
AAC Edit this part of php to add tibia coins looking acc name and not player name

Tampek

Edit this part of the PHP to add Tibia coins by looking up the acc name and not the player name :/
Code:
if($action == 'premium-points')
    {
        $player = stripslashes(ucwords(strtolower(trim($_REQUEST['character']))));
        $points = $_POST['points'];
        if(empty($player))
        {
            ECHO '<div class="well"> <h2> Add Tibia Coins </h2> <form action="" method="post"> <B> Enter Character Name: </B> <input type="text" name="character"><br>
            <B> Enter Points Amount:</B> <input type="text" name="points"><br><br> <input type="submit" value="Submit">
            </form></center><form action="/?subtopic=adminpanel" method="post" ><input name="submit" type="submit" value="Back" title="Back"/></form> </DIV>';
        }
        else
        {
            $player_data = $SQL->query("SELECT * FROM `players` WHERE `name` = '".$player."';")->fetch();
            $SQL->query("UPDATE `accounts` SET `coins` = `coins` + '".$points."' WHERE `id` = '".$player_data['account_id']."'");
           
            ECHO '<div class="well"> <b><center>'.$points.' Tibia Coins added to the account of <i>'.$player.'</i> ! </b></center><br>
            <form action="/?subtopic=adminpanel" method="post" ><input name="submit" type="submit" value="Back" title="Back"/></form> </div>';
        }
    }

Thanks anyway for the help :D
 

I'm not gonna help you with the TC part, that's not my area, but I'm going to help you secure your code.

PHP:
if($action == 'premium-points')
    {
        $player = stripslashes(ucwords(strtolower(trim($_REQUEST['character']))));
        $points = (int)$_POST['points'];
        if(empty($player))
        {
            ECHO '<div class="well"> <h2> Add Tibia Coins </h2> <form action="" method="post"> <B> Enter Character Name: </B> <input type="text" name="character"><br>
            <B> Enter Points Amount:</B> <input type="text" name="points"><br><br> <input type="submit" value="Submit">
            </form></center><form action="/?subtopic=adminpanel" method="post" ><input name="submit" type="submit" value="Back" title="Back"/></form> </DIV>';
        }
        else
        {
            $player_data = $SQL->query("SELECT * FROM `players` WHERE `name` = \"".$player."\";")->fetch();
            $SQL->query("UPDATE `accounts` SET `coins` = `coins` + '".$points."' WHERE `id` = '".$player_data['account_id']."'");
         
            ECHO '<div class="well"> <b><center>'.$points.' Tibia Coins added to the account of <i>'.$player.'</i> ! </b></center><br>
            <form action="/?subtopic=adminpanel" method="post" ><input name="submit" type="submit" value="Back" title="Back"/></form> </div>';
        }
    }

1:
I changed
PHP:
$points = $_POST['points'];
to
PHP:
$points = (int)$_POST['points'];
because (int) will make sure only integers come through; before that change, it was possible to do SQL injections on your code (hacking).

2:
I changed
PHP:
$player_data = $SQL->query("SELECT * FROM `players` WHERE `name` = '".$player."';")->fetch();
to
PHP:
$player_data = $SQL->query("SELECT * FROM `players` WHERE `name` = \"".$player."\";")->fetch();

If you use ' and you enter, e.g., the char name "Bo'Ques", the query will break.
So it's better to use \" than '

Good luck with the rest though :)
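
Added example, not part of either post or of the AAC's own code: the same admin action keyed on the account name, with the values passed as bound parameters so that neither `'` nor `"` in the input can alter the query, whichever quote character the SQL uses. It assumes `$SQL` is PDO-compatible and that `accounts` has a `name` column; the function name `addCoinsByAccountName` is hypothetical, and an in-memory SQLite database with constructed rows stands in for the server's MySQL.

```php
<?php
// Added example. Assumptions: a PDO handle, and an `accounts` table with
// `name` and `coins` columns. addCoinsByAccountName() is a hypothetical helper.
function addCoinsByAccountName(PDO $db, string $accountName, $rawPoints): array
{
    $accountName = trim($accountName);
    // Accept only a positive whole number; a bare (int) cast would silently
    // turn "abc" into 0 and "5 OR 1=1" into 5 instead of rejecting them.
    $points = filter_var($rawPoints, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($accountName === '' || $points === false) {
        return ['ok' => false, 'message' => 'Invalid account name or amount.'];
    }

    // Bound parameters: user input is sent as data, never spliced into the SQL text.
    $stmt = $db->prepare('UPDATE accounts SET coins = coins + :points WHERE name = :name');
    $stmt->bindValue(':points', $points, PDO::PARAM_INT);
    $stmt->bindValue(':name', $accountName, PDO::PARAM_STR);
    $stmt->execute();
    if ($stmt->rowCount() !== 1) {
        return ['ok' => false, 'message' => 'Account not found.'];
    }

    // Escape the name before it is echoed back into the admin page.
    $safe = htmlspecialchars($accountName, ENT_QUOTES, 'UTF-8');
    return ['ok' => true, 'message' => $points . ' Tibia Coins added to account <i>' . $safe . '</i>.'];
}

// Constructed sample data: two accounts, one with an apostrophe in its name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT UNIQUE, coins INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO accounts (name, coins) VALUES ('bo''ques', 10), ('other', 0)");

// Constructed inputs: a name containing ', one containing ", a non-integer amount.
$samples = [["bo'ques", '25'], ['bo"ques', '25'], ['other', '5 OR 1=1']];
foreach ($samples as [$name, $points]) {
    $result = addCoinsByAccountName($db, $name, $points);
    echo ($result['ok'] ? 'OK   ' : 'FAIL ') . $result['message'] . PHP_EOL;
}
foreach ($db->query('SELECT name, coins FROM accounts ORDER BY id') as $row) {
    echo $row['name'] . ' => ' . $row['coins'] . PHP_EOL;
}
```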
 