Pascal Boschma - 3 months ago
PHP Question

PHP, Need number, don't get it

Hi Stackers,

I'm having a small problem with my PHP code. It's a Crack the vault game, not finished. However, there is a problem. I have the variable $needednumber, which I need to check if the user has another try or not, based on the selection which is saved in the variable $vaultselection.

When echoing the $needednumber variable, I don't get any result, that's why I think that it isn't correctly checking. I've set myself to 0 tries, however, it still passes the check.

What am I doing wrong?

vault.php

// Activate only when SET
if(isset($_POST['crack_vault'])){

    // Get our cracker user id.
    $cracker = $user['id'];
    $cracktries = $user['try_vault'];

    // Get the Vault selection
    $vaultselection = $_GET['vaultoptions'];
    echo $vaultselection;

    // Check how many tries the cracker needs
    if($vaultselection = "mainvault"){
        $needednumber = "1";
    }else if($vaultselection == "bonusvault"){
        $needednumber = "2";
    }

    // Check if the cracker may try a crack, or else Continue
    if($cracktries < $needednumber){
        $error = "<div class='geenTeamlid' style='margin-bottom: 5px;'>Sorry, het is je <strong>niet</strong> gelukt iets uit de kluis te kraken!</div>";

    }else{

        // Get our beloved cracker his/her data.
        $vault_type = htmlentities($_POST['vault_picker']);
        $vaultnumber_one = htmlentities($_POST['vault_1']);
        $vaultnumber_two = htmlentities($_POST['vault_2']);
        $vaultnumber_three = htmlentities($_POST['vault_3']);
        $vaultnumber_four = htmlentities($_POST['vault_4']);

        // Get one string of four values. The final Vaultnumber.
        $vaultnumbers = array($vaultnumber_one, $vaultnumber_two, $vaultnumber_three, $vaultnumber_four);
        $vaultnumber = implode("|", $vaultnumbers);

        // Let us check this shit. Can we find a match?
        if($vaultselection = "mainvault"){
            $check_codes = mysql_query("SELECT * FROM magical_gamevault WHERE (crackvalue = '".$vaultnumber."' AND vault = 'normal')");
        }else if($vaultselection = "bonusvault"){
            $check_codes = mysql_query("SELECT * FROM magical_gamevault WHERE (crackvalue = '".$vaultnumber."')");
        }

        // Get a final number as result. YES!
        $prizecount = mysql_num_rows($check_codes);

        // Show the user the result!
        if($prizecount < 1){
            $error = "<div class='geenTeamlid' style='margin-bottom: 5px;'>Jij hebt ".$cracktries." || Jij hebt nodig " .$needednumber. " || Jij koos " .$vaultselection. ".</div>";

        }else if($prizecount < 2){

        }

    // End the if enough cracks check.
    }

// End the set when someone posted a thing!
}

Answer

As pointed out by Marvin,

if($vaultselection == "mainvault"){
    $needednumber = "1";
} elseif($vaultselection == "bonusvault"){
    $needednumber = "2";
} else {
    # missing? security issue as $_GET data is easily manipulated
    # Setting this to 3, for example, would cause an SQL error
    $vaultselection = "mainvault";
    $needednumber = "1";
}

And..

if($vaultselection == "mainvault"){
    $check_codes = mysql_query("SELECT * FROM magical_gamevault WHERE (crackvalue = '".$vaultnumber."' AND vault = 'normal')");
} elseif($vaultselection == "bonusvault") {
    $check_codes = mysql_query("SELECT * FROM magical_gamevault WHERE (crackvalue = '".$vaultnumber."')");
} else {
    die('unknown vault selection');
}

Without the == you are setting the variable and that will always be true so only the first statement will be used.

Also what I pointed out in the else comments, always expect that the data a user sends you will be invalid. Using the else statement you can prevent further script execution or correct the data forcing default settings.
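
The two points of the answer (compare instead of assign, and treat every user-supplied selection as possibly invalid) combined into one handler, as an added example that is not code from the question or the answer. Assumptions: PDO with an in-memory SQLite database stands in for the page's mysql_* calls, each code field holds a single digit, the function name crackVault is hypothetical, and the demo row is constructed.

```php
<?php
declare(strict_types=1);

// Allow-list of accepted selections: the tries each one costs and whether the
// lookup is limited to vault = 'normal', mirroring the page's two queries.
const VAULTS = [
    'mainvault'  => ['tries' => 1, 'normal_only' => true],
    'bonusvault' => ['tries' => 2, 'normal_only' => false],
];

/** Returns 'rejected', 'denied', 'no match' or 'match'. */
function crackVault(PDO $db, array $input, int $triesLeft): string
{
    $selection = $input['vaultoptions'] ?? null;
    // Fail closed: missing, non-string or unknown selections never reach SQL.
    if (!is_string($selection) || !array_key_exists($selection, VAULTS)) {
        return 'rejected';
    }
    $vault = VAULTS[$selection];
    if ($triesLeft < $vault['tries']) {   // integers, so no string comparison
        return 'denied';
    }
    $digits = [];
    foreach (['vault_1', 'vault_2', 'vault_3', 'vault_4'] as $field) {
        $d = $input[$field] ?? null;
        // Assumption: each code field holds exactly one digit.
        if (!is_string($d) || preg_match('/^[0-9]$/D', $d) !== 1) {
            return 'rejected';
        }
        $digits[] = $d;
    }
    $sql = 'SELECT COUNT(*) FROM magical_gamevault WHERE crackvalue = ?'
         . ($vault['normal_only'] ? " AND vault = 'normal'" : '');
    $stmt = $db->prepare($sql);           // the code is bound, not concatenated
    $stmt->execute([implode('|', $digits)]);
    return (int) $stmt->fetchColumn() > 0 ? 'match' : 'no match';
}

// Constructed demo rows in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE magical_gamevault (crackvalue TEXT, vault TEXT)');
$db->exec("INSERT INTO magical_gamevault VALUES ('1|2|3|4', 'normal')");

$code = ['vault_1' => '1', 'vault_2' => '2', 'vault_3' => '3', 'vault_4' => '4'];
foreach ([['mainvault', 0], ['bonusvault', 1], ['mainvault', 1], ['3', 5]] as [$sel, $tries]) {
    echo $sel, ' with ', $tries, ' tries: ',
         crackVault($db, $code + ['vaultoptions' => $sel], $tries), "\n";
}
```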
