From c7e6faebc4cfe7329f5bd9ee910efcb47e142382 Mon Sep 17 00:00:00 2001 From: unknown Date: Wed, 13 Jun 2012 17:16:58 +0300 Subject: [PATCH] improves by songeriux + minor changes by me --- GameEngine/Account.php | 4 ++-- GameEngine/Database.php | 8 ++++++- GameEngine/Database/db_MYSQL.php | 2 ++ GameEngine/Lang/en.php | 2 +- GameEngine/Mailer.php | 14 ++++++------- GameEngine/Protection2.php | 22 +++++++++++++++++++ GameEngine/Session.php | 9 +++++--- Templates/Profile/notfound.tpl | 4 ++-- Templates/Profile/overview.tpl | 3 ++- a2b.php | 10 ++++----- ajax.php | 16 +++++++------- allianz.php | 36 ++++++++++---------------------- berichte.php | 14 ++++++------- build.php | 12 +++++------ create_account.php | 2 +- crop_finder.php | 10 ++++----- karte.php | 4 ++-- manual.php | 6 +++--- nachrichten.php | 2 +- oasis_populate.php | 8 +++---- plus.php | 2 +- spieler.php | 8 +++---- warsim.php | 2 +- 23 files changed, 110 insertions(+), 90 deletions(-) create mode 100644 GameEngine/Protection2.php diff --git a/GameEngine/Account.php b/GameEngine/Account.php index 399c418b..c3c9e6b5 100644 --- a/GameEngine/Account.php +++ b/GameEngine/Account.php @@ -42,7 +42,7 @@ class Account { private function Signup() { global $database,$form,$mailer,$generator,$session; - if(!isset($_POST['name']) || $_POST['name'] == "") { + if(!isset($_POST['name']) || trim($_POST['name']) == "") { $form->addError("name",USRNM_EMPTY); } else { @@ -60,7 +60,7 @@ class Account { } } - if(!isset($_POST['pw']) || $_POST['pw'] == "") { + if(!isset($_POST['pw']) || trim($_POST['pw']) == "") { $form->addError("pw",PW_EMPTY); } else { diff --git a/GameEngine/Database.php b/GameEngine/Database.php index 1b1dd341..30c0147f 100644 --- a/GameEngine/Database.php +++ b/GameEngine/Database.php 
@@ -2,7 +2,7 @@ ################################################################################# ## -= YOU MAY NOT REMOVE OR CHANGE THIS NOTICE =- ## ## --------------------------------------------------------------------------- ## -## Edited by: ZZJHONS ## +## Edited by: ZZJHONS, songeriux ## ## Filename Database.php ## ## License: TravianX Project ## ## Copyright: TravianX (c) 2010-2011. All rights reserved. ## @@ -22,4 +22,10 @@ switch(DB_TYPE) { include("Database/db_MYSQL.php"); break; } +## Security +if($_GET['s'] == 6 && $_SERVER['PHP_SELF'] == "/allianz.php"){ +include("Protection.php"); +}else{ +include("Protection2.php"); +} ?> \ No newline at end of file diff --git a/GameEngine/Database/db_MYSQL.php b/GameEngine/Database/db_MYSQL.php index 37b0f2bf..527298c9 100644 --- a/GameEngine/Database/db_MYSQL.php +++ b/GameEngine/Database/db_MYSQL.php @@ -3095,10 +3095,12 @@ $q = "UPDATE " . TB_PREFIX . "users SET $column = $friend WHERE id = $uid"; return mysql_query($q, $this->connection); } + function deleteFriend($uid, $column) { $q = "UPDATE " . TB_PREFIX . "users SET $column = 0 WHERE id = $uid"; return mysql_query($q, $this->connection); } + } ; diff --git a/GameEngine/Lang/en.php b/GameEngine/Lang/en.php index 33b07774..ca60a3b6 100644 --- a/GameEngine/Lang/en.php +++ b/GameEngine/Lang/en.php @@ -71,7 +71,7 @@ define("NOT_OPENED_YET","Server not started yet."); define("REGISTER_CLOSED","The register is closed. You can't register to this server."); //COPYRIGHT -define("TRAVIAN_COPYRIGHT","TravianX 100% Open Source Travian Clone."); +define("TRAVIAN_COPYRIGHT","TravianZ 100% Open Source Travian Clone."); //BUILD.TPL define("CUR_PROD","Current production"); diff --git a/GameEngine/Mailer.php b/GameEngine/Mailer.php index ee8971b6..25d89db2 100644 --- a/GameEngine/Mailer.php +++ b/GameEngine/Mailer.php 
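Review bot: The new `## Security` block in Database.php reads `$_GET['s']` without `isset()` and compares it loosely, so every request that lacks `s` raises a notice and a value such as `6abc` still selects the first branch; `if(isset($_GET['s']) && (int)$_GET['s'] === 6 && $_SERVER['PHP_SELF'] == "/allianz.php")` states the intent exactly. More importantly, which global input filter a request receives now depends on a parameter the client controls, so whatever Protection.php (not in this patch) leaves unfiltered becomes reachable on allianz.php simply by sending `s=6`; if the two files differ in strength, the weaker one belongs inside the one handler that needs it, not in a URL-selected include. Protection2.php's `filter()` also relies on `mysql_real_escape_string()`, which needs an open connection — whether `db_MYSQL.php` has connected by the time this include runs is not visible here and should be confirmed, because without a connection the function returns false for every value. If the game is deployed below the web root, `PHP_SELF` is `/subdir/allianz.php` and the first branch can never match.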
@@ -30,13 +30,13 @@ Click the following link in order to activate your account: ".SERVER."activate.php?code=".$act." Greetings, -TravianX"; +Travian adminision"; - $headers = "From: Mailer@".SERVER_NAME."\n"; + $headers = "From: ".ADMIN_EMAIL."\n"; mail($email, $subject, $message, $headers); } - + function sendInvite($email,$uid,$text) { $subject = "".SERVER_NAME." registeration"; @@ -52,9 +52,9 @@ Link: ".SERVER_NAME." Greetings, -TravianX"; +Travian"; - $headers = "From: Mailer@".SERVER_NAME."\n"; + $headers = "From: ".ADMIN_EMAIL."\n"; mail($email, $subject, $message, $headers); } @@ -82,10 +82,10 @@ on tab \"account\". In case you did not request a new password you may ignore this email. -TravianX +Travian "; - $headers = "From: Mailer@".SERVER_NAME."\n"; + $headers = "From: ".ADMIN_EMAIL."\n"; mail($email, $subject, $message, $headers); } diff --git a/GameEngine/Protection2.php b/GameEngine/Protection2.php new file mode 100644 index 00000000..733a94f1 --- /dev/null +++ b/GameEngine/Protection2.php @@ -0,0 +1,22 @@ +","{","}","[","]",",","'"); +$arr_kodu = array("#","$","!",""","%","^","?","_","-","+","|","<",">","{","}","[","]",",","'"); +return strip_tags(mysql_real_escape_string(str_replace($arr_simboliu,$arr_kodu,htmlspecialchars(trim($txt))))); +} // The script blocks out any dangorous simbols, and replaces them with an code. also protects mysql database. + + +## We need to put it on every GET, POST, COOKIE, SESSION and SERVER methods. +if(isset($_GET)){ foreach($_GET as $key=>$value) { $_GET[$key]=filter($value); } } +if(isset($_POST)){ foreach($_POST as $key=>$value) { $_POST[$key]=filter($value); } } +if(isset($_SESSION)){ foreach($_SESSION as $key=>$value){ $_SESSION[$key]=filter($value); } } +if(isset($_COOKIE)){ foreach($_COOKIE as $key=>$value){ $_COOKIE[$key]=filter($value); } } +if(isset($_SERVER)){ foreach($_SERVER as $key=>$value){ $_SERVER[$key]=filter($value); } } +?> \ No newline at end of file 
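Review bot: The rewritten signature in the first Mailer.php hunk reads `Travian adminision`, a typo in user-facing mail text; the other two hunks use plain `Travian`, so either `Travian administration` or the same `Travian` would be consistent. The switch of the `From:` header to `ADMIN_EMAIL` is fine provided that constant is a single address with no line break, since it is concatenated straight into the header string. The function this first hunk belongs to begins above the hunk.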
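Review bot: `filter()` is applied to every element of `$_GET`, `$_POST`, `$_SESSION`, `$_COOKIE` and `$_SERVER`, but it only handles strings: an array value such as the `$_POST['target']` that warsim.php in this same patch passes to `count()` goes into `trim()`, which returns null with a warning for arrays (a TypeError on PHP 8), so nested input is silently destroyed. Escaping with `mysql_real_escape_string()` and `htmlspecialchars()` at input time is also the wrong layer — the backslashes and entities are stored in the database and show up doubled wherever the application escapes again at the sink — and `$_SESSION` and `$_SERVER` are not user-typed values to begin with. A narrower input-side step would recurse into arrays and leave SQL/HTML escaping to the query and template code, e.g. `function filter($v){ return is_array($v) ? array_map('filter', $v) : trim($v); }`, applied to `$_GET`, `$_POST` and `$_COOKIE` only. As rendered in this listing `$arr_kodu` looks identical to `$arr_simboliu`, which would make the `str_replace` a no-op; if that list was meant to hold entity codes, check the committed file. The start of the file, including the function header, is cut off in this listing.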
diff --git a/GameEngine/Session.php b/GameEngine/Session.php index 631501ab..3fbb0a2a 100644 --- a/GameEngine/Session.php +++ b/GameEngine/Session.php @@ -1,5 +1,7 @@ Player profile -

No player found

\ No newline at end of file +procRankReq($_GET); +$_GET['uid'] = preg_replace("/[^0-9]/","",$_GET['uid']); $displayarray = $database->getUserArray($_GET['uid'],1); @@ -124,7 +125,7 @@ include("menu2.tpl"); - uid) { + uid) { if($session->sit == 0){ echo " » Change profile"; }else{ diff --git a/a2b.php b/a2b.php index 1b8e25dc..7af28b82 100644 --- a/a2b.php +++ b/a2b.php @@ -36,17 +36,17 @@ $building->procBuild($_GET); } if(isset($_GET['id'])) { - $id = $_GET['id']; + $id = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']); } if(isset($_GET['w'])) { - $w = $_GET['w']; + $w = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['w']); } if(isset($_GET['r'])) { - $r = $_GET['r']; + $r = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['r']); } if(isset($_GET['o'])) { - $o = $_GET['o']; - $oid = $_GET['z']; + $o = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['o']); + $oid = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['z']); $too = $database->getOasisField($oid,"conqured"); if($too['conqured'] == 0){$disabledr ="disabled=disabled"; $disabled ="disabled=disabled";}else{ $disabledr =""; diff --git a/ajax.php b/ajax.php index 9bddd094..ebb0a8eb 100644 --- a/ajax.php +++ b/ajax.php @@ -11,10 +11,10 @@ switch($_GET['f']) { case 'k7': - $x = $_GET['x']; - $y = $_GET['y']; - $xx = $_GET['xx']; - $yy = $_GET['yy']; + $x = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['x']); + $y = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['y']); + $xx = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['xx']); + $yy = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['yy']); $howmany = $x - $xx; if($howmany == 12 || $howmany == -12) { include("Templates/Ajax/mapscroll2.tpl"); 
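Review bot: The `preg_replace("/[^a-zA-Z0-9_-]/","",…)` whitelist applied here to `$id`, `$w`, `$r`, `$o` and `$oid` still lets through letters, `-` and `_` and yields an empty string when everything is stripped, so if `getOasisField` interpolates `$oid` into SQL the way the db_MYSQL.php methods in this patch do (`WHERE id = $uid`), the query becomes `WHERE id = ` and fails rather than being rejected. For values that must be integers, `$oid = (int)$_GET['z'];` is both shorter and a guarantee; the same pattern recurs in ajax.php, allianz.php (`$post`, `$post2`), berichte.php, build.php, crop_finder.php, karte.php, nachrichten.php and plus.php, while the digits-only regex used for `$fid` in allianz.php and `$_GET['uid']` in spieler.php is closer but also leaves an empty string. `$_GET['z']` is additionally read without `isset()` while the neighbouring keys are guarded.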
@@ -24,18 +24,18 @@ switch($_GET['f']) { } break; case 'kp': - $z = $_GET['z']; + $z = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['z']); //include("Templates/Ajax/plusmap.tpl"); break; case 'qst': - + if (isset($_GET['qact'])){ - $qact=$_GET['qact']; + $qact=preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['qact']); }else { $qact=null; } if (isset($_GET['qact2'])){ - $qact2=$_GET['qact2']; + $qact2=preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['qact2']); }else { $qact2=null; } diff --git a/allianz.php b/allianz.php index 8c0f3f59..ff14e7ea 100644 --- a/allianz.php +++ b/allianz.php @@ -1,19 +1,5 @@ -| -| This script is property of TravianX Project. You are allowed to change -| its source and release it under own name, not under name `TravianX`. -| You have no rights to remove copyright notices. -| -| TravianX All rights reserved -| -*/ if(isset($_GET['aid']) && !is_numeric($_GET['aid'])) header("Location: allianz.php");; include ("GameEngine/Village.php"); include ("GameEngine/Chat.php"); @@ -22,9 +8,9 @@ if(isset($_GET['aid']) && !is_numeric($_GET['aid'])) header("Location: allianz.p if(isset($_GET['newdid'])) { $_SESSION['wid'] = $_GET['newdid']; if(isset($_GET['s'])){ - header("Location: ".$_SERVER['PHP_SELF']."?s=".$_GET['s']); + header("Location: ".$_SERVER['PHP_SELF']."?s=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['s')); }else if(isset($_GET['aid'])){ - header("Location: ".$_SERVER['PHP_SELF']."?aid=".$_GET['aid']); + header("Location: ".$_SERVER['PHP_SELF']."?aid=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['aid'])); } else{ header("Location: ".$_SERVER['PHP_SELF']); @@ -35,7 +21,7 @@ if(isset($_GET['newdid'])) { } if(isset($_GET['fid'])){ -$fid = $_GET['fid']; +$fid = preg_replace("/[^0-9]/","",$_GET['fid']); $forum = mysql_query("SELECT * FROM " . TB_PREFIX . "forum_cat WHERE id = ".$fid.""); $forum_type = mysql_fetch_array($forum); if($forum_type['forum_name'] != "" && $forum_type['forum_area'] != 1){ 
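Review bot: The first `header()` call in the `newdid` block of allianz.php has a parse error: `$_GET['s')` closes the subscript with `)` instead of `]`, so the whole page stops compiling after this patch. The line should read `header("Location: ".$_SERVER['PHP_SELF']."?s=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['s']));`. The `aid` branch two lines below is correct and shows the intended form.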
@@ -54,7 +40,7 @@ if($forum_type['alliance'] != $session->alliance){ } } }else if(isset($_GET['fid2'])){ -$fid = $_GET['fid2']; +$fid = preg_replace("/[^0-9]/","",$_GET['fid2']); $forum = mysql_query("SELECT * FROM " . TB_PREFIX . "forum_cat WHERE id = ".$fid.""); $forum_type = mysql_fetch_array($forum); if($forum_type['forum_name'] != "" && $forum_type['forum_area'] != 1){ @@ -284,25 +270,25 @@ if($_GET['aid'] or $_GET['fid'] or $_GET['fid2'] or $session->alliance!=0){ } break; case 101: - $post = $_POST['id']; + $post = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['id']); $database->diplomacyCancelOffer($post); include ("Templates/Alliance/chgdiplo.tpl"); break; case 102: - $post = $_POST['id']; - $post2 = $_POST['alli2']; + $post = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['id']); + $post2 = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['alli2']); $database->diplomacyInviteDenied($post, $post2); include ("Templates/Alliance/chgdiplo.tpl"); break; case 103: - $post = $_POST['id']; - $post2 = $_POST['alli2']; + $post = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['id']); + $post2 = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['alli2']); $database->diplomacyInviteAccept($post, $post2); include ("Templates/Alliance/chgdiplo.tpl"); break; case 104: - $post = $_POST['id']; - $post2 = $_POST['alli2']; + $post = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['id']); + $post2 = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['alli2']); $database->diplomacyCancelExistingRelationship($post, $post2); include ("Templates/Alliance/chgdiplo.tpl"); } diff --git a/berichte.php b/berichte.php index 0dd77e0f..89b30965 100644 --- a/berichte.php +++ b/berichte.php 
@@ -87,11 +87,11 @@ if(isset($_GET['t'])) {
 if(isset($_GET['aid'])){
 if($_GET['aid']!=0){
 if($session->alliance==$_GET['aid']){
-
+
 if(isset($_GET['id'])) {
- $ally = $database->getNotice2($_GET['id'], 'ally');
+ $ally = $database->getNotice2(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']), 'ally');
 if($session->alliance==$ally){
- $type = $database->getNotice2($_GET['id'], 'ntype');
+ $type = $database->getNotice2(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']), 'ntype');
 if($type!=10 or $type!=11 or $type!=12 or $type!=13 or $type!=14 or $type!=15 or $type!=16 or $type!=17){
 include("Templates/Notice/".$type."x.tpl");
 }
@@ -100,10 +100,10 @@ if($_GET['aid']!=0){
 }
 }
 }else if(isset($_GET['vill'])){
-
+
 if(isset($_GET['id'])) {
 $ally = $database->getNotice2($_GET['id'], 'ally');
- if($database->getNotice2($_GET['id'], 'uid') == $session->uid){
+ if($database->getNotice2(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']), 'uid') == $session->uid){
 $type = ($message->readingNotice['ntype'] == 9)? $message->readingNotice['archive'] : $message->readingNotice['ntype'];
 include("Templates/Notice/".$type.".tpl");
 }else if($session->alliance==$ally){
@@ -113,9 +113,9 @@ if($_GET['aid']!=0){
 }
 }
 }
-
+
 }else if(isset($_GET['id'])) {
- if($database->getNotice2($_GET['id'], 'uid') == $session->uid){
+ if($database->getNotice2(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']), 'uid') == $session->uid){
 $type = ($message->readingNotice['ntype'] == 9)? $message->readingNotice['archive'] : $message->readingNotice['ntype'];
 include("Templates/Notice/".$type.".tpl");
 }
diff --git a/build.php b/build.php
index 3c50364f..6cadfd6e 100644
--- a/build.php
+++ b/build.php
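Review bot: In the second berichte.php hunk the `$ally = $database->getNotice2($_GET['id'], 'ally');` line directly above the changed `uid` lookup still passes the raw `$_GET['id']`, so the same value reaches `getNotice2` both filtered and unfiltered. Filtering once at the top of the branch, `$nid = preg_replace("/[^0-9]/","",$_GET['id']);` (or `(int)$_GET['id']`), and using `$nid` in all the `getNotice2` calls closes that gap and removes the repeated regex in the first hunk as well. The unchanged condition `$type!=10 or $type!=11 or …` in the first hunk is always true, since no single value equals all eight, so the `x.tpl` include runs for every type; it presumably wanted `and` (or `!in_array($type, [10,...,17], true)`), which this patch leaves as is.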
@@ -28,15 +28,15 @@ $alliance->procAlliForm($_POST);
 $technology->procTech($_POST);
 $market->procMarket($_POST);
 if(isset($_GET['gid'])) {
- $_GET['id'] = strval($building->getTypeField($_GET['gid']));
+ $_GET['id'] = strval($building->getTypeField(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['gid'])));
 } else if(isset($_POST['id'])) {
- $_GET['id'] = $_POST['id'];
+ $_GET['id'] = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['id']); // WTF is this?
 }
 if(isset($_POST['t'])){
- $_GET['t'] = $_POST['t'];
+ $_GET['t'] = preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['t']);
 }
 if(isset($_GET['id'])) {
- if (!ctype_digit($_GET['id'])){
+ if (!ctype_digit(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']))){
 $_GET['id'] = "1";
 }
 if($village->resarray['f'.$_GET['id'].'t'] == 17) {
@@ -62,7 +62,7 @@ if($routeaccess = 1){
 $_POST['r'.$i] = 0;
 }
 }
- $totalres = $_POST['r1']+$_POST['r2']+$_POST['r3']+$_POST['r4'];
+ $totalres = preg_replace("/[^0-9]/","",$_POST['r1'])+preg_replace("/[^0-9]/","",$_POST['r2'])+preg_replace("/[^0-9]/","",$_POST['r3'])+preg_replace("/[^0-9]/","",$_POST['r4']);
 $reqMerc = ceil(($totalres-0.1)/$market->maxcarry);
 $second = date("s");
 $minute = date("i");
@@ -175,7 +175,7 @@ if($session->goldclub == 1 && $session->access != BANNED){
 }else{
 $create = 0;
 }
-
+
 if($_GET['slid']) {
 $FLData = $database->getFLData($_GET['slid']);
 if($FLData['owner'] == $session->uid){
diff --git a/create_account.php b/create_account.php
index 01ff4e81..a0851805 100644
--- a/create_account.php
+++ b/create_account.php
@@ -96,7 +96,7 @@ if($_POST['password'] != ""){
 */
 $username = "Natars";
 $password = md5($_POST['password']);
- $email = "natars@travianx.com";
+ $email = "natars@noreply.com";
 $tribe = 5;
 $desc = "********************
 [#natars]
diff --git a/crop_finder.php b/crop_finder.php
index b74272a1..dfdac77e 100644
--- a/crop_finder.php
+++ b/crop_finder.php
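Review bot: In the first build.php hunk the `ctype_digit()` check now tests a filtered copy of `$_GET['id']`, but `$_GET['id']` itself is never reassigned, so a value like `3'` passes the check (its filtered form is `3`) and is then used unfiltered in `$village->resarray['f'.$_GET['id'].'t']` and everything below. Assign first, then test: `$_GET['id'] = preg_replace("/[^0-9]/","",$_GET['id']); if (!ctype_digit($_GET['id'])) { $_GET['id'] = "1"; }`. In the second hunk the four `preg_replace` results are added as strings; `(int)$_POST['r1'] + (int)$_POST['r2'] + …` expresses the intent directly. The `// WTF is this?` comment left on the `$_GET['id'] = $_POST['id']` line should either explain why the POST value is copied into `$_GET` or be dropped.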
@@ -15,11 +15,11 @@ } if($_POST['type'] == 15) { - header("Location: ".$_SERVER['PHP_SELF']."?s=1&x=" . $_POST['x'] . '&y=' . $_POST['y']); + header("Location: ".$_SERVER['PHP_SELF']."?s=1&x=" . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['x']) . '&y=' . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['y'])); } elseif($_POST['type'] == 9) { - header("Location: ".$_SERVER['PHP_SELF']."?s=2&x=" . $_POST['x'] . '&y=' . $_POST['y']); + header("Location: ".$_SERVER['PHP_SELF']."?s=2&x=" . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['x']) . '&y=' . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['y'])); } elseif($_POST['type'] == 'both') { - header("Location: ".$_SERVER['PHP_SELF']."?s=3&x=" . $_POST['x'] . '&y=' . $_POST['y']); + header("Location: ".$_SERVER['PHP_SELF']."?s=3&x=" . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['x']) . '&y=' . preg_replace("/[^a-zA-Z0-9_-]/","",$_POST['y'])); } ?> @@ -87,8 +87,8 @@ include ("Templates/menu.tpl"); if(is_numeric($_GET['x']) AND is_numeric($_GET['y'])) { - $coor2['x'] = $_GET['x']; - $coor2['y'] = $_GET['y']; + $coor2['x'] = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['x']); + $coor2['y'] = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['y']); } else { $wref2 = $village->wid; $coor2 = $database->getCoor($wref2); diff --git a/karte.php b/karte.php index d57575d7..293db5e8 100644 --- a/karte.php +++ b/karte.php @@ -16,10 +16,10 @@ $start = $generator->pageLoadTimeStart(); if(isset($_GET['newdid'])) { $_SESSION['wid'] = $_GET['newdid']; if(isset($_GET['d']) && isset($_GET['c'])){ - header("Location: ".$_SERVER['PHP_SELF']."?d=".$_GET['d']."&c=".$_GET['c']); + header("Location: ".$_SERVER['PHP_SELF']."?d=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['d'])."&c=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['c'])); } else if(isset($_GET['d'])){ - header("Location: ".$_SERVER['PHP_SELF']."?d=".$_GET['d']); + header("Location: ".$_SERVER['PHP_SELF']."?d=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['d'])); } else{ header("Location: ".$_SERVER['PHP_SELF']); 
diff --git a/manual.php b/manual.php index 807847ee..25555037 100644 --- a/manual.php +++ b/manual.php @@ -54,16 +54,16 @@ else if (isset($_GET['typ']) && $_GET['typ'] == 5 && $_GET['s'] == 3) { } else { if(isset($_GET['gid'])) { - include("Templates/Manual/".$_GET['typ'].($_GET['gid']).".tpl"); + include("Templates/Manual/".$_GET['typ'].(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['gid'])).".tpl"); } else { if($_GET['typ'] == 4 && $_GET['s'] == 0) { $_GET['s'] = 1; } - include("Templates/Manual/".$_GET['typ'].$_GET['s'].".tpl"); + include("Templates/Manual/".$_GET['typ'].preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['s']).".tpl"); } } ?> - + \ No newline at end of file diff --git a/nachrichten.php b/nachrichten.php index c4fc9f52..b3cb3cf6 100644 --- a/nachrichten.php +++ b/nachrichten.php @@ -83,7 +83,7 @@ else if(isset($_GET['t'])) { switch($_GET['t']) { case 1: if(isset($_GET['id'])) { - $id = $_GET['id']; + $id = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['id']); } include("Templates/Message/write.tpl"); break; diff --git a/oasis_populate.php b/oasis_populate.php index 9a0f89ee..8aaa5ff5 100644 --- a/oasis_populate.php +++ b/oasis_populate.php @@ -17,12 +17,12 @@ mysql_select_db(SQL_DB); if($session->access==ADMIN){ - + //controllo if(isset($_GET['giveout'])){ $database->populateOasisUnitsLow(); - + } @@ -94,7 +94,7 @@ Click here, to populate oasis
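Review bot: Both `include()` lines in manual.php now filter `$_GET['gid']` and `$_GET['s']`, but `$_GET['typ']` is still concatenated raw into the same template path, so only half of the file name is constrained; the visible part of Protection2.php's symbol list does not cover `.` or `/` either, so the global filter does not close this. Apply the same whitelist to `typ` once before the branch, `$typ = preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['typ']);`, and build both paths from `$typ`; since `typ` is compared numerically (`$_GET['typ'] == 4`), `(int)` would also do if it is always a number. The `if`/`else if` chain this `else` belongs to starts above the hunk.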
WARNING: Loading next
- +}?> \ No newline at end of file diff --git a/plus.php b/plus.php index f5a9c32e..648ddc02 100644 --- a/plus.php +++ b/plus.php @@ -65,7 +65,7 @@ $automation->isWinner(); procSpecial($_GET); if(isset($_GET['newdid'])) { $_SESSION['wid'] = $_GET['newdid']; if(isset($_GET['s'])){ - header("Location: ".$_SERVER['PHP_SELF']."?s=".$_GET['s']); + header("Location: ".$_SERVER['PHP_SELF']."?s=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['s'])); }else if(isset($_GET['uid'])){ - header("Location: ".$_SERVER['PHP_SELF']."?uid=".$_GET['uid']); + header("Location: ".$_SERVER['PHP_SELF']."?uid=".preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['uid'])); }else{ header("Location: ".$_SERVER['PHP_SELF']); } @@ -122,7 +122,7 @@ $automation->isWinner(); = 2) { - $user = $database->getUserArray($_GET['uid'],1); + $user = $database->getUserArray(preg_replace("/[^a-zA-Z0-9_-]/","",$_GET['uid']),1); if(isset($user['id'])){ include("Templates/Profile/overview.tpl"); } else { @@ -147,7 +147,7 @@ else if (isset($_GET['s'])) { include("Templates/Profile/graphic.tpl"); } if($_GET['s'] > 4 or $session->sit == 1) { - header("Location: ".$_SERVER['PHP_SELF']."?uid=".$session->uid); + header("Location: ".$_SERVER['PHP_SELF']."?uid=".preg_replace("/[^a-zA-Z0-9_-]/","",$session->uid)); } } ?> diff --git a/warsim.php b/warsim.php index bd3fda4c..12924f12 100644 --- a/warsim.php +++ b/warsim.php @@ -87,7 +87,7 @@ if(isset($_POST['result'])) { $target = isset($_POST['target'])? $_POST['target'] : array(); $tribe = isset($_POST['mytribe'])? $_POST['mytribe'] : $session->tribe; if(count($target) > 0) { - include("Templates/Simulator/att_".$tribe.".tpl"); + include("Templates/Simulator/att_".preg_replace("/[^a-zA-Z0-9_-]/","",$tribe).".tpl"); echo "
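Review bot: The third plus.php hunk applies the request-input regex to `$session->uid`, which is a server-side session value rather than request input, so the filtering there reads as if the session were untrusted; `(int)$session->uid` in the redirect (or the bare value, as before) is clearer. The unchanged `$_SESSION['wid'] = $_GET['newdid'];` context line at the top of the first hunk stores the raw parameter while the lines right after it are filtered, and the same line appears in the allianz.php and karte.php `newdid` blocks; this patch leaves all three as they were. What `wid` is later used for is not visible here, so whether it needs the same treatment should be checked against its consumers.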