From 9f94c14d0dd6909fadc89bee72354f1b9f06cbb6 Mon Sep 17 00:00:00 2001
From: Joel
Date: Mon, 25 Nov 2024 20:05:44 -0800
Subject: [PATCH 1/2] fix: validate purchase item name with server-side data
---
 server/main.lua | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/main.lua b/server/main.lua
index 7d888148..080e662e 100644
--- a/server/main.lua
+++ b/server/main.lua
@@ -351,6 +351,11 @@ QBCore.Functions.CreateCallback('qb-inventory:server:attemptPurchase', function(
 end
 end
+ if shopInfo.items[itemInfo.slot].name ~= itemInfo.name then -- Check if item name passed is the same as the item in that slot
+ cb(false)
+ return
+ end
+
 if amount > shopInfo.items[itemInfo.slot].amount then
 TriggerClientEvent('QBCore:Notify', source, 'Cannot purchase larger quantity than currently in stock', 'error')
 cb(false)
From e86c8a9f46407d281981c8c17ccdeda9bcdbcd46 Mon Sep 17 00:00:00 2001
From: Joel
Date: Mon, 25 Nov 2024 20:06:34 -0800
Subject: [PATCH 2/2] fix: validate item price server-side
---
 server/main.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/main.lua b/server/main.lua
index 080e662e..c6007722 100644
--- a/server/main.lua
+++ b/server/main.lua
@@ -327,7 +327,6 @@ QBCore.Functions.CreateCallback('qb-inventory:server:attemptPurchase', function(
 local itemInfo = data.item
 local amount = data.amount
 local shop = string.gsub(data.shop, 'shop%-', '')
- local price = itemInfo.price * amount
 local Player = QBCore.Functions.GetPlayer(source)
 if not Player then
@@ -368,6 +367,7 @@ QBCore.Functions.CreateCallback('qb-inventory:server:attemptPurchase', function(
 return
 end
+ local price = shopInfo.items[itemInfo.slot].price * amount
 if Player.PlayerData.money.cash >= price then
 Player.Functions.RemoveMoney('cash', price, 'shop-purchase')
 AddItem(source, itemInfo.name, amount, nil, itemInfo.info, 'shop-purchase')
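Review bot: In the `@@ -351` hunk of patch 1/2, `shopInfo.items[itemInfo.slot]` is indexed before anything visible in the hunk confirms that the client-supplied slot exists in the shop, so an unknown slot would raise on `.name` instead of reaching `cb(false)`. Unless a check above the hunk already rejects unknown slots (the callback starts and ends outside the hunk), guard the lookup: `local shopItem = shopInfo.items[itemInfo.slot]` followed by `if not shopItem or shopItem.name ~= itemInfo.name then`. The same lookup is repeated in the stock check just below and in the price line of patch 2/2, so one local would serve all three. The rejection is also silent; a server-side log line before `return` would give operators a signal when a request's name and slot disagree.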
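Review bot: In the `@@ -368` hunk of patch 2/2, the unit price now comes from server data but `amount` is still `data.amount` from the client, and the only bound visible in this series is the upper stock check. A zero, negative or fractional amount would make `price` non-positive or fractional and still satisfy `cash >= price`. If no check outside the hunks already covers this, add `if type(amount) ~= 'number' or amount < 1 or amount % 1 ~= 0 then cb(false) return end` before computing the price. `AddItem` on the last context line also still receives `itemInfo.info` from the client; taking the item metadata from the shop entry, as this series does for name and price, would remove the remaining client-controlled field.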