fix: remove SQL injections in Admin

This commit is contained in:
Martin Ambrus
2017-10-19 21:17:11 +02:00
parent 529bb2209c
commit 331885a110
74 changed files with 327 additions and 221 deletions
+5 -5
@@ -92,10 +92,10 @@ class funct {
header("Location: admin.php?p=player&uid=".$get['uid'].$error);
exit;
case "reviveHero":
$result=$database->query("SELECT * FROM ".TB_PREFIX."hero WHERE uid='".$get['uid']."'");
$result=$database->query("SELECT * FROM ".TB_PREFIX."hero WHERE uid=".(int) $get['uid']);
$hdata=mysqli_fetch_array($result);
$database->query("UPDATE ".TB_PREFIX."units SET hero = 1 WHERE vref = ".$hdata['wref']);
$database->query("UPDATE ".TB_PREFIX."hero SET `dead` = '0', `inrevive` = '0', `health` = '100', `lastupdate` = ".time()." WHERE `uid` = '".$get['uid']."'");
$database->query("UPDATE ".TB_PREFIX."units SET hero = 1 WHERE vref = ".(int) $hdata['wref']);
$database->query("UPDATE ".TB_PREFIX."hero SET `dead` = '0', `inrevive` = '0', `health` = '100', `lastupdate` = ".time()." WHERE `uid` = ".(int) $get['uid']);
header("Location: admin.php?p=player&uid=".$get['uid']."&rc=1");
exit;
case "addHero":
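Review bot: The cast on `$hdata['wref']` in the reviveHero branch hides the no-row case: when no hero row matches the uid, mysqli_fetch_array returns null/false, `(int) $hdata['wref']` becomes 0, and the UPDATE on `units` still runs with `WHERE vref = 0` instead of being skipped. A guard after the fetch, e.g. `if (!$hdata) { header("Location: admin.php?p=player&uid=".(int) $get['uid']); exit; }`, would stop both UPDATEs for an unknown uid. Note also that `(int)` maps any non-numeric uid to 0, and the redirects on the following lines still emit the raw `$get['uid']`; hoisting `$uid = (int) $get['uid'];` once at the top of the case and using it in the queries and the Location header would keep the value consistent throughout. The enclosing method of `class funct` begins outside the hunk.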
@@ -104,10 +104,10 @@ class funct {
$database->query("INSERT INTO ".TB_PREFIX."hero (`uid`, `wref`, `regeneration`, `unit`, `name`, `level`, `points`,
`experience`, `dead`, `health`, `attack`, `defence`, `attackbonus`, `defencebonus`, `trainingtime`, `autoregen`,
`intraining`) VALUES ('".$get['uid']."', '" . $vilarray['wref'] . "', '0', '".$get['u']."', '".addslashes($user['username'])."',
`intraining`) VALUES (".(int) $get['uid'].", " . (int) $vilarray['wref'] . ", '0', ".(int) $get['u'].", '".addslashes($user['username'])."',
'0', '5', '0', '0', '100', '0', '0', '0', '0', '".time()."', '50', '0')");
$database->query("UPDATE ".TB_PREFIX."units SET hero = 1 WHERE vref = ".$vilarray['wref']);
$database->query("UPDATE ".TB_PREFIX."units SET hero = 1 WHERE vref = ".(int) $vilarray['wref']);
header("Location: admin.php?p=player&uid=".$get['uid']."&ac=1");
exit;