Forum » Suggestions » Bug: amount of purchase appears to be ,000,010 instead of $1,000,010
Username
5205 msgs.
Golden Ball
Hello,

I have noticed for quite some time that the amount of a purchase is always missing the first number. Today, I saw a purchase in pounds that had the first number, and now I suspect I know the reason for the bug. The $ symbol is probably used inside a double-quoted string like "purchased for $$num,$mid,$last" and PHP is assuming that $$num is a variable. Use a single-quoted string 'purchased for $' . $num . ',' . $mid . ',' . $last and the bug will go away.

This is a reasonably serious bug: unintentional variable expansion could potentially be a security hole, so I recommend plugging it ASAP.
15/08/2011 20:13
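An added example, not code from the Striker Manager site (whose source is not shown in this thread), contrasting the two quoting styles discussed in the post above. The function names (`format_purchase`, `html`, `news_line`) and the sample player name are constructed for the example. It also builds the display string from the integer amount with `number_format` instead of hand-split digit groups, and escapes the user-influenced player name at output time, which is the relevant defence for the session-hijack scenario raised further down the thread. For reference, PHP's double-quoted parser expands only `$name`, `${name}` and `{$expr}` sequences; a `$` immediately followed by another `$` is kept as a literal character.

```php
<?php
// Added example: safe construction and output of a purchase message.
// Not the site's own code; all names and values here are constructed.
declare(strict_types=1);

/**
 * Format a purchase amount for display. Single-quoted literals plus explicit
 * concatenation: no "$" inside the literal can be read as a variable name.
 */
function format_purchase(int $amount, string $symbol = '$'): string
{
    return 'purchased for ' . $symbol . number_format($amount);
}

/**
 * Escape a string for inclusion in HTML text. Escape at output time, not
 * when the value is stored, so stored data stays usable elsewhere.
 */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * One news line: the (user-chosen, hence untrusted) player name followed by
 * the formatted amount. Both parts are escaped before reaching the page.
 */
function news_line(string $player, int $amount, string $symbol = '$'): string
{
    return html($player) . ' ' . html(format_purchase($amount, $symbol));
}

// --- demonstration with constructed values ---
$num  = 1;
$mid  = '000';
$last = '010';

// Double-quoted template: every $name, ${name} and {$expr} is interpolated,
// so the message text and the variables are parsed as one unit.
$interpolated = "purchased for $$num,$mid,$last";
echo $interpolated, PHP_EOL;

// Single-quoted template: nothing inside the quotes is interpolated; the
// values are joined explicitly, exactly as the post recommends.
$concatenated = 'purchased for $' . $num . ',' . $mid . ',' . $last;
echo $concatenated, PHP_EOL;

// Preferred: derive the display string from the integer amount.
echo format_purchase(1000010), PHP_EOL;
echo format_purchase(1000010, '£'), PHP_EOL;

// Output escaping: markup in a player name is rendered as inert text.
echo news_line('<b>Smith</b>', 1000010), PHP_EOL;
```

Run it with `php example.php`. The first two echoes print the same text, since the leading `$` in `$$num` is not a variable marker, which is why the concatenated form is preferable for readability rather than because the two differ in output here. The last echo prints the player's name with `<` and `>` converted to entities, so a name chosen to carry script would display as text instead of executing in the viewer's browser.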
Username
2108 msgs.
Best scorer
It's actually not a problem; it says the correct price in the transfers for the team, and on the player's history.

15/08/2011 22:01
Username
5205 msgs.
Golden Ball
How is this not a problem? Read the part on security in my message.
15/08/2011 22:02
Username
2108 msgs.
Best scorer
It isn't a problem because these are things that read what is already there; it doesn't actually store the information. If it's a security hole then the most people could do is put in their own messages in the news thingy.
15/08/2011 22:05
Username
5205 msgs.
Golden Ball
Trust me, there are all kinds of things that can happen when a variable is echoed without meaning to echo it. For instance, a variable could be created (depending on how the rest of striker manager is written) with the name "1" that contains javascript code that will send your browser's cookies to another server, which would allow a user to hijack your browser session and mess with your team, change your password, and should an admin view this page, it could also allow messing with the admin interface to striker manager.

I am one of the core developers of the PHP language itself, as well as a heavy user, and have seen "minor" problems like this turn into major security issues in a hurry.

So, yes, this is a potentially serious bug.

If you are one of the code devs for striker manager, PM me and we can talk further if you still have questions.
15/08/2011 22:14
Username
45 msgs.
Child's coach
I don't know a lot of internet security, but I messaged this thread to an admin, just to be sure. Thanks for sharing!
15/08/2011 22:54