Mysidia Adoptables Support Forum  

issueid=48 01-07-2015 04:23 PM
Premium Member
Item Shop Validation
Items not in shop can be hacked into the shop and bought.

This probably affects at least the entire v1.3.x line if not even earlier.

By simply right-clicking and inspecting the quantity field element on the shop page, a user can change the item name field client side and buy items that don't belong to that shop - or any shop, for that matter - so long as they know its name. Therefore, validation is necessary to confirm that the item does belong in the shop.

In classes/class_itemshop.php, down in public function purchase(), you'll want to fix this.

After $mysidia = Registry::get("mysidia"); you'll want to wrap the rest of the contents in:

PHP Code:
if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?');
else {
And close the else right before return $status;.
Issue Details
Project: The Bug Tracker
Category: Unknown
Status: Unconfirmed
Priority: 4
Affected Version: Mys v1.3.4
Fixed Version: Mys v1.3.5
Users able to reproduce bug: 1
Users unable to reproduce bug: 0
Assigned Users: (none)
Tags: (none)

04-16-2015 02:26 PM
Explorer of Imaginea
 
I did so...and got a Parse error: syntax error, unexpected T_IF, expecting T_FUNCTION in /home2/luteus/public_html/imaginea.net/caveofcrystals/classes/class_itemshop.php on line 218, which I know has something to do with the patch, because when I remove it the message goes away. Any idea why this fix is causing this error?
04-20-2015 03:28 AM
Premium Member
 
I'm having absolutely zero problems with this fix on a fresh install. Are you positive that you closed the else statement as instructed in the post? Just in case, this is exactly what your purchase function should look like:

PHP Code:
public function purchase(Item $item){
    $mysidia = Registry::get("mysidia");
    // Reject items that do not belong to this shop; the item name arrives from the client.
    if ($item->shop != $this->shopname) Throw new NoPermissionException('Did you really think this item could be bought at this shop?');
    else {
        // The buyer recorded on the item must be the logged-in user.
        if($item->owner != $mysidia->user->username) Throw new NoPermissionException('Something is very very wrong, please contact an admin asap.');
        else{
            $item->quantity = $mysidia->input->post("quantity");
            $cost = $item->getcost($this->salestax, $item->quantity);
            $moneyleft = $mysidia->user->money - $cost;
            // Only complete the purchase for a positive quantity the user can afford.
            if($moneyleft >= 0 and $item->quantity > 0){
                $purchase = $item->append($item->quantity, $item->owner);
                $mysidia->db->update("users", array("money" => $moneyleft), "username = '{$item->owner}'");
                $status = TRUE;
            }
            else throw new InvalidActionException($mysidia->lang->money);
        }
    }
    return $status;
}

PS: Yes, if you failed to close the else statement, then, yeah, you'd get exactly the error you described. I just tested it by only following the first step of my instructions but not the last part.
04-20-2015 08:21 AM
Explorer of Imaginea
 
Aha, it worked! I put the if/else statement in the wrong place. Thank you!
12-01-2020 12:23 PM
Administrator, Lead Coder
 
The issue is fixed in the next release.
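
The server-side checks discussed in this thread, as an added example that is not part of the original thread and is not Mysidia's code. The catalogue array, `validatePurchase()` and the sample requests are constructed for illustration, and the example goes slightly beyond the posted fix by treating the posted quantity as untrusted too.

```php
<?php
// Constructed catalogue (not Mysidia data): item name => selling shop and unit price.
const CATALOGUE = [
    'Potion'     => ['shop' => 'General Store', 'price' => 50],
    'Rare Gem'   => ['shop' => null,            'price' => 1], // sold in no shop
    'Dragon Egg' => ['shop' => 'Premium Shop',  'price' => 5000],
];

// Hypothetical helper. $post stands in for $_POST: every value is client-controlled.
// Returns the money left after the purchase, or throws.
function validatePurchase(string $shopName, array $post, int $money): int
{
    $name = $post['itemname'] ?? '';
    if (!is_string($name) || !array_key_exists($name, CATALOGUE)) {
        throw new InvalidArgumentException('Unknown item.');
    }
    // The check from this thread: the item must belong to the shop being used.
    if (CATALOGUE[$name]['shop'] !== $shopName) {
        throw new DomainException('Item is not sold in this shop.');
    }
    // Quantity comes from the same form, so it gets the same distrust.
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]);
    if ($qty === false) {
        throw new InvalidArgumentException('Quantity must be an integer from 1 to 1000.');
    }
    $left = $money - CATALOGUE[$name]['price'] * $qty;
    if ($left < 0) {
        throw new DomainException('Not enough money.');
    }
    return $left;
}

// Constructed requests: the first is honest, the rest were edited in the browser.
$requests = [
    ['itemname' => 'Potion',     'quantity' => '2'],
    ['itemname' => 'Rare Gem',   'quantity' => '1'],
    ['itemname' => 'Dragon Egg', 'quantity' => '1'],
    ['itemname' => 'Potion',     'quantity' => '-5'],
];
foreach ($requests as $post) {
    $label = "{$post['itemname']} x{$post['quantity']}";
    try {
        printf("%s: ok, %d left\n", $label, validatePurchase('General Store', $post, 200));
    } catch (Exception $e) {
        printf("%s: rejected (%s)\n", $label, $e->getMessage());
    }
}
```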

All times are GMT -5.