我有一个socket.io服务器,我用它来聊天,并在我的网站上显示一些实时信息。用户可以在网站上使用点数 我想给他们一个/ send命令给朋友一些分数。我这样做了:
if (msg.substr(0,6) === '/send ') {
msg = msg.substr(6);
var ind = msg.indexOf(' ');
if (ind !== -1) {
var receiverID = msg.substr(0, ind);
var amount = msg.substr(ind + 1);
if (amount <= 0) {
socket.emit('chat error', 'Error! The amount should be greater than 0!');
return;
}
if (row[0].pontos < amount) {
socket.emit('chat error', 'Error! You don\'t have this amount of points');
return;
}
if (isNaN(amount)){
socket.emit('chat error', 'Error! Syntax: /send userid amount');
return;
}
connection.query('SELECT * FROM `users` WHERE `steamid`=\'' + receiverID + '\'', function(err35, row35, fields35) {
if (err35) throw err35;
if (row35.length == 0) {
socket.emit('chat error', 'Error! You are trying to send coins to an unregistered user!');
return;
}
var receiverSecret = row35[0].secret;
if (receiverSecret == row[0].secret) {
socket.emit('chat error', 'Error! What\'s the point of sending points to yourself?');
return;
}
connection.query('UPDATE `users` SET `pontos`=`pontos`-\'' + amount + '\' WHERE `secret`=\''+row[0].secret+'\'', function(err350, row350, fields350) {
if (err350) throw err350;
connection.query('UPDATE `users` SET `pontos`=`pontos`+\'' + amount + '\' WHERE `secret`=\''+receiverSecret+'\'', function( err3500, row3500, fields3500) {
if (err3500) throw err3500;
updatePoints();
});
});
clients[row[0].secret].emit('chat success', 'You\'ve sent '+amount+' points to '+row35[0].nome);
if (receiverSecret in clients) {
clients[receiverSecret].emit('chat success', 'You\'ve received '+amount+' points from '+row[0].nome);
}
});
}else{
socket.emit('chat error', 'Invalid user id! Format: \'/send <userid> <amount>\'');
}
}
如何避免用户发送此命令,从而阻止他们通过粘贴和发送多次/秒来利用该网站?我已经测试了它,我设法发送了比我更多的东西并且处于负面点。