I'm building a part of a text game where you can sell and buy your cars. On the selling part I ran into this problem. This is the part where the user chooses a car:
// List the cars in the logged-in user's garage (ID is the user id constant).
$sql = "
    SELECT garage.id, car_id, schade, naam, prijs
    FROM garage
    LEFT JOIN cars ON garage.car_id = cars.id
    WHERE user_id = ".ID."
    ORDER BY id ASC
    LIMIT ".($page * 10).", 10
";
$sql = mysql_query($sql) or die(mysql_error());
$i = 1;
while($res = mysql_fetch_assoc($sql)){
    // The option value sent back by the form is the global car id (cars.id), not the garage row id.
    echo "<option value='".$res['car_id']."'>".$res['naam']."</option><br>";
}
So a dropdown box shows the cars you have, based on their 'global' car IDs. This is what happens when you click 'sell':
if(isset($_POST['start'])){
    $prijs = $_POST['prijs'];
    $carr = $_POST['autos']; // the car id chosen in the dropdown, taken straight from the client
    $sql = mysql_query("SELECT `id` FROM `automarkt` WHERE `seller_id`=".ID." LIMIT 1") or die(mysql_error());
    // rest of the sell handler not shown in the post
}
So I discovered you can use Tamper Data, or just edit the parameter being sent even before clicking the button... For example, you choose a car from the dropdown box, the car has id 39, you tamper with it and change it to 41, and you actually manage to post 41 and so spawn other cars into the game.
I tried this as a solution, but it doesn't really do anything (I tried to make it check whether the 'garage' row exists by matching the sent car id and the user id):
// Note: $carr is concatenated into the query unescaped.
$result = mysql_query("SELECT `id` FROM `garage` WHERE `user_id`=".ID." AND `car_id`=".$carr) or die(mysql_error());
// In the post this was an elseif branch after earlier checks that are not shown.
// mysql_query() returns a result resource for any query that executes without error,
// even one that matches zero rows, so $result is always truthy here and this branch never runs.
if(!$result) {
    $msgs = bad("x");
}
This, however, didn't really do anything and still leaves it possible to tamper with the sent car id.
I thought you could maybe check the 'id' in the 'garage' table, because it's unique. (So also sending the unique row id and comparing it to the car id, but if that's exposed you can also tamper with that...)
I need something that checks whether the USER actually HAS the CAR in the GARAGE. I ran out of ideas.
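The ownership check the post is asking for, as an added example that is not code from the original post. It binds the user id to the server-side session rather than to anything the form sends, so editing the posted id in Tamper Data only makes the lookup match nothing. It assumes a PDO connection to the same MySQL database (InnoDB, so transactions and FOR UPDATE work), a session variable holding the logged-in user's id (the post's ID constant), the tables garage(id, user_id, car_id) and automarkt(id, seller_id, car_id, prijs), and that the dropdown's option value is the garage row id (garage.id) instead of car_id; the automarkt columns car_id and prijs are assumptions, the post only shows seller_id.

```php
<?php
// Added example, not the original post's code. Assumes: a PDO connection $pdo
// (MySQL/InnoDB), the user id from the server-side session, tables
// garage(id, user_id, car_id) and automarkt(id, seller_id, car_id, prijs).
// automarkt.car_id and automarkt.prijs are assumed column names.

/**
 * Move one car from the logged-in user's garage to the market.
 * $post['autos'] is the garage row id (garage.id) chosen in the dropdown.
 * Returns a status string for the player.
 */
function sellCar(PDO $pdo, int $userId, array $post): string
{
    // Whitelist the input: anything that is not a positive integer is rejected
    // before it gets near a query. A tampered id still has to pass the ownership check.
    $intOpts  = ['options' => ['min_range' => 1]];
    $garageId = filter_var($post['autos'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    $prijs    = filter_var($post['prijs'] ?? null, FILTER_VALIDATE_INT, $intOpts);
    if ($garageId === false || $prijs === false) {
        return 'invalid input';
    }

    $pdo->beginTransaction();
    try {
        // The ownership check: the garage row must exist AND belong to this user.
        // user_id comes from the session, never from the form, so a player who
        // edits the posted id to someone else's car gets no row back.
        // FOR UPDATE locks the row so two concurrent "sell" clicks cannot both succeed.
        $stmt = $pdo->prepare('SELECT car_id FROM garage WHERE id = ? AND user_id = ? FOR UPDATE');
        $stmt->execute([$garageId, $userId]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            $pdo->rollBack();
            return 'that car is not in your garage';
        }

        // Take it out of the garage, again bound to user_id, and insist that
        // exactly one row disappeared (rowCount() is the affected-row count).
        $del = $pdo->prepare('DELETE FROM garage WHERE id = ? AND user_id = ?');
        $del->execute([$garageId, $userId]);
        if ($del->rowCount() !== 1) {
            $pdo->rollBack();
            return 'that car is not in your garage';
        }

        // Only now list it, with the seller taken from the session as well.
        $ins = $pdo->prepare('INSERT INTO automarkt (seller_id, car_id, prijs) VALUES (?, ?, ?)');
        $ins->execute([$userId, (int) $row['car_id'], $prijs]);

        $pdo->commit();
        return 'car listed for sale';
    } catch (PDOException $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Example wiring (assumed names): $pdo and $_SESSION['user_id'] come from your login code.
// $pdo = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (isset($_POST['start'])) {
    $msgs = sellCar($pdo, (int) $_SESSION['user_id'], $_POST);
}
```

Two design points. First, the dropdown should send garage.id (`$res['id']`) rather than `car_id`, so that two identical cars in one garage are distinguishable and the DELETE removes exactly the row the player picked; the value is still only a hint, because every query re-checks `user_id = ?` against the session. Second, the check and the removal are one transaction and the same WHERE clause, so there is no window where a row that passed the check has already been sold by another request. Prepared statements also close the injection hole in the post's `.$carr` concatenation.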