Quote:
Originally Posted by Mzyxptlk
Agreed. The previous eta never bug was also caused by a complete lack of server-side checking.
It sounds like a nasty pattern. I wonder what else isn't checked server-side.
Hint to whoever coded it.
When you receive a POST form for production orders (or indeed anything), you don't trust anything that is submitted.
You find out *yourself* from the database anything that is needed, such as the number of factories that the person has.
You check *yourself* from the database that there are enough resources to build the requested ships.
You check *yourself* to see if there are enough production slots.
You never ever ever accept verbatim anything that is sent from the client, and absolutely never ever ever ever
ever assemble an SQL string directly from submitted data without doing checks on it, or you open yourself up to SQL injection attacks if you are not using prepared statements, which I doubt you are.
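The handler described in the post above, written out as an added example (this is not code from the game or from anyone in the thread). It uses Python with an in-memory SQLite database; the schema, the table and column names, the ship costs and the one-slot-per-factory rule are all assumptions made up for the demonstration. The unsafe handler trusts the form and concatenates it into SQL; the safe one types the fields, looks every fact up in the database itself, and only ever passes client data as bound parameters.

```python
import sqlite3

SLOTS_PER_FACTORY = 1  # assumption: each factory provides one open production slot


def setup_db():
    """Constructed sample data (not the real game's schema): one player, two ship types,
    and one order already occupying a production slot."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE players    (id INTEGER PRIMARY KEY, factories INTEGER, metal INTEGER);
        CREATE TABLE ship_types (name TEXT PRIMARY KEY, metal_cost INTEGER);
        CREATE TABLE orders     (id INTEGER PRIMARY KEY, player_id INTEGER, ship TEXT, qty INTEGER);
        INSERT INTO players    VALUES (1, 3, 1000);
        INSERT INTO ship_types VALUES ('frigate', 100), ('cruiser', 400);
        INSERT INTO orders     VALUES (1, 1, 'frigate', 2);
    """)
    return conn


def count_orders(conn, player_id):
    return conn.execute("SELECT COUNT(*) FROM orders WHERE player_id = ?", (player_id,)).fetchone()[0]


class OrderError(ValueError):
    """Raised for any order the server refuses; the web layer would turn it into an error page."""


def place_order_unsafe(conn, player_id, form):
    """The anti-pattern from the post: no server-side checks, and the form fields are
    spliced straight into the SQL text. A qty of "1); DELETE FROM orders; --" runs as SQL."""
    sql = ("INSERT INTO orders (player_id, ship, qty) VALUES (%d, '%s', %s);"
           % (player_id, form["ship"], form["qty"]))
    conn.executescript(sql)  # executescript runs every statement the attacker smuggled in


def place_order(conn, player_id, form):
    """Hardened handler: treat the form as hostile, derive every fact from the database,
    and bind client values as parameters rather than building SQL strings."""
    # 1. Strictly type the untrusted fields. Anything that is not a plain integer is rejected,
    #    which also throws out every injection payload before it gets near the database.
    ship = str(form.get("ship", ""))
    try:
        qty = int(form.get("qty", ""))
    except (TypeError, ValueError):
        raise OrderError("qty is not an integer")
    if not 0 < qty <= 1000:
        raise OrderError("qty out of range")

    # 2. Look the facts up ourselves: factories, resources, slots. The client's claims are ignored.
    row = conn.execute("SELECT factories, metal FROM players WHERE id = ?", (player_id,)).fetchone()
    if row is None:
        raise OrderError("unknown player")
    factories, metal = row

    cost_row = conn.execute("SELECT metal_cost FROM ship_types WHERE name = ?", (ship,)).fetchone()
    if cost_row is None:
        raise OrderError("unknown ship type")  # a ship name we do not know is not buildable, full stop
    cost = cost_row[0] * qty
    if cost > metal:
        raise OrderError("not enough metal")

    if count_orders(conn, player_id) >= factories * SLOTS_PER_FACTORY:
        raise OrderError("no free production slot")

    # 3. Write atomically with bound parameters. The UPDATE re-checks the balance in the same
    #    statement, so two submissions racing each other cannot both spend the same metal.
    with conn:  # commits on success, rolls back if anything below raises
        cur = conn.execute(
            "UPDATE players SET metal = metal - ? WHERE id = ? AND metal >= ?",
            (cost, player_id, cost))
        if cur.rowcount != 1:
            raise OrderError("not enough metal")
        conn.execute("INSERT INTO orders (player_id, ship, qty) VALUES (?, ?, ?)",
                     (player_id, ship, qty))
    return cost


def try_order(conn, player_id, form):
    """Returns ('ok', cost) or ('rejected', reason), the shape a request handler would map to HTTP."""
    try:
        return ("ok", place_order(conn, player_id, form))
    except OrderError as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    db = setup_db()
    print(try_order(db, 1, {"ship": "frigate", "qty": "3"}))
    print(try_order(db, 1, {"ship": "frigate", "qty": "1); DELETE FROM orders; --"}))
    print(try_order(db, 1, {"ship": "cruiser", "qty": "2"}))
    print("orders left:", count_orders(db, 1))
```

Note what the safe version does not do: it never compares the submitted values against hidden form fields like "factories" or "cost", because those came from the same client. Prepared statements close the injection hole, but only the database lookups close the "claim you have ten factories" hole, and the two fixes are independent of each other.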