First about HTML: it's bad, really bad. E.g.:
<div class="">
or using ' instead of ". The login form doesn't submit when I hit Enter/Return.
Now a fast look into your code, includes dir:
functions.php
[CODE]function wClass($class)
{
    switch ($class)
    {
        case 1:
            $class = "Warrior";
            break;
        // rest of code
    }
}[/CODE]
Really? Why don't you just:
[CODE]
$class = array(
    1 => "Warrior"
    // etc
);[/CODE]
And then echo $class[$class_id]? Same with race and expansion. Your whole functions.php except sha1_pass() is useless.
I don't like how the language variable is declared; you should name the array keys, e.g. $lang['pass'] etc.
login/index.php
I don't like how you handle MySQL; this can be done better. Use PDO for it.
Also, $_POST variables should be verified with PHP as well; I can't see a single preg_match there.
$_SESSION['username'] = ucwords(strtolower($overeni_fetch['username']));
That's bad; why don't you use a single function like ucfirst() here?
pages/email.php
filter_var is a nice approach to validating an email, but it will return true when someone puts [email protected]
Changing an email should require email validation (you send an email with a confirmation link to the old address,
the user clicks the link and then the mail is changed); the same should be done with the password.
pages/password.php
$pass_sql = "UPDATE account SET sha_pass_hash='".sha1_pass($_SESSION['username'], $pass_mres)."' WHERE id=".$_SESSION['id'];
Won't work; you have to reset (set to 0) the v, s and session_key columns in the account table as well. You should wipe
the session and force the user to relogin after changing a pass.
pages/rename.php
Done wrong; you don't control the input name at all, e.g. Aw3s0m_e will be a valid name. Not to mention this
is not how a rename should go. You are updating the name in the characters table instead of updating the at_login column.
Why? Wouldn't it be better to let the game handle the rename? What if someone picks a name that is already owned by someone else?
[CODE]$char_exist_sql = "SELECT * FROM characters WHERE name='".$rename_mres."'";
$char_exist_q = mysql_query($char_exist_sql);
$char_exist = mysql_num_rows($char_exist_q);
$golds_sql = "SELECT * FROM characters WHERE guid=".$name_mres;[/CODE]
What? Such a fail, and I'm sure there's more of those in your code ;-p
Why SELECT *? Why 2 SQLs? "SELECT id, name, mone FROM…" There are 71 columns in the characters table,
some of them hold a large amount of data, and you really don't need all of those. Also, SELECTs should
be done by id when it's possible, and it is possible in this case.
I see the same SQL fail in pages/lottery.php. I don't like your variable naming as well; sometimes you use your
local language instead of English. If I didn't know PHP I would have problems understanding what's
going on in the code.
OK, I think it's enough. GL & HF fixing your code.
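
The password-change points raised in the post (PDO, a server-side input check, resetting v, s and session_key, wiping the session) put together in one added example; this is not code from the reviewed project or from the poster. The body of sha1_pass(), the password pattern and the SQLite demo schema are assumptions.

```php
<?php
// Added example, not the reviewed project's code. Table and column names
// (account, id, sha_pass_hash, v, s, session_key) are the ones the post names.

// Stand-in for the project's sha1_pass(); its real body is not shown in the
// post, so this formula is an assumption.
if (!function_exists('sha1_pass')) {
    function sha1_pass(string $user, string $pass): string {
        return sha1(strtoupper($user) . ':' . strtoupper($pass));
    }
}

function change_password(PDO $db, int $accountId, string $username, string $newPass): bool
{
    // Server-side check of the POSTed value; this length/charset policy is an assumption.
    if (!preg_match('/\A[\x21-\x7E]{8,16}\z/', $newPass)) {
        return false;
    }
    // Bound parameters instead of string concatenation; v, s and session_key
    // are reset in the same statement, as the post asks.
    $stmt = $db->prepare(
        'UPDATE account SET sha_pass_hash = :hash, v = 0, s = 0, session_key = 0
          WHERE id = :id'
    );
    $stmt->execute([':hash' => sha1_pass($username, $newPass), ':id' => $accountId]);

    // Wipe the web session so the user has to log in again.
    $_SESSION = [];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_destroy();
    }
    return true;
}

// Constructed demo on an in-memory SQLite database (column types are made up).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE account (id INTEGER PRIMARY KEY, username TEXT,
           sha_pass_hash TEXT, v TEXT, s TEXT, session_key TEXT)');
$db->exec("INSERT INTO account VALUES (1, 'DEMO', 'old', 'AA', 'BB', 'CC')");
$_SESSION = ['id' => 1, 'username' => 'Demo'];

var_dump(change_password($db, 1, 'Demo', 'short'));        // fails the input check
var_dump(change_password($db, 1, 'Demo', "it's-a-pass"));  // the quote is bound as data
print_r($db->query('SELECT sha_pass_hash, v, s, session_key FROM account WHERE id = 1')
    ->fetch(PDO::FETCH_ASSOC));
```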