2011-12-29 244 views
0

你好男孩和女孩我建立了一個戰鬥腳本,但現在我注意到,當我嘗試添加一個新的SQL更新到它,它不存儲會議變量中的健身房領導。 因此,用戶去battle.php?gymleader = nick會話變量未設置

然後,我抓住nick並將它存儲在一個會話變量後,我esape它爲SQL注入等。然後,我搜索數據庫找出什麼怪物「尼克「然後顯示怪物,然後主要戰鬥劇本進來。當他們去健身房,它會帶他們去battle.php?gymleader =尼克,但是一旦他們進入戰鬥,它只會帶他們去戰鬥。 PHP所以我認爲它存儲「尼克」,然後用戶選擇一個舉動,然後重定向他們只是battle.php然後它存儲可再次無可用嗎?

它的作戰完美的一面似乎不存儲$ _SESSION ['gymleader']我說過我認爲它存儲兩次。當用戶第一次來到他的頁面時,它設置正確,然後他們選擇一個移動並將他們重定向到battle.php而不是battle.php?gymleader = nick然後它設置了gymleader沒有任何IM猜測?

這裏是戰鬥腳本

<?php 
include 'config.php'; 

print_r ($_SESSION); 
/// Here we unset the win/lost status 
unset($_SESSION['battle_won']); 
unset($_SESSION['battle_lost']); 



$_SESSION['gymleader'] = mysql_escape_string($_GET['gymleader']); 


//// here we get the users first monster 
$sql = "SELECT * FROM user_pokemon WHERE belongsto='".$_SESSION['username']."' AND slot=1"; 
$result = mysql_query($sql) or die(mysql_error()); 
$battle_get = mysql_fetch_array($result); 

$sql23 = "SELECT * FROM gyms WHERE leader='".$_SESSION['gymleader']."'"; 
$result23 = mysql_query($sql23) or die(mysql_error()); 
$battle_get23 = mysql_fetch_array($result23); 




/// Here we get the image of the pokemon and any other info we need 
$sql2 = "SELECT * FROM `pokemon` WHERE `name` = '" . $battle_get['pokemon'] . "'"; 
    $result = mysql_query($sql2) or die(mysql_error()); 
    $values = mysql_fetch_array($result); 




////// Now we make there hp up from there level 
$a = $battle_get['level'] ; 
$b = 5; 
$hpofuserpokemon = ($a * $B) ; 
///// We make a random number up to take the hp down by 
srand ((double) microtime()*1000000); 
$random_number = rand(0,10); 

srand ((double) microtime()*1000000); 
$random_number2 = rand(0,13); 
?> 
    <?php 
unset($_SESSION['battle_won']); 
unset($_SESSION['battle_lost']); 
///// now we check to see if user is all ready in a battle we don't want to fill up database with fake battles 

$sql12 = "SELECT * FROM battle WHERE username='".$_SESSION['username']."'"; 
$result12 = mysql_query($sql12) or die(mysql_error()); 
$battle_get12 = mysql_fetch_array($result12); 

/// Here we do if there is a result we echo out nothing. Else if there is no battles stored we make one for them seen has were nice 
if ($battle_get12['win'] == 1) 
    echo " "; 
else 

mysql_query("INSERT INTO battle 
(username, hp, win, pokemon1name, pokemon_pic, gympokemon1, gympokemon1hp, gympokemon1pic, levelofgym) VALUES('".$_SESSION['username']."','".$hpofuserpokemon."', 1,'".$battle_get['pokemon']."','http://www.pokemontoxic.net/Geodude.png' ,'".$battle_get23['gympokemon1']."','".$battle_get23['gympokemon1hp']."','".$battle_get23['gympokemon1pic']."','".$battle_get23['level']."') 
") or die(mysql_error()); 

$_SESSION['gymlevel'] = mysql_escape_string($battle_get23['level']); 

?> 
    <?php 
//// Here we check if users hp is under 0 or 0 meaning there dead 
if ($battle_get12['hp'] < 0) 
{ 
    echo "You Lost the battle !!"; 


    mysql_query("DELETE FROM battle WHERE username='".$_SESSION['username']."'") 
or die(mysql_error()); 
$_SESSION["battle_lost"] = 1 ; 
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=battle_select.php?type=gym">'; 

    die(); 

} 
else { 
print (""); 
} 
?> 
    <?php 
/// Here is the most inport thing if the gyms pokemon has less than 0hp we give them the money etc.... 
if ($battle_get12['gympokemon1hp'] < 0) 
{ 
    $result3123123 = mysql_query("UPDATE users SET money=money+60 WHERE username = '".$_SESSION['username']."'") 
or die(mysql_error()); 

$result3132131321 = mysql_query("UPDATE user_pokemon SET level=level+1 WHERE belongsto = '".$_SESSION['username']."' AND slot=1 AND pokemon = '".$battle_get['pokemon']."'"); 

    $result31231236 = mysql_query("UPDATE battle SET onpokemon=onpokemon+1 WHERE username = '".$_SESSION['username']."'") 
or die(mysql_error()); 



$blah = mysql_query("UPDATE users SET '".$_SESSION['gymleader']."'='1'WHERE username = '".$_SESSION['username']."'") 
or die(mysql_error()); 



echo"You have won the battle. Please go back to the gym list to battle again."; 
$_SESSION["battle_won"] = 1 ; 
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=battle_select.php?type=gym">'; 

    exit;  


    die(); 

} 
else 
    echo ""; 
?> 
    <?php 
//// Now we wanna check to see if user has pressed the button to attack i wonder if they have ? 

if(isset($_POST["action"])) 
{ 
    /// we take hp from the player 
    $hpdown = mysql_query("UPDATE battle SET hp=hp-".$random_number." WHERE username = '".$_SESSION['username']."'") 
or die(mysql_error()); 
    /// at the same time we take hp from the enermy 

    $enermy = mysql_query("UPDATE battle SET gympokemon1hp=gympokemon1hp-".$random_number2." WHERE username = '{$_SESSION['username']}'") 
or die(mysql_error()); 



    } 

?> 

已把您可以看到IM在頁面的頂部設置gymleader會議virable

$_SESSION['gymleader'] = mysql_escape_string($_GET['gymleader']); 

但是當他們正在爭奪它只會刷新看過的頁面全部在1頁上並重新設置了它?

並即時得到上我已經添加

$blah = mysql_query("UPDATE users SET '".$_SESSION['gymleader']."'='1'WHERE username = '".$_SESSION['username']."'") 
or die(mysql_error()); 

但我想這是因爲沒有什麼是方的會話virable gymleader代碼的新位一個錯誤?

會話開始在config.php與SQL連接

+0

錯誤是什麼意思? – Zefiryn 2011-12-29 15:26:20

回答

0
session_start(); //Insert this here. 

print_r ($_SESSION); 
/// Here we unset the win/lost status 
unset($_SESSION['battle_won']); 
unset($_SESSION['battle_lost']); 

您需要先使用它開始會話,然後再使用它,銷燬或取消設置它。

+0

會話在config.php中啓動 – user1121083 2011-12-29 11:56:43