Query update result is a huge unexpected number

I have some problems with my hiscore table. Some players have got a lot of points really fast, more than possible. I post two pieces of code below:

The first one is the one I currently use, which causes the problem:

// Original version: both parameters are escaped as strings
$name = mysql_real_escape_string($_POST['name']);
$set = mysql_real_escape_string($_POST['set']);

if ($set == 1 && isset($_POST['score']))
{
    $score = mysql_real_escape_string($_POST['score']);

    // The escaped score is interpolated into the query as a quoted string
    $query = mysql_query("UPDATE users SET totalScore=totalScore + '$score' WHERE username='$name'");

    if ($query)
    {
        echo 'success';
    }
    else {
        echo 'error';
    }
}

I tried to cast the score to an int in the code below, but the update result is a huge number (4294967295) being set as the totalScore. The totalScore column is of type int(25) and I set the unsigned attribute so a player can't end up on the minus side.

Please help. Thanks.

// Second version: set and score are cast to int instead of escaped
$name = mysql_real_escape_string($_POST['name']);
$set = (int)$_POST['set'];

if ($set == 1 && isset($_POST['score']))
{
    $score = (int)$_POST['score'];

    // The integer score is interpolated without quotes
    $query = mysql_query("UPDATE users SET totalScore=totalScore + $score WHERE username='$name'");

    if ($query)
    {
        echo 'success';
    }
    else {
        echo 'error';
    }
}

If this is the only script you use to save the score, no wonder people cheated to get a high score. To prevent it you need to add some encryption to the parameters, and add some session- and time-based protections to the script.

It's because you are adding an integer onto what is probably an integer datatype. There is no need for quotes and escaping if you make sure the input is an integer (which you are already doing).

"UPDATE users SET totalScore=totalScore + $score WHERE username='$name' LIMIT 1"

Since you are only updating based on the name, you might need to LIMIT the execution.
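Putting the three answers together, here is an added example of a hardened version of the script; it is not the asker's code or any answerer's code. It assumes a PDO connection in $pdo, that login stored the player's name in $_SESSION['username'], and that a separate "start game" request set $_SESSION['game_start'] = time(); the rate limits are assumed values.

```php
<?php
// Added example, not code from the question or answers. Assumes a PDO connection
// in $pdo, that login stored the player's name in $_SESSION['username'], and that
// a separate "start game" request set $_SESSION['game_start'] = time().
session_start();

const MIN_GAME_SECONDS = 10;        // shortest plausible game (assumed limit)
const MAX_POINTS_PER_SECOND = 50;   // fastest plausible scoring rate (assumed limit)

// Accept only a plain non-negative decimal integer. (int) on arbitrary input does
// not rule out negative values, and a negative value added to an UNSIGNED column
// is out of range for MySQL, so the cast alone did not fix the question's update.
function parseScore($raw) {
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int)$raw;
}

// Time-based check: a game shorter than MIN_GAME_SECONDS is rejected, and the
// score may not exceed what the elapsed game time could plausibly produce.
function scoreIsPlausible($score, $startedAt, $now) {
    $elapsed = $now - $startedAt;
    return $elapsed >= MIN_GAME_SECONDS && $score <= $elapsed * MAX_POINTS_PER_SECOND;
}

// Bound parameters replace string interpolation; LIMIT 1 caps the update to one
// row as the last answer suggests.
function addScore(PDO $pdo, $name, $score) {
    $stmt = $pdo->prepare(
        'UPDATE users SET totalScore = totalScore + :score WHERE username = :name LIMIT 1'
    );
    $stmt->bindValue(':score', $score, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

$score = parseScore($_POST['score'] ?? null);
$name = $_SESSION['username'] ?? null;         // identity comes from the session, not POST
$startedAt = $_SESSION['game_start'] ?? null;
unset($_SESSION['game_start']);                // one submission per started game
if ($name === null || $startedAt === null || $score === null
        || !scoreIsPlausible($score, $startedAt, time())) {
    http_response_code(400);
    echo 'error';
    exit;
}
echo addScore($pdo, $name, $score) ? 'success' : 'error';
```

With the default PDO MySQL settings rowCount() reports changed rows, so a submitted score of 0 (which leaves the row unchanged) is reported as 'error' just like an unknown username; set PDO::MYSQL_ATTR_FOUND_ROWS on the connection if matched rows are wanted instead.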