[Tool/Web/Other] Shop Webpage [Socket/MySQL]
#1

Introduction:

Simple shop page which works with Socket and MySQL. Basically, when you click the 'Buy' button you get the item immediately in-game and your money is decreased by the price of the item you bought; you don't have to re-login.

Features:

- Simple, clean design.
- Login page using MySQL.
- You can register directly from the webpage.
- You will be logged out if you're inactive for 15 minutes.
- Shows how much money you have currently.
- All forms are submitted using the .ajax function (no need to refresh the page).

Screenshots:

Login Page:
Register Page:
Vehicles Page:
Skins Page:
Requirements:

MySQL - BlueG/maddinat0r
Socket - BlueG
SSCANF2 - Y_Less/maddinat0r/Emmet_
Command Processor - SickAttack

Download:

Click Here! - GitHub - This one doesn't include the vehicles/skins pictures.
Click Here! - Solidfiles - Recommended.

Special Thanks:

jlalt - Helped me with some socket stuff, much thanks.
#2

Great work!
#3

Nice work buddy, you are awesome!
#4

Thanks.
#5

I wonder who is telling about the Ajax thing. Anyway, good job!
#6

Wow
Nice one oMa :3
Why don't you complete your work with UCP/ACP XD
#7

Quote:
Originally Posted by Younes44
Why don't you complete your work with UCP/ACP XD
I will.
#8

Hi there.
First, nice Webshop, i like this idea.

Second, I've seen that this shop is vulnerable to Web Parameter Tampering: we can tamper with POST data (such as the price of skins/vehicles) and get them for free. Another way is executing the JavaScript code directly.

So, the original request originates here:
Code:
<p><button type='button' class='btn btn-info' onClick='BuySkin(".$skins[$i][1].", ".$skins[$i][0].")'>Buy</button></p>
We can execute JavaScript directly:
Code:
BuySkin(240, 0);
Regards,
Nobody.
#9

Quote:
Originally Posted by SlowARG
Hi there.
First, nice Webshop, i like this idea.

Second, I've seen that this shop is vulnerable to Web Parameter Tampering: we can tamper with POST data (such as the price of skins/vehicles) and get them for free. Another way is executing the JavaScript code directly.

So, the original request originates here:
Code:
<p><button type='button' class='btn btn-info' onClick='BuySkin(".$skins[$i][1].", ".$skins[$i][0].")'>Buy</button></p>
We can execute JavaScript directly:
Code:
BuySkin(240, 0);
Regards,
Nobody.
Thanks for pointing that out to me, I will work on that.
#10

Awesome bro, great work
#11

This was made for explosive freeroam, isn't it? Back when you were creating the UCP
#12

Pretty good!
#13

Quote:
Originally Posted by TheMaskedGamer
This was made for explosive freeroam, isn't it? Back when you were creating the UCP
Not really, I made it a few weeks ago.
#14

Holy Crap,

Your script is completely open to MySQL Injection.

Code:
$query = "SELECT Username, Password FROM `Users` WHERE `Username` = '".$_POST["playerName"]."'";
$result = mysqli_query($conn, $query);
Please use prepared statements.

Code:
$stmt = $conn->prepare("SELECT Username, Password FROM `Users` WHERE `Username` = ?"); // mysqli only supports positional (?) placeholders
$stmt->bind_param("s", $_POST["playerName"]); // bound as a string value, never spliced into the SQL text
$stmt->execute();
$result = $stmt->get_result();
PHP Prepared Statements
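Added example (not code from the original script or from either reply) showing the fix for both issues raised in this thread together: the login lookup from post #14 done with a bound parameter instead of string concatenation, and a buy handler for the parameter tampering in post #8 that ignores any client-sent price, reads it from the database, and checks and deducts the balance in one conditional UPDATE inside a transaction. It uses PDO with an in-memory SQLite database so it runs stand-alone; the shop itself uses MySQL through mysqli, where the same PDO calls work with a mysql: DSN. The table and column names (Users, Skins, Money), the request field names and the sample rows are assumptions.

```php
<?php
// Added example, not the original script's code. PDO with an in-memory SQLite
// database so it runs stand-alone; the shop uses MySQL, where the same PDO
// calls work with a mysql: DSN. Table/column names, request field names and
// the sample rows are assumptions.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT, Money INTEGER)");
    $db->exec("CREATE TABLE Skins (ID INTEGER PRIMARY KEY, Price INTEGER)");
    // Constructed sample data: one account with 300 money, one skin costing 240.
    $db->exec("INSERT INTO Users VALUES ('admin', 'secret', 300)");
    $db->exec("INSERT INTO Skins VALUES (0, 240)");
    return $db;
}

// Post #14: the login lookup. Vulnerable form, as in the thread: the username is
// pasted into the SQL text, so a quote inside it rewrites the WHERE clause.
function findUserVulnerable(PDO $db, string $name): ?array {
    $query = "SELECT Username, Password FROM `Users` WHERE `Username` = '" . $name . "'";
    $row = $db->query($query)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened form: the username travels as a bound parameter and is never parsed as SQL.
function findUser(PDO $db, string $name): ?array {
    $stmt = $db->prepare("SELECT Username, Password FROM `Users` WHERE `Username` = ?");
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Post #8: the buy handler. The only value taken from the request is the skin id;
// a client-sent "price" field is ignored. The price comes from the database, and
// the balance check and deduction are one conditional UPDATE inside a transaction,
// so neither a tampered price nor two concurrent buys can get the skin for less.
function buySkin(PDO $db, string $user, array $request): string {
    $skinId = filter_var($request['skinid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($skinId === false) {
        return 'bad request';
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare("SELECT Price FROM `Skins` WHERE `ID` = ?");
        $stmt->execute([$skinId]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            $db->rollBack();
            return 'no such skin';
        }
        $price = (int)$price;
        $upd = $db->prepare("UPDATE `Users` SET `Money` = `Money` - ? WHERE `Username` = ? AND `Money` >= ?");
        $upd->execute([$price, $user, $price]);
        if ($upd->rowCount() !== 1) {
            $db->rollBack();
            return 'not enough money';
        }
        $db->commit();
        // This is where the original script would send the socket message to the game server.
        return "bought skin $skinId for $price";
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = openDb();

// Injection attempt against the login lookup: a username that closes the quote.
$evil = "x' OR '1'='1";
echo findUserVulnerable($db, $evil) ? "vulnerable lookup: matched a row\n" : "vulnerable lookup: no match\n";
echo findUser($db, $evil) ? "prepared lookup: matched a row\n" : "prepared lookup: no match\n";

// Tampered buy from post #8: BuySkin(240, 0) with the price rewritten to 0 in the POST body.
$tampered = ['skinid' => '0', 'price' => '0'];
echo buySkin($db, 'admin', $tampered), "\n";
echo buySkin($db, 'admin', $tampered), "\n";
echo buySkin($db, 'admin', ['skinid' => "0' OR 1=1"]), "\n";
```

Run with `php example.php` (needs the pdo_sqlite extension). The concatenated lookup matches the `admin` row for a username that does not exist, because the injected `OR '1'='1'` makes the WHERE clause always true; the prepared lookup finds nothing, since the whole string is compared as a literal username. The tampered buy still costs 240 because the price in the request is never read; the second attempt fails the `Money >= ?` condition, and a non-integer skin id is rejected before any SQL runs.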
#15

Good work.
#16

Well, one of my friends and I were planning to do something like that; it seems someone else thought of this before us!

Good one.