Asked this b4 I think... adopt hole

[SilverDragonTears]

If you use the URL http://taleofdragons.net/adopt.php?id=# and replace # with certain (low) numbers, you can adopt different dragons

I could never figure out how to prevent this :( Help please...

[Hall of Famer]

umm this problem still exists in Mys v1.3.x? Thought it was already fixed back in Mys v1.2.2, are you sure you are not using a heavily modified version of the script?

If you have this problem, you may fix this by adding a specific session variable to the doadopt page, or a hidden field value to the adoption form. This acts like a checkpoint to see if the user can adopt a certain pet.

[Eldritch]

It's still an issue. All someone would have to do to avoid this line (in adopt.php):

Code:

$_SESSION["allow"] = 1;

is enter the doadopt.php address while viewing adopt.php. It doesn't stop the abuse of adopt.php links at all, as adopt.php automatically sets that value to 1.

[Hall of Famer]

I see, so this is how they manage to get away from the session check... Looks like adoption session has to be redesigned, I will do it in a bit.

[SilverDragonTears]

Thanks Hof! It's pretty important for people not to be able to exploit this on my site and several members have already brought it to my attention that they know how to do so.

[Hall of Famer]

Well add this at the beginning of the script:(below the 'START SCRIPT' section):

PHP Code:

if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.'); 


[Eldritch]

Quote:

Originally Posted by Hall of Famer

Well add this at the beginning of the script:(below the 'START SCRIPT' section):

PHP Code:

if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.'); 


The S in submit should be capitalized.

This has pretty much the same problem, only now the user has to add &Submit= to it, like /doadopt.php?id=1&Submit=.

[Hall of Famer]

I see, this is getting more and more series. How about changing the form method from GET to POST?

[Tequila]

Perhaps have a look at http://www.mysidiaadoptables.com/for...read.php?t=504 and see if any of that will help...

I'm planning on going back to a system like that once I get CH ready to launch.

[Eldritch]

Quote:

Originally Posted by Hall of Famer

I see, this is getting more and more series. How about changing the form method from GET to POST?

That would stop it from being a url problem and turn into a problem where users change the form values.

Quote:

Originally Posted by Nyxi

Perhaps have a look at http://www.mysidiaadoptables.com/for...read.php?t=504 and see if any of that will help...

I'm planning on going back to a system like that once I get CH ready to launch.

I do not understand what that code is supposed to do, and so can't really say anything about it.