
NPC Logs


skymia

Question


  • Group:  Members
  • Topic Count:  63
  • Topics Per Day:  0.02
  • Content Count:  298
  • Reputation:   4
  • Joined:  02/19/17

How to put npclog in this script?

to avoid abuse of this item rewarder

//======Name========================================
// Event Reward Giver
//======Version=====================================
// 0.9 (Untested)
// Authors: UnoDelta, Sandbox
//======Comments====================================
// In loving memory of AstralRO
//==================================================


sec_in01,177,179,4	script	Event Reward	563,{

set .npcname$,"[ Event Reward ]";
if (getgroupid() < 4){end;}

mes .npcname$;
mes "Hello "+strcharinfo(0)+", How can I help you?";
menu "-Give Reward",N_Name,"-Nothing",-;
next;
mes .npcname$;
mes "Alright! See you soon.";
close;

N_Name:
next;
mes .npcname$;
mes "Please tell me the name of the player:";
input .@Rew_Name$;
next;
query_sql "SELECT `online` FROM `char` WHERE `name`='"+.@Rew_Name$+"'",.@charstatus; //STATUS CHECK (ONLINE/OFFLINE)
if (.@charstatus == 0) {
mes .npcname$;
mes "Char Name: "+.@Rew_Name$+".";
mes "Char Status: ^FF0000OFFLINE^000000";
mes "";
mes "You cannot proceed.";
menu "-Try Again",N_Name,"-Cancel",-;
next;
mes .npcname$;
mes "Your action was canceled.";
set .@loop,0;
close;}

if (.@charstatus == 1) {
mes .npcname$;
mes "Char Name: "+.@Rew_Name$+".";
mes "Char Status: ^009F00ONLINE^000000";
mes "";
mes "You may proceed.";
if (.@loop == 1) {goto N_End;}
goto N_Item;}

N_Item:
next;
mes .npcname$;
mes "Please input the item ID to be given:";
mes "^FF0000*Note that only item ID's will be accepted.^000000";
input .@Rew_Item;
if (.@Rew_Item <= 500) {goto N_Item;}
set .@itemname$,getitemname(.@Rew_Item);
if (.@loop == 1) {goto N_End;}
goto N_Amt;

N_Amt:
next;
mes .npcname$;
mes "Please input the amount of the reward.";
input .@Rew_Amt;
if (.@Rew_Amt == 0) {goto N_Amt;}
goto N_End;

N_End:
next;
query_sql "SELECT `online` FROM `char` WHERE `name`='"+.@Rew_Name$+"'",.@charstatus; //STATUS CHECK (ONLINE/OFFLINE)
if (.@charstatus == 0) {
mes .npcname$;
mes "Char Name: "+.@Rew_Name$+".";
mes "Char Status: ^FF0000OFFLINE^000000";
mes "Item Name: "+.@itemname$+".";
mes "Item Amount: "+.@Rew_Amt+".";
mes "";
mes "You cannot proceed. Character is Offline.";
menu "-Try Again",N_Name,"-Cancel",-;
next;
mes .npcname$;
mes "Your action was canceled.";
set .@loop,0;
close;}

if (.@charstatus == 1) {
mes .npcname$;
mes "Char Name: "+.@Rew_Name$+".";
mes "Char Status: ^009F00ONLINE^000000";
mes "Item Name: "+.@itemname$+".";
mes "Item Amount: "+.@Rew_Amt+".";
mes "";
mes "You may proceed. Confirm Reward?";
set .@loop,1;
menu "-Confirm",R_Proc,"-Change Name",N_Name,"-Change Item",N_Item,"-Change Amount",N_Amt,"-Cancel",-;
next;
mes .npcname$;
mes "Your action was cancelled.";
set .@loop,0;
close;}

R_Proc:
next;
set .@Rew_GM$,strcharinfo(0);
set .@Rew_Time$,gettimestr("%Y-%m/%d %H:%M:%S",21);
query_sql "INSERT INTO `evt_prize` VALUES('"+.@Rew_Time$+"','"+.@Rew_Name$+"','"+.@Rew_Item+"','"+.@Rew_Amt+"','"+.@Rew_GM$+"')";
getitem .@Rew_Item, .@Rew_Amt,getcharid(3, .@Rew_Name$);
announce "[Event GM] "+strcharinfo(0)+" has rewarded "+.@Rew_Amt+" "+.@itemname$+" to "+.@Rew_Name$+".",bc_all,0xFF8080;
mes .npcname$;
mes "You have given your reward.";
set .@loop,0;
close;
}

 

5 answers to this question

  • Group:  Forum Moderator
  • Topic Count:  93
  • Topics Per Day:  0.02
  • Content Count:  10015
  • Reputation:   2350
  • Joined:  10/28/11

Why do you still need another log, since the `evt_prize` table already stores all the information you need?

  • Group:  Members
  • Topic Count:  63
  • Topics Per Day:  0.02
  • Content Count:  298
  • Reputation:   4
  • Joined:  02/19/17

On 9/23/2017 at 2:41 PM, Emistry said:

Why do you still need another log, since the `evt_prize` table already stores all the information you need?

Sir, how do I add the evt_prize table in my SQL? I don't have the table yet, sir.

  • Group:  Members
  • Topic Count:  76
  • Topics Per Day:  0.02
  • Content Count:  276
  • Reputation:   7
  • Joined:  08/11/12

Hope you don't mind if I divert from the original request of this thread; however, correct me if I'm wrong, doesn't this part here make this vulnerable to SQL injection?

On 9/23/2017 at 12:05 PM, skymia said:

input .@Rew_Name$;
next;
query_sql "SELECT `online` FROM `char` WHERE `name`='"+.@Rew_Name$+"'",.@charstatus; //STATUS CHECK

While it does have a check to prevent groupID to be 4 and above to be able to interact with the NPC, however if it falls into the wrong hands they could do quite a bit of damage if they really wanted.

  • Group:  Members
  • Topic Count:  63
  • Topics Per Day:  0.02
  • Content Count:  298
  • Reputation:   4
  • Joined:  02/19/17

20 minutes ago, ToiletMaster said:

Hope you don't mind if I divert from the original request of this thread; however, correct me if I'm wrong, doesn't this part here make this vulnerable to SQL injection?

While it does have a check to prevent groupID to be 4 and above to be able to interact with the NPC, however if it falls into the wrong hands they could do quite a bit of damage if they really wanted.

Ohh, I see... Can you recommend a better reward NPC, sir, or can you revise the script?

  • Group:  Members
  • Topic Count:  76
  • Topics Per Day:  0.02
  • Content Count:  276
  • Reputation:   7
  • Joined:  08/11/12

1 hour ago, ToiletMaster said:

input .@Rew_Name$;
next;
query_sql "SELECT `online` FROM `char` WHERE `name`='"+escape_sql(.@Rew_Name$)+"'",.@charstatus; //STATUS CHECK

Whenever there's an input for a string with SQL, you should always try to use the escape_sql command to make it safe. As long as you parse the variable with this, it should be fine. I've not tested this entirely, though, since I'm on my phone, but it should work.

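Added example, not part of any post in this thread: the same reward flow condensed into one NPC, with `escape_sql` applied to every string that reaches `query_sql` (the posted script also concatenates names in its second status check and in the `INSERT`) and a `logmes` entry for the NPC log the question asked about. The NPC name `Event Reward#safe`, the five-column layout of `evt_prize` and NPC logging being enabled in the server's log configuration are assumptions.

```rathena
// Added example, not the thread's original NPC: same reward flow, condensed.
// Assumes `evt_prize` has five columns in the order the INSERT fills them,
// and that NPC logging is enabled so the logmes line is recorded.
sec_in01,177,179,4	script	Event Reward#safe	563,{
	if (getgroupid() < 4) end;
	set .@npc$, "[ Event Reward ]";

	mes .@npc$;
	mes "Please tell me the name of the player:";
	input .@name$;
	// Escape once, right after input; only the escaped copy goes into SQL text.
	set .@name_sql$, escape_sql(.@name$);
	set .@rows, query_sql("SELECT `online` FROM `char` WHERE `name`='" + .@name_sql$ + "'", .@online);
	// Exactly one matching row that is online, otherwise stop.
	if (.@rows != 1 || .@online != 1) {
		mes "Character not found or offline.";
		close;
	}
	next;
	mes .@npc$;
	mes "Item ID, then amount:";
	input .@item;
	input .@amt;
	// getitemname returns "null" for an ID that is not in the item database.
	if (getitemname(.@item) == "null" || .@amt < 1) {
		mes "Invalid item ID or amount.";
		close;
	}
	next;
	mes .@npc$;
	mes "Give " + .@amt + "x " + getitemname(.@item) + " to " + .@name$ + "?";
	if (select("Confirm:Cancel") != 1) close;

	set .@gm$, strcharinfo(0);
	set .@time$, gettimestr("%Y-%m/%d %H:%M:%S", 21); // format string as in the posted script
	// Both name strings are escaped; item and amount are integer variables.
	query_sql "INSERT INTO `evt_prize` VALUES('" + .@time$ + "','" + .@name_sql$ + "','" + .@item + "','" + .@amt + "','" + escape_sql(.@gm$) + "')";
	getitem .@item, .@amt, getcharid(3, .@name$);
	// Second audit trail: written to the NPC log for the character using the NPC.
	logmes "Event reward: " + .@amt + "x item " + .@item + " to " + .@name$;
	mes .@npc$;
	mes "You have given your reward.";
	close;
}
```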
