
ZnoteAAC: Choose skill of new character by vocation

Itutorial

Replace your createcharacter.php with this:

Code:
<?php require_once 'engine/init.php';
protect_page();
include 'layout/overall/header.php'; 
if (empty($_POST) === false) {
    // $_POST['']
    $required_fields = array('name', 'selected_town');
    foreach($_POST as $key=>$value) {
        if (empty($value) && in_array($key, $required_fields) === true) {
            $errors[] = 'You need to fill in all fields.';
            break 1;
        }
    }
   
    // check errors (= user exist, pass long enough
    if (empty($errors) === true) {
        if (!Token::isValid($_POST['token'])) {
            $errors[] = 'Token is invalid.';
        }
        $_POST['name'] = validate_name($_POST['name']);
        if ($_POST['name'] === false) {
            $errors[] = 'Your name can not contain more than 2 words.';
        } else {
            if (user_character_exist($_POST['name']) !== false) {
                $errors[] = 'Sorry, that character name already exist.';
            }
            if (!preg_match("/^[a-zA-Z_ ]+$/", $_POST['name'])) {
                $errors[] = 'Your name may only contain a-z, A-Z and spaces.';
            }
            if (strlen($_POST['name']) < $config['minL'] || strlen($_POST['name']) > $config['maxL']) {
                $errors[] = 'Your character name must be between ' . $config['minL'] . ' - ' . $config['maxL'] . ' characters long.';
            }
            // name restriction
            $resname = explode(" ", $_POST['name']);
            foreach($resname as $res) {
                if(in_array(strtolower($res), $config['invalidNameTags'])) {
                    $errors[] = 'Your username contains a restricted word.';
                }
                else if(strlen($res) == 1) {
                    $errors[] = 'Too short words in your name.';
                }
            }
            // Validate vocation id
            if (!in_array((int)$_POST['selected_vocation'], $config['available_vocations'])) {
                $errors[] = 'Permission Denied. Wrong vocation.';
            }
            // Validate town id
            if (!in_array((int)$_POST['selected_town'], $config['available_towns'])) {
                $errors[] = 'Permission Denied. Wrong town.';
            }
            // Validate gender id
            if (!in_array((int)$_POST['selected_gender'], array(0, 1))) {
                $errors[] = 'Permission Denied. Wrong gender.';
            }
            if (vocation_id_to_name($_POST['selected_vocation']) === false) {
                $errors[] = 'Failed to recognize that vocation, does it exist?';
            }
            if (town_id_to_name($_POST['selected_town']) === false) {
                $errors[] = 'Failed to recognize that town, does it exist?';
            }
            if (gender_exist($_POST['selected_gender']) === false) {
                $errors[] = 'Failed to recognize that gender, does it exist?';
            }
            // Char count
            $char_count = user_character_list_count($session_user_id);
            if ($char_count >= $config['max_characters']) {
                $errors[] = 'Your account is not allowed to have more than '. $config['max_characters'] .' characters.';
            }
            if (validate_ip(getIP()) === false && $config['validate_IP'] === true) {
                $errors[] = 'Failed to recognize your IP address. (Not a valid IPv4 address).';
            }
        }
    }
}
?>

<h1>Create Character</h1>
<?php
if (isset($_GET['success']) && empty($_GET['success'])) {
    echo 'Congratulations! Your character has been created. See you in-game!';
} else {
    if (empty($_POST) === false && empty($errors) === true) {
        if ($config['log_ip']) {
            znote_visitor_insert_detailed_data(2);
        }
       
        // One branch per vocation id. The starting skills (maglevel and the
        // skill_* values) are what you change per vocation; every id in
        // $config['available_vocations'] must have a branch here, otherwise
        // $character_data is undefined when user_create_character() runs.
        if ($_POST['selected_vocation'] == 1) {
            // Register vocation 1
            $character_data = array(
                'name'            => format_character_name($_POST['name']),
                'account_id'      => $session_user_id,
                'vocation'        => $_POST['selected_vocation'],
                'town_id'         => $_POST['selected_town'],
                'sex'             => $_POST['selected_gender'],
                'lastip'          => ip2long(getIP()),
                'created'         => time(),
                'maglevel'        => 0,
                'skill_fist'      => 10,
                'skill_sword'     => 10,
                'skill_club'      => 10,
                'skill_axe'       => 10,
                'skill_dist'      => 10,
                'skill_shielding' => 10,
                'skill_fishing'   => 10
            );
        } elseif ($_POST['selected_vocation'] == 2) {
            // Register vocation 2
            $character_data = array(
                'name'            => format_character_name($_POST['name']),
                'account_id'      => $session_user_id,
                'vocation'        => $_POST['selected_vocation'],
                'town_id'         => $_POST['selected_town'],
                'sex'             => $_POST['selected_gender'],
                'lastip'          => ip2long(getIP()),
                'created'         => time(),
                'maglevel'        => 0,
                'skill_fist'      => 10,
                'skill_sword'     => 10,
                'skill_club'      => 10,
                'skill_axe'       => 10,
                'skill_dist'      => 10,
                'skill_shielding' => 10,
                'skill_fishing'   => 10
            );
        } elseif ($_POST['selected_vocation'] == 3) {
            // Register vocation 3
            $character_data = array(
                'name'            => format_character_name($_POST['name']),
                'account_id'      => $session_user_id,
                'vocation'        => $_POST['selected_vocation'],
                'town_id'         => $_POST['selected_town'],
                'sex'             => $_POST['selected_gender'],
                'lastip'          => ip2long(getIP()),
                'created'         => time(),
                'maglevel'        => 0,
                'skill_fist'      => 10,
                'skill_sword'     => 10,
                'skill_club'      => 10,
                'skill_axe'       => 10,
                'skill_dist'      => 10,
                'skill_shielding' => 10,
                'skill_fishing'   => 10
            );
        } elseif ($_POST['selected_vocation'] == 4) {
            // Register vocation 4
            $character_data = array(
                'name'            => format_character_name($_POST['name']),
                'account_id'      => $session_user_id,
                'vocation'        => $_POST['selected_vocation'],
                'town_id'         => $_POST['selected_town'],
                'sex'             => $_POST['selected_gender'],
                'lastip'          => ip2long(getIP()),
                'created'         => time(),
                'maglevel'        => 0,
                'skill_fist'      => 10,
                'skill_sword'     => 10,
                'skill_club'      => 10,
                'skill_axe'       => 10,
                'skill_dist'      => 10,
                'skill_shielding' => 10,
                'skill_fishing'   => 10
            );
        }

        user_create_character($character_data);
        header('Location: createcharacter.php?success');
        exit();
        // End register
       
    } else if (empty($errors) === false){
        echo '<font color="red"><b>';
        echo output_errors($errors);
        echo '</b></font>';
    }
    ?>
    <form action="" method="post">
        <ul>
            <li>
                Name:<br>
                <input type="text" name="name">
            </li>
            <li>
                <!-- Available vocations to select from when creating character -->
                Vocation:<br>
                <select name="selected_vocation">
                <?php foreach ($config['available_vocations'] as $id) { ?>
                <option value="<?php echo $id; ?>"><?php echo vocation_id_to_name($id); ?></option>
                <?php } ?>
                </select>
            </li>
            <li>
                <!-- Available genders to select from when creating character -->
                Gender:<br>
                <select name="selected_gender">
                <option value="1">Male(boy)</option>
                <option value="0">Female(girl)</option>
                </select>
            </li>
            <?php
            $available_towns = $config['available_towns'];
            if (count($available_towns) > 1):
                ?>
                <li>
                    <!-- Available towns to select from when creating character -->
                    Town:<br>
                    <select name="selected_town">
                        <?php 
                        foreach ($available_towns as $tid): 
                            ?>
                            <option value="<?php echo $tid; ?>"><?php echo town_id_to_name($tid); ?></option>
                            <?php 
                        endforeach; 
                        ?>
                    </select>
                </li>
                <?php
            else:
                ?>
                <input type="hidden" name="selected_town" value="<?php echo end($available_towns); ?>">
                <?php 
            endif;
            /* Form file */
            Token::create();
            ?>
            <li>
                <input type="submit" value="Create Character">
            </li>
        </ul>
    </form>
    <?php
}
include 'layout/overall/footer.php'; ?>

Then in engine/function, replace your users.php with this:

users.php
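As an added example (not the post's code and not ZnoteAAC's own), the four identical $character_data branches above collapse into a single table of starting skills keyed by vocation id. The helpers starting_skills_for_vocation and build_character_data are hypothetical names introduced here, and the vocation ids and skill values are constructed samples to replace with your server's own:

```php
<?php
// Added example, not ZnoteAAC code: one table of starting skills per
// vocation id replaces the four identical $character_data blocks.
// Vocation ids and skill values are constructed samples.
$vocation_skills = array(
    1 => array('maglevel' => 5, 'skill_fist' => 10, 'skill_sword' => 10, 'skill_club' => 10,
               'skill_axe' => 10, 'skill_dist' => 10, 'skill_shielding' => 10, 'skill_fishing' => 10),
    2 => array('maglevel' => 5, 'skill_fist' => 10, 'skill_sword' => 10, 'skill_club' => 10,
               'skill_axe' => 10, 'skill_dist' => 10, 'skill_shielding' => 10, 'skill_fishing' => 10),
    3 => array('maglevel' => 0, 'skill_fist' => 10, 'skill_sword' => 10, 'skill_club' => 10,
               'skill_axe' => 10, 'skill_dist' => 15, 'skill_shielding' => 15, 'skill_fishing' => 10),
    4 => array('maglevel' => 0, 'skill_fist' => 10, 'skill_sword' => 15, 'skill_club' => 15,
               'skill_axe' => 15, 'skill_dist' => 10, 'skill_shielding' => 15, 'skill_fishing' => 10),
);

// Every skill column the insert needs; a table entry missing one of
// these is a configuration mistake and is rejected below.
$required_skill_keys = array('maglevel', 'skill_fist', 'skill_sword', 'skill_club',
                             'skill_axe', 'skill_dist', 'skill_shielding', 'skill_fishing');

/**
 * Return the starting skills for a vocation id, or false when the id has
 * no complete entry, so the caller can report an error instead of
 * inserting a half-initialised character.
 */
function starting_skills_for_vocation($vocation_id, array $vocation_skills, array $required_skill_keys) {
    $vocation_id = (int)$vocation_id;
    if (!array_key_exists($vocation_id, $vocation_skills)) {
        return false;
    }
    $skills = $vocation_skills[$vocation_id];
    foreach ($required_skill_keys as $key) {
        // isset() is true for 0, so a zero skill value is accepted.
        if (!isset($skills[$key]) || !is_int($skills[$key]) || $skills[$key] < 0) {
            return false;
        }
    }
    return $skills;
}

/**
 * Build the array user_create_character() expects: the fields shared by
 * all vocations ($base) plus the vocation id and its starting skills.
 */
function build_character_data(array $base, $vocation_id, array $vocation_skills, array $required_skill_keys) {
    $skills = starting_skills_for_vocation($vocation_id, $vocation_skills, $required_skill_keys);
    if ($skills === false) {
        return false;
    }
    return array_merge($base, array('vocation' => (int)$vocation_id), $skills);
}

// Stand-alone demonstration with constructed values (no database, no Znote
// session). In createcharacter.php $base would come from
// format_character_name($_POST['name']), $session_user_id, getIP(), etc.
$base = array(
    'name'       => 'Sample Knight',
    'account_id' => 1,
    'town_id'    => 1,
    'sex'        => 1,
    'lastip'     => ip2long('127.0.0.1'),
    'created'    => time(),
);

$knight = build_character_data($base, '4', $vocation_skills, $required_skill_keys);
assert($knight['vocation'] === 4 && $knight['skill_sword'] === 15);

// An id with no table entry is refused rather than leaving
// $character_data undefined for user_create_character().
assert(build_character_data($base, '9', $vocation_skills, $required_skill_keys) === false);

echo $knight === false ? "rejected\n" : "ok: vocation {$knight['vocation']}, sword {$knight['skill_sword']}\n";
```

In createcharacter.php the if/elseif chain becomes one build_character_data() call; do the false check in the validation section (adding to $errors) so that a vocation id without a table entry never reaches user_create_character().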
 
Bad idea to do form validation directly on the server end, this should be handled on the client side.

Also the code is quite excessive, I am sure it could be shortened up a bit, like why are there 4 instances of character_data defined exactly the same way?

I would use an ajax call to the server or just basic javascript, validate it before it reaches the server to make sure all the fields are checked properly, and then have the server process the data.

You are also missing this function: mysql_real_escape_string
http://php.net/manual/en/function.mysql-real-escape-string.php
 
Bad idea to do form validation directly on the server end, this should be handled on the client side.
You always want to validate data on the server end, it is easy to just turn off JavaScript in the browser and you can insert any data you want.
Or did I just misunderstand what you meant?
 
You always want to validate data on the server end, it is easy to just turn off JavaScript in the browser and you can insert any data you want.
Or did I just misunderstand what you meant?
Slightly :p
 
Edited my initial post so you guys understand.
 
nvm, can't edit. Anyway, this is not the best way of doing this but it works :)
 
Bad idea to do form validation directly on the server end, this should be handled on the client side.

Also the code is quite excessive, I am sure it could be shortened up a bit, like why are there 4 instances of character_data defined exactly the same way?

I would use an ajax call to the server or just basic javascript, validate it before it reaches the server to make sure all the fields are checked properly, and then have the server process the data.

You are also missing this function: mysql_real_escape_string
http://php.net/manual/en/function.mysql-real-escape-string.php

I don't see any queries? Where and why should he use mysql_real_escape_string?
He passes data to the user_create_character function, which is an official function created by me.

https://github.com/Znote/ZnoteAAC/blob/master/engine/function/users.php#L1127-L1128
The first thing happening in this function (if using default Znote AAC files) is an array walk, which sanitizes the input:
https://github.com/Znote/ZnoteAAC/blob/master/engine/function/general.php#L395-L397
And uses the escape string method from mysqli.
https://github.com/Znote/ZnoteAAC/blob/master/engine/database/connect.php#L276-L279

You MUST ALWAYS do form validation on the server. Frontend validation with e.g. JavaScript is just for extra convenience, and holds no security benefit.
And ajax validation is also just for convenience. Unless you're building a SPA application you really shouldn't need to do any ajax at all.
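Znote's point above, that only the server-side checks count because the browser can send any field value it likes, as an added example (not ZnoteAAC's own code): the allow-list checks from the posted createcharacter.php pulled into one pure function and run against a request built without the form. validate_character_request is a hypothetical helper name; the $config keys mirror the ones the post uses, but their values and both sample requests are constructed here.

```php
<?php
// Added example, not ZnoteAAC code. $config keys follow createcharacter.php;
// the values below are constructed samples.
$config = array(
    'available_vocations' => array(1, 2, 3, 4),
    'available_towns'     => array(1, 2),
    'minL'                => 4,
    'maxL'                => 20,
    'invalidNameTags'     => array('gm', 'admin', 'tutor'),
);

/**
 * Validate a character-creation request on the server. Returns an array of
 * error messages; an empty array means the request is acceptable. Nothing
 * here depends on which values the HTML <select> elements offered.
 */
function validate_character_request(array $post, array $config) {
    $errors = array();

    // Required fields must be present and non-empty. Gender 0 (female) is a
    // legitimate value, so test against '' rather than with empty().
    foreach (array('name', 'selected_vocation', 'selected_town', 'selected_gender') as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            $errors[] = "Missing field: $field.";
        }
    }
    if (!empty($errors)) {
        return $errors;
    }

    // Name: letters separated by single spaces, length bounds, no one-letter
    // words, no restricted words. The regex rejects markup, quotes and
    // punctuation outright instead of relying on later escaping.
    $name = trim($post['name']);
    if (!preg_match('/^[a-zA-Z]+( [a-zA-Z]+)*$/', $name)) {
        $errors[] = 'Your name may only contain a-z, A-Z and single spaces.';
    } else {
        $len = strlen($name);
        if ($len < $config['minL'] || $len > $config['maxL']) {
            $errors[] = 'Your character name must be between ' . $config['minL'] . ' - ' . $config['maxL'] . ' characters long.';
        }
        foreach (explode(' ', $name) as $word) {
            if (strlen($word) == 1) {
                $errors[] = 'Too short words in your name.';
            } elseif (in_array(strtolower($word), $config['invalidNameTags'], true)) {
                $errors[] = 'Your name contains a restricted word.';
            }
        }
    }

    // Ids: the raw value must be all digits (ctype_digit) and the integer must
    // be in the allow-list. Strict in_array() avoids PHP's loose comparison,
    // under which a value like "1abc" compares equal to 1.
    $id_checks = array(
        'selected_vocation' => array($config['available_vocations'], 'Wrong vocation.'),
        'selected_town'     => array($config['available_towns'],     'Wrong town.'),
        'selected_gender'   => array(array(0, 1),                    'Wrong gender.'),
    );
    foreach ($id_checks as $field => $check) {
        $raw = (string)$post[$field];
        if (!ctype_digit($raw) || !in_array((int)$raw, $check[0], true)) {
            $errors[] = 'Permission Denied. ' . $check[1];
        }
    }
    return $errors;
}

// What the form would submit (constructed sample): passes.
$normal = array('name' => 'Sample Knight', 'selected_vocation' => '4',
                'selected_town' => '1', 'selected_gender' => '1');
assert(validate_character_request($normal, $config) === array());

// The same request with the form bypassed (constructed sample): values the
// <select> never offered and markup in the name. No client-side check ran,
// and each bad field is still rejected by the server.
$forged = array('name' => '<b>GM Bob</b>', 'selected_vocation' => '99',
                'selected_town' => '1abc', 'selected_gender' => '2');
$errors = validate_character_request($forged, $config);
assert(count($errors) === 4);

foreach ($errors as $e) {
    echo $e, "\n";
}
```

This replaces none of the other checks in the post; the Token::isValid() check, the duplicate-name lookup and the per-account character limit stay where they are, and the sanitising array walk in user_create_character() still runs on whatever survives validation.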
 
I don't see any queries? Where and why should he use mysql_real_escape_string?
He passes data to the user_create_character function, which is an official function created by me.

https://github.com/Znote/ZnoteAAC/blob/master/engine/function/users.php#L1127-L1128
The first thing happening in this function (if using default Znote AAC files) is an array walk, which sanitizes the input:
https://github.com/Znote/ZnoteAAC/blob/master/engine/function/general.php#L395-L397
And uses the escape string method from mysqli.
https://github.com/Znote/ZnoteAAC/blob/master/engine/database/connect.php#L276-L279
There are a lot of things I don't see in scripts; this does not mean you shouldn't guard against them. If I am expecting a user's input then I would like to be prepared for the "just in case factor".
 
There are a lot of things I don't see in scripts; this does not mean you shouldn't guard against them. If I am expecting a user's input then I would like to be prepared for the "just in case factor".
Yes, and for that use the getValue function:
https://github.com/Znote/ZnoteAAC/blob/master/engine/function/general.php#L12-L14

But if you already know the input is being sanitized, there is no need to do it twice. He shouldn't be criticized for precise and correct use of code for my framework.
 
I think the point is so people can help each other become more successful. Which usually means showing them how they did it wrong by creating an example of what is right, not criticism. That's why in some posts you see people ask for criticism. The only person who has made negative criticism as a part of this community is you.
 