
Joshua
Members
Posts: 1,271
Everything posted by Joshua
-
Just curious on the new Patched one, Paul. Have you tried entering the display_pic hack with ##;.jpg ?
-
Radio Buttons/Submit buttons and the like can be altered using Firebug. Install it on your Firefox browser and have a play around with it. It's almost scary ;)
-
You can "secure" a site but you can't write a simple script like this? :P Pretty sure there is a free one out already just the same >,<
-
3 Figures? 1.99? :D
-
Something similar is in the free mods section of course. I didn't have the police bit and it affected your strength/agility/ etc. I'm sure there are a few differences. Good work.
-
I believe he did all the work on his site. He's asked me a dozen or so questions in regards to security over the past year or so, and I've checked the security on it noticing a few errors but nothing major.
-
Sounds like you don't have forum_forums database. That or $topic variable is coming up empty which would also pitch an error. All in all your problem is here
$q=mysql_query("SELECT * FROM forum_topics WHERE ft_id={$_GET['viewtopic']}",$c);
-
Quite simple to add using a $_GET or $_POST variable specific users and form data. Nice and simple, gj
-
Eh either way should work just fine. May need to go over the isset bit though.
:edit: I think I've sold 2-3 copies in the last week and that's about it other than months and months ago.
:edit: again: Just realized, the array will check if it isset. So the theory I use works fine. It may be an old old customer of mine who just recently used it, pm me their name and I can tell you. I know who all bought it within the past week. Also, the above code you pasted...that's not my work :\
-
The only place any information is entered for the race option to be exploited is in register.php
$_POST['race'] = abs((int) $_POST['race']);
$allowed = array('1', '2', '3');
if (!in_array($_POST['race'], $allowed)) {
    echo 'This is not allowed!';
    exit;
}
Ensure it's an int, yes I used abs((int) as I'm only using 3-5 digits max so int works fine. The array checks to make sure it's only the ones allowed. Pray tell how is it not secured :P
-
Exploit it ;-) A long time ago (we are talking 6 months to a year), when I made the mod, I did not properly secure the $_POST variable. It was secured as an INT but due to Firebug you could change the int to any number you wanted. That's been long since secured :p
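The two posts above describe the same check: an int cast alone accepts whatever number an edited form submits, while an allowlist limits the value to the permitted ids. As an added example (not Joshua's code; the function names and sample inputs are constructed), the cast-only form beside a stricter allowlist that rejects malformed values instead of normalizing them:

```php
<?php
// Added example: server-side check for a registration "race" field.
// Function names, the constant and the sample inputs are constructed.

const ALLOWED_RACES = [1, 2, 3];

// Int cast only: the value is numeric, but any number a tampered
// form submits is accepted.
function race_cast_only($raw): int
{
    return abs((int) $raw);
}

// Allowlist: returns the race id, or null when the value is not permitted.
function race_allowlisted($raw): ?int
{
    // Accept only a plain run of digits. "-2" and "2abc" would both
    // become 2 under abs((int) ...); here they are rejected instead.
    // An array (race[]=2 in the request body) is rejected as well.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $race = (int) $raw;
    // Third argument true = strict comparison, int against int.
    return in_array($race, ALLOWED_RACES, true) ? $race : null;
}

// Constructed inputs: what a form edited in the browser could send.
$samples = ['2', '99', '-2', '2abc', '', ['2']];
foreach ($samples as $raw) {
    printf(
        "%-8s cast-only=%-4d allowlist=%s\n",
        json_encode($raw),
        race_cast_only($raw),
        var_export(race_allowlisted($raw), true)
    );
}
```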
-
you mean while ($EV = mysql_fetch_row($QUERYGET)) lol
-
So now you're saying it's not "edited" ? ;-)
-
New Profiles w/ Great staff panel and BBCode!
Joshua replied to Scarfacial's topic in Free Modifications
"hate that people believe security is a totally different thing from PHP " You can't be serious? lol... Anywho ^_^ When one goes to school to learn a PHP subject they don't learn it all at once. They learn it in pieces, I'm most positive that one set of lessons is delving into securing your code. Hence, security is a lesson to be learned, which is where I was headed with this to begin with ANYfkinWho :P
-
Sigh, You may have coded it into McCodes, but I've seen this layout somewhere before. Not on a McCodes game, but the layout itself. Background included.
-
Blade, before you go off on the whole "screenshots can be edited" spiel: Moderators can view the PMs and verify if it's real ;-) Or maybe it's admins, but one of them :p
-
No i get what you're saying Paul, But usually it's basic stuff and I adjust everything accordingly. Shrugz, I check before i proceed :-)
-
Due to being absent, I don't have much work really so yea :-) I know a lot of it is overkill but the more I do the more I get into it and I get carried away of course. There are a lot of files that have tiny exploits in them, and even a lot of the staff files can be tampered with if you have a bad staff member. Just saying. Do I do more than I'm paid to? Of course I do, I like to get customers so going above and beyond helps. Hacking their site is the first thing done of course. Test every aspect to see what's insecure etc etc. But again, I'm an overkill kinda guy I guess ;P
-
LMAAAAAAAAAAO owned by screenshot hahah, reply button took entirely too long, I was laughing too hard lol
:edit: Kieran you have been offering to do the same thing as well for 50.00 and it's not securing either ;-)
-
Ok, just to clarify on "security" regarding McC. There is no simple script that will secure the site (been stated before).
What I myself normally do:
I go through all files, roughly 100 of them (that can be exploited in one way or another). Secure them individually, by scanning them, cleaning variables, securing input and output, re-writing if necessary.
A few .htaccess re-writes that I have used for quite some time that HELP with stopping xss injections in case I miss something. (This is something I googled a long while back and have tested and works.) I can't write htaccess code worth a flip.
Add some aftermarket modifications I designed as well as installing a few that I have found on the forums (slightly re-written) done by Illusions to keep track of any attempts.
Secure the heck out of staff system using DEFINE functions via staff.php, staff password, ban on unauthorized staff etc.
I like to re-structure the database as well "if I'm bored", not because it's safer, but simply because the amount of crap in the users table bugs me and when I'm bored I tend to....alter it.
A lot of files I also merge into 1 larger file as well, such as send cash, bank, cyber, the search features etc.
Slap staff files and crons etc into a sub folder and secure that folder from direct access, simply because I hate a cluttered pub root directory and it organizes it a bit better.
There are a few other minor quirks I do as well I'm sure, but this is why we usually charge 150.00 USD. I wouldn't do half of this stuff for 50.00 USD. There are a lot of files in the McC engine, a lot. And while yes, I could probably spend 30 minutes and secure vs the known hacks (if that), it wouldn't be air tight. There never really is air tight, but I like to come as close to it as I can get.
-
New Profiles w/ Great staff panel and BBCode!
Joshua replied to Scarfacial's topic in Free Modifications
Well I was referring in general, but yea, it is a subject to broach on.
-
New Profiles w/ Great staff panel and BBCode!
Joshua replied to Scarfacial's topic in Free Modifications
All in all, glad to see someone else trying and actually putting forth some effort. Security isn't learned overnight and anyone will tell you, you constantly learn. Good job on your first modification, really. :)
-
Wow, I haven't seen that script in quite a while. Yes, I like overkill Paul! :O
-
if(gamesecurity == 50) { die('amg to pricey'); return; } there is my leet skills.