Help With possible Exploit

Discussion in 'PHP' started by richbate, Jun 2, 2007.

  1. #1
    I just finished a combat script for an online game, but I just realised there may be an exploit.

    Basically it goes.

    If player wins then updates SQL Database,

    If player loses, then they go back to main screen.


    Ok, my concern is, when the player wins, it will run the following script.

    echo "" . $playerstats2['username'] . "Won!!";
    echo "<br>You have earned $gold_total gold";
    echo "<br>You have earned $exp_earned EXP";

    $update_exp = mysql_query("UPDATE members SET exp='$total_exp' WHERE username='$user'");
    $update_gold = mysql_query("UPDATE members SET gold='$total_gold' WHERE username='$user'");

    Is there any way of stopping the user from just simply pressing F5 and drawing in as much gold and exp as possible?


    I'm thinking of making the user spend X amount of turns when they attack a monster, so they can only do a certain amount of attacks.

    Also another idea is to give the user a set amount of HP (Health points) and every time they fight, they might or might not lose some HP, and when they are at 0 HP, they can't attack.

    Any ideas?
     
    richbate, Jun 2, 2007 IP
  2. *louie*

    #2
    You can reset the values and run an if then...:

    if (!empty($gold_total) && !empty($exp_earned)) {
        // we have values, let's update
        echo "" . $playerstats2['username'] . "Won!!";
        echo "<br>You have earned $gold_total gold";
        echo "<br>You have earned $exp_earned EXP";

        $update_exp = mysql_query("UPDATE members SET exp='$total_exp' WHERE username='$user'");
        $update_gold = mysql_query("UPDATE members SET gold='$total_gold' WHERE username='$user'");

        // reset
        $gold_total = "";
        $exp_earned = "";
    } else {
        // redirect, no values
        header("Location: homepage.php");
        exit();
    }
     
    *louie*, Jun 2, 2007 IP
  3. mrmonster

    #3
    A little hard to help ya without seeing how a win is executed and when.

    I would do something similar to...

    When a win is detected the first thing you do is create a hash and save it both in a DB and in the user's session. This should be the very first thing that happens before any messages or anything like that.

    Then, in the place where you are adding to the user's winning resources, you check if a hash exists in the session. If it does, you go and check the DB where you store the winner hash, if the hash in the session matches the one in the DB you know you can reward the user. At the same time you clear both, the hash that's in the session and the one in the DB.

    If the user refreshes the page now there's no matching hash in the session and the DB, no reward.
     
    mrmonster, Jun 2, 2007 IP
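
The one-time hash described in post #3, sketched as an added example that is not code from the thread. The table names, function names and the `$session` array (a stand-in for `$_SESSION`) are assumptions, as is storing the reward amount with the token so that redemption never trusts request input; SQLite in memory stands in for MySQL.

```php
<?php
// Added example: one-time win token held in the session and in the DB.
// Table/function names are assumptions; $session stands in for $_SESSION.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT PRIMARY KEY, gold INTEGER NOT NULL DEFAULT 0)");
$db->exec("CREATE TABLE win_tokens (username TEXT PRIMARY KEY, token TEXT NOT NULL, gold INTEGER NOT NULL)");
$db->exec("INSERT INTO members (username) VALUES ('alice')"); // constructed sample row

// Called the moment the server decides the fight is won, before any output.
function recordWin(PDO $db, array &$session, string $user, int $gold): void
{
    $token = bin2hex(random_bytes(16));
    $stmt = $db->prepare("REPLACE INTO win_tokens (username, token, gold) VALUES (?, ?, ?)");
    $stmt->execute([$user, $token, $gold]);
    $session['win_token'] = $token;
}

// Pays out once: the DELETE only removes a row while the stored token still matches.
function redeemWin(PDO $db, array &$session, string $user): bool
{
    $token = $session['win_token'] ?? null;
    unset($session['win_token']);          // clear the session copy either way
    if ($token === null) {
        return false;
    }
    $db->beginTransaction();
    $sel = $db->prepare("SELECT gold FROM win_tokens WHERE username = ? AND token = ?");
    $sel->execute([$user, $token]);
    $gold = $sel->fetchColumn();
    $del = $db->prepare("DELETE FROM win_tokens WHERE username = ? AND token = ?");
    $del->execute([$user, $token]);
    if ($gold === false || $del->rowCount() !== 1) {
        $db->rollBack();                   // no matching token: no reward
        return false;
    }
    $pay = $db->prepare("UPDATE members SET gold = gold + ? WHERE username = ?");
    $pay->execute([(int) $gold, $user]);
    $db->commit();
    return true;
}

$session = [];
recordWin($db, $session, 'alice', 120);
var_dump(redeemWin($db, $session, 'alice')); // first page load
var_dump(redeemWin($db, $session, 'alice')); // refresh: token already cleared
```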
  4. mrmonster

    #4
    You could do it with session alone, it all depends how safe you want to make it.
     
    mrmonster, Jun 2, 2007 IP
  5. krt

    #5
    Won't work because those 2 vars are set from a source, either GET/POST vars or something; setting just the variable will be useless once the script is run again.

    I would use a flag in the database and set it to true before a fight and set it to false after the fight (and after exp/gold is added).

    Also, do the updating at the same time, and you do not need $update variables for the UPDATE queries.

    This would be the new code:
    mysql_query("UPDATE members SET exp='$total_exp', gold='$total_gold', in_attack = 0 WHERE username='$user' AND in_attack = 1");
    Then set in_attack = 1 whenever a fight starts.

    A session flag might also do depending on how you trigger a win.
     
    krt, Jun 2, 2007 IP
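
The `in_attack` flag from post #5 as a runnable sketch; this is an added example, not code from the thread. It differs from the posted query in using bound parameters and increments (`exp = exp + ?`) instead of interpolated totals, and it checks the affected-row count to tell a first claim from a resubmission. The table layout and function names are assumptions, and SQLite in memory stands in for MySQL.

```php
<?php
// Added example: in_attack flag used as an atomic, single-use reward claim.
// Table layout and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (
    username  TEXT PRIMARY KEY,
    exp       INTEGER NOT NULL DEFAULT 0,
    gold      INTEGER NOT NULL DEFAULT 0,
    in_attack INTEGER NOT NULL DEFAULT 0)");
$db->exec("INSERT INTO members (username) VALUES ('alice')"); // constructed sample row

// Set the flag when the server starts a fight.
function startFight(PDO $db, string $user): void
{
    $stmt = $db->prepare("UPDATE members SET in_attack = 1 WHERE username = ?");
    $stmt->execute([$user]);
}

// Returns true only for the first request that claims the win.
function claimWin(PDO $db, string $user, int $exp, int $gold): bool
{
    // Flag check and reward are one statement, so a refresh (or two
    // concurrent requests) cannot both find in_attack = 1.
    $stmt = $db->prepare(
        "UPDATE members
            SET exp = exp + ?, gold = gold + ?, in_attack = 0
          WHERE username = ? AND in_attack = 1"
    );
    $stmt->execute([$exp, $gold, $user]);
    return $stmt->rowCount() === 1;
}

startFight($db, 'alice');
var_dump(claimWin($db, 'alice', 50, 120)); // first request
var_dump(claimWin($db, 'alice', 50, 120)); // F5 / resubmitted request
$row = $db->query("SELECT exp, gold, in_attack FROM members WHERE username = 'alice'")
          ->fetch(PDO::FETCH_ASSOC);
print_r($row);                              // totals after both requests
```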
  6. richbate

    #6
    I've worked it out, thanks for the help everyone.

    What I've done is give the user X amount of turns to spend on combat each hour.
    Now, every time they want to attack, it costs 15 turns.. and if they don't have above those 15 turns, it won't let them attack.

    I've also added a HP bar, so when they fight, they have a chance of getting hurt, it discourages the user from pressing F5 if they are keeping an eye on their HP level.
     
    richbate, Jun 3, 2007 IP
  7. krt

    #7
    I'd still use a flag. What if they press F5 thinking the page has not been submitted? I have that problem often with an ADSL line that temporarily drops out far too often.
     
    krt, Jun 3, 2007 IP