Fixed a lot of bugs/security issues in the market

+Fixed a bug that permitted sending resources to oneself
+Fixed a bug that permitted sending resources to invalid villages
+Fixed a bug that permitted creating offerings with 0 resources or
invalid resource types
+Fixed a bug that permitted accepting offerings of other alliances
+Fixed a bug that permitted accepting offerings with a too high maxtime
+Fixed a bug that permitted accepting offerings from the same village
+Fixed a bug that permitted accepting offerings with too few merchants
+Fixed a bug that permitted accepting offerings without the requested
resources
+Fixed a bug that hid offerings with a valid maxtime
+Fixed some bugs related to error display
+Added some error messages
+Some clean-up
This commit is contained in:
iopietro
2018-04-16 23:45:21 +02:00
parent de8859da03
commit e116511c73
7 changed files with 114 additions and 71 deletions
+10 -7
@@ -860,6 +860,9 @@ define("OFFERING","Offering");
define("MAX_TIME_TRANSPORT","max. time of transport");
define("OWN_ALLIANCE_ONLY","own alliance only");
define("INVALID_OFFER","Invalid offer");
define("INVALID_MERCHANTS_REPETITION","Invalid merchants repetition rate");
define("USER_ON_VACATION","User is on vacation mode");
define("NOT_ENOUGH_RESOURCES","Not enough resources");
define("OFFER","Offer");
define("SEARCH","Search");
define("OWN_OFFERS","Own offers");
@@ -876,24 +879,24 @@ define("YOU_CAN_NAT_NPC_WW","You can't use NPC trade in WW village.");
define("NPC_TRADING","NPC trading");
define("SEND_RESOURCES","Send Resources");
define("BUY","Buy");
define("TRADE_ROUTES","trade routes");
define("TRADE_ROUTES","Trade routes");
define("DESCRIPTION","Description");
define("TIME_LEFT","Time left");
define("START","Start");
define("NO_TRADE_ROUTES","No active trade routes");
define("TRADE_ROUTE_TO","Trade route to");
define("CHECKED","checked");
define("DAYS","days");
define("EXTEND","extend");
define("EDIT","edit");
define("EXTEND_TRADE_ROUTES","Extend the trade route by 7 days for");
define("DAYS","Days");
define("EXTEND","Extend");
define("EDIT","Edit");
define("EXTEND_TRADE_ROUTES","Extend the trade route by <b>7</b> days for");
define("CREATE_TRADE_ROUTES","Create new trade route");
define("DELIVERIES","deliveries");
define("START_TIME_TRADE","start time");
define("CREATE_TRADE_ROUTE","Create trade route");
define("TARGET_VILLAGE","target village");
define("EDIT_TRADE_ROUTES","Edit trade route");
define("TRADE_ROUTES_DESC","Trade route allows you to set up routes for your merchant that he will walk every day at a certain hour. <br /><br /> Standard this holds on for 7 days, but you can extend it with 7 days for the cost of");
define("TRADE_ROUTES_DESC","Trade route allows you to set up routes for your merchant that he will walk every day at a certain hour. <br /><br /> Standard this holds on for <b>7</b> days, but you can extend it with <b>7</b> days for the cost of");
define("NPC_TRADE_DESC","With the NPC merchant you can distribute the resources in your warehouse as you desire. <br /><br /> The first line shows the current stock. In the second line you can choose another distribution. The third line shows the difference between the old and new stock.");
define("MARKETPLACE_DESC","At the Marketplace you can trade resources with other players. The higher its level, the more resources can be transported at the same time.");
@@ -1067,7 +1070,7 @@ define("NOT","Not ");
define("TRAIN_HERO","Train New Hero");
define("REVIVE","Revive");
define("OASES","Oases");
define("DELETE","delete");
define("DELETE","Delete");
define("RESOURCES","Resources");
define("OFFENCE","Offence");
define("DEFENCE","Defence");
+65 -40
@@ -36,27 +36,26 @@ class Market
public function procRemove($get)
{
global $database,$village,$session;
global $database, $village, $session;
if(isset($get['t']) && $get['t'] == 1)
{
$this->filterNeed($get);
}
else if(isset($get['t']) && $get['t'] ==2 && isset($get['a']) && $get['a'] == 5 && isset($get['del']))
else if(isset($get['t']) && $get['t'] == 2 && isset($get['a']) && $get['a'] == 5 && isset($get['del']))
{
//GET ALL FIELDS FROM MARKET
$type = $database->getMarketField($village->wid,"gtype");
$amt = $database->getMarketField($village->wid,"gamt");
$vref = $village->wid;
$database->getResourcesBack($vref,$type,$amt);
$database->addMarket($village->wid,$get['del'],0,0,0,0,0,0,1);
$type = $database->getMarketField($village->wid, "gtype");
$amt = $database->getMarketField($village->wid, "gamt");
$database->getResourcesBack($village->wid, $type, $amt);
$database->addMarket($village->wid, $get['del'], 0, 0, 0, 0, 0, 0, 1);
header("Location: build.php?id=".$get['id']."&t=2");
exit;
}
if(isset($get['t']) && $get['t'] == 1 && isset($get['a']) && $get['a'] == $session->mchecker && !isset($get['del']))
{
$session->changeChecker();
$this->acceptOffer($get);
$this->acceptOffer($get);
}
}
@@ -85,12 +84,12 @@ class Market
private function sendResource($post)
{
global $database,$village,$session,$generator,$logging,$form;
global $database, $village, $session, $generator, $logging, $form;
$wtrans = (isset($post['r1']) && $post['r1'] != "")? $post['r1'] : 0;
$ctrans = (isset($post['r2']) && $post['r2'] != "")? $post['r2'] : 0;
$itrans = (isset($post['r3']) && $post['r3'] != "")? $post['r3'] : 0;
$crtrans = (isset($post['r4']) && $post['r4'] != "")? $post['r4'] : 0;
$wtrans = (isset($post['r1']) && !empty($post['r1']))? $post['r1'] : 0;
$ctrans = (isset($post['r2']) && !empty($post['r2']))? $post['r2'] : 0;
$itrans = (isset($post['r3']) && !empty($post['r3']))? $post['r3'] : 0;
$crtrans = (isset($post['r4']) && !empty($post['r4']))? $post['r4'] : 0;
$wtrans = str_replace("-", "", $wtrans);
$ctrans = str_replace("-", "", $ctrans);
$itrans = str_replace("-", "", $itrans);
@@ -103,20 +102,22 @@ class Market
$availableIron = $database->getIronAvailable($village->wid);
$availableCrop = $database->getCropAvailable($village->wid);
//check if vacation mode:
if($database->getvacmodexy($id)){
$form->addError("error","User is on vacation mode");
}
if($database->getvacmodexy($id)) $form->addError("error", USER_ON_VACATION);
if($session->access == BANNED)
{
header("Location: banned.php");
exit;
}
else if($availableWood >= $post['r1'] AND $availableClay >= $post['r2'] AND $availableIron >= $post['r3'] AND $availableCrop >= $post['r4'])
elseif(!$database->checkVilExist($getwref)) $form->addError("error", NO_COORDINATES_SELECTED);
elseif($post['getwref'] == $village->wid) $form->addError("error", CANNOT_SEND_RESOURCES);
elseif($post['send3'] < 1 || $post['send3'] > 3 || ($post['send3'] > 1 && !$session->goldclub)) $form->addError("error", INVALID_MERCHANTS_REPETITION);
elseif($availableWood >= $post['r1'] && $availableClay >= $post['r2'] && $availableIron >= $post['r3'] && $availableCrop >= $post['r4'])
{
$resource = array($wtrans,$ctrans,$itrans,$crtrans);
$reqMerc = ceil((array_sum($resource)-0.1)/$this->maxcarry);
if($this->merchantAvail() != 0 && $reqMerc <= $this->merchantAvail())
if($this->merchantAvail() > 0 && $reqMerc <= $this->merchantAvail())
{
$id = $post['getwref'];
$coor = $database->getCoor($id);
@@ -132,15 +133,12 @@ class Market
$logging->addMarketLog($village->wid,1,array($resource[0],$resource[1],$resource[2],$resource[3],$id));
}
}
header("Location: build.php?id=".$post['id']);
exit;
}
header("Location: build.php?id=".$post['id']);
exit;
}
else
{
// TODO: WTF??? :D
// something
else $form->addError("error", TOO_FEW_MERCHANTS);
}
else $form->addError("error","You cannot send more resources than you have");
}
private function addOffer($post)
@@ -154,6 +152,12 @@ class Market
header("Location: build.php?id=".$post['id']."&t=2&e2");
exit;
}
elseif(!isset($post['m1']) || !isset($post['m2']) || $post['m1'] <= 0 || $post['m2'] <= 0)
{
// No resources selected (invalid)
header("Location: build.php?id=".$post['id']."&t=2&e2");
exit;
}
elseif($post['m1'] > (2 * $post['m2']))
{
// Trade is for more than 2x (invalid)
@@ -166,6 +170,12 @@ class Market
header("Location: build.php?id=".$post['id']."&t=2&e2");
exit;
}
elseif($post['rid1'] < 1 || $post['rid1'] > 4 || $post['rid2'] < 1 || $post['rid2'] > 4)
{
// Inexistent resources type (invalid)
header("Location: build.php?id=".$post['id']."&t=2&e2");
exit;
}
else
{
$wood = ($post['rid1'] == 1)? $post['m1'] : 0;
@@ -187,7 +197,7 @@ class Market
exit;
}
elseif($availableWood >= $wood AND $availableClay >= $clay AND $availableIron >= $iron AND $availableCrop >= $crop)
elseif($availableWood >= $wood && $availableClay >= $clay && $availableIron >= $iron && $availableCrop >= $crop)
{
$reqMerc = 1;
@@ -195,20 +205,14 @@ class Market
{
$reqMerc = round(($wood+$clay+$iron+$crop)/$this->maxcarry);
if(($wood+$clay+$iron+$crop) > $this->maxcarry*$reqMerc)
{
$reqMerc += 1;
}
if(($wood+$clay+$iron+$crop) > $this->maxcarry*$reqMerc) $reqMerc += 1;
}
if($this->merchantAvail() != 0 && $reqMerc <= $this->merchantAvail())
if($this->merchantAvail() > 0 && $reqMerc <= $this->merchantAvail())
{
if($database->modifyResource($village->wid,$wood,$clay,$iron,$crop,0))
{
$time = 0;
if(isset($_POST['d1']))
{
$time = $_POST['d2'] * 3600;
}
if(isset($_POST['d1'])) $time = $_POST['d2'] * 3600;
$alliance = (isset($post['ally']) && $post['ally'] == 1)? $session->userinfo['alliance'] : 0;
$database->addMarket($village->wid,$post['rid1'],$post['m1'],$post['rid2'],$post['m2'],$time,$alliance,$reqMerc,0);
}
@@ -246,6 +250,27 @@ class Market
$reqMerc += 1;
}
}
// We don't have enough resources
if($infoarray['wamt'] > ([$village->awood, $village->aclay, $village->airon, $village->acrop])[$infoarray['wtype']])
{
header("Location: build.php?id=".$get['id']."&t=1&e1");
exit;
} // We're accepting the offering from the same village/of another alliance/with a too high maxtime
elseif
(($infoarray['vref'] == $village->wid) ||
($infoarray['alliance'] > 0 && $infoarray['alliance'] != $session->alliance) ||
($infoarray['maxtime'] > 0 && ($infoarray['maxtime'] * 3600) < $generator->procDistanceTime($database->getCoor($infoarray['vref']), $village->coor, $session->tribe, 0)))
{
header("Location: build.php?id=".$get['id']."&t=1&e2");
exit;
} // We don't have enough merchants
elseif($reqMerc > $this->merchantAvail()){
header("Location: build.php?id=".$get['id']."&t=1&e3");
exit;
}
$myresource = $hisresource = array(1=>0,0,0,0);
$myresource[$infoarray['wtype']] = $infoarray['wamt'];
$mysendid = $database->sendResource($myresource[1],$myresource[2],$myresource[3],$myresource[4],$reqMerc,0);
@@ -266,7 +291,7 @@ class Market
);
$resource = array(1=>0,0,0,0);
$resource[$infoarray['wtype']] = $infoarray['wamt'];
$database->modifyResource($village->wid,$resource[1],$resource[2],$resource[3],$resource[4],0);
$database->modifyResource($village->wid, $resource[1], $resource[2], $resource[3], $resource[4] , 0);
$database->setMarketAcc($get['g']);
$database->removeAcceptedOffer($get['g']);
$logging->addMarketLog($village->wid,2,array($infoarray['vref'],$get['g']));
@@ -284,7 +309,7 @@ class Market
{
$targetcoor = $database->getCoor($value['vref']);
$duration = $generator->procDistanceTime($targetcoor,$village->coor,$session->tribe,0);
if($duration <= $value['maxtime'] || $value['maxtime'] == 0)
if($duration <= ($value['maxtime'] * 3600) || $value['maxtime'] == 0)
{
$value['duration'] = $duration;
array_push($holderarray,$value);
@@ -353,11 +378,11 @@ class Market
global $session,$database,$village;
$wwvillage = $database->getResourceLevel($village->wid);
if($wwvillage['f99t']!=40)
if($wwvillage['f99t'] != 40)
{
if($session->userinfo['gold'] >= 3)
{
//kijken of ze niet meer gs invoeren dan ze hebben
//check if there are too many resources
if($session->access == BANNED)
{
header("Location: banned.php");
@@ -370,7 +395,7 @@ class Market
["wood", "clay", "iron", "crop"],
[$post['m2'][0], $post['m2'][1], $post['m2'][2], $post['m2'][3]]
);
$database->modifyGold($session->uid,3,0);
$database->modifyGold($session->uid, 3, 0);
header("Location: build.php?id=".$post['id']."&t=3&c");;
exit;
}
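Review bot: The "not enough resources" guard added to acceptOffer in the `@@ -246,6 +250,27 @@` hunk indexes a zero-based literal list with `$infoarray['wtype']`, while the same method treats `wtype` as 1-based (`$myresource = $hisresource = array(1=>0,0,0,0)` and the `$resource` array in the next hunk), so `wtype` 1 is checked against clay, 2 against iron, 3 against crop, and 4 reads an undefined offset and never rejects; the list should be keyed the same way, `if($infoarray['wamt'] > ([1 => $village->awood, $village->aclay, $village->airon, $village->acrop])[$infoarray['wtype']])`. In sendResource (`@@ -103,20 +102,22 @@`) the availability comparison still reads the raw `$post['r1']`..`$post['r4']`, whereas the `$resource` array that is actually sent is built from `$wtrans`..`$crtrans` after `str_replace("-", "", …)`, so a negative input passes the check and is then shipped as its absolute value; comparing against `$wtrans`, `$ctrans`, `$itrans`, `$crtrans` closes that gap. The vacation-mode line in that hunk only records an error and is not part of the `if`/`elseif` chain that follows, so the transfer still proceeds on the resources branch; it presumably also relies on `$id` and `$getwref` being set in the lines just above the hunk, which is worth confirming since `$id` is only visibly assigned from `$post['getwref']` further down. Both sendResource and acceptOffer start and end outside the hunks shown.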
+1 -1
@@ -63,7 +63,7 @@ class Session {
private $time;
var $logged_in = false;
var $referrer, $url;
var $username, $uid, $access, $plus, $tribe, $isAdmin, $alliance, $gold, $oldrank, $gpack;
var $username, $uid, $access, $plus, $tribe, $isAdmin, $alliance, $gold, $oldrank, $gpack, $goldclub;
var $bonus = 0;
var $bonus1 = 0;
var $bonus2 = 0;
+19 -16
@@ -35,7 +35,7 @@ $userID = $database->getUserField($villageOwner,'id',0);
}
$maxcarry = $market->maxcarry;
$maxcarry *= $market->merchantAvail();
if(isset($_POST['ft'])=='check' && $allres!=0 && $allres <= $maxcarry && ($_POST['x']!="" && $_POST['y']!="" or $_POST['dname']!="") && $checkexist && ($userAccess == 2 || $userAccess == MULTIHUNTER || (ADMIN_ALLOW_INCOMING_RAIDS && $userAccess == ADMIN))){
if(isset($_POST['ft'])=='check' && (($_POST['send3'] > 1 && $_POST['send3'] < 3 && $session->goldclub) || $_POST['send3'] == 1) && $getwref != $village->wid && $allres!=0 && $allres <= $maxcarry && ($_POST['x']!="" && $_POST['y']!="" or $_POST['dname']!="") && $checkexist && ($userAccess == 2 || $userAccess == MULTIHUNTER || (ADMIN_ALLOW_INCOMING_RAIDS && $userAccess == ADMIN))){
?>
<form method="POST" name="snd" action="build.php">
<input type="hidden" name="ft" value="mk1">
@@ -72,20 +72,20 @@ if(isset($_POST['ft'])=='check' && $allres!=0 && $allres <= $maxcarry && ($_POST
<tbody><tr>
<th><?php echo COORDINATES;?>:</th>
<?php
if($_POST['x']!="" && $_POST['y']!="" && is_numeric($_POST['x']) && is_numeric($_POST['y'])){
$getwref = $database->getVilWref($_POST['x'],$_POST['y']);
$getvilname = $database->getVillageField($getwref, "name");
$getvilowner = $database->getVillageField($getwref, "owner");
$getvilcoor['y'] = $_POST['y'];
$getvilcoor['x'] = $_POST['x'];
$time = $generator->procDistanceTime($getvilcoor,$village->coor,$session->tribe,0);
if(!empty($_POST['x']) && !empty($_POST['y']) && is_numeric($_POST['x']) && is_numeric($_POST['y'])){
$getwref = $database->getVilWref($_POST['x'],$_POST['y']);
$getvilname = $database->getVillageField($getwref, "name");
$getvilowner = $database->getVillageField($getwref, "owner");
$getvilcoor['y'] = $_POST['y'];
$getvilcoor['x'] = $_POST['x'];
$time = $generator->procDistanceTime($getvilcoor,$village->coor,$session->tribe,0);
}
else if($_POST['dname']!=""){
$getwref = $database->getVillageByName($_POST['dname']);
$getvilcoor = $database->getCoor($getwref);
$getvilname = $database->getVillageField($getwref, "name");
$getvilowner = $database->getVillageField($getwref, "owner");
$time = $generator->procDistanceTime($getvilcoor,$village->coor,$session->tribe,0);
else if(!empty($_POST['dname'])){
$getwref = $database->getVillageByName($_POST['dname']);
$getvilcoor = $database->getCoor($getwref);
$getvilname = $database->getVillageField($getwref, "name");
$getvilowner = $database->getVillageField($getwref, "owner");
$time = $generator->procDistanceTime($getvilcoor,$village->coor,$session->tribe,0);
}
?>
<td><a href="karte.php?d=<?php echo $getwref; ?>&c=<?php echo $generator->getMapCheck($getwref); ?>"><?php echo $getvilname; ?>(<?php echo $getvilcoor['x']; ?>|<?php echo $getvilcoor['y']; ?>)<span class="clear"></span></a></td>
@@ -202,7 +202,7 @@ $coor['y'] = "";
</table>
<div class="clear"></div>
<?php if($session->goldclub == 1){?>
<p><select name="send3"><option value="1" selected="selected">1x</option><option value="2">2x</option><option value="3">3x</option></select><?php echo GO;?></p>
<p><select name="send3"><option value="1" selected="selected">1x</option><option value="2">2x</option><option value="3">3x</option></select> <?php echo GO;?></p>
<?php
}else{
?>
@@ -215,10 +215,13 @@ $coor['y'] = "";
$error = '';
if(isset($_POST['ft'])=='check'){
if(!$checkexist){
if($form->returnErrors() > 0) $error = '<span class="error"><b>'.$form->getError("error").'</b></span>';
elseif(!$checkexist){
$error = '<span class="error"><b>'.NO_COORDINATES_SELECTED.'</b></span>';
}elseif($getwref == $village->wid){
$error = '<span class="error"><b>'.CANNOT_SEND_RESOURCES.'</b></span>';
}elseif($_POST['send3'] < 1 || $_POST['send3'] > 3 || ($_POST['send3'] > 1 && !$session->goldclub)){
$error = '<span class="error"><b>'.INVALID_MERCHANTS_REPETITION.'</b></span>';
}elseif($userAccess == '0' or ($userAccess == MULTIHUNTER && $userID == 5) or (!ADMIN_ALLOW_INCOMING_RAIDS && $userAccess == ADMIN)){
$error = '<span class="error"><b>'.BANNED_CANNOT_SEND_RESOURCES.'.</b></span>';
}elseif($_POST['r1']==0 && $_POST['r2']==0 && $_POST['r3']==0 && $_POST['r4']==0){
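Review bot: The gate added to the `if(isset($_POST['ft'])=='check' …` condition in the first hunk only accepts a gold-club repetition when `$_POST['send3'] > 1 && $_POST['send3'] < 3`, which excludes the `3x` option the `send3` select offers below and which the new error branch in the last hunk (`$_POST['send3'] > 3`) treats as valid, so a 3x submission shows neither the confirmation form nor an error; change the gate to `(($_POST['send3'] > 1 && $_POST['send3'] <= 3 && $session->goldclub) || $_POST['send3'] == 1)`, or reuse the same `< 1 || > 3` expression as the error branch so the two stay in sync. Separately, `isset($_POST['ft'])=='check'` compares a bool with a string and is therefore true whenever `ft` is set at all; that predates this change but both hunks touch it. The enclosing template logic continues outside the hunks.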
+15 -1
@@ -47,6 +47,20 @@ if($session->plus) {
}
?>
<div class="clear"></div><table id="range" cellpadding="1" cellspacing="1">
<?php
if(isset($_GET['e1']))
{
echo "<p class=\"error2\">".NOT_ENOUGH_RESOURCES."</p>";
}
elseif(isset($_GET['e2']))
{
echo "<p class=\"error2\">".INVALID_OFFER."</p>";
}
elseif(isset($_GET['e3']))
{
echo "<p class=\"error2\">".NOT_ENOUGH_MERCHANTS."</p>";
}
?>
<thead><tr>
<th colspan="5"><a name="h2"></a><?php echo OFFERS_MARKETPLACE;?></th>
</tr>
@@ -95,7 +109,7 @@ switch($market->onsale[$i]['gtype']) {
echo "<td class=\"act none\">".NOT_ENOUGH_MERCHANTS."</td></tr>";
}
else if($session->access != BANNED){
echo "<td class=\"act\"><a href=\"build.php?id=$id&t=1&a=".$session->mchecker."&g=".$market->onsale[$i]['id']."\">".LUMBER."Accept offer</a></td>";
echo "<td class=\"act\"><a href=\"build.php?id=$id&t=1&a=".$session->mchecker."&g=".$market->onsale[$i]['id']."\">Accept offer</a></td>";
}else{
echo "<td class=\"act\"><a href=\"banned.php\">".ACCEP_OFFER."</a></td>";
}
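Review bot: The rewritten accept link in the second hunk hard-codes the label `Accept offer` while the banned branch directly below it uses the `ACCEP_OFFER` constant, so the two cells will diverge for any non-English language file; use the constant in both, `…"&g=".$market->onsale[$i]['id']."\">".ACCEP_OFFER."</a></td>";`. The new error block in the first hunk correctly uses `isset` on the `e1`/`e2`/`e3` flags, so only the presence of the key is trusted, which is fine. The surrounding loop starts outside the hunk.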
+2 -4
@@ -58,10 +58,8 @@
{
echo "<p class=\"error2\">".NOT_ENOUGH_MERCHANTS."</p>";
}
else
{
echo "<p>Merchants: ".$market->merchantAvail()."/".$market->merchant."</p>";
}
echo "<br /><p>Merchants: ".$market->merchantAvail()."/".$market->merchant."</p>";
?>
<input type="image" tabindex="8" value="ok" name="s1" id="btn_ok" class="dynamic_img" src="img/x.gif" alt="OK" <?php //if(!$market->merchantAvail()) { echo "DISABLED"; }?>/></p>
</form>
+2 -2
@@ -22,7 +22,7 @@ include("17_edit.tpl");
}else{
?>
<p><?php echo TRADE_ROUTES_DESC;?> <img src="../../<?php echo GP_LOCATE; ?>img/a/gold.gif" alt="Gold" title="<?php echo GOLD;?>">2.</p>
<p><?php echo TRADE_ROUTES_DESC;?> <img src="../../<?php echo GP_LOCATE; ?>img/a/gold.gif" alt="Gold" title="<?php echo GOLD;?>"><b>2</b>.</p>
<table id="npc" cellpadding="1" cellspacing="1">
<thead>
@@ -61,7 +61,7 @@ echo "".TRADE_ROUTE_TO." <a href=karte.php?d=".$route['wid']."&c=".$generator->g
| <a href="build.php?id=<?php echo $id; ?>&t=4&action=editRoute&routeid=<?php echo $routeid; ?>"><?php echo EDIT;?></a>
| <a href="build.php?action=delRoute&routeid=<?php echo $routeid; ?>"><?php echo DELETE;?></a>
</th></tr></tfoot></table>
* <?php echo EXTEND_TRADE_ROUTES;?> <img src="../../<?php echo GP_LOCATE; ?>img/a/gold.gif" alt="Gold" title="<?php echo GOLD;?>">2
* <?php echo EXTEND_TRADE_ROUTES;?> <img src="../../<?php echo GP_LOCATE; ?>img/a/gold.gif" alt="Gold" title="<?php echo GOLD;?>"><b>2</b>
<br>
<div class="options">
<a class="arrow" href="build.php?gid=17&t=4&create">» <?php echo CREATE_TRADE_ROUTES;?></a>