xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-28 00:24:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: super-strange id + 0 query that totally prevents the use of indexes

Browse Source
This commit is contained in:
Martin Ambrus
2017-10-24 09:55:18 +02:00
parent d12be30634
commit aab1010906
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
GameEngine/Admin/Mods/natarbuildingplan.php
+1 -1
View File
@@ -45,7 +45,7 @@ for($i=1;$i<=$amt;$i++) {
$text = preg_replace("'%TEKST%'",PLAN_INFO ,$text);
fwrite($fh, $text);
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
$result=mysqli_query($GLOBALS["link"], $query) or die (mysqli_error($database->dblink));
for ($i=0; $row=mysqli_fetch_row($result); $i++) {
$updateattquery = mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")
GameEngine/Message.php
+2 -2
View File
@@ -335,7 +335,7 @@ class Message {
// Vulnerability closed by Shadow
$q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time()." - 60";
$q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".(time() - 60);
$res = mysqli_query($GLOBALS['link'],$q) or die(mysqli_error($database->dblink). " query ".$q);
$flood = mysqli_num_rows($res);
if($flood > 5)
@@ -425,7 +425,7 @@ class Message {
// Vulnerability closed by Shadow
if ($security_check) {
$q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time()." - 60";
$q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time() - 60;
$res = mysqli_query($GLOBALS['link'],$q) or die(mysqli_error($database->dblink). " query ".$q);
$flood = mysqli_num_rows($res);
if($flood > 5)
create_account.php
+1 -1
View File
@@ -485,7 +485,7 @@ if($_POST['password'] != ""){
$text = preg_replace("'%TEKST%'",ARTEFACT ,$text);
fwrite($fh, $text);
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
$result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink));
for ($i=0; $row=mysqli_fetch_row($result); $i++) {
$updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")
sysmsg.php
+2 -2
View File
@@ -14,7 +14,7 @@ $max_per_pass = 1000;
if (mysqli_num_rows(mysqli_query($GLOBALS['link'],"SELECT id FROM ".TB_PREFIX."users WHERE access = 9 AND id = ".$session->uid)) != '1') die("Hacking attempt!");
if(isset($_GET['del'])){
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
$result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink));
for ($i=0; $row=mysqli_fetch_row($result); $i++) {
$updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '0' WHERE id = '".$row[0]."'")
@@ -46,7 +46,7 @@ if (@isset($_POST['confirm']))
// $text = utf8_encode($text);
fwrite($fh, $text);
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
$query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
$result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink));
for ($i=0; $row=mysqli_fetch_row($result); $i++) {
$updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")