xinyin025/TravianZ
1
0
Fork 0
mirror of https://github.com/Shadowss/TravianZ.git synced 2026-06-28 08:34:33 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
9a3cb7dc5cddaff2537e5dbe3461ff6f060ccf21
TravianZ/GameEngine/Admin/Mods/givePlus.php
T
Martin Ambrus 331885a110 fix: remove SQL injections in Admin
2017-10-19 21:17:11 +02:00

51 lines
2.1 KiB
PHP
Executable File
Raw Blame History

<?php
#################################################################################
## -= YOU MAY NOT REMOVE OR CHANGE THIS NOTICE =- ##
## --------------------------------------------------------------------------- ##
## Filename mainteneceBan.php ##
## Developed by: aggenkeech ##
## License: TravianX Project ##
## Copyright: TravianX (c) 2010-2012. All rights reserved. ##
## ##
#################################################################################
if (!isset($_SESSION)) session_start();
if($_SESSION['access'] < 9) die("Access Denied: You are not Admin!");
include_once("../../config.php");
function mysqli_result($res, $row, $field=0) {
$res->data_seek($row);
$datarow = $res->fetch_array();
return $datarow[$field];
}
$GLOBALS["link"] = mysqli_connect(SQL_SERVER, SQL_USER, SQL_PASS);
mysqli_select_db($GLOBALS["link"], SQL_DB);
$session = (int) $_POST['admid'];
$sql = mysqli_query($GLOBALS["link"], "SELECT * FROM ".TB_PREFIX."users WHERE id = ".$session."");
$access = mysqli_fetch_array($sql);
$sessionaccess = $access['access'];
if($sessionaccess != 9) die("<h1><font color=\"red\">Access Denied: You are not Admin!</font></h1>");
$sql = "SELECT id FROM ".TB_PREFIX."users ORDER BY ID DESC LIMIT 1";
$loops = mysqli_result(mysqli_query($GLOBALS["link"], $sql), 0);
$plusdur = $_POST['plus'] * 86400;
for($i = 0; $i < $loops + 1; $i++)
{
$query = "SELECT * FROM ".TB_PREFIX."users WHERE id = ".$i."";
$result = mysqli_query($GLOBALS["link"], $query);
while($row = mysqli_fetch_assoc($result))
{
if($row['plus'] < time()) { $plusbefore = time(); $addplus = $plusbefore + $plusdur; } elseif($row['plus'] > time()) { $plusbefore = $row['plus']; $addplus = $plusbefore + $plusdur; }
mysqli_query($GLOBALS["link"], "UPDATE ".TB_PREFIX."users SET
plus = '".$addplus."'
WHERE id = '".$row['id']."'");
}
}
header("Location: ../../../Admin/admin.php?p=givePlus&g");
?>
Reference in New Issue View Git Blame Copy Permalink