PDA

View Full Version : Resolved [Help]please help me.



hystrix
08-20-2009, 03:25 AM
Hi,

can anyone help me how to secure this php from tampering data.

hope anyone can teach me what code should i add to prevent changing the $price and the $ProductNum of the item.


<?PHP
$account_id = stripslashes($_SESSION['user']);
$account_id = clean_var($account_id);
if($account_id == NULL){ quickrefresh('index.php'); Die ("<img src=\"images/warning.gif\" alt=\"Access Denied\"> Access Denied! Login Please!</div></table></div></table></table>"); }

$error=1;
function getD ($int) {
if ($int == 1) { $char = "1 Hour"; }
if ($int == 2) { $char = "2 Hour"; }
if ($int == 3) { $char = "5 Hour"; }
if ($int == 4) { $char = "10 Hour"; }
if ($int == 5) { $char = "1 Day"; }
if ($int == 6) { $char = "3 Days"; }
if ($int == 7) { $char = "5 Days"; }
if ($int == 8) { $char = "7 Days"; }
if ($int == 9) { $char = "10 Days"; }
if ($int == 10) { $char = "15 Days"; }
if ($int == 11) { $char = "30 Days"; }
if ($int == 12) { $char = "60 Days"; }
if ($int == 13) { $char = "90 Days"; }
if ($int == 14) { $char = "100 Days"; }
if ($int == 15) { $char = "120 Days"; }
if ($int == 16) { $char = "345 Days"; }
if ($int == 31) { $char = "Permanent"; }
return $char;
}
if($_POST['lostpassword']=='Buy') {

$error = 2;
$account_id = stripslashes($_SESSION['user']);
$ItemNum = $_POST['ItemNum'];
$ItemId = $_POST['ItemID'];
$ItemOpt = $_POST['ItemOpt'];
$Duration = $_POST['Duration'];
$Price = $_POST['Price'];
$PurPrice = ($PurPrice);
$PurPrice = $_POST['PurPrice'];
$ItemStock = $_POST['ItemStock'];

$result = mssql_query ("SELECT Username, UserPoint, UserNum FROM Ranuser.dbo.Userinfo Where Username = '$account_id'");
$rows=mssql_num_rows($result);

if($rows>0) {
$rows=mssql_fetch_assoc($result);
extract($rows);

$UserPoint = ($UserPoint);
$ID = ($Username);
$Usernum = ($UserNum);

if($UserPoint<$Price) {
echo "<font color=red size=2><center>Sorry not enough CR-Points to Avail this Item.<p>";
$error = 1; delayedrefresh('webshop.php');
}
if($Price <= 0) {
echo "<font color=red size=2><center>Item Hack Detected **** You...<p>";
$error = 1; delayedrefresh('http://tinyurl.com/2la2fy');
}
$result1=mssql_query("SELECT ItemStock FROM Ranshop.dbo.ShopItemMap Where ProductNum = '$ItemNum'");
$rows1=mssql_num_rows($result1);
if ($rows1>0) {
$rows1=mssql_fetch_assoc($result1);
extract($rows1);

$ItemStock = ($ItemStock);
$ItemMoney = ($ItemMoney);
$PurPrice = $_POST['PurPrice'];
$ItemMoney = $_POST['ItemMoney'];

if($ItemStock<=0) {
echo "<font size=2 color=red><center><strong>Sorry out of Stock!</strong></font><p>";
$error = 1; delayedrefresh('webshop.php');
}





} else {
echo "Account does not exist!<p>";
$error = 1;
}
}
}
if($error==1) {

}
if($error==2) {
$account_id = stripslashes($_SESSION['user']);
$ItemName = $_POST['ItemName'];
$ItemNum = $_POST['ItemNum'];
$ItemId = $_POST['ItemMain'];
$ItemOpt = $_POST['ItemSub'];
$Duration = $_POST['Duration'];
$Price = $_POST['Price'];
$ItemStock = $_POST['ItemStock'];
$ItemImage = $_POST['ItemImage'];
$Usernum = ($UserNum);
$UserPoint = ($UserPoint);
$Point = ($UserPoint);
$ProductNum = $_POST['ProductNum'];
$PurPrice = $_POST['PurPrice'];
$UserUID = $_POST['UserUID'];
$PurFlag=$_POST['PurFlag'];


$pur = mt_rand(10000000,99999999);
mssql_query ("UPDATE Ranuser.dbo.Userinfo SET UserPoint = UserPoint - '$Price' WHERE Username = '$account_id'");
mssql_query ("UPDATE RanShop.dbo.ShopItemMap SET ItemStock = ItemStock - 1 WHERE ProductNum = '$ItemNum' ");
mssql_query("INSERT INTO RanShop.dbo.ShopPurchase (UserUID, ProductNum, PurPrice,Purkey)
VALUES('$account_id','$ItemNum','$Price','$pur')");


mssql_query ("INSERT INTO Ranuser.dbo.Donation (Name,Date, Item, Quantity, Duration, Usernum)
VALUES('$ItemName',getdate(),'$ItemImage',1,'$Duration','$Usernum')");
$result = mssql_query ("SELECT Username, UserPoint, UserNum FROM Ranuser.dbo.Userinfo Where Username = '$account_id'");
$rows=mssql_num_rows($result);

if($rows>0) {
$rows=mssql_fetch_assoc($result);
extract($rows);
$ProductNum = ($ProductNum);
$UserPoint = ($UserPoint);
}
echo "<font size=3 color=green><center>Item Bought Succesfully</font><br><br><font size=2 color=black>Your Account have:</font> <font color=red size=2><b>$UserPoint</font></b><font size=2 color=black> CR-Points Left</font>";
delayedrefresh('webshop.php');
}
?>

hoping someone will help me..

JShor
08-20-2009, 01:23 PM
You can't protect data from getting changed, but you can encrypt it so it cannot be seen.

See:
http://br2.php.net/md5

hystrix
08-27-2009, 12:29 PM
@JShor

thank you sir..

@mods
please close this thread.. problem solved.

JShor
08-27-2009, 05:29 PM
You can just mark the thread as 'Resolved'.