条件不按预期工作

时间:2013-07-21 03:16:30

标签: php mysql conditional-statements

我一直在为我的在线游戏服务器编写脚本,从数据库中获取用户名并检查其级别。

问题是代码没有检查级别,因此任何级别的任何人都可以投票和滥用我的投票系统。

注意:该投票系统基于时间/日期,因此您每12小时只能投票一次。

表格代码:

<html>
<body>
<center>
Please Enter Your Character Name Below, <br /><br />
After You Vote Please Relogin And Your Cps Will be Added<br /><br />
<FORM action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
  Character Name: <br /><br /> <input type="text" name='CharName'><br>
<br />
  <input type="submit" name="button" value="Vote">
</form>
</center>
</body>
</html>

投票代码:

<html><center>
<?php
$user = 'test'; //dbuser
$pass = 'test'; //dbpass
$host = 'localhost';    //dbhost
$name = 'zf'; //dbname

$con = mysql_connect($host, $user, $pass);
mysql_select_db($name, $con);

$datetime = date('Y-m-d');
$ip = $_SERVER['REMOTE_ADDR'];

if (isset($_POST['button']))
{
    $result1 = mysql_query("SELECT `level` FROM `cq_user` WHERE `name` = '$char_name'") or die(mysql_error());
    while($row = mysql_fetch_array($result1))
    {
    }

    error_reporting(E_ALL);
    ini_set('display_errors', '1');

    $char_name = $_POST['CharName'];

    $result = mysql_query("SELECT name FROM cq_user WHERE name = '" . $char_name . "' AND UNIX_TIMESTAMP(lastvoted) <= UNIX_TIMESTAMP('" . date('Y-m-d H:i:s', strtotime('-12 Hours')) . "')") or die(mysql_error());
    $result1 = mysql_query("SELECT `level` FROM `cq_user` WHERE `name` = '" . $char_name. "'") or die(mysql_error());
    while($row = mysql_fetch_array($result1))
    {
    }

    if (mysql_num_rows($result) == 0 && $row <= 119)
        echo "This character does not exist, or you have entered the wrong name. Or you could be trying to cheat and have already voted. Or you are not level 120+.";
    else
    {
        mysql_query("UPDATE `cq_user` SET `emoney` = `emoney` + 100000, `lastvoted`='" . date('Y-m-d H:i:s') . "' WHERE `name` = '" . $char_name . "'") or die(mysql_error());
        mysql_query("UPDATE `cq_user` SET `ip` = '$ip' WHERE `name` = '$char_name'");
?>
        <meta http-equiv="REFRESH" content="0;url=http://www.xtremetop100.com/in.php?site=1132303596"></HEAD>
<?php
    }
}
?>
</html></center>

这是我的检查员

if (mysql_num_rows($result) == 0 && $row <= 119)

这是我的等级检查员应该使用&lt; = 119!

的部分

2 个答案:

答案 0 :(得分:1)

这里有一些要检查的内容。我假设字符名称是唯一的。如果是这样,我猜你期待mysql_fetch_array()返回

的一个结果 
mysql_query("SELECT `level` FROM `cq_user` WHERE `name` = '" . $char_name. "'")

您有$row = mysql_fetch_array($result1),并且正如函数名所暗示的那样,mysql_fetch_array()返回一个数组,因此$row是所请求列值的数组。每次调用它时,它会在结果上进一步迭代。如果你只想要返回一行,你可以只调用一次(不需要while循环)。由于您只选择了一列(level),因此该级别应为$row[0]

此外,if声明中的条件是互斥的:

if (mysql_num_rows($result) == 0 && $row <= 119)

我猜你打算在这里使用或(||),因为你想检查是否有0结果或者水平低于119。

因此,应该是:

if (mysql_num_rows($result) == 0 || $row[0] <= 119)

此外,mysql_功能现在是deprecated。建议您使用mysqli_功能或PDO_MySQL扩展程序。您的代码也可能容易受到SQL注入攻击,因为在将其与查询字符串连接之前,您不会转义用户输入。考虑使用prepared/parameterized queries

答案 1 :(得分:1)

将其更改为此,它是一个关联数组。 

  if (mysql_num_rows($result) == 0 || $row['level'] <= 119)

如果$ result1查询返回1行,则此处不需要while循环。

while($row = mysql_fetch_array($result1))
    {
    }

改变它

list($row) = mysql_fetch_array($result1);

<强> EDITED 

<?php
$user = 'test'; //dbuser
$pass = 'test'; //dbpass
$host = 'localhost';    //dbhost
$name = 'zf'; //dbname

$con = mysql_connect($host, $user, $pass);
mysql_select_db($name, $con);

$datetime = date('Y-m-d');
$ip = $_SERVER['REMOTE_ADDR'];

if (isset($_POST['button']))
{
    $char_name = $_POST['CharName'];
    $result = mysql_query("SELECT `name`, `level` FROM `cq_user` WHERE `name` = '".$char_name."' AND UNIX_TIMESTAMP(lastvoted) <= UNIX_TIMESTAMP('" . date('Y-m-d H:i:s', strtotime('-12 Hours')) . "')") or die(mysql_error());

    list($name, $level) = mysql_fetch_array($result1);

    error_reporting(E_ALL);
    ini_set('display_errors', '1');

if (mysql_num_rows($result) == 0 || $level <= 119)
        echo "This character does not exist, or you have entered the wrong name. Or you could be trying to cheat and have already voted. Or you are not level 120+.";
    else
    {
        mysql_query("UPDATE `cq_user` SET `emoney` = `emoney` + 100000, `lastvoted`='" . date('Y-m-d H:i:s') . "', `ip` = '".$ip."' WHERE `name` = '" . $char_name . "'") or die(mysql_error());
?>
        <meta http-equiv="REFRESH" content="0;url=http://www.xtremetop100.com/in.php?site=1132303596"></HEAD>
<?php
    }
}
?>

你的HTML 

<form name="FORMNAME" action="submit.php" method="post">
    <input type="text" name="CharName"  />
    <input type="submit" name="button" value="Submit" />
</form>
相关问题
最新问题