MakeWebGames

Dominion

Everything posted by Dominion

  1. If you know of a problem, even PM'ing a file name where the exploit is or the name of the type of attack would help the user fix it. Saying a site is insecure is still giving people a target. It just means if we really want to empty the database (what you claim the attack does) we would look ourselves.
  2. http://makewebgames.io/showthread.php/36080-User-Comments
  3. Happy new year everyone.
  4. Welcome back Faz`, and good luck. :)
  5. Or just don't log in so if you ever wish to return you may?   Don't swear in your posts; I removed that post, and the quotes of it.   Sorry, but I am unsure of what it does from the screenshots. Seems like an attack ladder for gangs where you go to war with the one above you, and if you win you gain their rank?
  6. http://makewebgames.io/showthread.php/38968-jQuery-Second-Minute-Countdown
  7. I doubt they would have any problems with you posting a fix. It's been done before, and many free mods are there as a way to offer a secure alternative to the original feature.
  8. Inactive so they come back and sell something full of bugs... helpful. 2.03 may have had this aim, however Redux a paid update? I don't believe that's the case or at least was a poor attempt to show what they intended to.   Grpg is worse than mcc I admit. Horizon I have never seen, and ezrpg, and zap are free engines that require next to no work on the base. Nothing next to what Redux was being sold as; a fully ready game.
  9. Fairly sure I actually said the new versions were better than the originals. Only attack I have publicly made was about Redux being restrictive. Don't have the most updated patch to give any kind of viewpoint on security (at least past the first/second release), and even if I did I doubt I would have time to go through the entire engine at the moment.
  10. Name of merit, Description, Dropdown of values you could add to (e.g. money, brave, maxbrave, energy etc...). Amount to update by. Then check it's something in the array of given values -> escape the name, and description, store it. When updating the user table to give the merit check what's saved to update in the database, and add that value to an update query. Just as it's done for crimes for example or how many crystals it takes to refill energy in game. No direct query input needed...
  11. I would assume all sites have some way to limit who is seeing what page even if it's an if() inside the staff file. You're talking about a query that's built, and then sanitized as opposed to yours that is simply typed in then run. Anything can be manipulated sure, but allowing direct query input is something completely different.
  12. This has been asked twice in the last few days. I believe this thread ended with the users solving their problem - http://makewebgames.io/showthread.php/40703-Problems-with-queries-running-more-than-once
  13. You can do a lot of damage with just those two... you're being very optimistic to believe every staff member is 100% trustworthy. The people I trust that much would have access to phpmyadmin...
  14. My mistake, but you are the one supporting redux?   Of course. If it was personal I apologize if my comment came across the wrong way.   We're a forum, the point is to post the issue and get help. Private messaging a single member defeats the object of the community.
  15. If I can run an sql from the staff panel what's to stop me dropping tables?
  16. Merry Christmas, and enjoy your holiday. :)
  17. Then start reading. What's the one thing you're most confused on?
  18. I have a few quick questions. I believe you could produce something of extremely good quality, however due to your area of work you do tend to be very professional. Normally good, but not always. For example creating an over complex system your average customer could not understand. (If it updates from the site that should not be an issue.) Define what you mean by PHP5. I believe you’re not a massive fan of PHP’s oop, therefore will you be avoiding massive usage of it within this framework? So... would it all be in procedural? What do you plan on using to communicate with the database (mysql_, mysqli, PDO,) or even what type of database will it be using? “modular / plugin”, so how much would the programmer need to know? Example -> mccodes you need to do all the HTML etc yourself, but the core is there (inside globals that you include), for zap I believe it’s got functions for in game buttons etc, but the user still needs to call them. (if that made sense at all.) “download / install plugins directly from site” free ones if going with the base engine or a fee for every download? “Template system.” Your own or something premade (e.g. smarty).   All I will say here is most modifications for current engines start at around $5, and would not be worth creating at all if you then lost 20%. As suggested above build this feature into forum software, and have two areas “site approved/ reviewed” that go through this channel and pay the 20%, and another for those who do not.
  19. I won’t say I have “lost all respect for you” because it’s over the top. What did annoy me was that you did the job for them, and then seemed to turn into them; you disappeared. You’re a member of the team. Answer support threads as a mccodes team member, and that issue is gone. I mean other than this thread I don’t think I have seen you post lately... and it would be nice to see you active again even if it’s just posting a few times a day when you take a break from MonoDistrict.
  20. Post the error, and the secure function?
  21. I believe he is looking for quotes from people...
  22. I do hope to see you around more. One thing I would suggest is getting 3rd party reviews of this new engine before even a beta is up for the public to test. Maybe even during development (many people do this). Having other opinions on the programming may help with a lot of the negative feeling now aimed towards it. I wish you the best of luck.
  23. I have a copy of Redux, and use it to offer support when people ask. Just the .03 I have never seen (or the v1 update if there has been one...).
  24. My opinion is from posts around this forum (since I don't have a copy of 2.03), and would be interested in having some kind of review of the more recent patch. May help people decide when looking to buy it. Just an idea if anyone cares to take the time... I'm sure Danny's Lite update could always be reposted.
  25. The newest patches are much better on this front. v1 I am unsure about, however 2.0.3 has most of the problems fixed in terms of sql injections that can be found throughout the web for mcc since it's actually checking the user supplied data. I have not done my own tests since there would be very little point in me doing so, but as far as I'm aware it's a massive improvement. I have heard of some issues within the source, but it's more of a "this requires to check to ensure they should be able to do this" rather than a hack e.g. one admin fedding another admin account. Although the way the checks are done is something people seem to dislike. More information here - http://makewebgames.io/showthread.php/38706-MCC-v2-0-3/ Redux is secured in the same way. You can find many threads on both versions, and their known issues.