I have a web game that players can train troops according to the gold they have , but someone is bypassing that and able to create billions of troops
I want to confirm if this function is vulnerable before I apply any fixes
please check code and tell me if there is any change he may bypass intval()
I read like people do input stuff like 100000e-100 or 9e18 and that would do the trick , I tried it did not work for me
I need help detecting how is he getting this amount of troops
function :
public function handleWarrior()
{
$itemId = $this->buildings[$this->buildingIndex]['item_id'];
$this->troopsUpgrade = array();
$_arr = explode(',', $this->data['troops_training']);
foreach ($_arr as $troopStr) {
list($troopId, $researches_done, $defense_level, $attack_level) = explode(' ', $troopStr);
if (($researches_done == 1 && 0 < $this->gameMetadata['troops'][$troopId]['gold_needed'])) {
$this->troopsUpgrade[$troopId] = $troopId;
}
}
$this->warriorMessage = '';
if (((is_post('tf') && !$this->isGameTransientStopped()) && !$this->isGameOver())) {
$cropConsume = 0;
$totalGoldsNeeded = 0;
$trop = array();
foreach ($_POST['tf'] as $troopId => $num) {
$num = intval($num);
if (($num <= 0 || !isset($this->troopsUpgrade[$troopId]))) {
continue;
}
$troopMetadata = $this->gameMetadata['troops'][$troopId];
$needres = $troopMetadata['training_resources'][1] + $troopMetadata['training_resources'][2] + $troopMetadata['training_resources'][3] + $troopMetadata['training_resources'][4];
$totalGoldsNeeded += $num;
$trop[$troopId] = floor(($troopMetadata['gold_needed'] / ($needres / 100)) * $num);
$cropConsume += $troopMetadata['crop_consumption'] * $trop[$troopId];
$totalGoldsNeeded = ceil($totalGoldsNeeded);
}
if ($totalGoldsNeeded <= 0) {
return null;
}
$canProcess = ($totalGoldsNeeded <= $this->data['gold_num'] and $totalGoldsNeeded <= $this->data['gold_buy']);
$this->warriorMessage = ($canProcess ? 1 : 2);
if ($canProcess) {
$troopsString = '';
foreach ($this->troops as $tid => $num) {
if ($tid == 99) {
continue;
}
$neededNum = ((isset($this->troopsUpgrade[$tid]) && isset($trop[$tid])) ? intval($trop[$tid]) : 0);
if ($troopsString != '') {
$troopsString .= ',';
}
$troopsString .= $tid . ' ' . $neededNum;
}
$this->load_model('Plus', 'm');
$this->m->DeletPlayerGold($this->player->playerId, $totalGoldsNeeded,16);
$this->data['gold_num'] -= $totalGoldsNeeded;
$procParams = $troopsString . '|0||||||1';
$buildingMetadata = $this->gameMetadata['items'][$this->buildProperties['building']['item_id']];
$bLevel = $this->buildings[$this->buildingIndex]['level'];
$needed_time = $buildingMetadata['levels'][$bLevel - 1]['value'] * 3600;
$this->load_library('QueueTask', 'newTask', array(
'taskType' => QS_WAR_REINFORCE,
'playerId' => 0,
'executionTime' => $needed_time
));
$this->newTask->villageId = 0;
$this->newTask->toPlayerId = $this->player->playerId;
$this->newTask->toVillageId = $this->data['selected_village_id'];
$this->newTask->procParams = $procParams;
$this->newTask->tag = array(
'troops' => NULL,
'hasHero' => FALSE,
'resources' => NULL,
'troopsCropConsume' => $cropConsume
);
$this->queueModel->addTask($this->newTask);
}
}
}