From 057f713528229b4c591b60a108c31772956aea8a Mon Sep 17 00:00:00 2001 From: Martin Ambrus Date: Wed, 18 Oct 2017 00:33:03 +0200 Subject: [PATCH] fix: a LOT of manual typecastings for DB values that should be INTs --- GameEngine/Account.php | 2 +- GameEngine/Alliance.php | 2 +- GameEngine/Automation.php | 191 +++++----- GameEngine/Battle.php | 32 +- GameEngine/Chat.php | 8 +- GameEngine/Database.php | 751 +++++++++++++++++++------------------- dorf1.php | 2 +- 7 files changed, 495 insertions(+), 493 deletions(-) diff --git a/GameEngine/Account.php b/GameEngine/Account.php index bf7baf19..f265da9f 100755 --- a/GameEngine/Account.php +++ b/GameEngine/Account.php @@ -164,7 +164,7 @@ class Account { private function Unreg() { global $database; - $q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$database->escape($_POST['id'])."'"; + $q = "SELECT * FROM ".TB_PREFIX."activate where id = '".$database->escape((int) $_POST['id'])."'"; $result = mysqli_query($GLOBALS['link'],$q); $dbarray = mysqli_fetch_array($result); if(md5($_POST['pw']) == $dbarray['password']) { diff --git a/GameEngine/Alliance.php b/GameEngine/Alliance.php index 8fb52b4c..ceec4741 100755 --- a/GameEngine/Alliance.php +++ b/GameEngine/Alliance.php @@ -454,7 +454,7 @@ private function updateMax($leader) { global $bid18, $database; - $leader = $database->escape($leader); + $leader = $database->escape((int) $leader); $q = mysqli_query($GLOBALS['link'],"SELECT * FROM " . TB_PREFIX . "alidata where leader = $leader"); if(mysqli_num_rows($q) > 0){ $villages = $database->getVillagesID2($leader); diff --git a/GameEngine/Automation.php b/GameEngine/Automation.php index 0942914e..f788f677 100755 --- a/GameEngine/Automation.php +++ b/GameEngine/Automation.php @@ -101,6 +101,7 @@ class Automation { function recountPop($vid){ global $database; + $vid = (int) $vid; $fdata = $database->getResourceLevel($vid); $popTot = 0; @@ -122,7 +123,8 @@ class Automation { } function recountCP($vid){ - global $database; + global $database; + $vid = (int) $vid; $fdata = $database->getResourceLevel($vid); $popTot = 0; @@ -889,6 +891,7 @@ class Automation { $endtime = $time + round((60 * 60 * 24) / INCREASE_SPEED); // -.- + $vid = (int) $vid; mysqli_query($GLOBALS['link'],'INSERT INTO `' . TB_PREFIX . 'ww_attacks` (`vid`, `attack_time`) VALUES (' . $vid . ', ' . $endtime . ')'); mysqli_query($GLOBALS['link'],'INSERT INTO `' . TB_PREFIX . 'ww_attacks` (`vid`, `attack_time`) VALUES (' . $vid . ', ' . ($endtime + 1) . ')'); @@ -906,7 +909,7 @@ class Automation { while ($row = mysqli_fetch_assoc($query)) { // delete the attack - $query3 = mysqli_query($GLOBALS['link'],'DELETE FROM `' . TB_PREFIX . 'ww_attacks` WHERE `vid` = ' . $row['vid'] . ' AND `attack_time` = ' . $row['attack_time']); + $query3 = mysqli_query($GLOBALS['link'],'DELETE FROM `' . TB_PREFIX . 'ww_attacks` WHERE `vid` = ' . (int) $row['vid'] . ' AND `attack_time` = ' . (int) $row['attack_time']); } } @@ -1833,7 +1836,7 @@ class Automation { } } if ($herosend_att>0){ - $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".$from['owner'].""; + $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".(int) $from['owner'].""; $resulth = mysqli_query($GLOBALS['link'],$qh); $hero_f=mysqli_fetch_array($resulth); $hero_unit=$hero_f['unit']; @@ -1904,7 +1907,7 @@ class Automation { if ($data['ctar2']==0) { - $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = $basearray"); + $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = " . (int) $basearray); $bdo=mysqli_fetch_array($bdo2); $rand=$data['ctar1']; @@ -1966,7 +1969,7 @@ class Automation { if($tbid>=19 && $tbid!=99) { $database->setVillageLevel($data['to'],"f".$tbid."t",'0'); } $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800; @@ -1974,7 +1977,7 @@ class Automation { $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800; @@ -2009,7 +2012,7 @@ class Automation { $info_cata=" damaged from level ".$tblevel." to level ".$totallvl."."; $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800; @@ -2017,7 +2020,7 @@ class Automation { $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800; @@ -2035,7 +2038,7 @@ class Automation { } else { - $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = $basearray"); + $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = ". (int) $basearray); $bdo=mysqli_fetch_array($bdo2); $rand=$data['ctar1']; if ($rand != 0) @@ -2095,7 +2098,7 @@ class Automation { if($tbid>=19 && $tbid!=99) { $database->setVillageLevel($data['to'],"f".$tbid."t",'0'); } $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800*32; @@ -2103,7 +2106,7 @@ class Automation { $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800*32; @@ -2140,7 +2143,7 @@ class Automation { $info_cata=" damaged from level ".$tblevel." to level ".$totallvl."."; $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800; @@ -2148,11 +2151,11 @@ class Automation { $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800; - $q = "UPDATE ".TB_PREFIX."vdata SET `maxcrop`='".$tmaxcrop."' WHERE wref=".$data['to']; + $q = "UPDATE ".TB_PREFIX."vdata SET `maxcrop`='".$tmaxcrop."' WHERE wref=".(int) $data['to']; $database->query($q); } if ($tbgid==18){ @@ -2163,7 +2166,7 @@ class Automation { $info_cat = "".$catp_pic.",".$this->procResType($tbgid,$can_destroy,$isoasis).$info_cata; $database->setVillageLevel($data['to'],"f".$tbid."",$totallvl); } - $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = $basearray"); + $bdo2=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "fdata where vref = " . (int) $basearray); $bdo=mysqli_fetch_array($bdo2); $rand=$data['ctar2']; if ($rand != 99) @@ -2224,19 +2227,19 @@ class Automation { if($tbid>=19 && $tbid!=99) { $database->setVillageLevel($data['to'],"f".$tbid."t",'0'); } $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800; - $q = "UPDATE ".TB_PREFIX."vdata SET `maxstore`='".$tmaxstore."' WHERE wref=".$data['to']; + $q = "UPDATE ".TB_PREFIX."vdata SET `maxstore`='".$tmaxstore."' WHERE wref=".(int) $data['to']; $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800; - $q = "UPDATE ".TB_PREFIX."vdata SET `maxcrop`='".$tmaxcrop."' WHERE wref=".$data['to']; + $q = "UPDATE ".TB_PREFIX."vdata SET `maxcrop`='".$tmaxcrop."' WHERE wref=".(int) $data['to']; $database->query($q); } if ($tbgid==18){ @@ -2268,7 +2271,7 @@ class Automation { $info_cata=" damaged from level ".$tblevel." to level ".$totallvl."."; $buildarray = $GLOBALS["bid".$tbgid]; if ($tbgid==10 || $tbgid==38) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxstore=$t_sql['maxstore']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxstore<800) $tmaxstore=800; @@ -2276,7 +2279,7 @@ class Automation { $database->query($q); } if ($tbgid==11 || $tbgid==39) { - $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".$data['to'].""); + $tsql=mysqli_query($GLOBALS['link'],"select `maxstore`,`maxcrop` from ".TB_PREFIX."vdata where wref=".(int) $data['to']); $t_sql=mysqli_fetch_array($tsql); $tmaxcrop=$t_sql['maxcrop']+$buildarray[$totallvl]['attri']-$buildarray[$tblevel]['attri']; if ($tmaxcrop<800) $tmaxcrop=800; @@ -2853,7 +2856,7 @@ $wallimg = "0){ - $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".$from['owner'].""; + $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".(int) $from['owner'].""; $resulth = mysqli_query($GLOBALS['link'],$qh); $hero_f=mysqli_fetch_array($resulth); $hero_unit=$hero_f['unit']; @@ -3132,7 +3135,7 @@ $wallimg = " 0){ - $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".$from['owner'].""; + $qh = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = ".(int) $from['owner'].""; $resulth = mysqli_query($GLOBALS['link'],$qh); $hero_f=mysqli_fetch_array($resulth); $hero_unit=$hero_f['unit']; @@ -4139,20 +4142,20 @@ $wallimg = "= $hero_levels[$i]){ - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX ."hero SET level = $i WHERE heroid = '".$hdata['heroid']."'"); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX ."hero SET level = $i WHERE heroid = '".(int) $hdata['heroid']."'"); if($i < 99){ - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX ."hero SET points = points + 5 WHERE heroid = '".$hdata['heroid']."'"); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX ."hero SET points = points + 5 WHERE heroid = '".(int) $hdata['heroid']."'"); } } } $villunits = $database->getUnit($hdata['wref']); if($villunits['hero'] == 0 && $hdata['trainingtime'] < time() && $hdata['inrevive'] == 1){ - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".$hdata['wref'].""); - mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."hero SET `dead` = '0', `inrevive` = '0', `health` = '100', `lastupdate` = ".$hdata['trainingtime']." WHERE `uid` = '".$hdata['uid']."'"); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".(int) $hdata['wref'].""); + mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."hero SET `dead` = '0', `inrevive` = '0', `health` = '100', `lastupdate` = ".(int) $hdata['trainingtime']." WHERE `uid` = ".(int) $hdata['uid']); } if($villunits['hero'] == 0 && $hdata['trainingtime'] < time() && $hdata['intraining'] == 1){ - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".$hdata['wref'].""); - mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."hero SET `intraining` = '0', `lastupdate` = ".$hdata['trainingtime']." WHERE `uid` = '".$hdata['uid']."'"); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".(int) $hdata['wref']); + mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."hero SET `intraining` = '0', `lastupdate` = ".(int) $hdata['trainingtime']." WHERE `uid` = ".(int) $hdata['uid']); } } } @@ -4206,7 +4209,7 @@ $wallimg = "dblink)); + mysqli_query($GLOBALS['link'],'UPDATE `' . TB_PREFIX . 'vdata` SET `maxstore` = ' . (int) $ress . ', `maxcrop` = ' . (int) $crop . ' WHERE `wref` = ' . (int) $row['vref']) or die(mysqli_error($database->dblink)); } } @@ -4243,7 +4246,7 @@ $wallimg = "query_return($q); foreach($array as $user) { - $numusers = mysqli_query($GLOBALS['link'],"SELECT * FROM ".TB_PREFIX."users WHERE id = ".$user['invited']); + $numusers = mysqli_query($GLOBALS['link'],"SELECT * FROM ".TB_PREFIX."users WHERE id = ".(int) $user['invited']); if(mysqli_num_rows($numusers) > 0){ $varray = count($database->getProfileVillages($user['id'])); if($varray > 1){ @@ -4263,7 +4266,7 @@ $wallimg = "query_return($q); foreach($array as $general) { if(time() - (86400*8) > $general['time']){ - mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."general SET shown = 0 WHERE id = ".$general['id'].""); + mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."general SET shown = 0 WHERE id = ".(int) $general['id'].""); } } } @@ -4707,8 +4710,8 @@ $wallimg = "query_return($q); foreach($array as $banlist) { - mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."banlist SET active = 0 WHERE id = ".$banlist['id'].""); - mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET access = 2 WHERE id = ".$banlist['uid'].""); + mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."banlist SET active = 0 WHERE id = ".(int) $banlist['id'].""); + mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET access = 2 WHERE id = ".(int) $banlist['uid'].""); } } @@ -4727,7 +4730,7 @@ $wallimg = "getHero($session->uid,1); if ($herodata[0]['dead']==1){ - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 0 WHERE vref = ".$session->villages[0].""); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 0 WHERE vref = ".(int) $session->villages[0].""); } if($herodata[0]['trainingtime'] <= time()) { if($herodata[0]['trainingtime'] != 0) { if($herodata[0]['dead'] == 0) { - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "hero SET trainingtime = '0' WHERE uid = " . $session->uid . ""); - mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".$session->villages[0].""); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "hero SET trainingtime = '0' WHERE uid = " . (int) $session->uid . ""); + mysqli_query($GLOBALS['link'],"UPDATE " . TB_PREFIX . "units SET hero = 1 WHERE vref = ".(int) $session->villages[0].""); } } } @@ -4821,7 +4824,7 @@ $wallimg = "getBattleHero($Reinforcer); - $_result=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "hero where `dead`='0' and `heroid`='".$heroarraydefender['heroid']."'"); + $_result=mysqli_query($GLOBALS['link'],"select * from " . TB_PREFIX . "hero where `dead`='0' and `heroid`=".(int) $heroarraydefender['heroid']); $fdb = mysqli_fetch_array($_result); - $hero_id=$fdb['heroid']; + $hero_id=(int) $fdb['heroid']; $hero_health=$fdb['health']; $damage_health=round(100*$result[2]); if ($hero_health<=$damage_health or $damage_health>90){ //hero die $result['deadheroref'][$defenders['id']] = 1; - mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `dead`='1' where `heroid`='".$hero_id."'"); - mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `health`='0' where `heroid`='".$hero_id."'"); + mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `dead`='1' where `heroid`=".(int) $hero_id); + mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `health`='0' where `heroid`=".(int) $hero_id); }else{ $result['deadheroref'][$defenders['id']] = 0; - mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `health`=`health`-".$damage_health." where `heroid`='".$hero_id."'"); + mysqli_query($GLOBALS['link'],"update " . TB_PREFIX . "hero set `health`=`health`-".(int) $damage_health." where `heroid`=".(int) $hero_id); } } } diff --git a/GameEngine/Chat.php b/GameEngine/Chat.php index 0bc87724..fd0fa103 100755 --- a/GameEngine/Chat.php +++ b/GameEngine/Chat.php @@ -359,10 +359,10 @@ if (!isset($SAJAX_INCLUDED)) { $name = addslashes($session->username); if ($msg != ""){ - $id_user = $session->uid; - $alliance = $session->alliance; + $id_user = (int) $session->uid; + $alliance = $database->escape($session->alliance); $now = time(); - echo $q = "INSERT into ".TB_PREFIX."chat (id_user,name,alli,date,msg) values ('$id_user','$name','$alliance','$now','$msg')"; + echo $q = "INSERT into ".TB_PREFIX."chat (id_user,name,alli,date,msg) values ($id_user,'$name','$alliance','$now','$msg')"; mysqli_query($GLOBALS['link'],$q); } } @@ -370,7 +370,7 @@ if (!isset($SAJAX_INCLUDED)) { function get_data() { global $session,$database; - $alliance = $session->alliance; + $alliance = $database->escape($session->alliance); $query = mysqli_query($GLOBALS['link'],"select * from ".TB_PREFIX."chat where alli='$alliance' order by id desc limit 0,13"); while ($r = mysqli_fetch_array($query)) { $dates = date("g:i",$r[date]); diff --git a/GameEngine/Database.php b/GameEngine/Database.php index f99da4dc..fb6de3dd 100755 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php @@ -64,7 +64,7 @@ class MYSQLi_DB { } $timep = $time + PROTECTION; $time = time(); - $q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, $tribe, '$act', $timep, $time, $time)"; + $q = "INSERT INTO " . TB_PREFIX . "users (username,password,access,email,timestamp,tribe,act,protect,lastupdate,regtime) VALUES ('$username', '$password', " . USER . ", '$email', $time, " . (int) $tribe . ", '$act', $timep, $time, $time)"; if(mysqli_query($this->dblink,$q)) { return mysqli_insert_id($this->dblink); } else { @@ -76,7 +76,7 @@ class MYSQLi_DB { list($username, $password, $email, $tribe, $locate, $act, $act2) = $this->escape_input($username, $password, $email, $tribe, $locate, $act, $act2); $time = time(); - $q = "INSERT INTO " . TB_PREFIX . "activate (username,password,access,email,tribe,timestamp,location,act,act2) VALUES ('$username', '$password', " . USER . ", '$email', $tribe, $time, $locate, '$act', '$act2')"; + $q = "INSERT INTO " . TB_PREFIX . "activate (username,password,access,email,tribe,timestamp,location,act,act2) VALUES ('$username', '$password', " . USER . ", '$email', " . (int) $tribe .", $time, $locate, '$act', '$act2')"; if(mysqli_query($this->dblink,$q)) { return mysqli_insert_id($this->dblink); } else { @@ -91,13 +91,13 @@ class MYSQLi_DB { return mysqli_query($this->dblink,$q); } function deleteReinf($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE from " . TB_PREFIX . "enforcement where id = '$id'"; mysqli_query($this->dblink,$q); } function updateResource($vid, $what, $number) { - list($vid, $what, $number) = $this->escape_input($vid, $what, $number); + list($vid, $what, $number) = $this->escape_input((int) $vid, $what, (int) $number); $q = "UPDATE " . TB_PREFIX . "vdata set " . $what . "=" . $number . " where wref = $vid"; @@ -140,7 +140,7 @@ class MYSQLi_DB { public function hasBeginnerProtection($vid) { list($vid) = $this->escape_input($vid); - $q = "SELECT u.protect FROM ".TB_PREFIX."users u,".TB_PREFIX."vdata v WHERE u.id=v.owner AND v.wref=".$vid; + $q = "SELECT u.protect FROM ".TB_PREFIX."users u,".TB_PREFIX."vdata v WHERE u.id=v.owner AND v.wref=".(int) $vid; $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); if(!empty($dbarray)) { @@ -160,13 +160,13 @@ class MYSQLi_DB { if(!$switch) { $q = "UPDATE " . TB_PREFIX . "users set $field = '$value' where username = '$ref'"; } else { - $q = "UPDATE " . TB_PREFIX . "users set $field = '$value' where id = '$ref'"; + $q = "UPDATE " . TB_PREFIX . "users set $field = '$value' where id = " . (int) $ref; } return mysqli_query($this->dblink,$q); } function getSitee($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT id from " . TB_PREFIX . "users where sit1 = $uid or sit2 = $uid"; $result = mysqli_query($this->dblink,$q); @@ -174,7 +174,7 @@ class MYSQLi_DB { } function getVilWref($x, $y) { - list($x, $y) = $this->escape_input($x, $y); + list($x, $y) = $this->escape_input((int) $x, (int) $y); $q = "SELECT * FROM " . TB_PREFIX . "wdata where x = $x AND y = $y"; $result = mysqli_query($this->dblink,$q); @@ -183,20 +183,20 @@ class MYSQLi_DB { } function caststruc($user) { - list($user) = $this->escape_input($user); + list($user) = $this->escape_input((int) $user); //loop search village user - $query = mysqli_query($this->dblink,"SELECT * FROM ".TB_PREFIX."vdata WHERE owner = ".$user.""); + $query = mysqli_query($this->dblink,"SELECT * FROM ".TB_PREFIX."vdata WHERE owner = ".$user); while($villaggi_array = mysqli_fetch_array($query)) //loop structure village - $query1 = mysqli_query($this->dblink,"SELECT * FROM ".TB_PREFIX."fdata WHERE vref = ".$villaggi_array['wref'].""); + $query1 = mysqli_query($this->dblink,"SELECT * FROM ".TB_PREFIX."fdata WHERE vref = ".(int) $villaggi_array['wref'].""); $strutture= mysqli_fetch_array($query1); return $strutture; } function removeMeSit($uid, $uid2) { - list($uid, $uid2) = $this->escape_input($uid, $uid2); + list($uid, $uid2) = $this->escape_input((int) $uid, (int) $uid2); $q = "UPDATE " . TB_PREFIX . "users set sit1 = 0 where id = $uid and sit1 = $uid2"; mysqli_query($this->dblink,$q); @@ -208,7 +208,7 @@ class MYSQLi_DB { list($ref, $field, $mode) = $this->escape_input($ref, $field, $mode); if(!$mode) { - $q = "SELECT $field FROM " . TB_PREFIX . "users where id = '$ref'"; + $q = "SELECT $field FROM " . TB_PREFIX . "users where id = " . (int) $ref; } else { $q = "SELECT $field FROM " . TB_PREFIX . "users where username = '$ref'"; } @@ -222,7 +222,7 @@ class MYSQLi_DB { } function getInvitedUser($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "users where invited = $uid order by regtime desc"; $result = mysqli_query($this->dblink,$q); @@ -230,16 +230,16 @@ class MYSQLi_DB { } function getVrefField($ref, $field) { - list($ref, $field) = $this->escape_input($ref, $field); - $q = "SELECT $field FROM " . TB_PREFIX . "vdata where wref = '$ref'"; + list($ref, $field) = $this->escape_input((int) $ref, $field); + $q = "SELECT $field FROM " . TB_PREFIX . "vdata where wref = $ref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); $dbarray = mysqli_fetch_array($result); return $dbarray[$field]; } function getVrefCapital($ref) { - list($ref) = $this->escape_input($ref); - $q = "SELECT * FROM " . TB_PREFIX . "vdata where owner = '$ref' and capital = 1"; + list($ref) = $this->escape_input((int) $ref); + $q = "SELECT * FROM " . TB_PREFIX . "vdata where owner = $ref and capital = 1"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); $dbarray = mysqli_fetch_array($result); return $dbarray; @@ -261,7 +261,7 @@ class MYSQLi_DB { list($ref, $field, $mode) = $this->escape_input($ref, $field, $mode); if(!$mode) { - $q = "SELECT $field FROM " . TB_PREFIX . "activate where id = '$ref'"; + $q = "SELECT $field FROM " . TB_PREFIX . "activate where id = " . (int) $ref; } else { $q = "SELECT $field FROM " . TB_PREFIX . "activate where username = '$ref'"; } @@ -299,12 +299,12 @@ class MYSQLi_DB { $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); if($dbarray['sit1'] != 0) { - $q2 = "SELECT password FROM " . TB_PREFIX . "users where id = " . $dbarray['sit1'] . " and access != " . BANNED; + $q2 = "SELECT password FROM " . TB_PREFIX . "users where id = " . (int) $dbarray['sit1'] . " and access != " . BANNED; $result2 = mysqli_query($this->dblink,$q2); $dbarray2 = mysqli_fetch_array($result2); } if($dbarray['sit2'] != 0) { - $q3 = "SELECT password FROM " . TB_PREFIX . "users where id = " . $dbarray['sit2'] . " and access != " . BANNED; + $q3 = "SELECT password FROM " . TB_PREFIX . "users where id = " . (int) $dbarray['sit2'] . " and access != " . BANNED; $result3 = mysqli_query($this->dblink,$q3); $dbarray3 = mysqli_fetch_array($result3); } @@ -320,7 +320,7 @@ class MYSQLi_DB { } function setDeleting($uid, $mode) { - list($uid, $mode) = $this->escape_input($uid, $mode); + list($uid, $mode) = $this->escape_input((int) $uid, $mode); $time = time() + 72 * 3600; if(!$mode) { @@ -332,7 +332,7 @@ class MYSQLi_DB { } function isDeleting($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT timestamp from " . TB_PREFIX . "deleting where uid = $uid"; $result = mysqli_query($this->dblink,$q); @@ -341,7 +341,7 @@ class MYSQLi_DB { } function modifyGold($userid, $amt, $mode) { - list($userid, $amt, $mode) = $this->escape_input($userid, $amt, $mode); + list($userid, $amt, $mode) = $this->escape_input((int) $userid, (int) $amt, $mode); if(!$mode) { $q = "UPDATE " . TB_PREFIX . "users set gold = gold - $amt where id = $userid"; @@ -364,7 +364,7 @@ class MYSQLi_DB { if(!$mode) { $q = "SELECT * FROM " . TB_PREFIX . "users where username = '$ref'"; } else { - $q = "SELECT * FROM " . TB_PREFIX . "users where id = '$ref'"; + $q = "SELECT * FROM " . TB_PREFIX . "users where id = " . (int) $ref; } $result = mysqli_query($this->dblink,$q); return mysqli_fetch_array($result); @@ -420,21 +420,21 @@ class MYSQLi_DB { } function submitProfile($uid, $gender, $location, $birthday, $des1, $des2) { - list($uid, $gender, $location, $birthday, $des1, $des2) = $this->escape_input($uid, $gender, $location, $birthday, $des1, $des2); + list($uid, $gender, $location, $birthday, $des1, $des2) = $this->escape_input((int) $uid, (int) $gender, $location, $birthday, $des1, $des2); $q = "UPDATE " . TB_PREFIX . "users set gender = $gender, location = '$location', birthday = '$birthday', desc1 = '$des1', desc2 = '$des2' where id = $uid"; return mysqli_query($this->dblink,$q); } function gpack($uid, $gpack) { - list($uid, $gpack) = $this->escape_input($uid, $gpack); + list($uid, $gpack) = $this->escape_input((int) $uid, $gpack); $q = "UPDATE " . TB_PREFIX . "users set gpack = '$gpack' where id = $uid"; return mysqli_query($this->dblink,$q); } function GetOnline($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT sit FROM " . TB_PREFIX . "online where uid = $uid"; $result = mysqli_query($this->dblink,$q); @@ -443,17 +443,17 @@ class MYSQLi_DB { } function UpdateOnline($mode, $name = "", $time = "", $uid = 0) { - list($mode, $name, $time, $uid) = $this->escape_input($mode, $name, $time, $uid); + list($mode, $name, $time, $uid) = $this->escape_input($mode, $name, $time, (int) $uid); global $session; if($mode == "login") { - $q = "INSERT IGNORE INTO " . TB_PREFIX . "online (name, uid, time, sit) VALUES ('$name', '$uid', " . time() . ", 0)"; + $q = "INSERT IGNORE INTO " . TB_PREFIX . "online (name, uid, time, sit) VALUES ('$name', $uid, '" . time() . "', 0)"; return mysqli_query($this->dblink,$q); } else if($mode == "sitter") { - $q = "INSERT IGNORE INTO " . TB_PREFIX . "online (name, uid, time, sit) VALUES ('$name', '$uid', " . time() . ", 1)"; + $q = "INSERT IGNORE INTO " . TB_PREFIX . "online (name, uid, time, sit) VALUES ('$name', $uid, '" . time() . "', 1)"; return mysqli_query($this->dblink,$q); } else { - $q = "DELETE FROM " . TB_PREFIX . "online WHERE name ='" . addslashes($session->username) . "'"; + $q = "DELETE FROM " . TB_PREFIX . "online WHERE name ='" . $this->escape($session->username) . "'"; return mysqli_query($this->dblink,$q); } } @@ -488,17 +488,16 @@ class MYSQLi_DB { } switch($sector) { case 1: - $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x < -$wide1 and x > -$wide2) and (y > $wide1 and y < $wide2) and occupied = 0"; //x- y+ - break; + $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x < -$wide1 and x > -$wide2) and (y > $wide1 and y < $wide2) and occupied = 0"; //x- y+ + break; case 2: - $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x > $wide1 and x < $wide2) and (y > $wide1 and y < $wide2) and occupied = 0"; //x+ y+ - break; + $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x > $wide1 and x < $wide2) and (y > $wide1 and y < $wide2) and occupied = 0"; //x+ y+ + break; case 3: - $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x < -$wide1 and x > -$wide2) and (y < -$wide1 and y > -$wide2) and occupied = 0"; //x- y- - break; - case 4: - $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x > $wide1 and x < $wide2) and (y < -$wide1 and y > -$wide2) and occupied = 0"; //x+ y- - break; + $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x < -$wide1 and x > -$wide2) and (y < -$wide1 and y > -$wide2) and occupied = 0"; //x- y- + break; + default: + $q = "Select * from ".TB_PREFIX."wdata where fieldtype = 3 and (x > $wide1 and x < $wide2) and (y < -$wide1 and y > -$wide2) and occupied = 0"; //x+ y- } $result = mysqli_query($this->dblink,$q); $num_rows = mysqli_num_rows($result); @@ -510,14 +509,14 @@ class MYSQLi_DB { } function setFieldTaken($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); - $q = "UPDATE " . TB_PREFIX . "wdata set occupied = 1 where id = $id"; + $q = "UPDATE " . TB_PREFIX . "wdata set occupied = 1 where id = ". $id; return mysqli_query($this->dblink,$q); } function addVillage($wid, $uid, $username, $capital) { - list($wid, $uid, $username, $capital) = $this->escape_input($wid, $uid, $username, $capital); + list($wid, $uid, $username, $capital) = $this->escape_input((int) $wid, (int) $uid, $username, (int) $capital); $total = count($this->getVillagesID($uid)); if($total >= 1) { @@ -526,12 +525,12 @@ class MYSQLi_DB { $vname = $username . "\'s village"; } $time = time(); - $q = "INSERT into " . TB_PREFIX . "vdata (wref, owner, name, capital, pop, cp, celebration, wood, clay, iron, maxstore, crop, maxcrop, lastupdate, created) values ('$wid', '$uid', '$vname', '$capital', 2, 1, 0, 750, 750, 750, ".STORAGE_BASE.", 750, ".STORAGE_BASE.", '$time', '$time')"; + $q = "INSERT into " . TB_PREFIX . "vdata (wref, owner, name, capital, pop, cp, celebration, wood, clay, iron, maxstore, crop, maxcrop, lastupdate, created) values ($wid, $uid, '$vname', $capital, 2, 1, 0, 750, 750, 750, ".STORAGE_BASE.", 750, ".STORAGE_BASE.", $time, $time)"; return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); } function addResourceFields($vid, $type) { - list($vid, $type) = $this->escape_input($vid, $type); + list($vid, $type) = $this->escape_input((int) $vid, $type); switch($type) { case 1: @@ -574,9 +573,9 @@ class MYSQLi_DB { return mysqli_query($this->dblink,$q); } function isVillageOases($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); - $q = "SELECT id, oasistype FROM " . TB_PREFIX . "wdata where id = $wref"; + $q = "SELECT id, oasistype FROM " . TB_PREFIX . "wdata where id = ". $wref; $result = mysqli_query($this->dblink,$q); if($result){ $dbarray = mysqli_fetch_array($result); @@ -585,19 +584,19 @@ class MYSQLi_DB { } public function VillageOasisCount($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); - $q = "SELECT count(*) FROM `".TB_PREFIX."odata` WHERE conqured=$vref"; + $q = "SELECT count(*) FROM `".TB_PREFIX."odata` WHERE conqured=". $vref; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); return $row[0]; } public function countOasisTroops($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); //count oasis troops: $troops_o $troops_o=0; - $o_unit2=mysqli_query($this->dblink,"select * from ".TB_PREFIX."units where `vref`='".$vref."'"); + $o_unit2=mysqli_query($this->dblink,"select * from ".TB_PREFIX."units where `vref`=".$vref); $o_unit=mysqli_fetch_array($o_unit2); for ($i=1;$i<51;$i++) @@ -606,7 +605,7 @@ class MYSQLi_DB { } $troops_o+=$o_unit['hero']; - $o_unit2=mysqli_query($this->dblink,"select * from ".TB_PREFIX."enforcement where `vref`='".$vref."'"); + $o_unit2=mysqli_query($this->dblink,"select * from ".TB_PREFIX."enforcement where `vref`=".$vref); while ($o_unit=@mysqli_fetch_array($o_unit2)) { for ($i=1;$i<51;$i++) @@ -652,22 +651,22 @@ class MYSQLi_DB { } public function conquerOasis($vref,$wref) { - list($vref,$wref) = $this->escape_input($vref,$wref); + list($wref) = $this->escape_input((int) $wref); $vinfo = $this->getVillage($vref); - $uid = $vinfo['owner']; - $q = "UPDATE `".TB_PREFIX."odata` SET conqured=$vref,loyalty=100,lastupdated=".time().",owner=$uid,name='Occupied Oasis' WHERE wref=$wref"; + $uid = (int) $vinfo['owner']; + $q = "UPDATE `".TB_PREFIX."odata` SET conqured=".(int) $vref. ",loyalty=100,lastupdated=".time().",owner=$uid,name='Occupied Oasis' WHERE wref=".$wref; return mysqli_query($this->dblink,$q); } public function modifyOasisLoyalty($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); if($this->isVillageOases($wref) != 0) { $OasisInfo = $this->getOasisInfo($wref); if($OasisInfo['conqured'] != 0) { $LoyaltyAmendment = floor(100 / min(3,(4-$this->VillageOasisCount($OasisInfo['conqured'])))); - $q = "UPDATE `".TB_PREFIX."odata` SET loyalty=loyalty-$LoyaltyAmendment, lastupdated=".time()." WHERE wref=$wref"; + $q = "UPDATE `".TB_PREFIX."odata` SET loyalty=loyalty-$LoyaltyAmendment, lastupdated=".time()." WHERE wref=".$wref; $result=mysqli_query($this->dblink,$q); return $OasisInfo['loyalty']-$LoyaltyAmendment; } @@ -686,16 +685,18 @@ class MYSQLi_DB { } function populateOasisUnits($wid, $high) { - list($wid, $high) = $this->escape_input($wid, $high); + list($wid, $high) = $this->escape_input((int) $wid, $high); $basearray = $this->getOasisInfo($wid); if($high == 0){ $max = rand(15,30); - }elseif($high == 1){ - $max = rand(50,70); - }elseif($high == 2){ - $max = rand(90,120); - } + }elseif($high == 1){ + $max = rand(50,70); + }elseif($high == 2){ + $max = rand(90,120); + } else { + $max = rand(50,70); + } $max2 = 0; $rand = rand(0,3); if($rand == 1){ @@ -754,7 +755,7 @@ class MYSQLi_DB { $q2 = "SELECT * FROM " . TB_PREFIX . "wdata where oasistype != 0"; $result2 = mysqli_query($this->dblink,$q2); while($row = mysqli_fetch_array($result2)) { - $wid = $row['id']; + $wid = (int) $row['id']; switch($row['oasistype']) { case 1: case 2: @@ -805,9 +806,9 @@ class MYSQLi_DB { } function removeOases($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); - $q = "UPDATE ".TB_PREFIX."odata SET conqured = 0, owner = 2, name = 'Unoccupied Oasis' WHERE wref = $wref"; + $q = "UPDATE ".TB_PREFIX."odata SET conqured = 0, owner = 2, name = 'Unoccupied Oasis' WHERE wref = ".$wref; return mysqli_query($this->dblink,$q); } @@ -817,9 +818,9 @@ class MYSQLi_DB { References: Village ID ***************************/ function getVillageType($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); - $q = "SELECT id, fieldtype FROM " . TB_PREFIX . "wdata where id = $wref"; + $q = "SELECT id, fieldtype FROM " . TB_PREFIX . "wdata where id = ".$wref; $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); return $dbarray['fieldtype']; @@ -832,9 +833,9 @@ class MYSQLi_DB { References: Village ID *****************************************/ function getVillageState($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); - $q = "SELECT oasistype,occupied FROM " . TB_PREFIX . "wdata where id = $wref"; + $q = "SELECT oasistype,occupied FROM " . TB_PREFIX . "wdata where id = ".$wref; $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); if($dbarray['occupied'] != 0 || $dbarray['oasistype'] != 0) { @@ -845,7 +846,7 @@ class MYSQLi_DB { } function getProfileVillages($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT capital,wref,name,pop,created from " . TB_PREFIX . "vdata where owner = $uid order by pop desc"; $result = mysqli_query($this->dblink,$q); @@ -853,7 +854,7 @@ class MYSQLi_DB { } function getProfileMedal($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT id,categorie,plaats,week,img,points from " . TB_PREFIX . "medal where userid = $uid and del = 0 order by id desc"; $result = mysqli_query($this->dblink,$q); @@ -862,7 +863,7 @@ class MYSQLi_DB { } function getProfileMedalAlly($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT id,categorie,plaats,week,img,points from " . TB_PREFIX . "allimedal where allyid = $uid and del = 0 order by id desc"; $result = mysqli_query($this->dblink,$q); @@ -871,7 +872,7 @@ class MYSQLi_DB { } function getVillageID($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT wref FROM " . TB_PREFIX . "vdata WHERE owner = $uid"; $result = mysqli_query($this->dblink,$q); @@ -881,7 +882,7 @@ class MYSQLi_DB { function getVillagesID($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT wref from " . TB_PREFIX . "vdata where owner = $uid order by capital DESC,pop DESC"; $result = mysqli_query($this->dblink,$q); @@ -894,7 +895,7 @@ class MYSQLi_DB { } function getVillagesID2($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT wref from " . TB_PREFIX . "vdata where owner = $uid order by capital DESC,pop DESC"; $result = mysqli_query($this->dblink,$q); @@ -903,7 +904,7 @@ class MYSQLi_DB { } function getVillage($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "vdata where wref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -911,7 +912,7 @@ class MYSQLi_DB { } public function getVillageBattleData($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT u.id,u.tribe,v.capital,f.f40 AS wall FROM ".TB_PREFIX."users u,".TB_PREFIX."fdata f,".TB_PREFIX."vdata v WHERE u.id=v.owner AND f.vref=v.wref AND v.wref=".$vid; $result = mysqli_query($this->dblink,$q); @@ -919,7 +920,7 @@ class MYSQLi_DB { } public function getPopulation($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT sum(pop) AS pop FROM ".TB_PREFIX."vdata WHERE owner=".$uid; $result = mysqli_query($this->dblink,$q); @@ -928,7 +929,7 @@ class MYSQLi_DB { } function getOasisV($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "odata where wref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -936,7 +937,7 @@ class MYSQLi_DB { } function getMInfo($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "wdata left JOIN " . TB_PREFIX . "vdata ON " . TB_PREFIX . "vdata.wref = " . TB_PREFIX . "wdata.id where " . TB_PREFIX . "wdata.id = $id"; $result = mysqli_query($this->dblink,$q); @@ -944,7 +945,7 @@ class MYSQLi_DB { } function getOMInfo($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "wdata left JOIN " . TB_PREFIX . "odata ON " . TB_PREFIX . "odata.wref = " . TB_PREFIX . "wdata.id where " . TB_PREFIX . "wdata.id = $id"; $result = mysqli_query($this->dblink,$q); @@ -952,7 +953,7 @@ class MYSQLi_DB { } function getOasis($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "odata where conqured = $vid"; $result = mysqli_query($this->dblink,$q); @@ -960,7 +961,7 @@ class MYSQLi_DB { } function getOasisInfo($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "odata where wref = $wid"; $result = mysqli_query($this->dblink,$q); @@ -968,7 +969,7 @@ class MYSQLi_DB { } function getVillageField($ref, $field) { - list($ref, $field) = $this->escape_input($ref, $field); + list($ref, $field) = $this->escape_input((int) $ref, $field); $q = "SELECT $field FROM " . TB_PREFIX . "vdata where wref = $ref"; $result = mysqli_query($this->dblink,$q); @@ -981,7 +982,7 @@ class MYSQLi_DB { } function getOasisField($ref, $field) { - list($ref, $field) = $this->escape_input($ref, $field); + list($ref, $field) = $this->escape_input((int) $ref, $field); $q = "SELECT $field FROM " . TB_PREFIX . "odata where wref = $ref"; $result = mysqli_query($this->dblink,$q); @@ -990,21 +991,21 @@ class MYSQLi_DB { } function setVillageField($ref, $field, $value) { - list($ref, $field, $value) = $this->escape_input($ref, $field, $value); + list($ref, $field, $value) = $this->escape_input((int) $ref, $field, $value); $q = "UPDATE " . TB_PREFIX . "vdata set $field = '$value' where wref = $ref"; return mysqli_query($this->dblink,$q); } function setVillageLevel($ref, $field, $value) { - list($ref, $field, $value) = $this->escape_input($ref, $field, $value); + list($ref, $field, $value) = $this->escape_input((int) $ref, $field, $value); $q = "UPDATE " . TB_PREFIX . "fdata set " . $field . " = '" . $value . "' where vref = " . $ref . ""; return mysqli_query($this->dblink,$q); } function getResourceLevel($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * from " . TB_PREFIX . "fdata where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -1025,23 +1026,23 @@ class MYSQLi_DB { } function getMarketLogVillage($village) { - list($village) = $this->escape_input($village); + list($village) = $this->escape_input((int) $village); $q = "SELECT wref,owner,name from " . TB_PREFIX . "vdata where wref =$village "; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } function getMarketLogUsers($id_user) { - list($id_user) = $this->escape_input($id_user); + list($id_user) = $this->escape_input((int) $id_user); - $q = "SELECT id,username from " . TB_PREFIX . "users where id =$id_user "; + $q = "SELECT id,username from " . TB_PREFIX . "users where id = $id_user "; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } //end fix function getCoor($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); if ($wref !=""){ $q = "SELECT x,y FROM " . TB_PREFIX . "wdata where id = $wref"; @@ -1051,7 +1052,7 @@ class MYSQLi_DB { } function CheckForum($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * from " . TB_PREFIX . "forum_cat where alliance = '$id'"; $result = mysqli_query($this->dblink,$q); @@ -1192,7 +1193,7 @@ class MYSQLi_DB { } function CheckCloseTopic($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT close from " . TB_PREFIX . "forum_topic where id = '$id'"; $result = mysqli_query($this->dblink,$q); @@ -1226,7 +1227,7 @@ class MYSQLi_DB { } function getVillageType2($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT * FROM " . TB_PREFIX . "wdata where id = $wref"; $result = mysqli_query($this->dblink,$q); @@ -1235,7 +1236,7 @@ class MYSQLi_DB { } function getVillageType3($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT * FROM " . TB_PREFIX . "wdata where id = $wref"; $result = mysqli_query($this->dblink,$q); @@ -1244,7 +1245,7 @@ class MYSQLi_DB { } function getFLData($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "farmlist where id = $id"; $result = mysqli_query($this->dblink,$q); @@ -1252,7 +1253,7 @@ class MYSQLi_DB { } function checkVilExist($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT * FROM " . TB_PREFIX . "vdata where wref = '$wref'"; $result = mysqli_query($this->dblink,$q); @@ -1264,7 +1265,7 @@ class MYSQLi_DB { } function checkOasisExist($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT * FROM " . TB_PREFIX . "odata where wref = '$wref'"; $result = mysqli_query($this->dblink,$q); @@ -1276,23 +1277,23 @@ class MYSQLi_DB { } function UpdateEditTopic($id, $title, $cat) { - list($id, $title, $cat) = $this->escape_input($id, $title, $cat); + list($id, $title, $cat) = $this->escape_input((int) $id, $title, $cat); $q = "UPDATE " . TB_PREFIX . "forum_topic set title = '$title', cat = '$cat' where id = $id"; return mysqli_query($this->dblink,$q); } function UpdateEditForum($id, $name, $des) { - list($id, $name, $des) = $this->escape_input($id, $name, $des); + list($id, $name, $des) = $this->escape_input((int) $id, $name, $des); $q = "UPDATE " . TB_PREFIX . "forum_cat set forum_name = '$name', forum_des = '$des' where id = $id"; return mysqli_query($this->dblink,$q); } function StickTopic($id, $mode) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); - $q = "UPDATE " . TB_PREFIX . "forum_topic set stick = '$mode' where id = '$id'"; + $q = "UPDATE " . TB_PREFIX . "forum_topic set stick = '$mode' where id = $id"; return mysqli_query($this->dblink,$q); } @@ -1313,9 +1314,9 @@ class MYSQLi_DB { } function ShowTopic($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); - $q = "SELECT * from " . TB_PREFIX . "forum_topic where id = '$id'"; + $q = "SELECT * from " . TB_PREFIX . "forum_topic where id = $id"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } @@ -1329,9 +1330,9 @@ class MYSQLi_DB { } function ShowPostEdit($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); - $q = "SELECT * from " . TB_PREFIX . "forum_post where id = '$id'"; + $q = "SELECT * from " . TB_PREFIX . "forum_post where id = $id"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } @@ -1345,10 +1346,10 @@ class MYSQLi_DB { } function CreatTopic($title, $post, $cat, $owner, $alli, $ends, $alliance, $player, $coor, $report) { - list($title, $post, $cat, $owner, $alli, $ends, $alliance, $player, $coor, $report) = $this->escape_input($title, $post, $cat, $owner, $alli, $ends, $alliance, $player, $coor, $report); + list($title, $post, $cat, $owner, $alli, $ends, $alliance, $player, $coor, $report) = $this->escape_input($title, $post, $cat, $owner, $alli, $ends, (int) $alliance, (int) $player, (int) $coor, (int) $report); $date = time(); - $q = "INSERT into " . TB_PREFIX . "forum_topic values (0,'$title','$post','$date','$date','$cat','$owner','$alli','$ends','','','$alliance','$player','$coor','$report')"; + $q = "INSERT into " . TB_PREFIX . "forum_topic values (0,'$title','$post','$date','$date','$cat','$owner','$alli','$ends','','',$alliance,$player,$coor,$report)"; mysqli_query($this->dblink,$q); return mysqli_insert_id($this->dblink); } @@ -1365,7 +1366,7 @@ class MYSQLi_DB { } function getSurvey($topic) { - list($topic) = $this->escape_input($topic); + list($topic) = $this->escape_input((int) $topic); $q = "SELECT * FROM " . TB_PREFIX . "forum_survey where topic = $topic"; $result = mysqli_query($this->dblink,$q); @@ -1373,7 +1374,7 @@ class MYSQLi_DB { } function checkSurvey($topic) { - list($topic) = $this->escape_input($topic); + list($topic) = $this->escape_input((int) $topic); $q = "SELECT * FROM " . TB_PREFIX . "forum_survey where topic = $topic"; $result = mysqli_query($this->dblink,$q); @@ -1385,14 +1386,14 @@ class MYSQLi_DB { } function Vote($topic, $num, $text) { - list($topic, $num, $text) = $this->escape_input($topic, $num, $text); + list($topic, $num, $text) = $this->escape_input((int) $topic, (int) $num, $text); $q = "UPDATE " . TB_PREFIX . "forum_survey set vote".$num." = vote".$num." + 1, voted = '$text' where topic = ".$topic.""; return mysqli_query($this->dblink,$q); } function checkVote($topic, $uid) { - list($topic, $uid) = $this->escape_input($topic, $uid); + list($topic, $uid) = $this->escape_input((int) $topic, $uid); $q = "SELECT * FROM " . TB_PREFIX . "forum_survey where topic = $topic"; $result = mysqli_query($this->dblink,$q); @@ -1406,7 +1407,7 @@ class MYSQLi_DB { } function getVoteSum($topic) { - list($topic) = $this->escape_input($topic); + list($topic) = $this->escape_input((int) $topic); $q = "SELECT * FROM " . TB_PREFIX . "forum_survey where topic = $topic"; $result = mysqli_query($this->dblink,$q); @@ -1424,16 +1425,16 @@ class MYSQLi_DB { *************************/ function CreatPost($post, $tids, $owner, $alliance, $player, $coor, $report) { - list($post, $tids, $owner, $alliance, $player, $coor, $report) = $this->escape_input($post, $tids, $owner, $alliance, $player, $coor, $report); + list($post, $tids, $owner, $alliance, $player, $coor, $report) = $this->escape_input($post, $tids, $owner, (int) $alliance, (int) $player, (int) $coor, (int) $report); $date = time(); - $q = "INSERT into " . TB_PREFIX . "forum_post values (0,'$post','$tids','$owner','$date','$alliance','$player','$coor','$report')"; + $q = "INSERT into " . TB_PREFIX . "forum_post values (0,'$post','$tids','$owner','$date',$alliance,$player,$coor,$report)"; mysqli_query($this->dblink,$q); return mysqli_insert_id($this->dblink); } function UpdatePostDate($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $date = time(); $q = "UPDATE " . TB_PREFIX . "forum_topic set post_date = '$date' where id = $id"; @@ -1441,23 +1442,23 @@ class MYSQLi_DB { } function EditUpdateTopic($id, $post, $alliance, $player, $coor, $report) { - list($id, $post, $alliance, $player, $coor, $report) = $this->escape_input($id, $post, $alliance, $player, $coor, $report); + list($id, $post, $alliance, $player, $coor, $report) = $this->escape_input((int) $id, $post, (int) $alliance, (int) $player, (int) $coor, (int) $report); - $q = "UPDATE " . TB_PREFIX . "forum_topic set post = '$post', alliance0 = '$alliance', player0 = '$player', coor0 = '$coor', report0 = '$report' where id = $id"; + $q = "UPDATE " . TB_PREFIX . "forum_topic set post = '$post', alliance0 = $alliance, player0 = $player, coor0 = $coor, report0 = $report where id = $id"; return mysqli_query($this->dblink,$q); } function EditUpdatePost($id, $post, $alliance, $player, $coor, $report) { - list($id, $post, $alliance, $player, $coor, $report) = $this->escape_input($id, $post, $alliance, $player, $coor, $report); + list($id, $post, $alliance, $player, $coor, $report) = $this->escape_input((int) $id, $post, (int) $alliance, (int) $player, (int) $coor, (int) $report); - $q = "UPDATE " . TB_PREFIX . "forum_post set post = '$post', alliance0 = '$alliance', player0 = '$player', coor0 = '$coor', report0 = '$report' where id = $id"; + $q = "UPDATE " . TB_PREFIX . "forum_post set post = '$post', alliance0 = $alliance, player0 = $player, coor0 = $coor, report0 = $report where id = $id"; return mysqli_query($this->dblink,$q); } function LockTopic($id, $mode) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); - $q = "UPDATE " . TB_PREFIX . "forum_topic set close = '$mode' where id = '$id'"; + $q = "UPDATE " . TB_PREFIX . "forum_topic set close = '$mode' where id = $id"; return mysqli_query($this->dblink,$q); } @@ -1502,7 +1503,7 @@ class MYSQLi_DB { } function getAllianceName($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); if (!$id) { return ''; @@ -1518,7 +1519,7 @@ class MYSQLi_DB { list($ref, $field, $mode) = $this->escape_input($ref, $field, $mode); if(!$mode) { - $q = "SELECT $field FROM " . TB_PREFIX . "ali_permission where uid = '$ref'"; + $q = "SELECT $field FROM " . TB_PREFIX . "ali_permission where uid = ". (int) $ref; } else { $q = "SELECT $field FROM " . TB_PREFIX . "ali_permission where username = '$ref'"; } @@ -1528,7 +1529,7 @@ class MYSQLi_DB { } function getAlliance($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * from " . TB_PREFIX . "alidata where id = $id"; $result = mysqli_query($this->dblink,$q); @@ -1536,16 +1537,16 @@ class MYSQLi_DB { } function setAlliName($aid, $name, $tag) { - list($aid, $name, $tag) = $this->escape_input($aid, $name, $tag); + list($aid, $name, $tag) = $this->escape_input((int) $aid, $name, $tag); $q = "UPDATE " . TB_PREFIX . "alidata set name = '$name', tag = '$tag' where id = $aid"; return mysqli_query($this->dblink,$q); } function isAllianceOwner($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); - $q = "SELECT * from " . TB_PREFIX . "alidata where leader = '$id'"; + $q = "SELECT * from " . TB_PREFIX . "alidata where leader = ". $id; $result = mysqli_query($this->dblink,$q); if(mysqli_num_rows($result)) { return true; @@ -1567,14 +1568,14 @@ class MYSQLi_DB { } function modifyPoints($aid, $points, $amt) { - list($aid, $points, $amt) = $this->escape_input($aid, $points, $amt); + list($aid, $points, $amt) = $this->escape_input((int) $aid, (int) $points, (int) $amt); $q = "UPDATE " . TB_PREFIX . "users set $points = $points + $amt where id = $aid"; return mysqli_query($this->dblink,$q); } function modifyPointsAlly($aid, $points, $amt) { - list($aid, $points, $amt) = $this->escape_input($aid, $points, $amt); + list($aid, $points, $amt) = $this->escape_input((int) $aid, (int) $points, (int) $amt); $q = "UPDATE " . TB_PREFIX . "alidata set $points = $points + $amt where id = $aid"; return mysqli_query($this->dblink,$q); @@ -1585,7 +1586,7 @@ class MYSQLi_DB { References: *****************************************/ function createAlliance($tag, $name, $uid, $max) { - list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, $uid, $max); + list($tag, $name, $uid, $max) = $this->escape_input($tag, $name, (int) $uid, (int) $max); $q = "INSERT into " . TB_PREFIX . "alidata values (0,'$name','$tag',$uid,0,0,0,'','',$max,'','','','','','','','','')"; mysqli_query($this->dblink,$q); @@ -1633,7 +1634,7 @@ class MYSQLi_DB { References: *****************************************/ function deleteAlliance($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $result = mysqli_query($this->dblink,"SELECT * FROM " . TB_PREFIX . "users where alliance = $aid"); $num_rows = mysqli_num_rows($this->dblink, $result); @@ -1649,7 +1650,7 @@ class MYSQLi_DB { References: *****************************************/ function readAlliNotice($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * from " . TB_PREFIX . "ali_log where aid = $aid ORDER BY date DESC"; $result = mysqli_query($this->dblink,$q); @@ -1684,7 +1685,7 @@ class MYSQLi_DB { References: *****************************************/ function updateAlliPermissions($uid, $aid, $rank, $opt1, $opt2, $opt3, $opt4, $opt5, $opt6, $opt7) { - list($uid, $aid, $rank, $opt1, $opt2, $opt3, $opt4, $opt5, $opt6, $opt7) = $this->escape_input($uid, $aid, $rank, $opt1, $opt2, $opt3, $opt4, $opt5, $opt6, $opt7); + list($uid, $aid, $rank, $opt1, $opt2, $opt3, $opt4, $opt5, $opt6, $opt7) = $this->escape_input((int) $uid, (int) $aid, $rank, $opt1, $opt2, $opt3, $opt4, $opt5, $opt6, $opt7); $q = "UPDATE " . TB_PREFIX . "ali_permission SET rank = '$rank', opt1 = '$opt1', opt2 = '$opt2', opt3 = '$opt3', opt4 = '$opt4', opt5 = '$opt5', opt6 = '$opt6', opt7 = '$opt7' where uid = $uid && alliance =$aid"; @@ -1696,7 +1697,7 @@ class MYSQLi_DB { References: ID, notice, description *****************************************/ function getAlliPermissions($uid, $aid) { - list($uid, $aid) = $this->escape_input($uid, $aid); + list($uid, $aid) = $this->escape_input((int) $uid, (int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "ali_permission where uid = $uid && alliance = $aid"; $result = mysqli_query($this->dblink,$q); @@ -1708,7 +1709,7 @@ class MYSQLi_DB { References: ID, notice, description *****************************************/ function submitAlliProfile($aid, $notice, $desc) { - list($aid, $notice, $desc) = $this->escape_input($aid, $notice, $desc); + list($aid, $notice, $desc) = $this->escape_input((int) $aid, $notice, $desc); $q = "UPDATE " . TB_PREFIX . "alidata SET `notice` = '$notice', `desc` = '$desc' where id = $aid"; @@ -1716,14 +1717,14 @@ class MYSQLi_DB { } function diplomacyInviteAdd($alli1, $alli2, $type) { - list($alli1, $alli2, $type) = $this->escape_input($alli1, $alli2, $type); + list($alli1, $alli2, $type) = $this->escape_input((int) $alli1, (int) $alli2, $type); $q = "INSERT INTO " . TB_PREFIX . "diplomacy (alli1,alli2,type,accepted) VALUES ($alli1,$alli2," . (int)intval($type) . ",0)"; return mysqli_query($this->dblink,$q); } function diplomacyOwnOffers($session_alliance) { - list($session_alliance) = $this->escape_input($session_alliance); + list($session_alliance) = $this->escape_input((int) $session_alliance); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli1 = $session_alliance AND accepted = 0"; $result = mysqli_query($this->dblink,$q); @@ -1740,7 +1741,7 @@ class MYSQLi_DB { } function getDiplomacy($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE id = $aid"; $result = mysqli_query($this->dblink,$q); @@ -1748,28 +1749,28 @@ class MYSQLi_DB { } function diplomacyCancelOffer($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE FROM " . TB_PREFIX . "diplomacy WHERE id = $id"; return mysqli_query($this->dblink,$q); } function diplomacyInviteAccept($id, $session_alliance) { - list($id, $session_alliance) = $this->escape_input($id, $session_alliance); + list($id, $session_alliance) = $this->escape_input((int) $id, (int) $session_alliance); $q = "UPDATE " . TB_PREFIX . "diplomacy SET accepted = 1 WHERE id = $id AND alli2 = $session_alliance"; return mysqli_query($this->dblink,$q); } function diplomacyInviteDenied($id, $session_alliance) { - list($id, $session_alliance) = $this->escape_input($id, $session_alliance); + list($id, $session_alliance) = $this->escape_input((int) $id, (int) $session_alliance); $q = "DELETE FROM " . TB_PREFIX . "diplomacy WHERE id = $id AND alli2 = $session_alliance"; return mysqli_query($this->dblink,$q); } function diplomacyInviteCheck($session_alliance) { - list($session_alliance) = $this->escape_input($session_alliance); + list($session_alliance) = $this->escape_input((int) $session_alliance); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli2 = $session_alliance AND accepted = 0"; $result = mysqli_query($this->dblink,$q); @@ -1777,7 +1778,7 @@ class MYSQLi_DB { } function diplomacyInviteCheck2($ally1, $ally2) { - list($ally1, $ally2) = $this->escape_input($ally1, $ally2); + list($ally1, $ally2) = $this->escape_input((int) $ally1, (int) $ally2); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli1 = $ally1 AND alli2 = $ally2 accepted = 0"; $result = mysqli_query($this->dblink,$q); @@ -1845,7 +1846,7 @@ class MYSQLi_DB { } function diplomacyExistingRelationships($session_alliance) { - list($session_alliance) = $this->escape_input($session_alliance); + list($session_alliance) = $this->escape_input((int) $session_alliance); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli2 = $session_alliance AND accepted = 1"; $result = mysqli_query($this->dblink,$q); @@ -1853,7 +1854,7 @@ class MYSQLi_DB { } function diplomacyExistingRelationships2($session_alliance) { - list($session_alliance) = $this->escape_input($session_alliance); + list($session_alliance) = $this->escape_input((int) $session_alliance); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli1 = $session_alliance AND accepted = 1"; $result = mysqli_query($this->dblink,$q); @@ -1861,14 +1862,14 @@ class MYSQLi_DB { } function diplomacyCancelExistingRelationship($id, $session_alliance) { - list($id, $session_alliance) = $this->escape_input($id, $session_alliance); + list($id, $session_alliance) = $this->escape_input((int) $id, (int) $session_alliance); $q = "DELETE FROM " . TB_PREFIX . "diplomacy WHERE id = $id AND alli2 = $session_alliance OR id = $id AND alli1 = $session_alliance"; return mysqli_query($this->dblink,$q); } function checkDiplomacyInviteAccept($aid, $type) { - list($aid, $type) = $this->escape_input($aid, $type); + list($aid, $type) = $this->escape_input((int) $aid, (int) $type); $q = "SELECT * FROM " . TB_PREFIX . "diplomacy WHERE alli1 = $aid AND type = $type AND accepted = 1 OR alli2 = $aid AND type = $type AND accepted = 1"; $result = mysqli_query($this->dblink,$q); @@ -1884,14 +1885,14 @@ class MYSQLi_DB { } function setAlliForumdblink($aid, $dblink) { - list($aid, $dblink) = $this->escape_input($aid, $dblink); + list($aid, $dblink) = $this->escape_input((int) $aid, $dblink); $q = "UPDATE " . TB_PREFIX . "alidata SET `forumdblink` = '$dblink' WHERE id = $aid"; return mysqli_query($this->dblink,$q); } function getUserAlliance($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT " . TB_PREFIX . "alidata.tag from " . TB_PREFIX . "users join " . TB_PREFIX . "alidata where " . TB_PREFIX . "users.alliance = " . TB_PREFIX . "alidata.id and " . TB_PREFIX . "users.id = $id"; $result = mysqli_query($this->dblink,$q); @@ -1906,7 +1907,7 @@ class MYSQLi_DB { /////////////ADDED BY BRAINIAC - THANK YOU function modifyResource($vid, $wood, $clay, $iron, $crop, $mode) { - list($vid, $wood, $clay, $iron, $crop, $mode) = $this->escape_input($vid, $wood, $clay, $iron, $crop, $mode); + list($vid, $wood, $clay, $iron, $crop, $mode) = $this->escape_input((int) $vid, (int) $wood, (int) $clay, (int) $iron, (int) $crop, $mode); $shit = false; $q="SELECT wood,clay,iron,crop,maxstore,maxcrop from " . TB_PREFIX . "vdata where wref = ".$vid.""; @@ -1938,7 +1939,7 @@ class MYSQLi_DB { } function modifyOasisResource($vid, $wood, $clay, $iron, $crop, $mode) { - list($vid, $wood, $clay, $iron, $crop, $mode) = $this->escape_input($vid, $wood, $clay, $iron, $crop, $mode); + list($vid, $wood, $clay, $iron, $crop, $mode) = $this->escape_input((int) $vid, (int) $wood, (int) $clay, (int) $iron, (int) $crop, $mode); $shit = false; $q="SELECT wood,clay,iron,crop,maxstore,maxcrop from " . TB_PREFIX . "odata where wref = ".$vid.""; @@ -1970,7 +1971,7 @@ class MYSQLi_DB { } function getFieldLevel($vid, $field) { - list($vid, $field) = $this->escape_input($vid, $field); + list($vid, $field) = $this->escape_input((int) $vid, $field); $q = "SELECT f" . $field . " from " . TB_PREFIX . "fdata where vref = $vid LIMIT 1"; $result = mysqli_query($this->dblink,$q); @@ -1979,7 +1980,7 @@ class MYSQLi_DB { } function getFieldType($vid, $field) { - list($vid, $field) = $this->escape_input($vid, $field); + list($vid, $field) = $this->escape_input((int) $vid, $field); $q = "SELECT f" . $field . "t from " . TB_PREFIX . "fdata where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -1988,7 +1989,7 @@ class MYSQLi_DB { } function getFieldDistance($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "vdata where owner > 4 and wref != $wid"; $array = $this->query_return($q); @@ -2018,7 +2019,7 @@ class MYSQLi_DB { } function getVSumField($uid, $field) { - list($uid, $field) = $this->escape_input($uid, $field); + list($uid, $field) = $this->escape_input((int) $uid, $field); if($field != "cp"){ $q = "SELECT sum(" . $field . ") FROM " . TB_PREFIX . "vdata where owner = $uid"; @@ -2031,7 +2032,7 @@ class MYSQLi_DB { } function updateVillage($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $time = time(); $q = "UPDATE " . TB_PREFIX . "vdata set lastupdate = $time where wref = $vid"; @@ -2040,7 +2041,7 @@ class MYSQLi_DB { function updateOasis($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $time = time(); $q = "UPDATE " . TB_PREFIX . "odata set lastupdated = $time where wref = $vid"; @@ -2048,7 +2049,7 @@ class MYSQLi_DB { } function updateOasis2($vid, $time) { - list($vid, $time) = $this->escape_input($vid, $time); + list($vid, $time) = $this->escape_input((int) $vid, $time); $time = time(); $time2 = NATURE_REGTIME; @@ -2057,7 +2058,7 @@ class MYSQLi_DB { } function setVillageName($vid, $name) { - list($vid, $name) = $this->escape_input($vid, $name); + list($vid, $name) = $this->escape_input((int) $vid, $name); if(!empty($name)) { @@ -2067,7 +2068,7 @@ class MYSQLi_DB { } function modifyPop($vid, $pop, $mode) { - list($vid, $pop, $mode) = $this->escape_input($vid, $pop, $mode); + list($vid, $pop, $mode) = $this->escape_input((int) $vid, (int) $pop, $mode); if(!$mode) { $q = "UPDATE " . TB_PREFIX . "vdata set pop = pop + $pop where wref = $vid"; @@ -2078,14 +2079,14 @@ class MYSQLi_DB { } function addCP($ref, $cp) { - list($ref, $cp) = $this->escape_input($ref, $cp); + list($ref, $cp) = $this->escape_input((int) $ref, (int) $cp); $q = "UPDATE " . TB_PREFIX . "vdata set cp = cp + $cp where wref = $ref"; return mysqli_query($this->dblink,$q); } function addCel($ref, $cel, $type) { - list($ref, $cel, $type) = $this->escape_input($ref, $cel, $type); + list($ref, $cel, $type) = $this->escape_input((int) $ref, (int) $cel, (int) $type); $q = "UPDATE " . TB_PREFIX . "vdata set celebration = $cel, type= $type where wref = $ref"; return mysqli_query($this->dblink,$q); @@ -2098,20 +2099,20 @@ class MYSQLi_DB { } function clearCel($ref) { - list($ref) = $this->escape_input($ref); + list($ref) = $this->escape_input((int) $ref); $q = "UPDATE " . TB_PREFIX . "vdata set celebration = 0, type = 0 where wref = $ref"; return mysqli_query($this->dblink,$q); } function setCelCp($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); $q = "UPDATE " . TB_PREFIX . "users set cp = cp + $cp where id = $user"; return mysqli_query($this->dblink,$q); } function clearExpansionSlot($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); for($i = 1; $i <= 3; $i++) { $q = "UPDATE " . TB_PREFIX . "vdata SET exp" . $i . "=0 WHERE exp" . $i . "=" . $id; @@ -2120,7 +2121,7 @@ class MYSQLi_DB { } function getInvitation($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "ali_invite where uid = $uid"; $result = mysqli_query($this->dblink,$q); @@ -2128,7 +2129,7 @@ class MYSQLi_DB { } function getInvitation2($uid, $aid) { - list($uid, $aid) = $this->escape_input($uid, $aid); + list($uid, $aid) = $this->escape_input((int) $uid, (int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "ali_invite where uid = $uid and alliance = $aid"; $result = mysqli_query($this->dblink,$q); @@ -2136,7 +2137,7 @@ class MYSQLi_DB { } function getAliInvitations($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "ali_invite where alliance = $aid && accept = 0"; $result = mysqli_query($this->dblink,$q); @@ -2144,7 +2145,7 @@ class MYSQLi_DB { } function sendInvitation($uid, $alli, $sender) { - list($uid, $alli, $sender) = $this->escape_input($uid, $alli, $sender); + list($uid, $alli, $sender) = $this->escape_input((int) $uid, (int) $alli, (int) $sender); $time = time(); $q = "INSERT INTO " . TB_PREFIX . "ali_invite values (0,$uid,$alli,$sender,$time,0)"; @@ -2152,29 +2153,29 @@ class MYSQLi_DB { } function removeInvitation($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE FROM " . TB_PREFIX . "ali_invite where id = $id"; return mysqli_query($this->dblink,$q); } function sendMessage($client, $owner, $topic, $message, $send, $alliance, $player, $coor, $report) { - list($client, $owner, $topic, $message, $send, $alliance, $player, $coor, $report) = $this->escape_input($client, $owner, $topic, $message, $send, $alliance, $player, $coor, $report); + list($client, $owner, $topic, $message, $send, $alliance, $player, $coor, $report) = $this->escape_input((int) $client, (int) $owner, $topic, $message, (int) $send, (int) $alliance, (int) $player, (int) $coor, (int) $report); $time = time(); - $q = "INSERT INTO " . TB_PREFIX . "mdata values (0,$client,$owner,'$topic',\"$message\",0,0,$send,$time,0,0,$alliance,$player,$coor,$report)"; + $q = "INSERT INTO " . TB_PREFIX . "mdata values (0,$client,$owner,'$topic','$message',0,0,$send,$time,0,0,$alliance,$player,$coor,$report)"; return mysqli_query($this->dblink,$q); } function setArchived($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "mdata set archived = 1 where id = $id"; return mysqli_query($this->dblink,$q); } function setNorm($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "mdata set archived = 0 where id = $id"; return mysqli_query($this->dblink,$q); @@ -2191,7 +2192,7 @@ class MYSQLi_DB { References: User ID/Message ID, Mode ***************************/ function getMessage($id, $mode) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); global $session; switch($mode) { @@ -2238,7 +2239,7 @@ class MYSQLi_DB { } function getDelSent($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "mdata WHERE owner = $uid and delowner = 1 ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); @@ -2246,7 +2247,7 @@ class MYSQLi_DB { } function getDelInbox($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "mdata WHERE target = $uid and deltarget = 1 ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); @@ -2254,7 +2255,7 @@ class MYSQLi_DB { } function getDelArchive($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "mdata WHERE target = $uid and archived = 1 and deltarget = 1 OR owner = $uid and archived = 1 and delowner = 1 ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); @@ -2262,45 +2263,45 @@ class MYSQLi_DB { } function unarchiveNotice($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "ndata set ntype = archive, archive = 0 where id = $id"; return mysqli_query($this->dblink,$q); } function archiveNotice($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "update " . TB_PREFIX . "ndata set archive = ntype, ntype = 9 where id = $id"; return mysqli_query($this->dblink,$q); } function removeNotice($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "ndata set del = 1,viewed = 1 where id = $id"; return mysqli_query($this->dblink,$q); } function noticeViewed($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "ndata set viewed = 1 where id = $id"; return mysqli_query($this->dblink,$q); } - function addNotice($uid, $toWref, $ally, $type, $topic, $data, $time = 0) { - list($uid, $toWref, $ally, $type, $topic, $data, $time) = $this->escape_input($uid, $toWref, $ally, $type, $topic, $data, $time); + function addNotice($uid, $toWref, $ally, $type, $topic, $data, $time = 0) { + list($uid, $toWref, $ally, $type, $topic, $data, $time) = $this->escape_input($uid, $toWref, $ally, $type, $topic, $data, $time); - if($time == 0) { - $time = time(); - } - $q = "INSERT INTO " . TB_PREFIX . "ndata (id, uid, toWref, ally, topic, ntype, data, time, viewed) values (0,'$uid','$toWref','$ally','$topic',$type,'$data',$time,0)"; - return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); - } + if($time == 0) { + $time = time(); + } + $q = "INSERT INTO " . TB_PREFIX . "ndata (id, uid, toWref, ally, topic, ntype, data, time, viewed) values (0,'$uid','$toWref','$ally','$topic',$type,'$data',$time,0)"; + return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); + } function getNotice($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "ndata where uid = $uid and del = 0 ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); @@ -2317,7 +2318,7 @@ class MYSQLi_DB { } function getNotice3($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "ndata where uid = $uid ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); @@ -2325,23 +2326,23 @@ class MYSQLi_DB { } function getNotice4($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "ndata where id = $id ORDER BY time DESC"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } function getUnViewNotice($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "ndata where uid = $uid AND viewed=0"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } function createTradeRoute($uid,$wid,$from,$r1,$r2,$r3,$r4,$start,$deliveries,$merchant,$time) { - list($uid,$wid,$from,$r1,$r2,$r3,$r4,$start,$deliveries,$merchant,$time) = $this->escape_input($uid,$wid,$from,$r1,$r2,$r3,$r4,$start,$deliveries,$merchant,$time); + list($uid,$wid,$from,$r1,$r2,$r3,$r4,$start,$deliveries,$merchant,$time) = $this->escape_input((int) $uid,(int) $wid,(int) $from,(int) $r1,(int) $r2,(int) $r3,(int) $r4,(int) $start,(int) $deliveries,(int) $merchant,(int) $time); - $x = "UPDATE " . TB_PREFIX . "users SET gold = gold - 2 WHERE id = ".$uid.""; + $x = "UPDATE " . TB_PREFIX . "users SET gold = gold - 2 WHERE id = ".$uid; mysqli_query($this->dblink,$x); $timeleft = time()+604800; $q = "INSERT into " . TB_PREFIX . "route values (0,$uid,$wid,$from,$r1,$r2,$r3,$r4,$start,$deliveries,$merchant,$time,$timeleft)"; @@ -2349,7 +2350,7 @@ class MYSQLi_DB { } function getTradeRoute($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "route where uid = $uid ORDER BY timestamp ASC"; $result = mysqli_query($this->dblink,$q); @@ -2357,7 +2358,7 @@ class MYSQLi_DB { } function getTradeRoute2($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "route where id = $id"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -2366,7 +2367,7 @@ class MYSQLi_DB { } function getTradeRouteUid($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "route where id = $id"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -2375,7 +2376,7 @@ class MYSQLi_DB { } function editTradeRoute($id,$column,$value,$mode) { - list($id,$column,$value,$mode) = $this->escape_input($id,$column,$value,$mode); + list($id,$column,$value,$mode) = $this->escape_input((int) $id,$column,(int) $value,$mode); if(!$mode){ $q = "UPDATE " . TB_PREFIX . "route set $column = $value where id = $id"; @@ -2386,14 +2387,14 @@ class MYSQLi_DB { } function deleteTradeRoute($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE FROM " . TB_PREFIX . "route where id = $id"; return mysqli_query($this->dblink,$q); } function addBuilding($wid, $field, $type, $loop, $time, $master, $level) { - list($wid, $field, $type, $loop, $time, $master, $level) = $this->escape_input($wid, $field, $type, $loop, $time, $master, $level); + list($wid, $field, $type, $loop, $time, $master, $level) = $this->escape_input((int) $wid, $field, (int) $type, (int) $loop, (int) $time, (int) $master, (int) $level); $x = "UPDATE " . TB_PREFIX . "fdata SET f" . $field . "t=" . $type . " WHERE vref=" . $wid; mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink)); @@ -2402,7 +2403,7 @@ class MYSQLi_DB { } function removeBuilding($d) { - list($d) = $this->escape_input($d); + list($d) = $this->escape_input((int) $d); global $building, $village; $jobLoopconID = -1; @@ -2456,7 +2457,7 @@ class MYSQLi_DB { $uprequire = $building->resourceRequired($jobs[1]['field'],$jobs[1]['type'],1); $time = $uprequire['time']; $timestamp = $time+time(); - $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".$jobs[1]['id'].""; + $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".(int) $jobs[1]['id']; mysqli_query($this->dblink,$q); } }else if($SameBuildCount == 6){ @@ -2464,7 +2465,7 @@ class MYSQLi_DB { $uprequire = $building->resourceRequired($jobs[2]['field'],$jobs[2]['type'],1); $time = $uprequire['time']; $timestamp = $time+time(); - $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".$jobs[2]['id'].""; + $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".(int) $jobs[2]['id']; mysqli_query($this->dblink,$q); } }else if($SameBuildCount == 7){ @@ -2472,7 +2473,7 @@ class MYSQLi_DB { $uprequire = $building->resourceRequired($jobs[2]['field'],$jobs[2]['type'],1); $time = $uprequire['time']; $timestamp = $time+time(); - $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".$jobs[2]['id'].""; + $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=".$timestamp." WHERE id=".(int) $jobs[2]['id']; mysqli_query($this->dblink,$q); } } @@ -2480,28 +2481,28 @@ class MYSQLi_DB { $uprequire1 = $building->resourceRequired($jobs[$jobMaster]['field'],$jobs[$jobMaster]['type'],2); $time1 = $uprequire1['time']; $timestamp1 = $time1; - $q1 = "UPDATE " . TB_PREFIX . "bdata SET level=level-1,timestamp=".$timestamp1." WHERE id=".$jobs[$jobMaster]['id'].""; + $q1 = "UPDATE " . TB_PREFIX . "bdata SET level=level-1,timestamp=".$timestamp1." WHERE id=".(int) $jobs[$jobMaster]['id']; mysqli_query($this->dblink,$q1); }else{ $uprequire1 = $building->resourceRequired($jobs[$jobMaster]['field'],$jobs[$jobMaster]['type'],1); $time1 = $uprequire1['time']; $timestamp1 = $time1; - $q1 = "UPDATE " . TB_PREFIX . "bdata SET level=level-1,timestamp=".$timestamp1." WHERE id=".$jobs[$jobMaster]['id'].""; + $q1 = "UPDATE " . TB_PREFIX . "bdata SET level=level-1,timestamp=".$timestamp1." WHERE id=".(int) $jobs[$jobMaster]['id']; mysqli_query($this->dblink,$q1); } }else if($d == $jobs[floor($SameBuildCount / 3)]['id'] || $d == $jobs[floor($SameBuildCount / 2) + 1]['id']) { - $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=" . $jobs[floor($SameBuildCount / 3)]['timestamp'] . " WHERE master = 0 AND id > ".$d." and (ID=" . $jobs[floor($SameBuildCount / 3)]['id'] . " OR ID=" . $jobs[floor($SameBuildCount / 2) + 1]['id'] . ")"; + $q = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,level=level-1,timestamp=" . (int) $jobs[floor($SameBuildCount / 3)]['timestamp'] . " WHERE master = 0 AND id > ".$d." and (ID=" . (int) $jobs[floor($SameBuildCount / 3)]['id'] . " OR ID=" . (int) $jobs[floor($SameBuildCount / 2) + 1]['id'] . ")"; mysqli_query($this->dblink,$q); } } else { if($jobs[$jobDeleted]['field'] >= 19) { - $x = "SELECT f" . $jobs[$jobDeleted]['field'] . " FROM " . TB_PREFIX . "fdata WHERE vref=" . $jobs[$jobDeleted]['wid']; + $x = "SELECT f" . $jobs[$jobDeleted]['field'] . " FROM " . TB_PREFIX . "fdata WHERE vref=" . (int) $jobs[$jobDeleted]['wid']; $result = mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink)); $fieldlevel = mysqli_fetch_row($result); if($fieldlevel[0] == 0) { if ($village->natar==1 && $jobs[$jobDeleted]['field']==99) { //fix by ronix }else{ - $x = "UPDATE " . TB_PREFIX . "fdata SET f" . $jobs[$jobDeleted]['field'] . "t=0 WHERE vref=" . $jobs[$jobDeleted]['wid']; + $x = "UPDATE " . TB_PREFIX . "fdata SET f" . $jobs[$jobDeleted]['field'] . "t=0 WHERE vref=" . (int) $jobs[$jobDeleted]['wid']; mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink)); } } @@ -2509,7 +2510,7 @@ class MYSQLi_DB { if(($jobLoopconID >= 0) && ($jobs[$jobDeleted]['loopcon'] != 1)) { if(($jobs[$jobLoopconID]['field'] <= 18 && $jobs[$jobDeleted]['field'] <= 18) || ($jobs[$jobLoopconID]['field'] >= 19 && $jobs[$jobDeleted]['field'] >= 19) || sizeof($jobs) < 3) { $uprequire = $building->resourceRequired($jobs[$jobLoopconID]['field'], $jobs[$jobLoopconID]['type']); - $x = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,timestamp=" . (time() + $uprequire['time']) . " WHERE wid=" . $jobs[$jobDeleted]['wid'] . " AND loopcon=1 AND master=0"; + $x = "UPDATE " . TB_PREFIX . "bdata SET loopcon=0,timestamp=" . (time() + (int) $uprequire['time']) . " WHERE wid=" . (int) $jobs[$jobDeleted]['wid'] . " AND loopcon=1 AND master=0"; mysqli_query($this->dblink,$x) or die(mysqli_error($database->dblink)); } } @@ -2519,7 +2520,7 @@ class MYSQLi_DB { } function addDemolition($wid, $field) { - list($wid, $field) = $this->escape_input($wid, $field); + list($wid, $field) = $this->escape_input((int) $wid, (int) $field); global $building, $village; $q = "DELETE FROM ".TB_PREFIX."bdata WHERE field=$field AND wid=$wid"; @@ -2531,7 +2532,7 @@ class MYSQLi_DB { function getDemolition($wid = 0) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); if($wid) { $q = "SELECT * FROM " . TB_PREFIX . "demolition WHERE vref=" . $wid; @@ -2547,7 +2548,7 @@ class MYSQLi_DB { } function finishDemolition($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "UPDATE " . TB_PREFIX . "demolition SET timetofinish=" . time() . " WHERE vref=" . $wid; $result= mysqli_query($this->dblink,$q); @@ -2555,14 +2556,14 @@ class MYSQLi_DB { } function delDemolition($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "DELETE FROM " . TB_PREFIX . "demolition WHERE vref=" . $wid; return mysqli_query($this->dblink,$q); } function getJobs($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid order by master,timestamp ASC"; $result = mysqli_query($this->dblink,$q); @@ -2570,7 +2571,7 @@ class MYSQLi_DB { } function FinishWoodcutter($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $time = time()-1; $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and type = 1 order by master,timestamp ASC"; @@ -2594,7 +2595,7 @@ class MYSQLi_DB { } function getMasterJobs($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and master = 1 order by master,timestamp ASC"; $result = mysqli_query($this->dblink,$q); @@ -2602,7 +2603,7 @@ class MYSQLi_DB { } function getMasterJobsByField($wid,$field) { - list($wid,$field) = $this->escape_input($wid,$field); + list($wid,$field) = $this->escape_input((int) $wid,(int) $field); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and field = $field and master = 1 order by master,timestamp ASC"; $result = mysqli_query($this->dblink,$q); @@ -2610,7 +2611,7 @@ class MYSQLi_DB { } function getBuildingByField($wid,$field) { - list($wid,$field) = $this->escape_input($wid,$field); + list($wid,$field) = $this->escape_input((int) $wid,(int) $field); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and field = $field and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2618,7 +2619,7 @@ class MYSQLi_DB { } function getBuildingByField2($wid,$field) { - list($wid,$field) = $this->escape_input($wid,$field); + list($wid,$field) = $this->escape_input((int) $wid,(int) $field); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and field = $field and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2626,7 +2627,7 @@ class MYSQLi_DB { } function getBuildingByType($wid,$type) { - list($wid,$type) = $this->escape_input($wid,$type); + list($wid,$type) = $this->escape_input((int) $wid,(int) $type); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and type = $type and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2634,7 +2635,7 @@ class MYSQLi_DB { } function getBuildingByType2($wid,$type) { - list($wid,$type) = $this->escape_input($wid,$type); + list($wid,$type) = $this->escape_input((int) $wid,(int) $type); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and type = $type and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2642,7 +2643,7 @@ class MYSQLi_DB { } function getDorf1Building($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and field < 19 and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2650,7 +2651,7 @@ class MYSQLi_DB { } function getDorf2Building($wid) { - list($wid) = $this->escape_input($wid); + list($wid) = $this->escape_input((int) $wid); $q = "SELECT * FROM " . TB_PREFIX . "bdata where wid = $wid and field > 18 and master = 0"; $result = mysqli_query($this->dblink,$q); @@ -2658,7 +2659,7 @@ class MYSQLi_DB { } function updateBuildingWithMaster($id, $time,$loop) { - list($id, $time,$loop) = $this->escape_input($id, $time,$loop); + list($id, $time,$loop) = $this->escape_input((int) $id, (int) $time,(int) $loop); $q = "UPDATE " . TB_PREFIX . "bdata SET master = 0, timestamp = ".$time.",loopcon = ".$loop." WHERE id = ".$id.""; return mysqli_query($this->dblink,$q); @@ -2678,7 +2679,7 @@ class MYSQLi_DB { References: id ***************************/ function setMarketAcc($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "market set accept = 1 where id = $id"; return mysqli_query($this->dblink,$q); @@ -2691,7 +2692,7 @@ class MYSQLi_DB { References: Wood/ID, Clay, Iron, Crop, Mode ***************************/ function sendResource($ref, $clay, $iron, $crop, $merchant, $mode) { - list($ref, $clay, $iron, $crop, $merchant, $mode) = $this->escape_input($ref, $clay, $iron, $crop, $merchant, $mode); + list($ref, $clay, $iron, $crop, $merchant, $mode) = $this->escape_input((int) $ref, (int) $clay, (int) $iron, (int) $crop, (int) $merchant, $mode); if(!$mode) { $q = "INSERT INTO " . TB_PREFIX . "send values (0,$ref,$clay,$iron,$crop,$merchant)"; @@ -2710,23 +2711,23 @@ class MYSQLi_DB { ***************************/ function getResourcesBack($vref, $gtype, $gamt) { - list($vref, $gtype, $gamt) = $this->escape_input($vref, $gtype, $gamt); + list($vref, $gtype, $gamt) = $this->escape_input((int) $vref, (int) $gtype, (int) $gamt); //Xtype (1) = wood, (2) = clay, (3) = iron, (4) = crop if($gtype == 1) { - $q = "UPDATE " . TB_PREFIX . "vdata SET `wood` = `wood` + '$gamt' WHERE wref = $vref"; + $q = "UPDATE " . TB_PREFIX . "vdata SET `wood` = `wood` + $gamt WHERE wref = $vref"; return mysqli_query($this->dblink,$q); } else if($gtype == 2) { - $q = "UPDATE " . TB_PREFIX . "vdata SET `clay` = `clay` + '$gamt' WHERE wref = $vref"; + $q = "UPDATE " . TB_PREFIX . "vdata SET `clay` = `clay` + $gamt WHERE wref = $vref"; return mysqli_query($this->dblink,$q); } else if($gtype == 3) { - $q = "UPDATE " . TB_PREFIX . "vdata SET `iron` = `iron` + '$gamt' WHERE wref = $vref"; + $q = "UPDATE " . TB_PREFIX . "vdata SET `iron` = `iron` + $gamt WHERE wref = $vref"; return mysqli_query($this->dblink,$q); } else if($gtype == 4) { - $q = "UPDATE " . TB_PREFIX . "vdata SET `crop` = `crop` + '$gamt' WHERE wref = $vref"; + $q = "UPDATE " . TB_PREFIX . "vdata SET `crop` = `crop` + $gamt WHERE wref = $vref"; return mysqli_query($this->dblink,$q); } } @@ -2747,7 +2748,7 @@ class MYSQLi_DB { } function removeAcceptedOffer($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE FROM " . TB_PREFIX . "market where id = $id"; $result = mysqli_query($this->dblink,$q); @@ -2761,7 +2762,7 @@ class MYSQLi_DB { References: Village, Give, Amt, Want, Amt, Time, Alliance, Mode ***************************/ function addMarket($vid, $gtype, $gamt, $wtype, $wamt, $time, $alliance, $merchant, $mode) { - list($vid, $gtype, $gamt, $wtype, $wamt, $time, $alliance, $merchant, $mode) = $this->escape_input($vid, $gtype, $gamt, $wtype, $wamt, $time, $alliance, $merchant, $mode); + list($vid, $gtype, $gamt, $wtype, $wamt, $time, $alliance, $merchant, $mode) = $this->escape_input((int) $vid, (int) $gtype, (int) $gamt, (int) $wtype, (int) $wamt, (int) $time, (int) $alliance, (int) $merchant, $mode); if(!$mode) { $q = "INSERT INTO " . TB_PREFIX . "market values (0,$vid,$gtype,$gamt,$wtype,$wamt,0,$time,$alliance,$merchant)"; @@ -2778,9 +2779,9 @@ class MYSQLi_DB { References: Village, Mode ***************************/ function getMarket($vid, $mode) { - list($vid, $mode) = $this->escape_input($vid, $mode); + list($vid, $mode) = $this->escape_input((int) $vid, $mode); - $alliance = $this->getUserField($this->getVillageField($vid, "owner"), "alliance", 0); + $alliance = (int) $this->getUserField($this->getVillageField($vid, "owner"), "alliance", 0); if(!$mode) { $q = "SELECT * FROM " . TB_PREFIX . "market where vref = $vid and accept = 0"; } else { @@ -2795,7 +2796,7 @@ class MYSQLi_DB { References: ID ***************************/ function getMarketInfo($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "market where id = $id"; $result = mysqli_query($this->dblink,$q); @@ -2803,7 +2804,7 @@ class MYSQLi_DB { } function setMovementProc($moveid) { - list($moveid) = $this->escape_input($moveid); + list($moveid) = $this->escape_input((int) $moveid); $q = "UPDATE " . TB_PREFIX . "movement set proc = 1 where moveid = $moveid"; return mysqli_query($this->dblink,$q); @@ -2814,7 +2815,7 @@ class MYSQLi_DB { References: Village ***************************/ function totalMerchantUsed($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $time = time(); $q = "SELECT sum(" . TB_PREFIX . "send.merchant) from " . TB_PREFIX . "send, " . TB_PREFIX . "movement where " . TB_PREFIX . "movement.from = '$vid' and " . TB_PREFIX . "send.id = " . TB_PREFIX . "movement.ref and " . TB_PREFIX . "movement.proc = 0 and sort_type = 0"; @@ -2879,7 +2880,7 @@ class MYSQLi_DB { } function addA2b($ckey, $timestamp, $to, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type) { - list($ckey, $timestamp, $to, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type) = $this->escape_input($ckey, $timestamp, $to, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type); + list($ckey, $timestamp, $to, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type) = $this->escape_input($ckey, (int) $timestamp, (int) $to, (int) $t1, (int) $t2, (int) $t3, (int) $t4, (int) $t5, (int) $t6, (int) $t7, (int) $t8, (int) $t9, (int) $t10, (int) $t11, (int) $type); $q = "INSERT INTO " . TB_PREFIX . "a2b (ckey,time_check,to_vid,u1,u2,u3,u4,u5,u6,u7,u8,u9,u10,u11,type) VALUES ('$ckey', '$timestamp', '$to', '$t1', '$t2', '$t3', '$t4', '$t5', '$t6', '$t7', '$t8', '$t9', '$t10', '$t11', '$type')"; mysqli_query($this->dblink,$q); @@ -2899,14 +2900,14 @@ class MYSQLi_DB { } function addMovement($type, $from, $to, $ref, $time, $endtime, $send = 1, $wood = 0, $clay = 0, $iron = 0, $crop = 0, $ref2 = 0) { - list($type, $from, $to, $ref, $time, $endtime, $send, $wood, $clay, $iron, $crop, $ref2) = $this->escape_input($type, $from, $to, $ref, $time, $endtime, $send, $wood, $clay, $iron, $crop, $ref2); + list($type, $from, $to, $ref, $time, $endtime, $send, $wood, $clay, $iron, $crop, $ref2) = $this->escape_input((int) $type, (int) $from, (int) $to, (int) $ref, (int) $time, (int) $endtime, (int) $send, (int) $wood, (int) $clay, (int) $iron, (int) $crop, (int) $ref2); $q = "INSERT INTO " . TB_PREFIX . "movement values (0,$type,$from,$to,$ref,$ref2,$time,$endtime,0,$send,$wood,$clay,$iron,$crop)"; return mysqli_query($this->dblink,$q); } function addAttack($vid, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type, $ctar1, $ctar2, $spy,$b1=0,$b2=0,$b3=0,$b4=0,$b5=0,$b6=0,$b7=0,$b8=0) { - list($vid, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type, $ctar1, $ctar2, $spy,$b1,$b2,$b3,$b4,$b5,$b6,$b7,$b8) = $this->escape_input($vid, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type, $ctar1, $ctar2, $spy,$b1,$b2,$b3,$b4,$b5,$b6,$b7,$b8); + list($vid, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10, $t11, $type, $ctar1, $ctar2, $spy,$b1,$b2,$b3,$b4,$b5,$b6,$b7,$b8) = $this->escape_input((int) $vid, (int) $t1, (int) $t2, (int) $t3, (int) $t4, (int) $t5, (int) $t6, (int) $t7, (int) $t8, (int) $t9, (int) $t10, (int) $t11, (int) $type, (int) $ctar1, (int) $ctar2, (int) $spy,(int) $b1,(int) $b2,(int) $b3,(int) $b4,(int) $b5,(int) $b6,(int) $b7,(int) $b8); $q = "INSERT INTO " . TB_PREFIX . "attacks values (0,$vid,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11,$type,$ctar1,$ctar2,$spy,$b1,$b2,$b3,$b4,$b5,$b6,$b7,$b8)"; mysqli_query($this->dblink,$q); @@ -2914,7 +2915,7 @@ class MYSQLi_DB { } function modifyAttack($aid, $unit, $amt) { - list($aid, $unit, $amt) = $this->escape_input($aid, $unit, $amt); + list($aid, $unit, $amt) = $this->escape_input((int) $aid, $unit, (int) $amt); $unit = 't' . $unit; $q = "UPDATE " . TB_PREFIX . "attacks set $unit = $unit - $amt where id = $aid"; @@ -2922,7 +2923,7 @@ class MYSQLi_DB { } function modifyAttack2($aid, $unit, $amt) { - list($aid, $unit, $amt) = $this->escape_input($aid, $unit, $amt); + list($aid, $unit, $amt) = $this->escape_input((int) $aid, $unit, (int) $amt); $unit = 't' . $unit; $q = "UPDATE " . TB_PREFIX . "attacks set $unit = $unit + $amt where id = $aid"; @@ -2930,7 +2931,7 @@ class MYSQLi_DB { } function modifyAttack3($aid, $units) { - list($aid, $units) = $this->escape_input($aid, $units); + list($aid, $units) = $this->escape_input((int) $aid, $units); $q = "UPDATE ".TB_PREFIX."attacks set $units WHERE id = $aid"; return mysqli_query($this->dblink,$q); @@ -2955,14 +2956,14 @@ class MYSQLi_DB { } function getUserByTribe($tribe) { - list($tribe) = $this->escape_input($tribe); + list($tribe) = $this->escape_input((int) $tribe); $q = "SELECT * FROM " . TB_PREFIX . "users where tribe = $tribe"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } function getUserByAlliance($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "users where alliance = $aid"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); @@ -2975,7 +2976,7 @@ class MYSQLi_DB { } function getAllMember($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "users where alliance = $aid order by (SELECT sum(pop) FROM " . TB_PREFIX . "vdata WHERE owner = " . TB_PREFIX . "users.id) desc, " . TB_PREFIX . "users.id desc"; $result = mysqli_query($this->dblink,$q); @@ -2983,7 +2984,7 @@ class MYSQLi_DB { } function getAllMember2($aid) { - list($aid) = $this->escape_input($aid); + list($aid) = $this->escape_input((int) $aid); $q = "SELECT * FROM " . TB_PREFIX . "users where alliance = $aid order by (SELECT sum(pop) FROM " . TB_PREFIX . "vdata WHERE owner = " . TB_PREFIX . "users.id) desc, " . TB_PREFIX . "users.id desc LIMIT 1"; $result = mysqli_query($this->dblink,$q); @@ -2991,14 +2992,14 @@ class MYSQLi_DB { } function addUnits($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "INSERT into " . TB_PREFIX . "units (vref) values ($vid)"; return mysqli_query($this->dblink,$q); } function getUnit($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * from " . TB_PREFIX . "units where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3010,7 +3011,7 @@ class MYSQLi_DB { } function getUnitsNumber($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * from " . TB_PREFIX . "units where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3037,7 +3038,7 @@ class MYSQLi_DB { } function getHero($uid=0,$all=0) { - list($uid,$all) = $this->escape_input($uid,$all); + list($uid,$all) = $this->escape_input((int) $uid,$all); if ($all) { $q = "SELECT * FROM ".TB_PREFIX."hero WHERE uid=$uid"; @@ -3055,61 +3056,61 @@ class MYSQLi_DB { } function getHeroField($uid,$field) { - list($uid,$field) = $this->escape_input($uid,$field); + list($uid,$field) = $this->escape_input((int) $uid,$field); $q = "SELECT * FROM ".TB_PREFIX."hero WHERE uid = $uid"; $result = mysqli_query($this->dblink,$q); return $this->mysqli_fetch_all($result); } function modifyHero($column,$value,$heroid,$mode=0) { - list($column,$value,$heroid,$mode) = $this->escape_input($column,$value,$heroid,$mode); + list($column,$value,$heroid,$mode) = $this->escape_input($column,$value,(int) $heroid,$mode); if(!$mode) { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $value WHERE heroid = $heroid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = '$value' WHERE heroid = $heroid"; } elseif($mode=1) { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column + $value WHERE heroid = $heroid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column + ". (int) $value . " WHERE heroid = $heroid"; } else { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column - $value WHERE heroid = $heroid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column - ". (int) $value ." WHERE heroid = $heroid"; } return mysqli_query($this->dblink,$q); } function modifyHeroByOwner($column,$value,$uid,$mode=0) { - list($column,$value,$uid,$mode) = $this->escape_input($column,$value,$uid,$mode); + list($column,$value,$uid,$mode) = $this->escape_input($column,$value,(int) $uid,$mode); if(!$mode) { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $value WHERE uid = $uid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = '$value' WHERE uid = $uid"; } elseif($mode=1) { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column + $value WHERE uid = $uid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column + ". (int) $value ." WHERE uid = $uid"; } else { - $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column - $value WHERE uid = $uid"; + $q = "UPDATE `".TB_PREFIX."hero` SET $column = $column - ". (int) $value ." WHERE uid = $uid"; } return mysqli_query($this->dblink,$q); } function modifyHeroXp($column,$value,$heroid) { - list($column,$value,$heroid) = $this->escape_input($column,$value,$heroid); + list($column,$value,$heroid) = $this->escape_input($column,(int) $value,(int) $heroid); $q = "UPDATE ".TB_PREFIX."hero SET $column = $column + $value WHERE uid=$heroid"; return mysqli_query($this->dblink,$q); } function addTech($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "INSERT into " . TB_PREFIX . "tdata (vref) values ($vid)"; return mysqli_query($this->dblink,$q); } function addABTech($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "INSERT into " . TB_PREFIX . "abdata (vref) values ($vid)"; return mysqli_query($this->dblink,$q); } function getABTech($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "abdata where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3117,14 +3118,14 @@ class MYSQLi_DB { } function addResearch($vid, $tech, $time) { - list($vid, $tech, $time) = $this->escape_input($vid, $tech, $time); + list($vid, $tech, $time) = $this->escape_input((int) $vid, $tech, (int) $time); $q = "INSERT into " . TB_PREFIX . "research values (0,$vid,'$tech',$time)"; return mysqli_query($this->dblink,$q); } function getResearching($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "research where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3132,7 +3133,7 @@ class MYSQLi_DB { } function checkIfResearched($vref, $unit) { - list($vref, $unit) = $this->escape_input($vref, $unit); + list($vref, $unit) = $this->escape_input((int) $vref, $unit); $q = "SELECT $unit FROM " . TB_PREFIX . "tdata WHERE vref = $vref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3141,7 +3142,7 @@ class MYSQLi_DB { } function getTech($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * from " . TB_PREFIX . "tdata where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3149,7 +3150,7 @@ class MYSQLi_DB { } function getTraining($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "training where vref = $vid ORDER BY id"; $result = mysqli_query($this->dblink,$q); @@ -3157,7 +3158,7 @@ class MYSQLi_DB { } function countTraining($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * FROM " . TB_PREFIX . "training WHERE vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3166,7 +3167,7 @@ class MYSQLi_DB { } function trainUnit($vid, $unit, $amt, $pop, $each, $time, $mode) { - list($vid, $unit, $amt, $pop, $each, $time, $mode) = $this->escape_input($vid, $unit, $amt, $pop, $each, $time, $mode); + list($vid, $unit, $amt, $pop, $each, $time, $mode) = $this->escape_input((int) $vid, (int) $unit, (int) $amt, (int) $pop, (int) $each, (int) $time, $mode); global $village, $building, $session, $technology; @@ -3250,14 +3251,14 @@ class MYSQLi_DB { } function updateTraining($id, $trained, $each) { - list($id, $trained, $each) = $this->escape_input($id, $trained, $each); + list($id, $trained, $each) = $this->escape_input((int) $id, (int) $trained, (int) $each); $q = "UPDATE " . TB_PREFIX . "training set amt = amt - $trained, timestamp2 = timestamp2 + $each where id = $id"; return mysqli_query($this->dblink,$q); } function modifyUnit($vref, $array_unit, $array_amt, $array_mode) { - list($vref, $array_unit, $array_amt, $array_mode) = $this->escape_input($vref, $array_unit, $array_amt, $array_modes); + list($vref, $array_unit, $array_amt, $array_mode) = $this->escape_input((int) $vref, $array_unit, $array_amt, $array_modes); $i = -1; $units=''; $number = count($array_unit); @@ -3279,7 +3280,7 @@ class MYSQLi_DB { } function getEnforce($vid, $from) { - list($vid, $from) = $this->escape_input($vid, $from); + list($vid, $from) = $this->escape_input((int) $vid, (int) $from); $q = "SELECT * from " . TB_PREFIX . "enforcement where `from` = $from and vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3287,7 +3288,7 @@ class MYSQLi_DB { } function getOasisEnforce($ref, $mode=0) { - list($ref, $mode) = $this->escape_input($ref, $mode); + list($ref, $mode) = $this->escape_input((int) $ref, $mode); if (!$mode) { $q = "SELECT e.*,o.conqured FROM ".TB_PREFIX."enforcement as e LEFT JOIN ".TB_PREFIX."odata as o ON e.vref=o.wref where o.conqured = $ref AND e.from !=$ref"; @@ -3299,7 +3300,7 @@ class MYSQLi_DB { } function getOasisEnforceArray($id, $mode=0) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); if (!$mode) { $q = "SELECT e.*,o.conqured FROM ".TB_PREFIX."enforcement as e LEFT JOIN ".TB_PREFIX."odata as o ON e.vref=o.wref where e.id = $id"; @@ -3311,7 +3312,7 @@ class MYSQLi_DB { } function getEnforceControllTroops($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $q = "SELECT * from " . TB_PREFIX . "enforcement where vref = $vid"; $result = mysqli_query($this->dblink,$q); @@ -3321,7 +3322,7 @@ class MYSQLi_DB { function addEnforce($data) { list($data) = $this->escape_input($data); - $q = "INSERT into " . TB_PREFIX . "enforcement (vref,`from`) values (" . $data['to'] . "," . $data['from'] . ")"; + $q = "INSERT into " . TB_PREFIX . "enforcement (vref,`from`) values (" . (int) $data['to'] . "," . (int) $data['from'] . ")"; mysqli_query($this->dblink,$q); $id = mysqli_insert_id($this->dblink); $owntribe = $this->getUserField($this->getVillageField($data['from'], "owner"), "tribe", 0); @@ -3340,7 +3341,7 @@ class MYSQLi_DB { function addEnforce2($data,$tribe,$dead1,$dead2,$dead3,$dead4,$dead5,$dead6,$dead7,$dead8,$dead9,$dead10,$dead11) { list($data,$tribe,$dead1,$dead2,$dead3,$dead4,$dead5,$dead6,$dead7,$dead8,$dead9,$dead10,$dead11) = $this->escape_input($data,$tribe,$dead1,$dead2,$dead3,$dead4,$dead5,$dead6,$dead7,$dead8,$dead9,$dead10,$dead11); - $q = "INSERT into " . TB_PREFIX . "enforcement (vref,`from`) values (" . $data['to'] . "," . $data['from'] . ")"; + $q = "INSERT into " . TB_PREFIX . "enforcement (vref,`from`) values (" . (int) $data['to'] . "," . (int) $data['from'] . ")"; mysqli_query($this->dblink,$q); $id = mysqli_insert_id($this->dblink); $owntribe = $this->getUserField($this->getVillageField($data['from'], "owner"), "tribe", 0); @@ -3365,7 +3366,7 @@ class MYSQLi_DB { } function modifyEnforce($id, $unit, $amt, $mode) { - list($id, $unit, $amt, $mode) = $this->escape_input($id, $unit, $amt, $mode); + list($id, $unit, $amt, $mode) = $this->escape_input((int) $id, $unit, (int) $amt, $mode); if($unit != 'hero') { $unit = 'u' . $unit; } if(!$mode) { @@ -3377,7 +3378,7 @@ class MYSQLi_DB { } function getEnforceArray($id, $mode) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); if(!$mode) { $q = "SELECT * from " . TB_PREFIX . "enforcement where id = $id"; @@ -3389,7 +3390,7 @@ class MYSQLi_DB { } function getEnforceVillage($id, $mode) { - list($id, $mode) = $this->escape_input($id, $mode); + list($id, $mode) = $this->escape_input((int) $id, $mode); if(!$mode) { $q = "SELECT * from " . TB_PREFIX . "enforcement where vref = $id"; @@ -3458,7 +3459,7 @@ class MYSQLi_DB { ***************************/ function getWWLevel($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); $q = "SELECT f99 FROM " . TB_PREFIX . "fdata WHERE vref = $vref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3472,7 +3473,7 @@ class MYSQLi_DB { ***************************/ function getWWOwnerID($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); $q = "SELECT owner FROM " . TB_PREFIX . "vdata WHERE wref = $vref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3486,7 +3487,7 @@ class MYSQLi_DB { ***************************/ function getUserAllianceID($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT alliance FROM " . TB_PREFIX . "users where id = $id"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3500,7 +3501,7 @@ class MYSQLi_DB { ***************************/ function getWWName($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); $q = "SELECT wwname FROM " . TB_PREFIX . "fdata WHERE vref = $vref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3514,7 +3515,7 @@ class MYSQLi_DB { ***************************/ function submitWWname($vref, $name) { - list($vref, $name) = $this->escape_input($vref, $name); + list($vref, $name) = $this->escape_input((int) $vref, $name); $q = "UPDATE " . TB_PREFIX . "fdata SET `wwname` = '$name' WHERE " . TB_PREFIX . "fdata.`vref` = $vref"; return mysqli_query($this->dblink,$q); @@ -3522,70 +3523,70 @@ class MYSQLi_DB { //medal functions function addclimberpop($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set Rc = Rc + '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set Rc = Rc + $cp where id = $user"; return mysqli_query($this->dblink,$q); } function addclimberrankpop($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set clp = clp + '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set clp = clp + $cp where id = $user"; return mysqli_query($this->dblink,$q); } function removeclimberrankpop($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set clp = clp - '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set clp = clp - $cp where id = $user"; return mysqli_query($this->dblink,$q); } function setclimberrankpop($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set clp = '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set clp = $cp where id = $user"; return mysqli_query($this->dblink,$q); } function updateoldrank($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set oldrank = '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set oldrank = $cp where id = $user"; return mysqli_query($this->dblink,$q); } function removeclimberpop($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "users set Rc = Rc - '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "users set Rc = Rc - $cp where id = $user"; return mysqli_query($this->dblink,$q); } // ALLIANCE MEDAL FUNCTIONS function addclimberpopAlly($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "alidata set Rc = Rc + '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "alidata set Rc = Rc + $cp where id = $user"; return mysqli_query($this->dblink,$q); } function addclimberrankpopAlly($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "alidata set clp = clp + '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "alidata set clp = clp + $cp where id = $user"; return mysqli_query($this->dblink,$q); } function removeclimberrankpopAlly($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "alidata set clp = clp - '$cp'' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "alidata set clp = clp - $cp where id = $user"; return mysqli_query($this->dblink,$q); } function updateoldrankAlly($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "alidata set oldrank = '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "alidata set oldrank = $cp where id = $user"; return mysqli_query($this->dblink,$q); } function removeclimberpopAlly($user, $cp) { - list($user, $cp) = $this->escape_input($user, $cp); + list($user, $cp) = $this->escape_input((int) $user, (int) $cp); - $q = "UPDATE " . TB_PREFIX . "alidata set Rc = Rc - '$cp' where id = $user"; + $q = "UPDATE " . TB_PREFIX . "alidata set Rc = Rc - $cp where id = $user"; return mysqli_query($this->dblink,$q); } @@ -3655,7 +3656,7 @@ class MYSQLi_DB { //MARKET FIXES function getWoodAvailable($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT wood FROM " . TB_PREFIX . "vdata WHERE wref = $wref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3664,7 +3665,7 @@ class MYSQLi_DB { } function getClayAvailable($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT clay FROM " . TB_PREFIX . "vdata WHERE wref = $wref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3673,7 +3674,7 @@ class MYSQLi_DB { } function getIronAvailable($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT iron FROM " . TB_PREFIX . "vdata WHERE wref = $wref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3682,7 +3683,7 @@ class MYSQLi_DB { } function getCropAvailable($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT crop FROM " . TB_PREFIX . "vdata WHERE wref = $wref"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); @@ -3691,7 +3692,7 @@ class MYSQLi_DB { } function Getowner($vid) { - list($vid) = $this->escape_input($vid); + list($vid) = $this->escape_input((int) $vid); $s = "SELECT owner FROM " . TB_PREFIX . "vdata where wref = $vid"; $result1 = mysqli_query($this->dblink,$s); @@ -3724,14 +3725,14 @@ class MYSQLi_DB { $high = 0; } //We switch type of oasis and instert record with apropriate infomation. - $q = "INSERT into " . TB_PREFIX . "odata VALUES ('" . $basearray['id'] . "'," . $basearray['oasistype'] . ",0,800,800,800,800,800,800," . time() . "," . time() . ",100,2,'Unoccupied Oasis',".$high.")"; + $q = "INSERT into " . TB_PREFIX . "odata VALUES ('" . $basearray['id'] . "'," . (int) $basearray['oasistype'] . ",0,800,800,800,800,800,800," . time() . "," . time() . ",100,2,'Unoccupied Oasis',".(int) $high.")"; $result = mysqli_query($this->dblink,$q); } } public function getAvailableExpansionTraining() { global $building, $session, $technology, $village; - $q = "SELECT (IF(exp1=0,1,0)+IF(exp2=0,1,0)+IF(exp3=0,1,0)) FROM " . TB_PREFIX . "vdata WHERE wref = $village->wid"; + $q = "SELECT (IF(exp1=0,1,0)+IF(exp2=0,1,0)+IF(exp3=0,1,0)) FROM " . TB_PREFIX . "vdata WHERE wref = ".(int) $village->wid; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); $maxslots = $row[0]; @@ -3744,11 +3745,11 @@ class MYSQLi_DB { $maxslots -= (3 - floor(($palace - 5) / 5)); } - $q = "SELECT (u10+u20+u30) FROM " . TB_PREFIX . "units WHERE vref = $village->wid"; + $q = "SELECT (u10+u20+u30) FROM " . TB_PREFIX . "units WHERE vref = ". (int) $village->wid; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); $settlers = $row[0]; - $q = "SELECT (u9+u19+u29) FROM " . TB_PREFIX . "units WHERE vref = $village->wid"; + $q = "SELECT (u9+u19+u29) FROM " . TB_PREFIX . "units WHERE vref = ". (int) $village->wid; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); $chiefs = $row[0]; @@ -3782,7 +3783,7 @@ class MYSQLi_DB { $chiefs += $build['t9']; } } - $q = "SELECT (u10+u20+u30) FROM " . TB_PREFIX . "enforcement WHERE `from` = $village->wid"; + $q = "SELECT (u10+u20+u30) FROM " . TB_PREFIX . "enforcement WHERE `from` = ".(int) $village->wid; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); if(!empty($row)) { @@ -3790,7 +3791,7 @@ class MYSQLi_DB { $settlers += $reinf[0]; } } - $q = "SELECT (u9+u19+u29) FROM " . TB_PREFIX . "enforcement WHERE `from` = $village->wid"; + $q = "SELECT (u9+u19+u29) FROM " . TB_PREFIX . "enforcement WHERE `from` = ".(int) $village->wid; $result = mysqli_query($this->dblink,$q); $row = mysqli_fetch_row($result); if(!empty($row)) { @@ -3829,7 +3830,7 @@ class MYSQLi_DB { } function getOwnArtefactInfo($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE vref = $vref"; $result = mysqli_query($this->dblink,$q); @@ -3837,7 +3838,7 @@ class MYSQLi_DB { } function getOwnArtefactInfo2($vref) { - list($vref) = $this->escape_input($vref); + list($vref) = $this->escape_input((int) $vref); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE vref = $vref"; $result = mysqli_query($this->dblink,$q); @@ -3845,7 +3846,7 @@ class MYSQLi_DB { } function getOwnArtefactInfo3($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE owner = $uid"; $result = mysqli_query($this->dblink,$q); @@ -3861,7 +3862,7 @@ class MYSQLi_DB { } function getOwnArtefactInfoByType2($vref, $type) { - list($vref, $type) = $this->escape_input($vref, $type); + list($vref, $type) = $this->escape_input((int) $vref, (int) $type); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE vref = $vref AND type = $type"; $result = mysqli_query($this->dblink,$q); @@ -3869,7 +3870,7 @@ class MYSQLi_DB { } function getOwnUniqueArtefactInfo($id, $type, $size) { - list($id, $type, $size) = $this->escape_input($id, $type, $size); + list($id, $type, $size) = $this->escape_input((int) $id, (int) $type, (int) $size); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE owner = $id AND type = $type AND size=$size"; $result = mysqli_query($this->dblink,$q); @@ -3877,7 +3878,7 @@ class MYSQLi_DB { } function getOwnUniqueArtefactInfo2($id, $type, $size, $mode) { - list($id, $type, $size, $mode) = $this->escape_input($id, $type, $size, $mode); + list($id, $type, $size, $mode) = $this->escape_input((int) $id, (int) $type, (int) $size, $mode); if(!$mode){ $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE owner = $id AND active = 1 AND type = $type AND size=$size"; @@ -3889,7 +3890,7 @@ class MYSQLi_DB { } function getFoolArtefactInfo($type,$vid,$uid) { - list($type,$vid,$uid) = $this->escape_input($type,$vid,$uid); + list($type,$vid,$uid) = $this->escape_input((int) $type,(int) $vid,(int) $uid); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE vref = $vid AND type = 8 AND kind = $type OR owner = $uid AND size > 1 AND active = 1 AND type = 8 AND kind = $type"; $result = mysqli_query($this->dblink,$q); @@ -3897,7 +3898,7 @@ class MYSQLi_DB { } function claimArtefact($vref, $ovref, $id) { - list($vref, $ovref, $id) = $this->escape_input($vref, $ovref, $id); + list($vref, $ovref, $id) = $this->escape_input((int) $vref, (int) $ovref, (int) $id); $time = time(); $q = "UPDATE " . TB_PREFIX . "artefacts SET vref = $vref, owner = $id, conquered = $time, active = 1 WHERE vref = $ovref"; @@ -3905,7 +3906,7 @@ class MYSQLi_DB { } public function canClaimArtifact($from,$vref,$size,$type) { - list($from,$vref,$size,$type) = $this->escape_input($from,$vref,$size,$type); + list($size,$type) = $this->escape_input((int) $size,(int) $type); //fix by Ronix global $session, $form; @@ -3921,7 +3922,7 @@ class MYSQLi_DB { SUM(IF(size = '1',1,0)) small, SUM(IF(size = '2',1,0)) great, SUM(IF(size = '3',1,0)) `unique` - FROM ".TB_PREFIX."artefacts WHERE owner = ".$uid; + FROM ".TB_PREFIX."artefacts WHERE owner = ".(int) $uid; $result = mysqli_query($this->dblink,$q); $artifact= $this->mysqli_fetch_all($result); @@ -3981,7 +3982,7 @@ class MYSQLi_DB { } function getArtefactDetails($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "artefacts WHERE id = " . $id . ""; $result = mysqli_query($this->dblink,$q); @@ -3989,7 +3990,7 @@ class MYSQLi_DB { } function getMovementById($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM ".TB_PREFIX."movement WHERE moveid = ".$id.""; $result = mysqli_query($this->dblink,$q); $array = $this->mysqli_fetch_all($result); @@ -3997,19 +3998,19 @@ class MYSQLi_DB { } function getLinks($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = 'SELECT * FROM `' . TB_PREFIX . 'links` WHERE `userid` = ' . $id . ' ORDER BY `pos` ASC'; return mysqli_query($this->dblink,$q); } function removeLinks($id,$uid) { - list($id,$uid) = $this->escape_input($id,$uid); + list($id,$uid) = $this->escape_input((int) $id,(int) $uid); $q = "DELETE FROM " . TB_PREFIX . "links WHERE `id` = ".$id." and `userid` = ".$uid.""; return mysqli_query($this->dblink,$q); } function getVilFarmlist($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = 'SELECT * FROM ' . TB_PREFIX . 'farmlist WHERE wref = ' . $wref . ' ORDER BY wref ASC'; $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); @@ -4023,22 +4024,22 @@ class MYSQLi_DB { } function getRaidList($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); - $q = "SELECT * FROM " . TB_PREFIX . "raidlist WHERE id = ".$id.""; + $q = "SELECT * FROM " . TB_PREFIX . "raidlist WHERE id = ".$id; $result = mysqli_query($this->dblink,$q); return mysqli_fetch_array($result); } function delFarmList($id, $owner) { - list($id, $owner) = $this->escape_input($id, $owner); + list($id, $owner) = $this->escape_input((int) $id, (int) $owner); $q = "DELETE FROM " . TB_PREFIX . "farmlist where id = $id and owner = $owner"; return mysqli_query($this->dblink,$q); } function delSlotFarm($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "DELETE FROM " . TB_PREFIX . "raidlist where id = $id"; return mysqli_query($this->dblink,$q); @@ -4059,14 +4060,14 @@ class MYSQLi_DB { } function editSlotFarm($eid, $lid, $wref, $x, $y, $dist, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10) { - list($eid, $lid, $wref, $x, $y, $dist, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10) = $this->escape_input($eid, $lid, $wref, $x, $y, $dist, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10); + list($eid, $lid, $wref, $x, $y, $dist, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10) = $this->escape_input((int) $eid, $lid, $wref, $x, $y, $dist, $t1, $t2, $t3, $t4, $t5, $t6, $t7, $t8, $t9, $t10); $q = "UPDATE " . TB_PREFIX . "raidlist set lid = '$lid', towref = '$wref', x = '$x', y = '$y', t1 = '$t1', t2 = '$t2', t3 = '$t3', t4 = '$t4', t5 = '$t5', t6 = '$t6', t7 = '$t7', t8 = '$t8', t9 = '$t9', t10 = '$t10' WHERE id = $eid"; return mysqli_query($this->dblink,$q); } function getArrayMemberVillage($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q = 'SELECT a.wref, a.name, b.x, b.y from '.TB_PREFIX.'vdata AS a left join '.TB_PREFIX.'wdata AS b ON b.id = a.wref where owner = '.$uid.' order by capital DESC,pop DESC'; $result = mysqli_query($this->dblink,$q); $array = $this->mysqli_fetch_all($result); @@ -4074,13 +4075,13 @@ class MYSQLi_DB { } function addPassword($uid, $npw, $cpw) { - list($uid, $npw, $cpw) = $this->escape_input($uid, $npw, $cpw); + list($uid, $npw, $cpw) = $this->escape_input((int) $uid, $npw, $cpw); $q = "REPLACE INTO `" . TB_PREFIX . "password`(uid, npw, cpw) VALUES ($uid, '$npw', '$cpw')"; mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); } function resetPassword($uid, $cpw) { - list($uid, $cpw) = $this->escape_input($uid, $cpw); + list($uid, $cpw) = $this->escape_input((int) $uid, $cpw); $q = "SELECT npw FROM `" . TB_PREFIX . "password` WHERE uid = $uid AND cpw = '$cpw' AND used = 0"; $result = mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); $dbarray = mysqli_fetch_array($result); @@ -4096,9 +4097,7 @@ class MYSQLi_DB { } function getCropProdstarv($wref) { - list($wref) = $this->escape_input($wref); - - global $bid4,$bid8,$bid9,$sesion,$technology; + global $bid4,$bid8,$bid9,$sesion,$technology; $wood = 0; $cropo = 0; @@ -4121,7 +4120,7 @@ class MYSQLi_DB { $bakery = $buildarray['f'.$i]; } } - $q = "SELECT type FROM `" . TB_PREFIX . "odata` WHERE conqured = $wref"; + $q = "SELECT type FROM `" . TB_PREFIX . "odata` WHERE conqured = ".(int) $wref; $oasis = $this->query_return($q); foreach($oasis as $oa){ switch($oa['type']) { @@ -4211,14 +4210,14 @@ class MYSQLi_DB { //end general statistics function addFriend($uid, $column, $friend) { - list($uid, $column, $friend) = $this->escape_input($uid, $column, $friend); + list($uid, $column, $friend) = $this->escape_input((int) $uid, $column, (int) $friend); $q = "UPDATE " . TB_PREFIX . "users SET $column = $friend WHERE id = $uid"; return mysqli_query($this->dblink,$q); } function deleteFriend($uid, $column) { - list($uid, $column) = $this->escape_input($uid, $column); + list($uid, $column) = $this->escape_input((int) $uid, $column); $q = "UPDATE " . TB_PREFIX . "users SET $column = 0 WHERE id = $uid"; return mysqli_query($this->dblink,$q); @@ -4251,7 +4250,7 @@ class MYSQLi_DB { function setVillageEvasion($vid) { list($vid) = $this->escape_input($vid); - $village = $this->getVillage($vid); + $village = $this->getVillage((int) $vid); if($village['evasion'] == 0){ $q = "UPDATE " . TB_PREFIX . "vdata SET evasion = 1 WHERE wref = $vid"; }else{ @@ -4261,7 +4260,7 @@ class MYSQLi_DB { } function addPrisoners($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) { - list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11); + list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input((int) $wid,(int) $from,(int) $t1,(int) $t2,(int) $t3,(int) $t4,(int) $t5,(int) $t6,(int) $t7,(int) $t8,(int) $t9,(int) $t10,(int) $t11); $q = "INSERT INTO " . TB_PREFIX . "prisoners values (0,$wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11)"; mysqli_query($this->dblink,$q); @@ -4269,14 +4268,14 @@ class MYSQLi_DB { } function updatePrisoners($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) { - list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11); + list($wid,$from,$t1,$t2,$t3,$t4,$t5,$t6,$t7,$t8,$t9,$t10,$t11) = $this->escape_input((int) $wid,(int) $from,(int) $t1,(int) $t2,(int) $t3,(int) $t4,(int) $t5,(int) $t6,(int) $t7,(int) $t8,(int) $t9,(int) $t10,(int) $t11); $q = "UPDATE " . TB_PREFIX . "prisoners set t1 = t1 + $t1, t2 = t2 + $t2, t3 = t3 + $t3, t4 = t4 + $t4, t5 = t5 + $t5, t6 = t6 + $t6, t7 = t7 + $t7, t8 = t8 + $t8, t9 = t9 + $t9, t10 = t10 + $t10, t11 = t11 + $t11 where wref = $wid and ".TB_PREFIX."prisoners.from = $from"; return mysqli_query($this->dblink,$q) or die(mysqli_error($database->dblink)); } function getPrisoners($wid,$mode=0) { - list($wid,$mode) = $this->escape_input($wid,$mode); + list($wid,$mode) = $this->escape_input((int) $wid,$mode); if(!$mode) { $q = "SELECT * FROM " . TB_PREFIX . "prisoners where wref = $wid"; @@ -4288,7 +4287,7 @@ class MYSQLi_DB { } function getPrisoners2($wid,$from) { - list($wid,$from) = $this->escape_input($wid,$from); + list($wid,$from) = $this->escape_input((int) $wid,(int) $from); $q = "SELECT * FROM " . TB_PREFIX . "prisoners where wref = $wid and " . TB_PREFIX . "prisoners.from = $from"; $result = mysqli_query($this->dblink,$q); @@ -4296,7 +4295,7 @@ class MYSQLi_DB { } function getPrisonersByID($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT * FROM " . TB_PREFIX . "prisoners where id = $id"; $result = mysqli_query($this->dblink,$q); @@ -4304,7 +4303,7 @@ class MYSQLi_DB { } function getPrisoners3($from) { - list($from) = $this->escape_input($from); + list($from) = $this->escape_input((int) $from); $q = "SELECT * FROM " . TB_PREFIX . "prisoners where " . TB_PREFIX . "prisoners.from = $from"; $result = mysqli_query($this->dblink,$q); @@ -4324,7 +4323,7 @@ References: *****************************************/ function setvacmode($uid,$days) { - list($uid,$days) = $this->escape_input($uid,$days); + list($uid,$days) = $this->escape_input((int) $uid,(int) $days); $days1 =60*60*24*$days; $time =time()+$days1; $q ="UPDATE ".TB_PREFIX."users SET vac_mode = '1' , vac_time=".$time." WHERE id=".$uid.""; @@ -4332,22 +4331,22 @@ References: } function removevacationmode($uid) { - list($uid) = $this->escape_input($uid); + list($uid) = $this->escape_input((int) $uid); $q ="UPDATE ".TB_PREFIX."users SET vac_mode = '0' , vac_time='0' WHERE id=".$uid.""; $result =mysqli_query($this->dblink,$q); } function getvacmodexy($wref) { - list($wref) = $this->escape_input($wref); + list($wref) = $this->escape_input((int) $wref); $q = "SELECT id,oasistype,occupied FROM " . TB_PREFIX . "wdata where id = $wref"; $result = mysqli_query($this->dblink,$q); $dbarray = mysqli_fetch_array($result); if($dbarray['occupied'] != 0 && $dbarray['oasistype'] == 0) { - $q1 = "SELECT owner FROM " . TB_PREFIX . "vdata where wref = ".$dbarray['id'].""; + $q1 = "SELECT owner FROM " . TB_PREFIX . "vdata where wref = ".(int) $dbarray['id'].""; $result1 = mysqli_query($this->dblink,$q1); $dbarray1 = mysqli_fetch_array($result1); if($dbarray1['owner'] != 0){ - $q2 = "SELECT vac_mode,vac_time FROM " . TB_PREFIX . "users where id = ".$dbarray1['owner'].""; + $q2 = "SELECT vac_mode,vac_time FROM " . TB_PREFIX . "users where id = ".(int) $dbarray1['owner'].""; $result2 = mysqli_query($this->dblink,$q2); $dbarray2 = mysqli_fetch_array($result2); if($dbarray2['vac_mode'] ==1){ @@ -4372,7 +4371,7 @@ References: ***************************/ function getHeroDead($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT dead FROM " . TB_PREFIX . "hero WHERE `uid` = $id"; $result = mysqli_query($this->dblink,$q); @@ -4386,7 +4385,7 @@ References: ***************************/ function getHeroInRevive($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT inrevive FROM " . TB_PREFIX . "hero WHERE `uid` = $id"; $result = mysqli_query($this->dblink,$q); @@ -4400,7 +4399,7 @@ References: ***************************/ function getHeroInTraining($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "SELECT intraining FROM " . TB_PREFIX . "hero WHERE `uid` = $id"; $result = mysqli_query($this->dblink,$q); @@ -4440,7 +4439,7 @@ References: ***************************/ function KillMyHero($id) { - list($id) = $this->escape_input($id); + list($id) = $this->escape_input((int) $id); $q = "UPDATE " . TB_PREFIX . "hero set dead = 1 where uid = ".$id; return mysqli_query($this->dblink,$q); @@ -4542,7 +4541,7 @@ References: ***************************/ function checkAttack($wref, $toWref) { - list($wref, $toWref) = $this->escape_input($wref, $toWref); + list($wref, $toWref) = $this->escape_input((int) $wref, (int) $toWref); $q = "SELECT * FROM " . TB_PREFIX . "movement, " . TB_PREFIX . "attacks where " . TB_PREFIX . "movement.from = $wref and " . TB_PREFIX . "movement.to = $toWref and " . TB_PREFIX . "movement.ref = " . TB_PREFIX . "attacks.id and " . TB_PREFIX . "movement.proc = 0 and " . TB_PREFIX . "movement.sort_type = 3 and (" . TB_PREFIX . "attacks.attack_type = 3 or " . TB_PREFIX . "attacks.attack_type = 4) ORDER BY endtime ASC"; $result = mysqli_query($this->dblink,$q); if(mysqli_num_rows($result)) { @@ -4558,7 +4557,7 @@ References: ***************************/ function checkEnforce($wref, $toWref) { - list($wref, $toWref) = $this->escape_input($wref, $toWref); + list($wref, $toWref) = $this->escape_input((int) $wref, (int) $toWref); $q = "SELECT * FROM " . TB_PREFIX . "movement, " . TB_PREFIX . "attacks where " . TB_PREFIX . "movement.from = $wref and " . TB_PREFIX . "movement.to = $toWref and " . TB_PREFIX . "movement.ref = " . TB_PREFIX . "attacks.id and " . TB_PREFIX . "movement.proc = 0 and " . TB_PREFIX . "movement.sort_type = 3 and " . TB_PREFIX . "attacks.attack_type = 2 ORDER BY endtime ASC"; $result = mysqli_query($this->dblink,$q); @@ -4575,7 +4574,7 @@ References: ***************************/ function checkScout($wref, $toWref) { - list($wref, $toWref) = $this->escape_input($wref, $toWref); + list($wref, $toWref) = $this->escape_input((int) $wref, (int) $toWref); $q = "SELECT * FROM " . TB_PREFIX . "movement, " . TB_PREFIX . "attacks where " . TB_PREFIX . "movement.from = $wref and " . TB_PREFIX . "movement.to = $toWref and " . TB_PREFIX . "movement.ref = " . TB_PREFIX . "attacks.id and " . TB_PREFIX . "movement.proc = 0 and " . TB_PREFIX . "movement.sort_type = 3 and " . TB_PREFIX . "attacks.attack_type = 1 ORDER BY endtime ASC"; $result = mysqli_query($this->dblink,$q); diff --git a/dorf1.php b/dorf1.php index b8543439..b5c3f1c1 100644 --- a/dorf1.php +++ b/dorf1.php @@ -16,7 +16,7 @@ if(isset($_GET['ok'])){ } if(isset($_GET['newdid'])) { $_SESSION['wid'] = $_GET['newdid']; - $database->query("UPDATE ".TB_PREFIX."users SET village_select=".$database->escape($_GET['newdid'])." WHERE id=".$session->uid); + $database->query("UPDATE ".TB_PREFIX."users SET village_select=".$database->escape((int) $_GET['newdid'])." WHERE id=".$session->uid); header("Location: ".$_SERVER['PHP_SELF']); } else { $building->procBuild($_GET);