
Sorry if it is a duplicate, but I haven't found anything yet about an inventory system like mine.

So I'm creating a game and I'm stuck on the inventory system. Here is what I want to do:

  • There is a column named "Inventory" which stores items as text. For example, Player 1's Inventory can be like "Meat, Potion, Sword" and so on...

  • When the user defeats a mob, he gets a drop, and the drop will be added to "Inventory".

    $query=$db->prepare('UPDATE users SET Inventory=   ('.$infomonstre["fightm_monsterloot"] .') WHERE username=:username');
    $query->bindValue(':username', $username, PDO::PARAM_INT);
    $query->execute();
    $query->CloseCursor();
    
  • In the user's page, the items are displayed normally.

What I want to do is add the item to the inventory, and as you can guess this is not working. Mainly because what I wrote would overwrite the Inventory, but this is also just not working at all: the Inventory stays empty.

Thanks for the help!

  • I don't follow your question, but I will point out that you are using a half-baked prepared statement. For the username, you bind a parameter (correctly), but you also concatenate something in there; this might not be completely safe from injection attacks. – Tim Biegeleisen Aug 06 '17 at 13:02
  • Hi, thanks for the advice! I'm not really sure I understand your warning (mostly because I'm not very good at English..) but how can someone do an injection attack just because I'm concatenating something in the inventory? – Lucas G Aug 06 '17 at 13:06
  • Just Google around you'll find something. How about injecting `''; DELETE FROM users WHERE 1=1 OR ` – Tim Biegeleisen Aug 06 '17 at 13:07
  • @Strawberry Oops...glad comments can't be downvoted! Well, it looks like I wouldn't make a good living injecting websites :-) – Tim Biegeleisen Aug 06 '17 at 13:10
  • @LucasG Typically, you would have a separate table for inventory, with a column for the user, and a column for the item - one row for each item – Strawberry Aug 06 '17 at 13:13
  • I really recommend what Strawberry suggested. It will give you the best flexibility. Plus you can store additional information about each item (for example when it was given to the user) – Manuel Otto Aug 06 '17 at 14:01
  • One duplicate topic describes why storing delimited data in a single field is a bad idea. The other one describes what normalisation is (that is @Strawberry's recommendation). – Shadow Aug 06 '17 at 14:54
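The two points raised in the comments (one row per item in a separate inventory table, and never concatenating the loot text into the SQL string) fit in one small example. This is an added illustration, not code from the question or from any answer; it uses SQLite so it runs offline, but the statements have the same shape as the MySQL ones the question targets. The table and column names (`users`, `inventory`, `item_name`, `acquired_at`) and the two players are assumptions made up for the demo, and `acquired_at` is there because one comment suggests recording when an item was given.

```python
"""Normalised inventory table plus a parameterised loot insert.

Added example (not from the original question). Table names, column names
and the sample players are assumptions chosen for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE
);
-- One row per item a user holds, instead of "Meat, Potion, Sword" in one column.
CREATE TABLE inventory (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    item_name   TEXT NOT NULL,
    acquired_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""


def open_db():
    """Fresh in-memory database seeded with two constructed players."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users (username) VALUES (?)",
                     [("alice",), ("bob",)])
    conn.commit()
    return conn


def add_loot(conn, username, item):
    """Safe version: loot name and username travel as bound parameters, so a
    quote inside them is data, never SQL. Returns the number of rows
    inserted (0 when the user does not exist)."""
    cur = conn.execute(
        "INSERT INTO inventory (user_id, item_name) "
        "SELECT id, ? FROM users WHERE username = ?",
        (item, username),
    )
    conn.commit()
    return cur.rowcount


def add_loot_concatenated(conn, username, item):
    """Unsafe version mirroring the question's string building: whoever
    controls the loot text also controls the rest of the statement."""
    sql = ("INSERT INTO inventory (user_id, item_name) "
           f"SELECT id, '{item}' FROM users WHERE username = '{username}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def inventory_of(conn, username):
    """Items held by one user, oldest first; this is what the user page shows."""
    rows = conn.execute(
        "SELECT i.item_name FROM inventory i JOIN users u ON u.id = i.user_id "
        "WHERE u.username = ? ORDER BY i.id",
        (username,),
    ).fetchall()
    return [r[0] for r in rows]


def unquoted_value_fails(conn, item):
    """Reproduces the question's pattern of pasting the value into the SQL
    without quotes: the database reads it as a column name and the statement
    errors out instead of writing anything. Returns the error text."""
    try:
        conn.execute(f"UPDATE users SET username = ({item}) WHERE id = 1")
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = open_db()
    add_loot(db, "alice", "Meat")
    add_loot(db, "alice", "Potion")
    print("alice:", inventory_of(db, "alice"))
    print("unquoted value:", unquoted_value_fails(db, "Meat"))
    # Loot text that rewrites the WHERE clause and gives every player a Potion.
    add_loot_concatenated(db, "alice", "Potion' FROM users WHERE 1=1 --")
    print("bob:", inventory_of(db, "bob"))
```

The PDO equivalent of `add_loot` is `$db->prepare('INSERT INTO inventory (user_id, item_name) SELECT id, :item FROM users WHERE username = :username')` with both values passed through `bindValue` as `PDO::PARAM_STR` (the username is text, so `PDO::PARAM_INT` is the wrong type for it). Two things to check when an update "just stays empty": the value is being pasted into the statement unquoted, which makes the database treat it as a column name and reject the statement, and PDO before PHP 8.0 defaults to silently swallowing such errors unless you set `PDO::ATTR_ERRMODE` to `PDO::ERRMODE_EXCEPTION`.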

0 Answers