Mysidia Adoptables Support Forum

Mysidia Adoptables Support Forum (http://www.mysidiaadoptables.com/forum/index.php)
-   Questions and Supports (http://www.mysidiaadoptables.com/forum/forumdisplay.php?f=18)
-   -   Asked this b4 I think... adopt hole (http://www.mysidiaadoptables.com/forum/showthread.php?t=3781)

SilverDragonTears 07-11-2012 06:43 PM

Asked this b4 I think... adopt hole
 
If you use the URL http://taleofdragons.net/adopt.php?id=# and replace # with certain (low) numbers, you can adopt different dragons

I could never figure out how to prevent this :( Help please...

Hall of Famer 07-11-2012 08:10 PM

umm this problem still exists in Mys v1.3.x? Thought it was already fixed back in Mys v1.2.2, are you sure you are not using a heavily modified version of the script?

If you have this problem, you may fix this by adding a specific session variable to the doadopt page, or a hidden field value to the adoption form. This acts like a checkpoint to see if the user can adopt a certain pet.

Eldritch 07-11-2012 08:51 PM

It's still an issue. All someone would have to do to avoid this line (in adopt.php):
Code:

$_SESSION["allow"] = 1;
is enter the doadopt.php address while viewing adopt.php. It doesn't stop the abuse of adopt.php links at all, as adopt.php automatically sets that value to 1.

Hall of Famer 07-11-2012 10:12 PM

I see, so this is how they manage to get away from the session check... Looks like adoption session has to be redesigned, I will do it in a bit.

SilverDragonTears 07-11-2012 11:06 PM

Thanks Hof! It's pretty important for people not to be able to exploit this on my site and several members have already brought it to my attention that they know how to do so.

Hall of Famer 07-12-2012 08:17 PM

Well, add this at the beginning of the script (below the 'START SCRIPT' section):

PHP Code:

if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.'); 


Eldritch 07-12-2012 10:05 PM

Quote:

Originally Posted by Hall of Famer (Post 24399)
Well, add this at the beginning of the script (below the 'START SCRIPT' section):

PHP Code:

if(!isset($_GET['submit'])) throw new Exception('Direct access to this file is forbidden, please return to adopt.php and submit your form.'); 


The S in submit should be capitalized.

This has pretty much the same problem, only now the user has to add &Submit= to it, like /doadopt.php?id=1&Submit=.

Hall of Famer 07-12-2012 11:50 PM

I see, this is getting more and more serious. How about changing the form method from GET to POST?

Tequila 07-13-2012 08:34 AM

Perhaps have a look at http://www.mysidiaadoptables.com/for...read.php?t=504 and see if any of that will help...

I'm planning on going back to a system like that once I get CH ready to launch.

Eldritch 07-13-2012 09:51 AM

Quote:

Originally Posted by Hall of Famer (Post 24401)
I see, this is getting more and more serious. How about changing the form method from GET to POST?

That would stop it from being a URL problem and turn it into a problem where users change the form values.

Quote:

Originally Posted by Nyxi (Post 24403)
Perhaps have a look at http://www.mysidiaadoptables.com/for...read.php?t=504 and see if any of that will help...

I'm planning on going back to a system like that once I get CH ready to launch.

I do not understand what that code is supposed to do, and so can't really say anything about it.
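The thread's two findings are that a bare $_SESSION["allow"] = 1 set by adopt.php authorizes any later doadopt.php request, and that checking for a Submit parameter or switching the form to POST only moves the problem into values the user can still edit. The following is an added example, not code from the thread or from the Mysidia script, showing the kind of checkpoint Hall of Famer describes: adopt.php stores the specific pet id together with a random one-time token, and doadopt.php accepts the request only if both match and the pet is still adoptable. The field names "id" and "token", the is_adoptable_by_user() helper and the sample ids are assumptions for illustration.

```php
<?php
// Added example (not the Mysidia script's own code). Binds the adoption
// checkpoint to one pet id plus a random one-time token, instead of a
// bare $_SESSION["allow"] = 1 that any direct doadopt.php request can reuse.
//
// Assumptions (not from the thread): the form posts to doadopt.php with
// fields "id" and "token"; is_adoptable_by_user() stands in for whatever
// query decides which pets the visitor may actually adopt.

declare(strict_types=1);

// Hypothetical availability check; replace with the real lookup.
function is_adoptable_by_user(int $adoptableId, array $user): bool {
    // Constructed sample data: only these ids are currently offered.
    $offered = [101, 102, 103];
    return in_array($adoptableId, $offered, true);
}

// adopt.php side: call only after the pet has been confirmed available.
// Returns the token to place in a hidden form field.
function issue_adoption_ticket(array &$session, int $adoptableId): string {
    $token = bin2hex(random_bytes(16));
    $session['adopt'] = ['id' => $adoptableId, 'token' => $token];
    return $token;
}

// doadopt.php side: verify before touching the database. Every failure
// path returns false; the ticket is cleared on use so it cannot be replayed.
function verify_adoption_request(array &$session, array $post, array $user): bool {
    if (!isset($session['adopt']['id'], $session['adopt']['token'])) {
        return false;                           // arrived without going through adopt.php
    }
    $ticket = $session['adopt'];
    unset($session['adopt']);                   // one-time use

    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $token = $post['token'] ?? '';
    if ($id === false || !is_string($token)) {
        return false;
    }
    if ($id !== $ticket['id']) {
        return false;                           // id was edited in the URL or form
    }
    if (!hash_equals($ticket['token'], $token)) {
        return false;                           // token missing or forged
    }
    return is_adoptable_by_user($id, $user);    // re-check server-side, never trust the form
}

// Demonstration with a plain array standing in for $_SESSION.
$session = [];
$user = ['name' => 'visitor'];

// Legitimate submission from the form adopt.php rendered for pet 101.
$token = issue_adoption_ticket($session, 101);
var_dump(verify_adoption_request($session, ['id' => '101', 'token' => $token], $user));

// Replaying the same ticket a second time.
var_dump(verify_adoption_request($session, ['id' => '101', 'token' => $token], $user));

// New ticket for 101, but the id changed to 7 before submitting.
$token = issue_adoption_ticket($session, 101);
var_dump(verify_adoption_request($session, ['id' => '7', 'token' => $token], $user));

// Direct request with no ticket at all.
var_dump(verify_adoption_request($session, ['id' => '7', 'token' => 'x'], $user));
```

Of the four calls at the bottom only the first should succeed: the replay, the edited id and the direct request all fail because the server compares the submitted id against the one it issued the ticket for, rather than against a flag that merely records that adopt.php was visited. Whether the form uses GET or POST makes no difference to this check, which is the point Eldritch raises above.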

