if (isset($_GET["allow"])) {
if (isset($_GET["deny"])) {
if (isset($_POST["value-del"])) {
if (isset($_POST["value-add"])) {
if (isset($_GET["help"])) {
/**
 * Echoes a YahooWin3(...) JavaScript call for the current page's access-control popup.
 *
 * The call receives 600, the current page name with "?popup=yes" appended,
 * and the parsed "{crossroads_access_control}" token as its caption.
 *
 * NOTE(review): $page and $title are placed inside single-quoted JavaScript
 * string literals with no escaping. If either value can ever contain a quote,
 * a backslash or a line break, the emitted script is malformed or altered;
 * confirm both are constrained, or encode them for a JavaScript string context.
 */
function js()
    $page = CurrentPageName();
    $tpl = new templates();
    // _ENGINE_parse_body() presumably expands the token into display text.
    $title = $tpl->_ENGINE_parse_body("{crossroads_access_control}");
    $html = "YahooWin3(600,'{$page}?popup=yes','{$title}')";
    echo $html;
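/**
 * Buys an item-market listing and delivers the item to another player as a gift.
 *
 * Reads the listing id from $_POST['ID'] and the recipient's user id from
 * $_POST['user']. On success the listing is deleted, the price is moved from
 * the buyer to the seller in the listing's currency, both players get an
 * event, and a row is written to imbuylogs. All output is printed directly.
 *
 * NOTE(review): the existence check, the DELETE and the balance updates are
 * separate statements with no visible transaction or row lock, so two
 * concurrent requests for the same listing could both pass the check.
 * NOTE(review): the recipient is not checked for existence before item_add().
 * NOTE(review): usernames and the item name are interpolated into a quoted
 * SQL literal in the imbuylogs INSERT without escaping; confirm they cannot
 * contain quotes, or escape them through the $db layer.
 */
function item_gift2()
{
    global $db, $ir, $c, $userid, $h;

    // Both ids are interpolated unquoted into SQL below. Forcing them to
    // non-negative integers means request data can never alter a query.
    $listingId = isset($_POST['ID']) ? abs((int) $_POST['ID']) : 0;
    $recipientId = isset($_POST['user']) ? abs((int) $_POST['user']) : 0;

    $q = $db->query("SELECT * FROM itemmarket im LEFT JOIN items i ON i.itmid=im.imITEM WHERE imID={$listingId}");
    if (!$db->num_rows($q)) {
        print "Error, either this item does not exist, or it has already been bought.<br />\r\n<a href='itemmarket.php'>Back</a> </div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div> ";
        // The listing shows no exit in this branch; return so a missing
        // listing cannot fall through into the purchase.
        return;
    }
    $r = $db->fetch_row($q);
    // The currency column name comes from the listing row, not from the request.
    $curr = $r['imCURRENCY'];
    if ($r['imPRICE'] > $ir[$curr]) {
        print "Error, you do not have the funds to buy this item.<br />\r\n<a href='itemmarket.php'>Back</a></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>";
        // Same here: an unaffordable listing must not be charged or delivered.
        return;
    }
    item_add($recipientId, $r['imITEM'], 1);
    // Id of the last insert (presumably the inventory row item_add() created);
    // 99999 stands in when none is reported.
    $i = $db->insert_id() ? $db->insert_id() : 99999;
    $db->query("DELETE FROM itemmarket WHERE imID={$listingId}");
    // Move the price from the buyer to the seller.
    $db->query("UPDATE users SET {$curr}={$curr}-{$r['imPRICE']} where userid={$userid}");
    $db->query("UPDATE users SET {$curr}={$curr}+{$r['imPRICE']} where userid={$r['imADDER']}");
    if ($curr == "money") {
        event_add($r['imADDER'], "<a href='viewuser.php?u={$userid}'>{$ir['username']}</a> bought your {$r['itmname']} item from the market for \$" . number_format($r['imPRICE']) . ".", $c);
        event_add($recipientId, "<a href='viewuser.php?u={$userid}'>{$ir['username']}</a> bought you a {$r['itmname']} from the item market as a gift.", $c);
        $u = $db->query("SELECT username FROM users WHERE userid={$recipientId}");
        $uname = $db->fetch_single($u);
        $db->query("INSERT INTO imbuylogs VALUES ('', {$r['imITEM']}, {$r['imADDER']}, {$userid},  {$r['imPRICE']}, {$r['imID']}, {$i}, unix_timestamp(), '{$ir['username']} bought a {$r['itmname']} from the item market for \${$r['imPRICE']} from user ID {$r['imADDER']} as a gift for {$uname} [{$recipientId}]')");
        print "You bought the {$r['itmname']} from the market for \$" . number_format($r['imPRICE']) . " and sent the gift to {$uname}.<br />\r\n<a href='itemmarket.php'>Back</a></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>";
    } else {
        event_add($r['imADDER'], "<a href='viewuser.php?u={$userid}'>{$ir['username']}</a> bought your {$r['itmname']} item from the market for " . number_format($r['imPRICE']) . " crystals.", $c);
        event_add($recipientId, "<a href='viewuser.php?u={$userid}'>{$ir['username']}</a> bought you a {$r['itmname']} from the item market as a gift.", $c);
        $u = $db->query("SELECT username FROM users WHERE userid={$recipientId}");
        $uname = $db->fetch_single($u);
        $db->query("INSERT INTO imbuylogs VALUES ('', {$r['imITEM']}, {$r['imADDER']}, {$userid},  {$r['imPRICE']}, {$r['imID']}, {$i}, unix_timestamp(), '{$ir['username']} bought a {$r['itmname']} from the item market for {$r['imPRICE']} crystals from user ID {$r['imADDER']} as a gift for {$uname} [{$recipientId}]')");
        print "You bought the {$r['itmname']} from the market for " . number_format($r['imPRICE']) . " crystals and sent the gift to {$uname}.<br />\r\n<a href='itemmarket.php'>Back</a></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>";
    }
}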
    // Look up the requested company special.
    // NOTE(review): $_POST['ID'] is interpolated unquoted into this query and no
    // integer cast is visible in this fragment; confirm it is normalised (for
    // example with abs((int) ...)) before this point.
    $q = $db->query("SELECT * FROM compspecials WHERE csID={$_POST['ID']}");
    if ($db->num_rows($q) == 0) {
        print "There is no Company Special with this ID!";
    } else {
        $r = $db->fetch_row($q);
        // NOTE(review): no exit is visible after either rejection message below.
        // As listed, execution continues to the reward grant; confirm the
        // original stops the request in both branches.
        if ($ir['comppoints'] < $r['csCOST']) {
            print "You don't have enough company points to get this reward!";
        if ($r['csJOB'] != $cs['busClass']) {
            print "You are not in this type of Company!";
        // Item reward, granted only when the special defines one.
        if ($r['csITEM']) {
            item_add($userid, $r['csITEM'], '1');
        $money = $r['csMONEY'];
        $crys = $r['csCRYSTALS'];
        $cost = $r['csCOST'];
        $endu = $r['csENDU'];
        $iq = $r['csIQ'];
        $lab = $r['csLABOUR'];
        $str = $r['csSTR'];
        // %u formats every argument as an unsigned integer, so these row values
        // reach SQL as plain digits.
        $db->query(sprintf("UPDATE users SET money=money+%u, crystals=crystals+%u, comppoints=comppoints-%u WHERE userid=%u", $money, $crys, $cost, $userid));
        $db->query(sprintf("UPDATE userstats SET strength=strength+%u,IQ=IQ+%u,labour=labour+%u WHERE userid=%u", $str, $iq, $lab, $userid));
        print "You successfully redeemed the {$r['csNAME']} Special for {$r['csCOST']} Company Points.";
include "globals.php";
// Force the inventory row id to a non-negative integer before it is used in SQL and HTML.
$_GET['ID'] = abs((int) $_GET['ID']);
// The lookup is scoped to $userid, so only rows in the caller's own inventory match.
$id = $db->query("SELECT iv.*,it.* FROM inventory iv LEFT JOIN items it ON iv.inv_itemid=it.itmid WHERE iv.inv_id={$_GET['ID']} AND iv.inv_userid={$userid} LIMIT 1");
if ($db->num_rows($id) == 0) {
    print "Invalid item ID\r\n<br />\r\n<a href='inventory.php'>Back</a>";
} else {
    $r = $db->fetch_row($id);
// Items whose 'weapon' value is empty cannot go into a weapon slot.
if (!$r['weapon']) {
    print "This item cannot be equipped to this slot.\r\n<br />\r\n<a href='inventory.php'>Back</a>";
// A slot was submitted: validate it and equip. Otherwise show the slot form.
if ($_GET['type']) {
    // $_GET['type'] becomes a column name in the UPDATE below, so this allow-list
    // is the only thing keeping request data out of the statement.
    // NOTE(review): no exit is visible after the rejection message; as listed, an
    // invalid value would still reach the UPDATE. Confirm the original stops here.
    // Passing true as in_array()'s third argument would make the match strict.
    if (!in_array($_GET['type'], array("equip_primary", "equip_secondary"))) {
        print "This slot ID is not valid.\r\n<br />\r\n<a href='inventory.php'>Back</a>";
    // Whatever currently occupies the slot goes back to the inventory first.
    if ($ir[$_GET['type']]) {
        item_add($userid, $ir[$_GET['type']], 1);
    item_remove($userid, $r['itmid'], 1);
    $db->query("UPDATE users SET {$_GET['type']} = {$r['itmid']} WHERE userid={$userid}");
    print "Item {$r['itmname']} equipped successfully.\r\n<br />\r\n<a href='inventory.php'>Back</a>";
} else {
    // NOTE(review): equipping is a state change submitted with method='get', and
    // no anti-CSRF token is visible in this form.
    print "\r\n\r\n<div class='generalinfo_txt'>\r\n<div><img src='images/info_left.jpg' alt='' /></div>\r\n<div class='info_mid'><h2 style='padding-top:10px;'> Equip Weapon</h2></div>\r\n<div><img src='images/info_right.jpg' alt='' /></div> </div>\r\n<div class='generalinfo_simple'><br> <br><br>\r\n\r\n\r\n<form action='equip_weapon.php' method='get'>\r\n<input type='hidden' name='ID' value='{$_GET['ID']}' />\r\nPlease choose the slot to equip {$r['itmname']} to, if there is already a weapon in that slot, it will be removed back to your inventory.<br />\r\n<input type='radio' STYLE='color: black;  background-color: white;' name='type' value='equip_primary' checked='checked' /> Primary<br />\r\n<input type='radio' STYLE='color: black;  background-color: white;' name='type' value='equip_secondary'  /> Secondary<br />\r\n<input type='submit' STYLE='color: black;  background-color: white;' value='Equip Weapon' /></form> </div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div> ";
Example #5
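     // Whole units only. The cast forces the requested quantity to a
     // non-negative integer; abs() on the raw string let fractional values
     // such as "0.5" through to the price, item_add() and the stock update.
     $_GET['quantity'] = abs((int) $_GET['quantity']);
     $getitemname = $db->query("select * from items where itmid={$im['itemid']}");
     $itm = mysql_fetch_array($getitemname);
     $itemname = $itm['itmname'];
     $time = time();
     // Never sell more than the listing holds.
     if ($_GET['quantity'] > $im['quantity']) {
         die("There aren't {$_GET['quantity']} of this item available.\r\n<a href=\"javascript: history.go(-1)\">click here to go back</a>");
     }
     // A missing or zero quantity means a single unit.
     if ($_GET['quantity'] == 0) {
         $_GET['quantity'] = 1;
     }
     $price = $_GET['quantity'] * $im['price'];
     // NOTE(review): no comparison of $price with the buyer's balance is visible
     // between here and the debit below; confirm the funds check exists, since
     // the total depends on the quantity computed above.
     $getuser = $db->query("select * from usershops where id={$im['shopid']}");
     $u = mysql_fetch_array($getuser);
     // NOTE(review): the item is granted before the debit and the stock update,
     // with no visible transaction around the sequence.
     item_add($userid, $im['itemid'], $_GET['quantity']);
     $db->query("update users set money=money-{$price} where userid={$userid}");
     // NOTE(review): $itemname is placed in a quoted SQL literal without escaping;
     // confirm item names cannot contain quotes.
     $db->query("insert into usershoplogs values('','{$userid}','{$u['userid']}','{$itemname}','{$price}','{$_GET['quantity']}','{$time}')");
     // NOTE(review): $shop and $item are not assigned anywhere in this fragment,
     // while $u and $itm hold the shop and item rows fetched above; confirm the
     // event reaches the shop owner.
     event_add($shop['userid'], "{$ir['username']} has purchased {$_GET['quantity']} of your {$item['itmname']}'s from your shop!", $c, 'general');
     print "<center>You have successfully purchased <b>{$_GET['quantity']}</b> <b>{$item['itmname']}(s)</b> for \${$price}.!</center>";
     $db->query("update usershops set totalsold=totalsold+{$_GET['quantity']}, money=money+{$price} where id={$im['shopid']}");
     $db->query("update usershopitems set quantity=quantity-{$_GET['quantity']} where id={$im['id']}");
     // Drop listings that have sold out.
     $db->query("delete from usershopitems where quantity=0");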
 } else {
     // No confirmation yet: show a quantity form when several units are listed,
     // or a yes/no prompt when exactly one is.
     // NOTE(review): $_GET['itemnum'] is echoed into a quoted HTML attribute in
     // both forms. No cast or escaping is visible in this fragment; confirm it is
     // forced to an integer earlier, or pass it through htmlspecialchars() with
     // ENT_QUOTES before output.
     // NOTE(review): both forms submit the purchase with method=get and no
     // anti-CSRF token is visible.
     if ($im['quantity'] > 1) {
         print "\r\n\r\n<div class='generalinfo_txt'>\r\n<div><img src='images/info_left.jpg' alt='' /></div>\r\n<div class='info_mid'><h2 style='padding-top:10px;'> Buy Items ...</h2></div>\r\n<div><img src='images/info_right.jpg' alt='' /></div> </div>\r\n<div class='generalinfo_simple'><br> <br><br>\r\n\r\n<center>How many <b>{$item['itmname']}'s</b> would you like to buy for \${$im['price']} each?\r\n<br>\r\nThere are {$im['quantity']} Available\r\n<br>\r\n<table class=table>\r\n<tr>\r\n<td>\r\n<form action=shopbuy.php method=get>\r\n<input type=hidden name=itemnum value='{$_GET['itemnum']}'>\r\n<input type=hidden name=yes value='1'>\r\nAmount: <input type=text name=quantity value='1'>\r\n<input type=submit value=Purchase>\r\n</form>\r\n</td>\r\n<td>\r\n<form action=\"javascript:history.go(-1)\"><input type=submit value=Nevermind></form>\r\n</td>\r\n</tr>\r\n</table></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>\r\n</center>";
     } else {
         if ($im['quantity'] == 1) {
             print "\r\n\r\n<div class='generalinfo_txt'>\r\n<div><img src='images/info_left.jpg' alt='' /></div>\r\n<div class='info_mid'><h2 style='padding-top:10px;'> Buy Items ...</h2></div>\r\n<div><img src='images/info_right.jpg' alt='' /></div> </div>\r\n<div class='generalinfo_simple'><br> <br><br>\r\n\r\n\r\n<center>Are you sure you wish to buy the <b>{$item['itmname']}</b> for \${$im['price']}?\r\n<br>\r\n<table>\r\n<tr>\r\n<td>\r\n<form action=shopbuy.php method=get>\r\n<input type=hidden name=itemnum value='{$_GET['itemnum']}'>\r\n<input type=hidden name=yes value='1'>\r\n<input type=hidden name=quantity value=1>\r\n<input type=submit value=Yes>\r\n</form>\r\n</td>\r\n<td>\r\n<form action=\"javascript:history.go(-1)\"><input type=submit value=No></form>\r\n</td>\r\n</tr>\r\n</table></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>\r\n</center>";
    } else {
        $r = $db->fetch_row($id);
        // NOTE(review): $_GET['user'] is interpolated unquoted into this query and
        // into the itemxferlogs INSERT below, and $_GET['qty'] reaches that INSERT
        // the same way. No integer cast is visible in this fragment; confirm both
        // are normalised before this point.
        $m = $db->query("SELECT * FROM users WHERE userid={$_GET['user']} LIMIT 1");
        // Cannot send more than the inventory row holds.
        if ($_GET['qty'] > $r['inv_qty']) {
            print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou are trying to send more than you have!  <br><br>\r\n\r\n<a href='inventory.php'><font color='white'>Back To Inventory</font></a>\r\n\r\n</div></div> \r\n\r\n";
        } else {
            // Reject zero or negative quantities before any inventory change.
            if ($_GET['qty'] <= 0) {
                print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou know, I'm not dumb, j00 cheating hacker. <br><br>\r\n\r\n<a href='inventory.php'><font color='white'>Back To Inventory</font></a>\r\n\r\n";
            } else {
                // The recipient must exist.
                if ($db->num_rows($m) == 0) {
                    print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou are trying to send to an invalid user!  <br><br>\r\n\r\n<a href='inventory.php'><font color='white'>Back To Inventory</font></a>\r\n\r\n";
                } else {
                    $rm = $db->fetch_row($m);
                    //are we sending it all
                    // Take the items from the sender, then give them to the recipient.
                    item_remove($userid, $r['inv_itemid'], $_GET['qty']);
                    item_add($_GET['user'], $r['inv_itemid'], $_GET['qty']);
                    print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: green;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou sent {$_GET['qty']} {$r['itmname']}(s) to {$rm['username']}\r\n\r\n<br><br>\r\n\r\n<a href='inventory.php'><font color='white'>Back To Inventory</font></a>\r\n\r\n";
                    event_add($_GET['user'], "You received {$_GET['qty']} {$r['itmname']}(s) from <a href='viewuser.php?u={$userid}'>{$ir['username']}</a>", $c);
                    // Transfer log row, including the lastip value of both players.
                    $db->query("INSERT INTO itemxferlogs VALUES('',{$userid},{$_GET['user']},{$r['itmid']},{$_GET['qty']},unix_timestamp(), '{$ir['lastip']}', '{$rm['lastip']}')");
} else {
    // No transfer submitted yet: show the send form for the selected inventory row.
    if ($_GET['ID']) {
        // Scoped to $userid, so only the caller's own inventory rows match.
        $id = $db->query("SELECT iv.*,it.* FROM inventory iv LEFT JOIN items it ON iv.inv_itemid=it.itmid WHERE iv.inv_id={$_GET['ID']} AND iv.inv_userid={$userid} LIMIT 1");
        if ($db->num_rows($id) == 0) {
            print "\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nInvalid item ID <br><br>\r\n\r\n<a href='inventory.php'><font color='white'>Back To Inventory</font></a>";
        } else {
            $r = $db->fetch_row($id);
            // NOTE(review): the transfer is submitted with method='get' and, per the
            // button text, without a confirmation step; no anti-CSRF token is
            // visible in this form.
            print "\r\n\r\n\r\n<div class='generalinfo_txt'>\r\n<div><img src='images/info_left.jpg' alt='' /></div>\r\n<div class='info_mid'><h2 style='padding-top:10px;'> Send Items</h2></div>\r\n<div><img src='images/info_right.jpg' alt='' /></div> </div>\r\n<div class='generalinfo_simple'><br> <br><br>\r\n\r\n\r\n\r\n<b>Enter who you want to send {$r['itmname']} to and how many you want to send. You have {$r['inv_qty']} to send.</b><br />\r\n<form action='itemsend.php' method='get'>\r\n<input type='hidden' name='ID' value='{$_GET['ID']}' />User ID: <input type='text' STYLE='color: black;  background-color: white;' name='user' value='' /><br />\r\nQuantity: <input type='text' STYLE='color: black;  background-color: white;' name='qty' value='' /><br />\r\n<input type='submit' STYLE='color: black;  background-color: white;' value='Send Items (no prompt so be sure!' /></form>\r\n</table></div><div><img src='images/generalinfo_btm.jpg' alt='' /></div><br></div></div></div></div></div>\r\n\r\n";
Example #7
/**
 * Removes a listing from a player shop and returns its stock to the caller's inventory.
 *
 * Reads the listing id from $_GET['id'], adds the listed quantity (at least
 * one unit) of the item to the current user's inventory, deletes the
 * usershopitems row and prints a confirmation.
 *
 * NOTE(review): the lookup filters on the listing id only. $us is declared
 * global but never used in the visible lines, and nothing here ties the row
 * to a shop owned by $userid, even though the error text says "your shop".
 * Confirm ownership is enforced before the items are handed out.
 * NOTE(review): this state change is driven by a GET parameter and no
 * anti-CSRF token check is visible.
 */
function removeitem()
    global $ir, $c, $userid, $db, $us;
    // Escaped and then used inside a quoted SQL literal below.
    $_GET['id'] = mysql_real_escape_string($_GET['id']);
    // NOTE(review): "or die(mysql_error())" prints raw database errors to the visitor.
    $getid = $db->query("select * from usershopitems where id='{$_GET['id']}'") or die(mysql_error());
    if (mysql_num_rows($getid) == 0) {
        die("This item is not in your shop.");
    $id = mysql_fetch_array($getid);
    // Return the whole listed stack, or a single unit when the quantity is 1 or less.
    if ($id['quantity'] > 1) {
        item_add($userid, $id['itemid'], $id['quantity']);
    } else {
        item_add($userid, $id['itemid'], 1);
    // The id used here comes from the fetched row, not from the request.
    $db->query("delete from usershopitems where id={$id['id']}") or die(mysql_error());
    print "<center>The item has been removed from your shop.<br><a href=myshop.php?do=manage>Continue Managing Items</a></center>";
Example #8
    // NOTE(review): $_GET['c'] is interpolated unquoted into this query and echoed
    // into the "Try Again" link at the end. No integer cast is visible in this
    // fragment; confirm it is normalised before this point.
    $q = mysql_query("SELECT * FROM crimes WHERE crimeID={$_GET['c']}", $c);
    $r = mysql_fetch_array($q);
    if ($ir['brave'] < $r['crimeBRAVE']) {
        print "\r\n\r\n<style type='text/css'>\r\n.style1 {\r\n    color: #FF0000;\r\n}\r\n</style>\r\n\r\n\r\n<body class='style1'>\r\n\r\nYou do not have enough Brave to perform this crime. \r\n\r\n";
    } else {
        // Builds a PHP assignment to $sucrate by substituting the player's stats
        // into the formula stored in crimePERCFORM.
        // NOTE(review): $sucrate is read below but never assigned in the visible
        // lines, so this string is presumably executed (for example with eval())
        // on a line not shown. That would make crimePERCFORM executable PHP:
        // anyone able to write that column could run code on the server. Confirm
        // who can edit it, or replace this with a restricted arithmetic evaluator.
        $ec = "\$sucrate=" . str_replace(array("LEVEL", "CRIMEXP", "EXP", "WILL", "IQ"), array($ir['level'], $ir['crimexp'], $ir['exp'], $ir['will'], $ir['IQ']), $r['crimePERCFORM']) . ";";
        // The crime's text columns are printed as stored, without HTML escaping.
        print $r['crimeITEXT'];
        // Spend the brave cost before the outcome is rolled.
        $ir['brave'] -= $r['crimeBRAVE'];
        mysql_query("UPDATE users SET brave={$ir['brave']} WHERE userid={$userid}", $c);
        // Success when a roll from 1 to 100 falls within the computed rate.
        if (rand(1, 100) <= $sucrate) {
            print str_replace("{money}", $r['crimeSUCCESSMUNY'], $r['crimeSTEXT']);
            $ir['money'] += $r['crimeSUCCESSMUNY'];
            $ir['crystals'] += $r['crimeSUCCESSCRYS'];
            $ir['exp'] += (int) ($r['crimeSUCCESSMUNY'] / 8);
            mysql_query("UPDATE users SET money={$ir['money']}, crystals={$ir['crystals']}, exp={$ir['exp']},crimexp=crimexp+{$r['crimeXP']} WHERE userid={$userid}", $c);
            if ($r['crimeSUCCESSITEM']) {
                item_add($userid, $r['crimeSUCCESSITEM'], 1);
        } else {
            // On failure, an even roll decides between a plain failure and jail.
            if (rand(1, 2) == 1) {
                print $r['crimeFTEXT'];
            } else {
                print $r['crimeJTEXT'];
                // NOTE(review): crimeJREASON is placed in a quoted SQL literal
                // without escaping; confirm it cannot contain quotes.
                $db->query("UPDATE `users` SET `jail` = '{$r['crimeJAILTIME']}', `jail_reason` = '{$r['crimeJREASON']}' WHERE `userid` = '{$userid}'");
        print "<br /><a href='docrime.php?c={$_GET['c']}'>Try Again</a><br />\r\n<a href='criminal.php'>Crimes</a>";
Example #9
// Force the quantity to a non-negative integer.
$_POST['qty'] = abs((int) $_POST['qty']);
// NOTE(review): $_GET['ID'] is interpolated unquoted into the items query and the
// itembuylogs INSERT below and is passed to item_add(). The matching cast for it
// is not visible in this fragment; confirm it precedes this line.
if (!$_GET['ID'] || !$_POST['qty']) {
    print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nInvalid use of file    <br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n\r\n";
} else {
    // After the abs((int) ...) cast and the zero check above, this branch is
    // effectively unreachable.
    if ($_POST['qty'] <= 0) {
        print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou have been added to the delete list for trying to cheat the game.  <br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n\r\n";
    } else {
        $q = $db->query("SELECT * FROM items WHERE itmid={$_GET['ID']}");
        if (mysql_num_rows($q) == 0) {
            print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nInvalid item ID\r\n\r\n<br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n\r\n";
        } else {
            $itemd = $db->fetch_row($q);
            // NOTE(review): no exit is visible after either rejection message
            // below. As listed, execution continues to the purchase; confirm the
            // original stops the request in both branches.
            if ($ir['money'] < $itemd['itmbuyprice'] * $_POST['qty']) {
                print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\n\r\nYou don't have enough money to buy this item!\r\n\r\n\r\n<br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n";
            if ($itemd['itmbuyable'] == 0) {
                print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: red;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nThis item can't be bought!\r\n\r\n<br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n";
            // The price is taken from the items row, not from the request.
            $price = $itemd['itmbuyprice'] * $_POST['qty'];
            item_add($userid, $_GET['ID'], $_POST['qty']);
            $db->query("UPDATE users SET money=money-{$price} WHERE userid={$userid}");
            // NOTE(review): the username and item name are placed in a quoted SQL
            // literal without escaping; confirm they cannot contain quotes.
            $db->query("INSERT INTO itembuylogs VALUES ('', {$userid}, {$_GET['ID']}, {$price}, {$_POST['qty']}, unix_timestamp(), '{$ir['username']} bought {$_POST['qty']} {$itemd['itmname']}(s) for {$price}')");
            print "\r\n\r\n<div id='mainOutput' style='text-align: center; color: green;  width: 600px; border: 1px solid #222222; height: 70px;\r\nmargin: 0 auto 10px; clear: both; position: relative; left: -20px; padding: 8px'>\r\n\r\nYou bought {$_POST['qty']} {$itemd['itmname']}(s) for \${$price}\r\n\r\n\r\n<br><br>\r\n\r\n<a href='shops.php'><font color='white'>Back To Shops</font></a>\r\n\r\n</div></div> \r\n\r\n";
Example #10
            // Each pack size has exactly one accepted payment amount. The bodies
            // of these two checks are not visible in this listing.
            if ($pack == 1 && $payment_amount != "1.00") {
            if ($pack == 5 && $payment_amount != "4.50") {
            // grab IDs
            // NOTE(review): $buyer is interpolated unquoted and $txn_id quoted into
            // the willps_accepted INSERT below. Neither is visibly cast or escaped
            // in this fragment; confirm $buyer is forced to an integer and $txn_id
            // is escaped, and that a repeated txn_id is rejected before crediting.
            $buyer = $packr[3];
            $for = $buyer;
            // all seems to be in order, credit it.
            if ($pack == 1) {
                item_add($for, $set['willp_item'], 1);
            } else {
                if ($pack == 5) {
                    item_add($for, $set['willp_item'], 5);
            // process payment
            event_add($for, "Your \${$payment_amount} worth of Will Potions ({$pack}) has been successfully credited.", $c);
            $db->query("INSERT INTO willps_accepted VALUES('', {$buyer}, {$for}, '{$pack}', unix_timestamp(), '{$txn_id}')", $c);
        } else {
            if (strcmp($res, "INVALID") == 0) {
                fwrite($f, "Invalid?");