From aab10109061b693d8964a2c4ceccf09162eead82 Mon Sep 17 00:00:00 2001
From: Martin Ambrus
Date: Tue, 24 Oct 2017 09:55:18 +0200
Subject: [PATCH] fix: super-strange id + 0 query that totally prevents the use of indexes
---
 GameEngine/Admin/Mods/natarbuildingplan.php | 2 +-
 GameEngine/Message.php | 4 ++--
 create_account.php | 2 +-
 sysmsg.php | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/GameEngine/Admin/Mods/natarbuildingplan.php b/GameEngine/Admin/Mods/natarbuildingplan.php
index 39110996..e1ce7d83 100755
--- a/GameEngine/Admin/Mods/natarbuildingplan.php
+++ b/GameEngine/Admin/Mods/natarbuildingplan.php
@@ -45,7 +45,7 @@ for($i=1;$i<=$amt;$i++) { $text = preg_replace("'%TEKST%'",PLAN_INFO ,$text); fwrite($fh, $text);
- $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
+ $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
 $result=mysqli_query($GLOBALS["link"], $query) or die (mysqli_error($database->dblink)); for ($i=0; $row=mysqli_fetch_row($result); $i++) { $updateattquery = mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")
diff --git a/GameEngine/Message.php b/GameEngine/Message.php
index 24ec6969..b01a3972 100755
--- a/GameEngine/Message.php
+++ b/GameEngine/Message.php
@@ -335,7 +335,7 @@ class Message { // Vulnerability closed by Shadow
- $q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time()." - 60";
+ $q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".(time() - 60);
 $res = mysqli_query($GLOBALS['link'],$q) or die(mysqli_error($database->dblink). " query ".$q); $flood = mysqli_num_rows($res); if($flood > 5)
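Review bot: In GameEngine/Admin/Mods/natarbuildingplan.php the new `ORDER BY id DESC` still sorts and fetches every column of every user, although the visible loop only uses `$row[0]` to issue one `UPDATE ... SET ok = '1'` per row. If the loop body, which continues outside the hunk, does nothing else, a single `UPDATE ".TB_PREFIX."users SET ok = '1'` would replace both the SELECT and the loop; otherwise `SELECT id FROM ".TB_PREFIX."users` without the ORDER BY is enough. The same applies to the create_account.php hunk and both sysmsg.php hunks. The `or die (mysqli_error($database->dblink))` on the next line also prints raw database errors to the browser and reads them from a handle other than the `$GLOBALS["link"]` that ran the query; whether the two are the same connection is not visible here.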
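Review bot: In the first GameEngine/Message.php hunk (@@ -335) the rewritten flood-check query still concatenates `$session->uid` straight into the SQL string. Where that value is set is not visible here, so casting it on this line, `owner='".(int)$session->uid."'`, or switching to a prepared statement would make the query safe regardless of its origin. Only the row count is used afterwards, so `SELECT COUNT(*)` would avoid fetching whole message rows on every send. The comment `// Vulnerability closed by Shadow` above it does not say what the check protects against; something like `// Flood control: count this user's messages from the last 60 seconds` would document the intent. The enclosing method starts and ends outside the hunk.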
@@ -425,7 +425,7 @@ class Message { // Vulnerability closed by Shadow if ($security_check) {
- $q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time()." - 60";
+ $q = "SELECT * FROM ".TB_PREFIX."mdata WHERE owner='".$session->uid."' AND time > ".time() - 60;
 $res = mysqli_query($GLOBALS['link'],$q) or die(mysqli_error($database->dblink). " query ".$q); $flood = mysqli_num_rows($res); if($flood > 5)
diff --git a/create_account.php b/create_account.php
index beb204d7..7d38a559 100644
--- a/create_account.php
+++ b/create_account.php
@@ -485,7 +485,7 @@ if($_POST['password'] != ""){ $text = preg_replace("'%TEKST%'",ARTEFACT ,$text); fwrite($fh, $text);
- $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
+ $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
 $result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink)); for ($i=0; $row=mysqli_fetch_row($result); $i++) { $updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")
diff --git a/sysmsg.php b/sysmsg.php
index 51dd42a1..bbc2bf9b 100644
--- a/sysmsg.php
+++ b/sysmsg.php
@@ -14,7 +14,7 @@ $max_per_pass = 1000; if (mysqli_num_rows(mysqli_query($GLOBALS['link'],"SELECT id FROM ".TB_PREFIX."users WHERE access = 9 AND id = ".$session->uid)) != '1') die("Hacking attempt!"); if(isset($_GET['del'])){
- $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
+ $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
 $result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink)); for ($i=0; $row=mysqli_fetch_row($result); $i++) { $updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '0' WHERE id = '".$row[0]."'")
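Review bot: In the second GameEngine/Message.php hunk (@@ -425) the new line ends in `".time() - 60;` without the parentheses that the @@ -335 hunk has. On PHP versions before 8.0, `.` and `-` share precedence and associate left to right, so the whole SQL string is concatenated first and 60 is then subtracted from it, leaving `$q` as the number -60 instead of a query. The query then fails and the `or die(...)` on the following line aborts the send while echoing the database error and `$q` to the user. The line should read `... AND time > ".(time() - 60);` as in the first hunk. The enclosing method lies outside the hunk.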
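Review bot: In the first sysmsg.php hunk (@@ -14) the branch guarded by `isset($_GET['del'])` sets `ok = '0'` on every user row in response to a plain GET request, and no anti-forgery token check is visible in the hunk. If none exists earlier in the file, the action should move to POST and verify a per-session token before the query runs, so that an administrator's browser cannot be made to trigger it by loading a link. The access check above it also passes the `mysqli_query` result straight to `mysqli_num_rows`, which will error rather than deny access if the query fails; checking the result for `false` first would make the guard fail closed explicitly. The rest of the handler is outside the hunk.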
@@ -46,7 +46,7 @@ if (@isset($_POST['confirm'])) // $text = utf8_encode($text); fwrite($fh, $text);
- $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id + 0 DESC";
+ $query="SELECT * FROM ".TB_PREFIX."users ORDER BY id DESC";
 $result=mysqli_query($GLOBALS['link'],$query) or die (mysqli_error($database->dblink)); for ($i=0; $row=mysqli_fetch_row($result); $i++) { $updateattquery = mysqli_query($GLOBALS['link'],"UPDATE ".TB_PREFIX."users SET ok = '1' WHERE id = '".$row[0]."'")