"; } else { $link = "<a href='cmarket.php?action=buy&ID={$r['cmID']}'>Buy</a>"; } $each= (int) $r['cmPRICE'] / $r['cmQTY']; print "\n<tr> <td><a href='viewuser.php?u={$r['userid']}'>{$r['username']}</a> [{$r['userid']}]</td> <td>{$r['cmQTY']}</td> <td> \$" . number_format($each)."</td> <td>\$".number_format($r['cmPRICE'])."</td> <td>[$link]</td> </tr>"; } print "</table>"; } function crystal_remove() { global $db,$ir,$c,$userid,$h; $q=$db->query("SELECT * FROM crystalmarket WHERE cmID='{$_GET['ID']}' AND cmADDER=$userid"); if(!$db->num_rows($q)) { print "Error, either these crystals do not exist, or you are not the owner.<br /> <a href='cmarket.php'>> Back</a>"; $h->endpage(); exit; } $r=$db->fetch_row($q); $db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid"); $db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'"); print "Crystals removed from market!<br /> <a href='cmarket.php'>> Back</a>"; } function crystal_buy() { global $db,$ir,$c,$userid,$h; $q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID='{$_GET['ID']}'"); if(!$db->num_rows($q)) { print "Error, either these crystals do not exist, or they have already been bought.<br /> <a href='cmarket.php'>> Back</a>"; $h->endpage(); exit; } $r=$db->fetch_row($q); if($r['cmPRICE'] > $ir['money']) { print "Error, you do not have the funds to buy these crystals.<br /> <a href='cmarket.php'>> Back</a>"; $h->endpage(); exit; } $db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid"); $db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'"); $db->query("UPDATE users SET money=money-{$r['cmPRICE']} where userid=$userid"); $db->query("UPDATE users SET money=money+{$r['cmPRICE']} where userid={$r['cmADDER']}"); event_add($r['cmADDER'],"<a href='viewuser.php?u=$userid'>{$ir['username']}</a> bought your {$r['cmQTY']} crystals from the market for \$".number_format($r['cmPRICE']).".",$c); print "You bought the {$r['cmQTY']} crystals from the market for \$".number_format($r['cmPRICE'])."."; } function crystal_add() { global $db,$ir,$c,$userid,$h; $_POST['amnt'] = abs(@intval($_POST['amnt'])); $_POST['price'] = abs(@intval($_POST['price'])); if(!$_POST['amnt']) { print "You did not enter a valid amount"; $h->endpage(); exit; } if($_POST['amnt']) { if($_POST['amnt'] > $ir['crystals']) { die ("You are trying to add more crystals to the market than you have."); } $tp=$_POST['amnt']*$_POST['price']; $db->query("INSERT INTO crystalmarket VALUES('',{$_POST['amnt']},$userid,$tp)"); $db->query("UPDATE users SET crystals=crystals-{$_POST['amnt']} WHERE userid=abs(@intval($userid))"); print "Crystals added to market!<br /> <a href='cmarket.php'>> Back</a>"; } else { print "<b>Adding a listing...</b><br /><br /> You have <b>{$ir['crystals']}</b> crystal(s) that you can add to the market.<form action='cmarket.php?action=add' method='post'><table width=50% border=2><tr> <td>Crystals:</td> <td><input type='text' name='amnt' value='{$ir['crystals']}' /></td></tr><tr> <td>Price Each:</td> <td><input type='text' name='price' value='200' /></td></tr><tr> <td colspan=2 align=center><input type='submit' value='Add To Market' /></tr></table></form>"; } } $h->endpage(); ?>

This doesnt work for me when i click add a listing i get this message

You did not enter a valid amount

MonoD · « **Reply #9 on:** July 07, 2011, 06:48:05 AM »

Nice one, Looking over the Mccodes version 2 codes, I Noticed that the crystal market was so poorly coded.

But this one is a much safer option!

Peterisgb · « **Reply #10 on:** November 24, 2011, 07:10:03 AM »

Quote

This doesnt work for me when i click add a listing i get this message

You did not enter a valid amount

Code: [Select]

<?php
include(DIRNAME(__FILE__) . '/globals.php');
$_GET['ID'] = isset($_GET['ID']) && is_numeric($_GET['ID']) ? abs(@intval($_GET['ID'])) : false;
print "<h3>Gold Market</h3>";
$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : "";
switch($_GET['action'])
{
case "buy":
crystal_buy();
break;

case "remove":
crystal_remove();
break;

case "add":
crystal_add();
break;

default:
cmarket_index();
break;
}
function cmarket_index()
{
global $db,$ir,$c,$userid,$h;
print "<a href='cmarket.php?action=add'>&gt; Add A Listing</a><br /><br />
Viewing all listings...
<table width=75% cellspacing=1 class='table'> <tr style='background:gray'> <th>Adder</th> <th>Qty</th> <th>Price each</th> <th>Price total</th> <th>Links</th> </tr>";
$q=$db->query("SELECT cm.*, u.* FROM crystalmarket cm LEFT JOIN users u ON u.userid=cm.cmADDER ORDER BY cmPRICE/cmQTY ASC");
while($r=$db->fetch_row($q))
{
if($r['cmADDER'] == $userid) { $link = "<a href='cmarket.php?action=remove&ID={$r['cmID']}'>Remove</a>"; } else { $link = "<a href='cmarket.php?action=buy&ID={$r['cmID']}'>Buy</a>"; }
$each= (int) $r['cmPRICE'] / $r['cmQTY'];
print "\n<tr> <td><a href='viewuser.php?u={$r['userid']}'>{$r['username']}</a> [{$r['userid']}]</td> <td>{$r['cmQTY']}</td> <td> \$" . number_format($each)."</td> <td>\$".number_format($r['cmPRICE'])."</td> <td>[$link]</td> </tr>";
}
print "</table>";
}
function crystal_remove()
{
global $db,$ir,$c,$userid,$h;
$q=$db->query("SELECT * FROM crystalmarket WHERE cmID='{$_GET['ID']}' AND cmADDER=$userid");
if(!$db->num_rows($q))
{
print "Error, either these gold coins do not exist, or you are not the owner.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$r=$db->fetch_row($q);
$db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid");
$db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'");
print "Gold Coins removed from market!<br />
<a href='cmarket.php'>&gt; Back</a>";
}
function crystal_buy()
{
global $db,$ir,$c,$userid,$h;

$q=$db->query("SELECT * FROM crystalmarket cm WHERE cmID='{$_GET['ID']}'");
if(!$db->num_rows($q))
{
print "Error, either these Gold coins do not exist, or they have already been bought.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$r=$db->fetch_row($q);
if($r['cmPRICE'] > $ir['money'])
{
print "Error, you do not have the funds to buy these Gold coins.<br />
<a href='cmarket.php'>&gt; Back</a>";
$h->endpage();
exit;
}
$db->query("UPDATE users SET crystals=crystals+{$r['cmQTY']} where userid=$userid");
$db->query("DELETE FROM crystalmarket WHERE cmID='{$_GET['ID']}'");
$db->query("UPDATE users SET money=money-{$r['cmPRICE']} where userid=$userid");
$db->query("UPDATE users SET money=money+{$r['cmPRICE']} where userid={$r['cmADDER']}");
event_add($r['cmADDER'],"<a href='viewuser.php?u=$userid'>{$ir['username']}</a> bought your {$r['cmQTY']} Gold coins from the market for \$".number_format($r['cmPRICE']).".",$c);
print "You bought the {$r['cmQTY']} Gold coins from the market for \$".number_format($r['cmPRICE']).".";

}
function crystal_add()
{
global $db,$ir,$c,$userid,$h;
$_POST['amnt'] = abs(@intval($_POST['amnt']));
$_POST['price'] = abs(@intval($_POST['price']));

if(!$_POST['amnt'] =='' )
{
print "You did not enter a valid amount";
$h->endpage();
exit;
}
if($_POST['amnt'])
{
if($_POST['amnt'] > $ir['crystals'])
{
die ("You are trying to add more Gold coins to the market than you have.");
}
$tp=$_POST['amnt']*$_POST['price'];
$db->query("INSERT INTO crystalmarket VALUES('',{$_POST['amnt']},$userid,$tp)");
$db->query("UPDATE users SET crystals=crystals-{$_POST['amnt']} WHERE userid=abs(@intval($userid))");
print "Gold coins added to market!<br />
<a href='cmarket.php'>&gt; Back</a>";
}
else
{
print "<b>Adding a listing...</b><br /><br />
You have <b>{$ir['crystals']}</b> Gold Coin(s) that you can add to the market.<form action='cmarket.php?action=add' method='post'><table width=50% border=2><tr>
<td>Gold Coins:</td> <td><input type='text' name='amnt' value='{$ir['crystals']}' /></td></tr><tr>
<td>Price Each:</td> <td><input type='text' name='price' value='200' /></td></tr><tr>
<td colspan=2 align=center><input type='submit' value='Add To Market' /></tr></table></form>";
}
}
$h->endpage();
?>

Here you go buddy, Fixed for you.

Cronwerks MCCode/MCCodes Forums

News:

AuthorTopic: [MCCode] Secured Crystal Market (Read 6089 times)

Cronus

[MCCode] Secured Crystal Market

Agon

Re: [MCCode] Secured Crystal Market

Cronus

Re: [MCCode] Secured Crystal Market

Diesel

Re: [MCCode] Secured Crystal Market

JoshuaDams

Re: [MCCode] Secured Crystal Market

JoshuaDams

Re: [MCCode] Secured Crystal Market

Jordan

Re: [MCCode] Secured Crystal Market

Prostate

Re: [MCCode] Secured Crystal Market

getty

Re: [MCCode] Secured Crystal Market

MonoD

Re: [MCCode] Secured Crystal Market

Peterisgb

Re: [MCCode] Secured Crystal Market