-2

I have a simple market and user customisation system, when a user equips an item it goes to (URL)/render.php?id=item ID , in the render.php file it has simple code found below. How would I make the file check if the user actually owns the item before equiping it? (at the moment it doesn't and you can wear stuff you don't own by abusing that)

<? include "../../header.php";
$id = $_GET['id'];
$item = $handler->query("SELECT * FROM items WHERE id=" . $_GET['id']);
$gI = $item->fetch(PDO::FETCH_OBJ);
$handler->query("UPDATE `users` SET `$gI->type`='$gI->wearable' WHERE `id`='$myu->id'");
?>
<head><meta http-equiv="refresh" content="1; url=/Customize/"></head>
Dharman
  • 30,962
  • 25
  • 85
  • 135
CodeFlow
  • 7
  • 5
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 29 '21 at 10:30

1 Answers1

0

You can make a table for users_items and use the table to save the users items when a user obtains an item. You would insert a row in this table that links the user to the item, i.e: id, user_id, item_id, then instead of directly selecting from the items table, you select from users_items and JOIN from the items table the details of the item.

SELECT items.type, 
       items.wearable 
FROM users_items
LEFT JOIN items ON items.id = users_items.item_id
WHERE users_items.item_id = ?

Then use prepared queries on ?, instead of string concatenation to prevent SQL injection

Lawrence Cherone
  • 46,049
  • 7
  • 62
  • 106
Kareem Adel
  • 371
  • 2
  • 10
  • Thanks for this reply, I don't really understand this..? I already have a table called inventory which has an id, the users id and the item id, how would I select this and read it then go on to execute the rest? – CodeFlow May 29 '21 at 03:24
  • You Can Get The Items USER have and search in and if he have the item then Update query if not you can Send Error TO USER – Kareem Adel May 31 '21 at 14:07