diff --git a/index.php b/index.php
index 3d9ae19..0390b3f 100644
--- a/index.php
+++ b/index.php
@@ -254,7 +254,7 @@ function babblebox() { global $userrow; if (isset($_POST["submit"])) {
- $safecontent = my_htmlspecialchars($_POST["babble"]);
+ $safecontent = makesafe($_POST["babble"]);
 if ($safecontent == "" || $safecontent == " ") { //blank post. do nothing. } else { $insert = doquery("INSERT INTO {{table}} SET id='',posttime=NOW(),author='".$userrow["charname"]."',babble='$safecontent'", "babble"); } header("Location: index.php?do=babblebox");
diff --git a/lib.php b/lib.php
index beff4a3..2a59d00 100644
--- a/lib.php
+++ b/lib.php
@@ -2,7 +2,7 @@ $starttime = getmicrotime(); $numqueries = 0;
-$version = "1.1.3a";
+$version = "1.1.4";
 $build = ""; function opendb() { // Open database connection.
@@ -67,28 +67,16 @@ function is_email($email) { // Thanks to "mail(at)philipp-louis.de" from php.net }
-function my_htmlspecialchars($text) { // Thanks to "etymxris at yahoo dot com" from php.net!
+function makesafe($d) {
+
+ $d = str_replace("\t","",$d);
+ $d = str_replace("<","<",$d);
+ $d = str_replace(">",">",$d);
+ $d = str_replace("\n","",$d);
+ $d = str_replace("|","??",$d);
+ $d = str_replace(" ","  ",$d);
+ return $d;
- $ALLOWABLE_TAGS = array("b", "i", "u", "p", "blockquote", "ol", "ul", "li");
- static $PATTERNS = array();
- static $REPLACEMENTS = array();
- if (count($PATTERNS) == 0) {
- foreach ($ALLOWABLE_TAGS as $tag) {
- $PATTERNS[] = "/<$tag>/i";
- $PATTERNS[] = "/<\/$tag>/i";
- $REPLACEMENTS[] = "<$tag>";
- $REPLACEMENTS[] = "";
- }
- }
-
- $result = str_replace(array(">", "<", "\"", "'"),
- array(">", "<", """, "'"),
- $text);
-
- $result = preg_replace($PATTERNS, $REPLACEMENTS, $result);
-
- return $result;
- } function admindisplay($content, $title) { // Finalize page and output to browser.
diff --git a/towns.php b/towns.php
index 5df457a..29e287c 100644
--- a/towns.php
+++ b/towns.php
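Review bot: `$safecontent` is still interpolated into the INSERT later in this hunk (`babble='$safecontent'`), and `makesafe()` (added to lib.php by this commit) rewrites `<`, `>`, tab, newline, `|` and space but not `'` or `"`, which the replaced `my_htmlspecialchars()` did convert to entities as far as the entity-decoded text here shows; a post containing a quote now reaches the string-built query unescaped. Escape for the SQL context separately from the HTML rewrite, e.g. `babble='".mysql_real_escape_string($safecontent)."'`, since this codebase uses the mysql_* extension and has no prepared statements. The unchanged `author='".$userrow["charname"]."'` part of the same query has the same shape and deserves the same treatment. Also, because `makesafe()` rewrites every space, the `$safecontent == " "` comparison on the following line can no longer match a lone-space post, assuming the two-space replacement shown is what the file actually contains.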
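Review bot: `makesafe()` escapes `<` and `>` by hand but leaves `&`, `"` and `'` untouched, so its result is only usable in HTML text content, not inside an attribute, and the quote conversion the removed `my_htmlspecialchars()` performed is gone (the diff text here looks entity-decoded, so check the actual file). The built-in covers all of these: replace the two `<`/`>` lines with `$d = htmlspecialchars($d, ENT_QUOTES);` and keep the tab, newline, `|` and space rewrites after it. The name promises more than the body delivers, so add a header comment such as `// Prepares untrusted text for HTML display only; it does not escape for SQL, callers must do that separately.` The `|` replacement renders as `??` here; confirm the intended literal survives in the file's encoding. Any caller of `my_htmlspecialchars()` outside this diff would now fail with an undefined-function error.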
@@ -5,6 +5,7 @@ function inn() { // Staying at the inn resets all expendable stats to their max global $userrow, $numqueries; $townquery = doquery("SELECT name,innprice FROM {{table}} WHERE latitude='".$userrow["latitude"]."' AND longitude='".$userrow["longitude"]."' LIMIT 1", "towns"); + if (mysql_num_rows($townquery) != 1) { display("Cheat attempt detected.

Get a life, loser."); } $townrow = mysql_fetch_array($townquery); if ($userrow["gold"] < $townrow["innprice"]) { display("You do not have enough gold to stay at this Inn tonight.

You may return to town, or use the direction buttons on the left to start exploring.", "Inn"); die(); } @@ -40,6 +41,7 @@ function buy() { // Displays a list of available items for purchase. global $userrow, $numqueries; $townquery = doquery("SELECT name,itemslist FROM {{table}} WHERE latitude='".$userrow["latitude"]."' AND longitude='".$userrow["longitude"]."' LIMIT 1", "towns"); + if (mysql_num_rows($townquery) != 1) { display("Cheat attempt detected.
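Review bot: The new row-count guard calls `display("Cheat attempt detected. ...")` but does not stop the function, so unless `display()` exits internally (not visible here) execution falls through to `mysql_fetch_array($townquery)` and continues with an empty `$townrow`. The gold check a few lines below in the same hunk follows `display(...)` with `die();`, and the guard should do the same: append `die();` right after the `display(...)` call inside the new `if`. The identical guard added to `buy()` in the next hunk has the same omission. The enclosing `inn()` function continues past the end of this hunk.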

Get a life, loser."); } $townrow = mysql_fetch_array($townquery); $itemslist = explode(",",$townrow["itemslist"]);