I have a problem in that someone is using a bot to exploit my site. It would appear from logs that he is able to send multiple requests very quickly before the code is able to deduct the amount requested from his balance.

I had thought about stating a random value for every time it executes, which then gets put into his account row and compared against itself. This way it would be different every time it's run.

Below is the head of the code:

// Look up the player by the hash passed in the query string (prot() is the author's escaping helper).
$player = mysql_fetch_array(mysql_query("SELECT `id`,`time`,`ex`,`btc`,`string` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));

// Generate a fresh random token for this request.
$random = base64_encode(openssl_random_pseudo_bytes(10));
$setstring = $random;

// Store the token in the player's row. Note that $setstring is interpolated into the
// statement without surrounding quotes, so the value arrives in the SQL as a bare word.
mysql_query("UPDATE `players` SET `string` = $setstring WHERE `id`=$player[id] LIMIT 1");

// Read the token back and compare it with the one just generated.
$playersec = mysql_fetch_array(mysql_query("SELECT `string` FROM `players` WHERE `hash`='".prot($_GET['_unique'])."' LIMIT 1"));

if (!is_numeric($_GET['amount']) || (double)$_GET['amount'] > $player['btc'] || (double)$_GET['amount'] < 0 || $setstring != $playersec['string']) {
    $error = 'yes';
    $con = 1;
}

I'm pretty sure this is the problem, as when it executes it doesn't put anything in the string field, i.e. it's left empty.

mysql_query("UPDATE `players` SET `string` = $setstring WHERE `id`=$player[id] LIMIT 1");

Yet when I run:

<?php

$random = base64_encode(openssl_random_pseudo_bytes(10));
$setstring = $random;
echo $setstring;
?>

It outputs fine with: IAXUqtKraNDb1Q==

Does anyone have any ideas?

Thanks

Ben

1 Answer


At this moment you are creating a workaround. To prevent this kind of abuse, it is best to stop it at the root cause, and to do that, use database transactions.

Steps:

1) Use InnoDB.

2) Use transaction encapsulation in PHP.

Update and retrieve your totals from the database. Since they are now in a transaction, the next transaction has to wait on the first, with the result that only the real available values can be retrieved.

Norbert
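The transaction the answer describes, written out as an added PHP example (it is not the asker's or Norbert's code). It assumes PDO with ERRMODE_EXCEPTION, an InnoDB `players` table with `id`, `hash` and `btc` columns, and a hypothetical withdraw() function; the `SELECT ... FOR UPDATE` row lock makes a second concurrent request for the same player wait until the first deduction is committed, so the double-spend race in the question cannot occur.

```php
<?php
// Added example, not code from the original page. Assumes a PDO connection in
// ERRMODE_EXCEPTION and an InnoDB table `players`(id, hash, btc).
function withdraw(PDO $db, string $hash, float $amount): bool
{
    // Reject NaN/INF and non-positive amounts before touching the database.
    if (!is_finite($amount) || $amount <= 0) {
        return false;
    }

    $db->beginTransaction();
    try {
        // FOR UPDATE takes a row lock: a concurrent request for the same player
        // blocks here until this transaction commits or rolls back, so it reads
        // the already-deducted balance instead of the stale one.
        $stmt = $db->prepare('SELECT `id`, `btc` FROM `players` WHERE `hash` = ? LIMIT 1 FOR UPDATE');
        $stmt->execute([$hash]);
        $player = $stmt->fetch(PDO::FETCH_ASSOC);

        if ($player === false || (float)$player['btc'] < $amount) {
            $db->rollBack();
            return false; // unknown player or insufficient balance
        }

        // Deduct inside the same transaction. The balance guard in the WHERE
        // clause is a second line of defence: on a MyISAM table FOR UPDATE is a
        // no-op, and this conditional update still refuses to go negative.
        $upd = $db->prepare('UPDATE `players` SET `btc` = `btc` - ? WHERE `id` = ? AND `btc` >= ?');
        $upd->execute([$amount, $player['id'], $amount]);

        if ($upd->rowCount() !== 1) {
            $db->rollBack();
            return false; // balance changed underneath us; nothing deducted
        }

        $db->commit();
        return true;
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}

// Usage (constructed values):
// $db = new PDO('mysql:host=localhost;dbname=game', $user, $pass,
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $ok = withdraw($db, $_GET['_unique'], (float)$_GET['amount']);
```

The random-token check from the question is no longer needed: the lock serialises the requests, and `rowCount()` tells the caller whether the deduction actually happened.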