I'm creating games in Flash with ActionScript 3.0. I'm passing data to PHP to check, insert game result and send request to an API URL.

But I'm experiencing some failed insert queries, some failed cURL requests, and sometimes both. Why is that?

I'm using an RDS database (t2.Medium).

Here's my code in ActionScript:

```actionscript
var variables:URLVariables = new URLVariables();

var varSend:URLRequest = new URLRequest(link + "parse.php");
varSend.method = URLRequestMethod.POST;
varSend.data = variables;

// Build the varLoader variable
var varLoader:URLLoader = new URLLoader;
varLoader.dataFormat = URLLoaderDataFormat.BINARY;

//varLoader.addEventListener(Event.COMPLETE, completeHandler);

variables.apikey = "<API KEY>";
variables.username = <FETCH FROM JS>; // placeholder: value fetched from JavaScript
variables.side = "Good";

variables.player1 = player1;
variables.player2 = player2;
variables.player3 = player3;
variables.player4 = player4;
variables.player5 = player5;

variables.jackpot1 = jackpot1;
variables.jackpot2 = jackpot2;
variables.jackpot3 = jackpot3;
variables.jackpot4 = jackpot4;
variables.jackpot5 = jackpot5;
variables.sendRequest = "parse";

// Send the data to the php file
varLoader.load(varSend);
```

Here's my code in PHP:

```php
<?php

if ($_POST['sendRequest'] == "parse") {

    $datetime = date('Y-m-d H:i:s');
    $datetime1 = date('Y-m-d');

    $apikey = $_POST['apikey'];

    $promocode = "TestGame";
    $username = $_POST['username'];

    $alignment = $_POST['side'];
    $player1 = $_POST['player1'];
    $player2 = $_POST['player2'];
    $player3 = $_POST['player3'];
    $player4 = $_POST['player4'];
    $player5 = $_POST['player5'];
    $player = $player1 + $player2 + $player3 + $player4 + $player5;

    $jackpot1 = $_POST['jackpot1'];
    $jackpot2 = $_POST['jackpot2'];
    $jackpot3 = $_POST['jackpot3'];
    $jackpot4 = $_POST['jackpot4'];
    $jackpot5 = $_POST['jackpot5'];
    $jackpot = $jackpot1 + $jackpot2 + $jackpot3 + $jackpot4 + $jackpot5;

    $db_servername = "<RDS Host>";
    $db_username = "<Database User>";
    $db_password = "<DB Password>";
    $db_name = "<DB Name>";

    $connection = mysqli_connect($db_servername, $db_username, $db_password, $db_name);
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    // POST values are interpolated straight into the SQL string (see the comments below the question)
    $check_sql = "SELECT * FROM tblpoints WHERE username = '$username' AND date(datetime) = '$datetime1'";
    $result = mysqli_query($connection,$check_sql);
    if (!$result) {
        // String concatenation in PHP is ".", not "+"
        echo "Error in checking record: " . mysqli_error($connection);
        exit;
    }

    $points = $player;
    $betcondition = $points * 10;

    $ch = curl_init();

    curl_setopt($ch, CURLOPT_HTTPHEADER, array("Content-Type: application/json"));

    curl_setopt($ch,CURLOPT_URL, "<API URL>".$points."/".$betcondition."/".$username);
    curl_setopt($ch,CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($ch,CURLOPT_POST,1);

    // TLS certificate and host name verification are switched off for this request
    curl_setopt($ch,CURLOPT_SSL_VERIFYHOST,FALSE);
    curl_setopt($ch,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch,CURLOPT_SSL_VERIFYPEER,FALSE);

    $result = curl_exec($ch);

    if(curl_errno($ch)) {
        print "Error: " . curl_error($ch);
    } else {
        curl_close($ch);
    }

    // $status is never assigned anywhere in the posted code
    $sql = "INSERT INTO tblpoints (username, alignment, player_points, player_points1, player_points2, player_points3, player_points4, player_points5, jackpot_points, jackpot_points1, jackpot_points2, jackpot_points3, jackpot_points4, jackpot_points5, datetime, status) VALUES ('$username', '$alignment', '$player', '$player1', '$player2', '$player3', '$player4', '$player5', '$jackpot', '$jackpot1', '$jackpot2', '$jackpot3', '$jackpot4', '$jackpot5', '$datetime', '$status')";
    mysqli_query($connection,$sql);
    mysqli_close($connection);
}
?>
```

Note: There will be no direct input from users here.

POGI
  • This has some serious SQL injection vulnerabilities in it. – halfer Aug 16 '16 at 18:19
  • @halfer Hi, what do you mean? I'm just a newbie in PHP and ActionScript, just trying to improve my skills :) – POGI Aug 16 '16 at 18:21
  • It means you have a security problem, [read this](http://stackoverflow.com/q/60174/472495) to find out more. As to why database queries fail, you'd have to record `$check_sql` when it fails to find out why it fails. Certainly if `datetime` is not a valid date, or `$username` contains an apostrophe, it will fail with a database error. – halfer Aug 16 '16 at 18:26
  • When you get a database error, what does it say? – halfer Aug 16 '16 at 18:27
  • **WARNING**: When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. **DO NOT** use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST` or `$_GET` data directly into a query, it can be very harmful if someone seeks to exploit your mistake. – tadman Aug 16 '16 at 18:31
  • Hi, I understand your concern about security, but is it causing my process to fail? The data that I'm fetching does not totally come from the users. It's already in the database and I just need to pass it. – POGI Aug 16 '16 at 18:39
  • @halfer I'm actually trying to figure out how to display the database error, because when I submit data from ActionScript to PHP it's processed in the background. No logs appear. – POGI Aug 16 '16 at 19:13
  • Ah right. So set up a `curl` call to emulate what the AS is doing. This can either be `curl` on the command line (OS X and Linux) or another PHP script calling your PHP script's URL. – halfer Aug 16 '16 at 19:21
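
Added example, not part of the original thread or the asker's code: the check and insert from the question rewritten with the prepared statements and `bind_param` that the comments recommend, with mysqli errors logged server-side so a failure is visible even though the Flash client never shows the response. Table and column names come from the question; the insert is narrowed to the totals columns, the check is assumed to gate the insert, and the function names and sample `$post` values are constructed for illustration.

```php
<?php
// Added example. Host and credentials are the question's placeholders;
// function names and the sample request are constructed for illustration.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

function has_entry_today(mysqli $db, string $username, string $day): bool
{
    // Bound parameters keep the apostrophe in "O'Brien" as data, not SQL syntax.
    $stmt = $db->prepare(
        'SELECT 1 FROM tblpoints WHERE username = ? AND DATE(datetime) = ? LIMIT 1'
    );
    $stmt->bind_param('ss', $username, $day);
    $stmt->execute();
    $stmt->store_result();
    $found = $stmt->num_rows > 0;
    $stmt->close();
    return $found;
}

function insert_totals(mysqli $db, string $username, string $alignment,
                       int $player, int $jackpot, string $now): void
{
    $stmt = $db->prepare(
        'INSERT INTO tblpoints (username, alignment, player_points, jackpot_points, datetime)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('ssiis', $username, $alignment, $player, $jackpot, $now);
    $stmt->execute();
    $stmt->close();
}

try {
    $db = new mysqli('<RDS Host>', '<Database User>', '<DB Password>', '<DB Name>');
    // Constructed sample request standing in for $_POST.
    $post = ['username' => "O'Brien", 'side' => 'Good',
             'player1' => '10', 'player2' => '5', 'jackpot1' => '2'];
    $player  = (int) $post['player1'] + (int) $post['player2'];
    $jackpot = (int) $post['jackpot1'];
    if (!has_entry_today($db, $post['username'], date('Y-m-d'))) {
        insert_totals($db, $post['username'], $post['side'], $player, $jackpot, date('Y-m-d H:i:s'));
    }
    $db->close();
} catch (mysqli_sql_exception $e) {
    // The client discards the response body, so record the failure on the server.
    error_log('tblpoints write failed: ' . $e->getMessage());
    http_response_code(500);
}
```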

1 Answer

I actually figured out what was really happening in my code. The ActionScript function I created was being delayed in processing it to PHP.

The user must not close the browser window and needs to wait for the script to finish. So, what I did was display a loading message and hide it after the AS function completed.

POGI