Hey All,
I'm making online simple fighting game,
this script is the attack.php which calculate the atk from the primary weapon and secondary weapon and calculate the def from the equipped armor and get them from the db
what i want is if i add new item like Shield and i want it to be calculated in the fight beside the armor and the same if i add some thing like ring to increase the damage beside the weapons .. how i edit this script to do that? :/
if u need any more informations tell me :)

<?php
$menuhide=1;
$atkpage=1;
include "globals.php";

$_GET['ID'] == (int) $_GET['ID'];
if(!$_GET['ID'])
{
print "WTF you doing, bro?";
$h->endpage();
exit;
}
else if($_GET['ID'] == $userid)
{
print "Only the crazy attack themselves.";
$h->endpage();
exit;
}
else if ($ir['hp'] <= 1)
{
print "Only the crazy attack when their unconscious.<br />
<a href='index.php'>Back</a>";
$h->endpage();
exit;
}
else if ($_SESSION['attacklost'] == 1)
{
print "Only the losers of all their EXP attack when they've already lost.<br />
<a href='index.php'>Back</a>";
$_SESSION['attacklost']=0;
$h->endpage();
exit;
}
//get player data
$youdata=$ir;
$q=$db->query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid={$_GET['ID']}");
$odata=$db->fetch_row($q);
$myabbr=($ir['gender']=="Male") ? "his" : "her";
$oabbr=($ir['gender']=="Male") ? "his" : "her";
if($ir['attacking'] && $ir['attacking'] != $_GET['ID'])
{
print "Bad, bad, bad girl.<br />
<a href='index.php'>Back</a>";
$_SESSION['attacklost']=0;
$h->endpage();
exit;
}
if($odata['hp'] == 1)
{
print "This player is unconscious.<br />
<a href='index.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
else if($odata['hospital'])
{
print "This player is in hospital.<br />
<a href='index.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
else if($ir['hospital'])
{
print "While in hospital you can't attack.<br />
<a href='hospital.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
else if($odata['jail'])
{
print "This player is in jail.<br />
<a href='index.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
else if($ir['jail'])
{
print "While in jail you can't attack.<br />
<a href='jail.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
else if($odata['travelling'])
{
print "That player is travelling.<br />
<a href='index.php'>&gt; Back</a>";
$h->endpage();
$_SESSION['attacking']=0;
$ir['attacking']=0;
$db->query("UPDATE users SET attacking=0 WHERE userid=$userid");
exit;
}
print "<table width=100%><tr><td colspan=2 align=center>";
if($_GET['wepid'])
{
if($_SESSION['attacking']==0 && $ir['attacking'] == 0)
{
if ($youdata['energy'] >= $youdata['maxenergy']/2)
{

$youdata['energy']-= floor($youdata['maxenergy']/2);
$me=floor($youdata['maxenergy']/2);
$db->query("UPDATE users SET energy=energy- {$me} WHERE userid=$userid");
$_SESSION['attacklog']="";
$_SESSION['attackdmg']=0;
}
else
{
print "You can only attack someone when you have 50% energy";
$h->endpage();
exit;
}
}
$_SESSION['attacking']=1;
$ir['attacking']=$odata['userid'];
$db->query("UPDATE users SET attacking={$ir['attacking']} WHERE userid=$userid");
$_GET['wepid'] = (int) $_GET['wepid'];
$_GET['nextstep'] = (int) $_GET['nextstep'];
//damage

if($_GET['wepid'] != $ir['equip_primary'] && $_GET['wepid'] != $ir['equip_secondary'])
{
print "Stop trying to abuse a game bug. You can lose all your EXP for that.<br />
<a href='index.php'>&gt; Home</a>";
$db->query("UPDATE users SET exp=0 where userid=$userid",$c);
die("");
}
$qo=$db->query("SELECT i.* FROM items i   WHERE i.itmid={$_GET['wepid']}");
$r1=$db->fetch_row($qo);
$mydamage=(int) (($r1['weapon']*$youdata['strength']/($odata['guard']/1.5))*(rand(8000,12000)/10000));
$hitratio=max(10,min(60*$ir['agility']/$odata['agility'],95));
 if(rand(1,100) <= $hitratio )
{
$q3=$db->query("SELECT i.armor FROM items i   WHERE itmid={$odata['equip_armor']} ORDER BY rand()");
if($db->num_rows($q3))
{
$mydamage-=$db->fetch_single($q3);
}
if($mydamage < -100000) { $mydamage=abs($mydamage); }
else if($mydamage < 1) { $mydamage=1; }
$crit=rand(1,40);
if($crit==17) { $mydamage*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $mydamage/=(rand(20,40)/10); } 
$mydamage=round($mydamage);
$odata['hp']-=$mydamage;
if($odata['hp']==1) { $odata['hp']=0;$mydamage+=1; }
$db->query("UPDATE users SET hp=hp-$mydamage WHERE userid={$_GET['ID']}");
print "<font color=red>{$_GET['nextstep']}. Using your {$r1['itmname']} you hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n";
$_SESSION['attackdmg']+=$mydamage;
$_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. Using {$myabbr} {$r1['itmname']} {$ir['username']} hit {$odata['username']} doing $mydamage damage ({$odata['hp']})</font><br />\n";
}
else
{
print "<font color=red>{$_GET['nextstep']}. You tried to hit {$odata['username']} but missed ({$odata['hp']})</font><br />\n";
$_SESSION['attacklog'].="<font color=red>{$_GET['nextstep']}. {$ir['username']} tried to hit {$odata['username']} but missed ({$odata['hp']})</font><br />\n";
}
if($odata['hp'] <= 0)
{
$odata['hp']=0;
$_SESSION['attackwon']=$_GET['ID'];
$db->query("UPDATE users SET hp=0 WHERE userid={$_GET['ID']}");
print "<br />
<b>What do you want to do with {$odata['username']} now?</b><br />
<form action='attackwon.php?ID={$_GET['ID']}' method='post'><input type='submit' value='Mug Them' /></form>
<form action='attackbeat.php?ID={$_GET['ID']}' method='post'><input type='submit' value='Hospitalize Them' /></form>
<form action='attacktake.php?ID={$_GET['ID']}' method='post'><input type='submit' value='Leave Them' /></form>";
}
else {
//choose opp gun
$eq=$db->query("SELECT i.* FROM  items i  WHERE i.itmid IN({$odata['equip_primary']}, {$odata['equip_secondary']})");
if(mysql_num_rows($eq) == 0)
{
$wep="Fists";
$dam=(int)((((int) ($odata['strength']/$ir['guard']/100)) +1)*(rand(8000,12000)/10000));
}
else
{
$cnt=0;
while($r=$db->fetch_row($eq))
{
$enweps[]=$r;
$cnt++;
}
$weptouse=rand(0,$cnt-1);
$wep=$enweps[$weptouse]['itmname'];
$dam=(int) (($enweps[$weptouse]['weapon']*$odata['strength']/($youdata['guard']/1.5))*(rand(8000,12000)/10000));
}
$hitratio=max(10,min(60*$odata['agility']/$ir['agility'],95));
if(rand(1,100) <= $hitratio)
{
$q3=$db->query("SELECT i.armor FROM items i   WHERE itmid={$ir['equip_armor']} ORDER BY rand()");
if($db->num_rows($q3))
{
$dam-=$db->fetch_single($q3);
}
if($dam < -100000) { $dam=abs($dam); }
else if($dam < 1) { $dam=1; }
$crit=rand(1,40);
if($crit==17) { $dam*=rand(20,40)/10; } else if($crit==25 or $crit == 8) { $dam/=(rand(20,40)/10); } 
$dam=round($dam);
$youdata['hp']-=$dam;
if ($youdata['hp']==1) { $dam+=1; $youdata['hp']=0; }
$db->query("UPDATE users SET hp=hp-$dam WHERE userid=$userid");
$ns=$_GET['nextstep']+1;
print "<font color=blue>{$ns}. Using $oabbr $wep {$odata['username']} hit you doing $dam damage ({$youdata['hp']})</font><br />\n";
$_SESSION['attacklog'].="<font color=blue>{$ns}. Using $oabbr $wep {$odata['username']} hit {$ir['username']} doing $dam damage ({$youdata['hp']})</font><br />\n";
}
else
{
$ns=$_GET['nextstep']+1;
print "<font color=red>{$ns}. {$odata['username']} tried to hit you but missed ({$youdata['hp']})</font><br />\n";
$_SESSION['attacklog'].="<font color=blue>{$ns}. {$odata['username']} tried to hit {$ir['username']} but missed ({$youdata['hp']})</font><br />\n";
}
if($youdata['hp'] <= 0)
{
$youdata['hp']=0;
$_SESSION['attacklost']=1;
$db->query("UPDATE users SET hp=0 WHERE userid=$userid");
print "<form action='attacklost.php?ID={$_GET['ID']}' method='post'><input type='submit' value='Continue' />";
}
}
}
else if ($odata['hp'] < 5)
{
print "You can only attack those who have health";
$h->endpage();
exit;
}
else if ($ir['gang'] == $odata['gang'] && $ir['gang'] > 0)
{
print "You are in the same gang as {$odata['username']}! What are you smoking today dude!";
$h->endpage();
exit;
}
else if ($youdata['energy'] < $youdata['maxenergy']/2)
{
print "You can only attack someone when you have 50% energy";
$h->endpage();
exit;
}
else if ($youdata['location'] != $odata['location'])
{
print "You can only attack someone in the same location!";
$h->endpage();
exit;
}
else
{
}
print "</td></tr>";
if($youdata['hp'] <= 0 || $odata['hp'] <= 0)
{
print "</table>";
}
else
{
$vars['hpperc']=round($youdata['hp']/$youdata['maxhp']*100);
$vars['hpopp']=100-$vars['hpperc'];
$vars2['hpperc']=round($odata['hp']/$odata['maxhp']*100);
$vars2['hpopp']=100-$vars2['hpperc'];


$mw=$db->query("SELECT i.* FROM  items i  WHERE i.itmid IN({$ir['equip_primary']}, {$ir['equip_secondary']})");
print "<tr><td colspan=2 align='center'>Attack with:<br />";
if($db->num_rows($mw) > 0)
{
while($r=$db->fetch_row($mw))

{
if(!$_GET['nextstep']) { $ns=1; } else { $ns=$_GET['nextstep']+2; }
if($r['itmid']==$ir['equip_primary'])
{
print "<b>Primary Weapon:</b> ";
}
if($r['itmid']==$ir['equip_secondary'])
{
print "<b>Secondary Weapon:</b> ";
}
print "<a href='attack.php?nextstep=$ns&amp;ID={$_GET['ID']}&amp;wepid={$r['itmid']}'>{$r['itmname']}</a><br />";
}
}
else
{
print "You have nothing to fight with.";
}
print "</table>";
print "<table width='50%' align='center'><tr><td align=right>Your Health: </td><td><img src=greenbar.png width={$vars['hpperc']} height=10><img src=redbar.png width={$vars['hpopp']} height=10></td><tr><td align=right>Opponents Health:  </td><td><img src=greenbar.png width={$vars2['hpperc']} height=10><img src=redbar.png width={$vars2['hpopp']} height=10></td></tr></table>";
}
$h->endpage();
?>
Member Avatar for diafol

How about cutting down the code to the relevant bits? 304 lines of code is a bit much.

You'll probably need Ajax to update the DB without forcing a page reload. jQuery is a good option for handling ajax.

There are serious security vulnerabilities in your code, both regards to sql injection and cross side scripting attacks.

for example:
print "<font color=red>{$_GET
Here you are printing out raw data coming from user, for example javascript cookie script.
$qo=$db->query("SELECT i.* FROM items i WHERE i.itmid={$_GET}");
again working with raw data so vulnerable for sql injection.

At least it seems so after quick review but I agree with above speaker you should be able to cut the code down considerably.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.