Asked this b4 I think... adopt hole
SilverDragonTears
07-11-2012, 06:43 PM
If you use the URL http://taleofdragons.net/adopt.php?id=# and replace # with certain (low) numbers, you can adopt different dragons
I could never figure out how to prevent this :( Help please...
Hall of Famer
07-11-2012, 08:10 PM
umm this problem still exists in Mys v1.3.x? Thought it was already fixed back in Mys v1.2.2, are you sure you are not using a heavily modified version of the script?
If you have this problem, you may fix this by adding a specific session variable to the doadopt page, or a hidden field value to the adoption form. This acts like a checkpoint to see if the user can adopt a certain pet.
Eldritch
07-11-2012, 08:51 PM
It's still an issue. All someone would have to do to avoid this line (in adopt.php): $_SESSION["allow"] = 1; is enter the doadopt.php address while viewing adopt.php. It doesn't stop the abuse of adopt.php links at all, as adopt.php automatically sets that value to 1.
Hall of Famer
07-11-2012, 10:12 PM
I see, so this is how they manage to get away from the session check... Looks like adoption session has to be redesigned, I will do it in a bit.
SilverDragonTears
07-11-2012, 11:06 PM
Thanks Hof! It's pretty important for people not to be able to exploit this on my site and several members have already brought it to my attention that they know how to do so.
Hall of Famer
07-12-2012, 08:17 PM
Well, add this at the beginning of the script (below the 'START SCRIPT' section):
if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.');
Eldritch
07-12-2012, 10:05 PM
Well, add this at the beginning of the script (below the 'START SCRIPT' section):
if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.');
The S in submit should be capitalized.
This has pretty much the same problem, only now the user has to add &Submit= to it, like /doadopt.php?id=1&Submit=.
Hall of Famer
07-12-2012, 11:50 PM
I see, this is getting more and more serious. How about changing the form method from GET to POST?
Tequila
07-13-2012, 08:34 AM
Perhaps have a look at http://www.mysidiaadoptables.com/forum/showthread.php?t=504 and see if any of that will help...
I'm planning on going back to a system like that once I get CH ready to launch.
Eldritch
07-13-2012, 09:51 AM
I see, this is getting more and more serious. How about changing the form method from GET to POST?
That would stop it from being a url problem and turn into a problem where users change the form values.
Perhaps have a look at http://www.mysidiaadoptables.com/forum/showthread.php?t=504 and see if any of that will help...
I'm planning on going back to a system like that once I get CH ready to launch.
I do not understand what that code is supposed to do, and so can't really say anything about it.
Hall of Famer
07-13-2012, 10:48 AM
umm yeah, they can cheat with inspect element then. To my understanding the doadopt.php and adopt.php files should be one instead of two split files, all problems should be gone if this happens.
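As an added example (not Mysidia's code, and not from anyone in this thread) of the direction Eldritch and Hall of Famer converge on above: adopt and doadopt live in one script, the form posts instead of GETs, the adoption rule is re-evaluated on the server for the submitted id, and a per-session token bound to the pet id replaces the always-set $_SESSION["allow"] flag. The pet table, user record, field names and the canAdopt rule are assumptions standing in for the real database.

```php
<?php
// Added example, not the Mysidia script. Pets and user are constructed sample
// data standing in for the adoptables and users tables.
session_start();

$pets = [
    1 => ['name' => 'Common Dragon',  'spriter_only' => false],
    7 => ['name' => 'Spriter Dragon', 'spriter_only' => true],
];
$user = ['name' => 'Alice', 'is_spriter' => false];

// The authorization rule, decided from server-side data only. No GET
// parameter, hidden field or session flag is allowed to answer this question.
function canAdopt(array $pet, array $user): bool {
    return !$pet['spriter_only'] || $user['is_spriter'];
}

// Token tied to this session AND this pet id: a copied link or edited form
// value for another id fails the check. The secret never leaves the server.
function adoptToken(int $petId): string {
    if (empty($_SESSION['adopt_secret'])) {
        $_SESSION['adopt_secret'] = bin2hex(random_bytes(32));
    }
    return hash_hmac('sha256', 'adopt:' . $petId, $_SESSION['adopt_secret']);
}

$id    = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);  // POST, not GET
$token = $_POST['token'] ?? '';

if ($id === null || $id === false) {
    // Display step: list only the pets this user may adopt, each with its token.
    foreach ($pets as $pid => $pet) {
        if (!canAdopt($pet, $user)) continue;
        $t = htmlspecialchars(adoptToken($pid), ENT_QUOTES);
        echo "<form method=\"post\"><input type=\"hidden\" name=\"id\" value=\"$pid\">"
           . "<input type=\"hidden\" name=\"token\" value=\"$t\">"
           . "<button name=\"submit\">Adopt {$pet['name']}</button></form>\n";
    }
    exit;
}

// Submit step: the same rule runs again. This repeated check is what the
// adopt.php / doadopt.php split was missing; the token alone is not the fix.
if (!isset($pets[$id]) || !canAdopt($pets[$id], $user)
    || !hash_equals(adoptToken($id), $token)) {
    http_response_code(403);
    exit('You are not allowed to adopt this pet.');
}
echo "Adopted {$pets[$id]['name']}";
```

Requesting the script with ?id=7, posting id=7 with a forged token, or posting a token issued for id=1 against id=7 all end in the 403 branch, because canAdopt and hash_equals are evaluated on every submit.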
SilverDragonTears
07-22-2012, 11:13 PM
So how do I fix it? Just found out 4 different people on my site have a Spriter ONLY dragon that they should not have and could only have gotten by cheating.