Graal Forums - Graal Stock Market

Graal Forums (https://forums.graalonline.com/forums/index.php)

- Code Gallery (https://forums.graalonline.com/forums/forumdisplay.php?f=179)

- - Graal Stock Market (https://forums.graalonline.com/forums/showthread.php?t=134267716)

Dsider trollin' the nerds. lol

Quote:

Originally Posted by BlueMelon (Post 1711462)

PHP Code:


		
			
  if(params[0] == "Buy"){
    temp.rate = Stocks.stock_price.(@params[1]);
    temp.amnt = params[2];
    temp.price = amnt*rate;
    if(clientr.stockcash >= price){
      clientr.stockcash -= price;
      clientr.stocks.(@int(random(1,9999999)))= {params[1], rate, amnt};
      clientr.stockcash = clientr.stockcash.substring(0, clientr.stockcash.pos(".") + 3);
    }
  }
  if(params[0] == "Sell"){
    temp.rate = Stocks.stock_price.(@params[1]);
    for(temp.i : getstringkeys("clientr.stocks.")){
      temp.amnt = clientr.stocks.(@i)[2];
      temp.price = amnt*rate;
      temp.checkname = clientr.stocks.(@i)[0];
      if(checkname == params[1]){
        temp.checkrate = clientr.stocks.(@i)[1];
        if(checkrate.pos(params[2]) >= 0){
          temp.checkquantity = clientr.stocks.(@i)[2];
          if(checkquantity == params[3]){;
            if(clientr.stocks.(@i) == null) return;
            clientr.stocks.(@i) = null;
            clientr.stockcash += price;
            return;
          }
        }
      }
    }
  }

No validation? Huge security holes... What if params[1] or params[2] was negative?
clientr.stockcash -= -(price);

See where I'm going?

No validation?
It checks with the database NPC.
And I haven't thought about if stocks are that negative.
Generally people don't buy negative stocks..
And it does check if your money is greater than or equal to the stock you're buying.
And the priced is taken from the DB NPC.

Validation as in, are you getting the right input? What if the triggers value (from clientside) was modified to send a negative value in the trigger? (Happened on era, that's why I'm saying this)

Checking for things like negative input is something you really need to get into a habit of doing. That kind of **** is what will let a player walk away from a bank with a free million dollars/gralats.

Quote:

Originally Posted by DustyPorViva (Post 1711506)

Checking for things like negative input is something you really need to get into a habit of doing. That kind of **** is what will let a player walk away from a bank with a free million dollars/gralats.

Delteria's banking system was like this

Quote:

Originally Posted by Gunderak (Post 1711500)

-rep for being retarded

The value can't be negative. As you can't buy - stocks.
I'll add an extra check anyway..

Quote:

Originally Posted by Gunderak (Post 1711515)

The value can't be negative. As you can't buy - stocks.
I'll add an extra check anyway..

You have t o realize that any clientsided code can be altered with various memory editors and whatnot, thus, anyone with the knowledge and enough free time on their hands can modify the trigger and send a negative value with it. ALWAYS make sure things are as they should be on clientside AND serverside.

Quote:

Originally Posted by Gunderak (Post 1711515)

The value can't be negative. As you can't buy - stocks.
I'll add an extra check anyway..

Since you are sending the values FROM client-side, TO server-side, they can be edited before sending the values. The trigger params can be edited by anyone who knows how. Always do serverside validation, making sure you have the correct values...