fix: more sql injection escapes...
@@ -454,6 +454,7 @@
|
||||
|
||||
private function updateMax($leader) {
|
||||
global $bid18, $database;
|
||||
$leader = $database->escape($leader);
|
||||
$q = mysqli_query($GLOBALS['link'],"SELECT * FROM " . TB_PREFIX . "alidata where leader = $leader");
|
||||
if(mysqli_num_rows($q) > 0){
|
||||
$villages = $database->getVillagesID2($leader);
|
||||
|
||||
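Review bot: The new line `$leader = $database->escape($leader);` does not make the following query safe, because `leader = $leader` interpolates the value without quotes and string escaping (if `escape()` wraps mysqli_real_escape_string, as its name suggests) only neutralises quote characters. If `leader` is an integer column, normalise the value instead, `$leader = (int) $leader;`, and do the same for the other unquoted numeric interpolations this commit escapes: `$id` in addLoginLog, `$wid` in addTechLog and goldFinLog, `lid` in the raidlist query, `moveid` in the two movement queries, and `village_select` in the three newdid updates. A prepared statement with bound parameters would cover string and numeric columns alike without per-site escaping. The body of updateMax continues past the end of the hunk.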
@@ -13,6 +13,7 @@ class Logging {
|
||||
|
||||
public function addIllegal($uid,$ref,$type) {
|
||||
global $database;
|
||||
list($uid,$ref,$type) = $database->escape_input($uid,$ref,$type);
|
||||
if(LOG_ILLEGAL) {
|
||||
$log = "Attempted to ";
|
||||
switch($type) {
|
||||
@@ -27,6 +28,7 @@ class Logging {
|
||||
|
||||
public function addLoginLog($id,$ip) {
|
||||
global $database;
|
||||
list($id,$ip) = $database->escape_input($id,$ip);
|
||||
if(LOG_LOGIN) {
|
||||
$q = "Insert into ".TB_PREFIX."login_log values (0,$id,'$ip')";
|
||||
$database->query($q);
|
||||
@@ -35,6 +37,7 @@ class Logging {
|
||||
|
||||
public function addBuildLog($wid,$building,$level,$type) {
|
||||
global $database;
|
||||
list($wid,$building,$level,$type) = $database->escape_input($wid,$building,$level,$type);
|
||||
if(LOG_BUILD) {
|
||||
if($type) {
|
||||
$log = "Start Construction of ";
|
||||
@@ -50,6 +53,7 @@ class Logging {
|
||||
|
||||
public function addTechLog($wid,$tech,$level) {
|
||||
global $database;
|
||||
list($wid,$tech,$level) = $database->escape_input($wid,$tech,$level);
|
||||
if(LOG_TECH) {
|
||||
$log = "Upgrading of tech ".$tech." to level ".$level;
|
||||
$q = "Insert into ".TB_PREFIX."tech_log values (0,$wid,'$log')";
|
||||
@@ -59,6 +63,7 @@ class Logging {
|
||||
|
||||
public function goldFinLog($wid) {
|
||||
global $database;
|
||||
list($wid) = $database->escape_input($wid);
|
||||
if(LOG_GOLD_FIN) {
|
||||
$log = "Finish construction and research with gold";
|
||||
$q = "Insert into ".TB_PREFIX."gold_fin_log values (0,$wid,'$log')";
|
||||
@@ -72,6 +77,7 @@ class Logging {
|
||||
|
||||
public function addMarketLog($wid,$type,$data) {
|
||||
global $database;
|
||||
list($wid,$type,$data) = $database->escape_input($wid,$type,$data);
|
||||
if(LOG_MARKET) {
|
||||
if($type == 1) {
|
||||
$log = "Sent ".$data[0].",".$data[1].",".$data[2].",".$data[3]." to village ".$data[4];
|
||||
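Review bot: `$data` is passed through `$database->escape_input(...)` on the new `list(...)` line but is then indexed as an array (`$data[0]` … `$data[4]`), so if escape_input escapes each argument as a string the array will be mangled or raise a TypeError before the log line is built. Either escape the elements individually, e.g. `$data = array_map([$database, 'escape'], $data);` after escaping `$wid` and `$type`, or leave `$data` out of the escape call and escape it where it is interpolated. Whether escape_input handles arrays cannot be seen from this hunk; the method body continues outside it.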
@@ -94,6 +100,7 @@ class Logging {
|
||||
|
||||
public function debug($time,$uid,$debug_info) {
|
||||
global $database;
|
||||
list($time,$uid,$debug_info) = $database->escape_input($time,$uid,$debug_info);
|
||||
|
||||
//$debugFile = "/tmp/debug";
|
||||
//$fh = fopen($debugFile, 'a') or die('No debug file');
|
||||
|
||||
@@ -4,7 +4,7 @@
|
||||
$lid = $_POST['lid'];
|
||||
$tribe = $_POST['tribe'];
|
||||
$getFLData = $database->getFLData($lid);
|
||||
$sql = "SELECT * FROM ".TB_PREFIX."raidlist WHERE lid = ".$lid." order by id asc";
|
||||
$sql = "SELECT * FROM ".TB_PREFIX."raidlist WHERE lid = ".$database->escape($lid)." order by id asc";
|
||||
$array = $database->query_return($sql);
|
||||
foreach($array as $row){
|
||||
$sql1 = mysqli_fetch_array(mysqli_query($GLOBALS['link'],"SELECT * FROM ".TB_PREFIX."units WHERE vref = ".$getFLData['wref']));
|
||||
|
||||
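Review bot: `$lid` is escaped only in the rewritten raidlist query, while the same raw `$_POST['lid']` is passed to `$database->getFLData($lid)` two lines earlier and `$_POST['tribe']` is not checked anywhere in this hunk. Since `lid` is compared as an unquoted number, normalising once at the top, `$lid = (int) $_POST['lid'];`, covers both uses and removes the need for escaping; whether getFLData escapes internally is not visible here. The result of that lookup is then interpolated unquoted into the units query, so if the lookup fails and `wref` is empty the query is malformed rather than rejected.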
@@ -236,12 +236,12 @@ $oldmovement=$database->getMovementById($_GET['moveid']);
|
||||
$now=time();
|
||||
if(($now-$oldmovement[0]['starttime'])<90 && $oldmovement[0]['from'] == $village->wid){
|
||||
|
||||
$qc="SELECT * FROM " . TB_PREFIX . "movement where proc = 0 and moveid = ".$_GET['moveid'];
|
||||
$qc="SELECT * FROM " . TB_PREFIX . "movement where proc = 0 and moveid = ".$database->escape($_GET['moveid']);
|
||||
$resultc=$database->query($qc) or die(mysqli_error($database->dblink));
|
||||
|
||||
if (mysqli_num_rows($resultc)==1){
|
||||
|
||||
$q = "UPDATE " . TB_PREFIX . "movement set proc = 1 where proc = 0 and moveid = ".$_GET['moveid'];
|
||||
$q = "UPDATE " . TB_PREFIX . "movement set proc = 1 where proc = 0 and moveid = ".$database->escape($_GET['moveid']);
|
||||
$database->query($q);
|
||||
$end=$now+($now-$oldmovement[0]['starttime']);
|
||||
//echo "6,".$oldmovement[0]['to'].",".$oldmovement[0]['from'].",0,".$now.",".$end;
|
||||
|
||||
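Review bot: `$_GET['moveid']` is escaped in the two rewritten queries but the same raw value still reaches `$database->getMovementById($_GET['moveid'])` on the hunk's context line, and it is used as an unquoted number in all three places. Read it once, `$moveid = (int) $_GET['moveid'];`, and use `$moveid` in getMovementById and both queries. Separately, `or die(mysqli_error($database->dblink))` on the query line sends the raw database error to the client; logging it server-side and returning a generic message would be safer. The if block opened at the top of the hunk closes outside it.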
@@ -16,7 +16,7 @@ if(isset($_GET['ok'])){
|
||||
}
|
||||
if(isset($_GET['newdid'])) {
|
||||
$_SESSION['wid'] = $_GET['newdid'];
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$_GET['newdid']." WHERE id=".$session->uid);
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$database->escape($_GET['newdid'])." WHERE id=".$session->uid);
|
||||
header("Location: ".$_SERVER['PHP_SELF']);
|
||||
} else {
|
||||
$building->procBuild($_GET);
|
||||
|
||||
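Review bot: The rewritten UPDATE escapes `$_GET['newdid']` but still interpolates it unquoted into `village_select=`, and the line before it stores the raw value in `$_SESSION['wid']` for later use. Normalising once, `$newdid = (int) $_GET['newdid'];`, and using it in both the session assignment and the query would address both; the same pattern appears in the two following newdid hunks. Nothing in this hunk checks that the requested village belongs to `$session->uid`, so unless the later village load enforces ownership — which cannot be seen from here — the selection accepts any id.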
@@ -13,7 +13,7 @@ include("GameEngine/Village.php");
|
||||
$start = $generator->pageLoadTimeStart();
|
||||
if(isset($_GET['newdid'])) {
|
||||
$_SESSION['wid'] = $_GET['newdid'];
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$_GET['newdid']." WHERE id=".$session->uid);
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$database->escape($_GET['newdid'])." WHERE id=".$session->uid);
|
||||
header("Location: ".$_SERVER['PHP_SELF']);
|
||||
}else{
|
||||
$building->procBuild($_GET);
|
||||
|
||||
@@ -15,7 +15,7 @@ include("GameEngine/Village.php");
|
||||
$start = $generator->pageLoadTimeStart();
|
||||
if(isset($_GET['newdid'])) {
|
||||
$_SESSION['wid'] = $_GET['newdid'];
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$_GET['newdid']." WHERE id=".$session->uid);
|
||||
$database->query("UPDATE ".TB_PREFIX."users SET village_select=".$database->escape($_GET['newdid'])." WHERE id=".$session->uid);
|
||||
if(isset($_GET['s'])){
|
||||
header("Location: ".$_SERVER['PHP_SELF']."?s=".$_GET['s']);
|
||||
}else{
|
||||
|
||||
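Review bot: `header("Location: ".$_SERVER['PHP_SELF']."?s=".$_GET['s'])` in this hunk forwards the raw `s` parameter into the redirect URL without encoding; PHP rejects header values containing newlines, but the value should still be encoded, `"?s=".urlencode($_GET['s'])`, or validated against the values the page accepts. The unquoted `village_select` interpolation on the rewritten line is the same issue raised on the first newdid hunk.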