POST DATA

Beffic

[FONT="Comic Sans MS"]Ok, I have a little RPG game out and I have been trying to fix bugs that people exploit. One of them for example is the POST DATA bug. Someone could be fighting a monster and as soon as they kill it they can hit backspace or alt + left key and it will send them back to the part where they were about to kill it and then kill it again for another level. So really it's not PHP scripting i need but it has to do with my PHP scripts and I don't know where else to go. I want to keep people from pressing the ALT button and the Backspace button to keep them from using this bug to their advantage.

Thanks,
-Beffic[/FONT]

PartDigital

well it seems to me that I would either use a database or session variables.

The easiest is probably with session variables (though not the most typical)

So for instance, at the beginning of the game, you set a session variable for the first monster ($SESSION['monster1'])
and give that a value of 0. So $SESSION['monster1'] = 0;

when they kill the monster you set that to 1, so $_SESSION['monster1'] = 1.

Then do some checks to verify this variable.

That way when they load the page it will check to see if $SESSION['monster1'] is 0 or 1. If it's 1 the page will be forwarded to the next page, otherwise it will stay and let them kill it.
$SESSION['monster1'] = 1;

if you're new to sessions check out http://us.php.net/session

hope this was helpful

Beffic

How would the session set back to 0 or does it not need to be set to 0?

PartDigital

you would want to set it to 0 at the beginning of the program. So for instance if you have three bosses you would want to do.

$_SESSION['boss1'] = 0; 
$_SESSION['boss2'] = 0; 
$_SESSION['boss3'] = 0;

This of course is just one way to do it.

you could also do it like this

//this would probably be my preferred way as it lets me loop through them
$_SESSION['bosses']['1'] = 0; 
$_SESSION['bosses']['2'] = 0; 
$_SESSION['bosses']['3'] = 0;

Beffic

Isn't there other ways of identifying sessions like "COOKIE"? Or something like this...

    setcookie('Monstername',$Monster['Name'],time()+60*60*24);

matto

you can set a cookie as well, but the use of a session is more handy, and [typically] it relies on cookies as well, only that this part is handled in the background.

insert this at the top of your script:
session_start();

then if you want to remember something:
$_SESSION['name'] = $value;

and if you want to recall something:
$value = $_SESSION['name'];

since the session variable stays available as long as the user has its browser open, you don't need to bother setting cookie time limits etc.

PartDigital

matto is correct, with cookies you have to worry about expiration times. With sessions they are automatically cleared once the browser is closed.

Beffic

Hmm.... ok so is this how I would do it?

Fight.php
//----------------------------------

<?php
include 'connect.php';
include 'header.php';
//Just added------
SESSION_START();
//--------------------
if(!isset($_COOKIE['member_id']))
  die('<p>You\'re not logged in, please <a href=main.php>login</a></p>');
$Player=$_COOKIE['member_id'];
$Teleport=$_POST['Teleport'];
$Thespell=$_COOKIE['Spellname'];
$Beast = mysql_fetch_array(mysql_query("Select * From Beasts where Spawner='$Player'"));
$time=date('U');
      $offtime=$time-180;
$online="update Users set online='$time' where ID='$Player'";
  mysql_query($online) or die("Died");
if(isset($_POST['Attack']))
  $Action="attack";
else if(isset($_POST['Cast']))
  $Action="magic";
else if(isset($_POST['Run']))
  $Action="run";
else if(isset($_POST['Use']))
  $Action="use";
else if(isset($_POST['Fight']))
  $Fight=$_POST['Fight'];
$Query="SELECT * from Users where ID='$Player'";
$Query2=mysql_query($Query) or die("Could not get user stats");
$User=mysql_fetch_array($Query2);


if(isset($User['Weapon']))
{
  $Query="SELECT * from Items where ID='$User[Weapon]'";
  $Query2=mysql_query($Query) or die("Could not get user stats");
  $Item=mysql_fetch_array($Query2);
  $User['WeaponClass']=$Item['ItemClass'];
}
include 'functions.php';
if($User['HP']<=0)
  die("<p>You are dead, you cannot fight.Go revive.</p>");
if(isset($Fight)&&!isset($Action))
{
  $Name=$_POST['Name'];
  $Query="SELECT * from Monsters where Name='$Name'";
  $Query2=mysql_query($Query) or die ("Cannot select Monster");
  $Monster=mysql_fetch_array($Query2);
  if (!$Monster)
    echo "There is no monster of that name";
  else
  {
//Just added--------
  $_SESSION['Monstername'] = 0;
//----------------------
    setcookie('Monstername',$Monster['Name'],time()+60*60*24);
    $Rand=rand(1,100);
    if($Rand>=10&&$Rand<=15)
      $Special="Enraged";
    elseif($Rand>=20&&$Rand<=25)
      $Special="Intelligent";
    elseif($Rand>=30&&$Rand<=35)
      $Special="Extreme";
    elseif($Rand>=40&&$Rand<=45)
      $Special="Clumsy";
    else
      $Special="";

$Max=50*$Monster['Level'];
if($Monster['Type']==0)
{
  $Monster['HP']=rand(20*$Monster['Level'],35*$Monster['Level']);
  $Monster['MP']=0;
  $Monster['Strength']=rand($Max/4-$Monster['Level'],$Max/4+$Monster['Level']);
  $Monster['Constitution']=rand($Max/4-$Monster['Level'],$Max/4+$Monster['Level']);
  $Monster['Dexterity']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Concentration']=rand($Max/6-$Monster['Level'],$Max/6+$Monster['Level']);
  $Monster['Intelligence']=rand($Max/6-$Monster['Level'],$Max/6+$Monster['Level']);
}
elseif($Monster['Type']==1)
{
  $Monster['HP']=rand(15*$Monster['Level'],20*$Monster['Level']);
  $Monster['MP']=rand(15*$Monster['Level'],20*$Monster['Level']);
  $Monster['Strength']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Constitution']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Dexterity']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Concentration']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Intelligence']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
}
else
{
  $Monster['HP']=rand(10*$Monster['Level'],20*$Monster['Level']);
  $Monster['MP']=rand(15*$Monster['Level'],25*$Monster['Level']);
  $Monster['Strength']=rand($Max/6-$Monster['Level'],$Max/6+$Monster['Level']);
  $Monster['Constitution']=rand($Max/6-$Monster['Level'],$Max/6+$Monster['Level']);
  $Monster['Dexterity']=rand($Max/5-$Monster['Level'],$Max/5+$Monster['Level']);
  $Monster['Concentration']=rand($Max/4-$Monster['Level'],$Max/4+$Monster['Level']);
  $Monster['Intelligence']=rand($Max/4-$Monster['Level'],$Max/4+$Monster['Level']);
}
$Monster['MaxHP']=$Monster['HP'];
$Monster['MaxMP']=$Monster['MP'];
$Monster=Special($Monster,$Special);
mysql_query("Update Users set Fighting='1' where ID='$Player'") or die("Failed");
echo "<p>You startle the $Special $Name<br /></p>";
Table($Monster, $User, $Special);
  }
}
elseif(isset($Action) && $User['Fighting'] != 0)
{
  $Special=$_POST['Special'];
  $Special=str_replace("%20"," ",$Special);
  $Monster['Name']=$_POST['Name'];
  $Monster['HP']=$_POST['HP'];
  $Monster['Type']=$_POST['Type'];
  $Monster['Level']=$_POST['Level'];
  $Monster['Spell']=$_POST['Spell'];
  $Monster['MP']=$_POST['MP'];
  $Monster['MaxHP']=$_POST['MaxHP'];
  $Monster['MaxMP']=$_POST['MaxMP'];
  $Monster['Strength']=$_POST['Strength'];
  $Monster['Constitution']=$_POST['Constitution'];
  $Monster['Dexterity']=$_POST['Dexterity'];
  $Monster['Concentration']=$_POST['Concentration'];
  $Monster['Intelligence']=$_POST['Intelligence'];
  $RandDexUser=rand($User['Dexterity']-20,$User['Dexterity']+20);
  $RandDexMonster=rand($Monster['Dexterity']-20,$Monster['Dexterity']+20);
  if(isset($_POST['UserSpell']))
    $SpellID = $_POST['UserSpell'];

  if($Action=="attack")
  {
    $type = "Melee";
    $hit = "You attack the $Special $Monster[Name]";
    $miss = "You attack the $Special $Monster[Name], but it dodges your attack!";
    $block = "You attack the $Special $Monster[Name], but you fail to hurt it!";
  }
  elseif($Action=="magic")
  {
    $Query="Select * from UserSpells where ID='$SpellID'";
    $Query2=mysql_query($Query) or die("Could not get spells for user");
    $Spell=mysql_fetch_array($Query2);
    $type = "Magic";
    $hit = "You blast the $Special $Monster[Name] with $Spell[Name]";
    setcookie('Spellname',$Spell['Name'],time()+60*60*24);
    setcookie('Spelllevel',$Spell['Level'],time()+60*60*24);
    $miss = "You blast the $Special $Monster[Name] with $Spell[Name], but it dodges your attack!";
    $block = "You attack the $Special $Monster[Name] with $Spell[Name], but it has no effect!";
  }
  elseif($Action=="run")
  { 
    $Randomrun=rand(1,2);
    if($Randomrun == 1){
    echo "You failed to run";
    }
    else{
    mysql_query("Update Users set Fighting='0' where ID='$Player'") or die("Failed");
    echo "<p>You escape the clutches of the $Monster[Name]</p>";
    die();
    }
  }

else
  echo $miss;
echo "</p>";
mysql_query("Update Users set HP='$User[HP]', MP='$User[MP]' where ID='$Player'") or die("Could not update player stats");
Table($Monster, $User, $Special);
  }
  else
  {
    $Chance=$Monster['Level']-$User['Level'];
    $Rand=rand(1,100);
    echo "<p>";
    if($Rand>=$Chance&&$Action!="use")
    {
      if($type == "Melee")
        $Damage = CalcDamage($User, $Monster, "Melee");
      elseif($type == "Magic")
      {
        if($User['MP']<$Spell['Level'])
          echo "You do not have enough MP to cast the spell.<br>";
        else
          $Damage = Spell($Monster, $User, $Spell);
      }
      $Monster['HP']-=$Damage;

  if($Monster['HP']<=0)
    win($Monster,$User,$Special);
  if($Damage == 0)
    echo $block;
  else
    echo $hit." for $Damage damage!";
}
elseif($Action=="use")
{
  $User=Potion($User,$ItemUsed);
  mysql_query("Update Items set Amount=Amount-'1' where ID='$ItemUsed'");
}
else
  echo $miss;
$User['HP'] = Turn($Monster, $User, $Special);
if($User['HP']<=0)
{
  mysql_query("Update Users set Fighting='0', HP='".$User['HP']."' where ID='$Player'") or die("Failed");
  echo "<p>The $Special $Monster[Name] killed you!<br />Please revive</p>";
  die();
}
echo "</p>";
mysql_query("Update Users set HP='$User[HP]', MP='$User[MP]' where ID='$Player'") or die("Could not update player stats");
Table($Monster, $User, $Special);
  }
}
else
{
  $Coord=explode(",",$User['coord']);
  if(isset($_POST['up'])){
    $Coord[1]+=1;
print "<script type=\"text/javascript\">window.location=\"fight.php\"</script>";
}


  echo "<p>Name - Level<br /></p>";
  echo "<form action='fight.php' method='post'>";
  echo "<p><select class=\"select\" name='Name'>";
  if($_COOKIE['Monstername'])
  {
    $Name = $_COOKIE['Monstername'];
    $Query = mysql_query("SELECT * from Monsters where Name='$Name' limit 1") or die("ZOMG no cookie monster");
    $QMonster = mysql_fetch_array($Query);


}


?>
</body>
</html>
//------------------------------------
Functions.php (When the monster dies)
//------------------------------------
$_SESSION['Monstername']=1;
           echo "<table border=\"0\" align=\"center\"><tr>
          <td align=\"center\">$Item $Str $Cons $Int $Conc $Dex $Button</td>
          <td align=\"center\">Congratulations! You killed the $Special $Monster[Name]!<br />
          You gain $Exp experience, and $Gold2 gold<font style=color:yellow>";

PartDigital

it's hard to read through all that, could you comment your code a little more?

Beffic

Just added parts are the //-----just added where the sessions are located. One all the way at the top, one all the way at the bottom and one not too far from the top...

PartDigital

As far as I can tell you didn't do any checks, you only added $_SESSION['Monstername'] by itself it doesn't do anything.

try something like this

if($_SESSION['Monsername']==0)
{
   //continue to fight the boss
}else{
   //forward to the next page because $_SESSION['Monstername']==1 and they have already beaten the boss. 
}

Beffic

Oh ok

zabmilenko

Sessions won't work when dealing with PVP (only player-vs-computer). I will tell you why!

Player A: Kills Player B
Player A: Sets session that kill occurs
Player B: Kills Player A
Player B: Sets session that kill occurs

If you want to use sessions, each player either has to load every session in the game, or you need a battle table to track who is fighting. Why not just use a such a battle table by itself?

How many players you have online at one time? 200? 100? Consider three fields in a memory/heap table:

table recent_kills
int a_id // attacker_id
int d_id // defender_id
float ts // timestamp

The field names are short to speed up communication between web and db server.

Anyways.. here is a better sequence of events:

1 Player A: About to kill player B
2 Player A: Check to see if record in recent_kills with a_id = player_a OR d_id = player_a -- stop if it is.
3 Player A: insert record in DB for recent kills
4 Player A: Select records from DB for a_id = player_a OR d_id = player_a, order by timestamp
5 Player A: Check first row only. If a_id is not player_a, quit
5 Player A: Credit experience, score, etc

Player B can jump in almost any time. If they are ever so close together on time as to create a race condition on line 3, using internal locking assures that only one of them will be able to insert the record.

// Return a quasi-unique battle ID for the fight
$battle_id = min($p1_id, $p2_id) * 1000000 + max($p1_id, $p2_id);
$ts = round(microtime(true), 3);

$query = "IF SELECT GET_LOCK($battle_id, 5); THEN
INSERT INTO `recent_battles` (`a_id`, `d_id`, `ts`) values ('$p1_id', '$p2_id', '$ts');
SELECT RELEASE_LOCK($battle_id);
END IF"

Just make sure you delete one or two rows once you know a double-submit kill won't occur.

By my guestimate, 100 players killing each other at the same time will take about 20 kilobytes of memory (in MySQL). You may have to adjust to fit your own schemas.

Alright, I pulled all of this from memory, so go easy. I hope I didn't forget anything...