lopar/battles
lopar/battles
0
0
Fork 0
Code Issues 21 Pull Requests Releases Wiki Activity

Запрет на запуск админского кода пользователем.

Browse Source
This commit is contained in:
lopar 2018-02-27 08:07:27 +02:00
parent 73a26f4241
commit fae934f0ad
1 changed files with 43 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
bank.php
View File

@ -157,25 +157,7 @@ if (!$_SESSION['bankid']) {
}
$_POST['change'] = 0;
}
if ($_POST['changeback'] && $_POST['ok']) {
$_POST['ok'] = round($_POST['ok'], 2);
if (is_numeric($_POST['ok']) && ($_POST['ok'] > 0) && ($_POST['ok'] <= $bank['cr'])) {
$bank['cr'] -= $_POST['ok'];
$bank['ekr'] += $_POST['ok'] / 500;
$add_ekr = $_POST['ok'] / 500;
if (mysql_query("UPDATE `bank` SET `cr`=`cr`-'" . $_POST['ok'] . "' WHERE `id`='" . $bank['id'] . "' LIMIT 1;")) {
$mywarn = "Обмен произведен успешно";
mysql_query("UPDATE `bank` SET `ekr`=`ekr`+'$add_ekr' WHERE `id`='" . $_SESSION['bankid'] . "' LIMIT 1;");
$bank = mysql_fetch_array(mysql_query("SELECT * FROM `bank` WHERE `id`='" . $_SESSION['bankid'] . "';"));
mysql_query("INSERT INTO `delo` (`id`,`author`,`pers`,`text`,`type`,`date`) VALUES ('','0','" . $_SESSION['uid'] . "','Персонаж " . $user['login'] . " обменял " . $_POST['ok'] . " кр. на " . $add_ekr . " екр. на счету №" . $_SESSION['bankid'] . " в банке. ',1,'" . time() . "');");
} else {
$mywarn = "Произошла ошибка!";
}
} else {
$mywarn = "У вас недостаточно денег для выполнения операции";
}
$_POST['changeback'] = 0;
}
if ($_GET['dropm']) {
if (2 <= $bank['ekr']) {
undressall($user['id']);
@ -320,9 +302,6 @@ if (!$_SESSION['bankid']) {
}
if ($_POST['wu'] && $_POST['sum'] && $_POST['number']) {
if ($user['align'] == 4) {
$mywarn = "Хаосникам переводы запрещены!";
} else {
$bank2 = mysql_fetch_array(mysql_query("SELECT * FROM `bank` WHERE `id`='" . $_POST['number'] . "';"));
$to = mysql_fetch_array(mysql_query("SELECT login FROM `users` WHERE `id`='" . $bank2['owner'] . "';"));
if ($bank2[0]) {
@ -354,7 +333,6 @@ if (!$_SESSION['bankid']) {
} else {
$mywarn = "Данные о счете получателя не найдены.";
}
}
$_POST['wu'] = 0;
}
@ -413,6 +391,25 @@ if (!$_SESSION['bankid']) {
}
}
###
if ($_POST['changeback'] && $_POST['ok'] && (!empty($user['admin']))) {
$_POST['ok'] = round($_POST['ok'], 2);
if (is_numeric($_POST['ok']) && ($_POST['ok'] > 0) && ($_POST['ok'] <= $bank['cr'])) {
$bank['cr'] -= $_POST['ok'];
$bank['ekr'] += $_POST['ok'] / 500;
$add_ekr = $_POST['ok'] / 500;
if (mysql_query("UPDATE `bank` SET `cr`=`cr`-'" . $_POST['ok'] . "' WHERE `id`='" . $bank['id'] . "' LIMIT 1;")) {
$mywarn = "Обмен произведен успешно";
mysql_query("UPDATE `bank` SET `ekr`=`ekr`+'$add_ekr' WHERE `id`='" . $_SESSION['bankid'] . "' LIMIT 1;");
$bank = mysql_fetch_array(mysql_query("SELECT * FROM `bank` WHERE `id`='" . $_SESSION['bankid'] . "';"));
mysql_query("INSERT INTO `delo` (`id`,`author`,`pers`,`text`,`type`,`date`) VALUES ('','0','" . $_SESSION['uid'] . "','Персонаж " . $user['login'] . " обменял " . $_POST['ok'] . " кр. на " . $add_ekr . " екр. на счету №" . $_SESSION['bankid'] . " в банке. ',1,'" . time() . "');");
} else {
$mywarn = "Произошла ошибка!";
}
} else {
$mywarn = "У вас недостаточно денег для выполнения операции";
}
$_POST['changeback'] = 0;
}
err($mywarn);
?>