
Everything posted by Joshua
-
Know this is an old post but http://www.samuraioflegend.com This is McV2. Decio hacked it lol.
-
It is less secure, but secureable just the same. Not to mention, it's good for people to look into other engines as well, it's called broadening one's horizons ;) Learn all kinds of things looking at others' work.
-
I've looked at over 50 various engines, and while they are all unique in their own way, so far, the one that is easiest to "maneuver around" is McCodes simply because of how it's set up. Even the GRPG engine took me a week or so to figure out how it runs and even still it's a pain in the butt to alter too much right off. But I guess it's just one of those things that take a bit of time, like was invested into McCodes, and as said many times in the past, there are so many of us that know the ins and outs of that engine for someone wanting to learn it, we are here to help. This is something you won't get from other engines as the community is so much smaller.
-
Just another point of how things are secured differently. Some things that shouldn't be decimals do not need ctype, whereas some that do should. Same with different variables like BIGINT, I think abs((int) will not work on that as it will only go to 2.14 something or other, I believe. Which is why I've tried to make a habit to use ctype, however, again, they both work fine :P
-
lol. Re-code, Re-Code, Re-code. I seriously need to just sit down and write my own engine that's as simple as McC but secure. Then release it for free and end the drama over mcc :| Would have paid add-ons of course but eh ;d
-
I said OR ;) Either or work just the same :P abs((int) or ctype_digit :P
-
You know you may be correct in that assumption. I'm not 100% sure myself, but securing the $_POST variable anywho, which is how I always do it rather than use sprintf, stops that. A simple ctype_digit or abs((int) on the $_POST['ID'] is usually where I'd go with it, which means if I were to use %u it wouldn't matter if it accepts negative integers anywho. But %s is only for strings, it was just an example as how this person charging to do security has absolutely no idea, and this is one of 4 scripts I've seen that have been altered at all from their original state.
-
Dominion, the reason that was pointed out is that the person in question called that a secured script, when in fact the $_POST variable is not secured and sprintf is being used improperly ^_- Paul-- I made a habit, when I did like to use sprintf, to use %u on integers as the only difference is one is unsigned and one is signed. I see no major problem with either, though one can always learn I suppose. But putting single ' ' around a %s for $_POST['ID'] (I removed them) is just plain useless.
-
Personally I wouldn't use sprintf on something of this nature at all. But %u is for integers whereas %s is for strings. Obviously $_POST['ID'] is going to be an integer.
-
Straight getting annoyed going back through all these files this guy supposedly did. Example:
$qc=$db->query(sprintf("select * from contactlist where cl_ADDER=$userid and cl_ADDED='%s'",$_POST['ID']));
Not only is %s for strings, the above should be %u. But no need for sprintf, and the $_POST variable is secured nowhere in the script. Just an example ^ this whole darn file is full of it >,<
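An added example (not part of the original posts) showing how the two checks named in these posts, ctype_digit and abs((int) ...), treat the same request values before they reach a query like the contactlist one above. The helper names, the INT UNSIGNED column limit, $userid and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: helper names, column limit and sample inputs are constructed.

/**
 * Strict check: accept only a string of ASCII digits that fits the column.
 * Compares as strings so the result does not depend on PHP's integer width.
 */
function parse_unsigned_id($raw, string $max = '4294967295'): ?string
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw)) {
        return null; // arrays, empty input, signs, decimals, trailing text
    }
    $digits = ltrim($raw, '0');
    if ($digits === '') {
        $digits = '0';
    }
    $tooLong = strlen($digits) > strlen($max);
    $sameLen = strlen($digits) === strlen($max);
    if ($tooLong || ($sameLen && strcmp($digits, $max) > 0)) {
        return null; // larger than the column can hold
    }
    return $digits;
}

/** Coercing check from the posts: never rejects, only rewrites the input. */
function coerce_id($raw)
{
    return abs((int) $raw);
}

// Constructed stand-ins for $_POST['ID'].
$samples = ['42', '-7', '5 OR 1=1', '1.5', '', '99999999999'];

foreach ($samples as $raw) {
    $strict = parse_unsigned_id($raw);
    printf(
        "%-14s strict=%-8s coerced=%d\n",
        var_export($raw, true),
        $strict === null ? 'reject' : $strict,
        coerce_id($raw)
    );
}

// Only a value that passed the strict check is placed in the query text.
$userid = 1; // constructed session user id
$id = parse_unsigned_id('42');
if ($id !== null) {
    echo sprintf('select * from contactlist where cl_ADDER=%u and cl_ADDED=%s', $userid, $id), "\n";
}
```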
-
Well, I didn't say the name ;)
-
It is GRPG. Not highly re-coded either, a lot of the same scripts remain intact, just secured. Yes, I know this post is super super old lol. I was playing this game when it only had 400 users ><
-
The owner of the site was the one that requested I take a look at it. I've been in discussion with him and have since taken over the job (hence I've seen first hand the work that's been done) or lack thereof. Won't post a link to his site until I've secured it and he wants to, as it's his site ;-)
-
I'd almost be willing to conduct a list of known programmers, availability, knowledge base, costs etc and see if we couldn't get a mod to sticky it. Would eliminate some of the problems, but again, new programmers arise and there are always those who fly off the radar.
-
I've not named them as I do not believe they were set on the intention of scamming anyone. Yet. I believe they have spent time browsing the boards and thought they may have known exactly how to stop all the exploits, or maybe understood a few of the PHP basics and in turn tried to turn a profit. I do not believe the person this post was originated about had the direct intention of "scamming" anyone as work was put in, and after I hacked the site in about 9 different ways he fixed the exploits "to a degree". It's just that he assured the guy his site was secure (the first time) and I managed to staff myself. Told them the exploits used, which were a few various ones. Got the message today saying all has been fixed, would I mind checking (from the owner, not the person who secured it), and managed to hack it again using different exploits. I've since been going over some of the files that were supposedly secured and really do not see anything extreme to stop the majority of these hacks. Header, Globals, authenticate haven't even been touched (which.. ok). But cmarket, viewuser, forums, itemmarket, contacts, mailbox and several others were the stock McV2 files. I think he added the $_GET[id] = abs() bit after I did the cmarket hack the first time, but other than that and a preg match call on preferences to stop the display picture hack "but not really", I didn't see any changes to any of the files. There were a few mods, like Player Report (I believe it's one MagicTallGuy made a long while back), bug report, etc. that are secure. But they weren't "secured", they were written by someone else and installed.
-
I don't wish to put those involved names out there yet, however I will post this warning. Recently there have been several people paying 50-90.00 USD to have their site secured from various new users on these forums. The jobs being done are simply a few quick scripts copied/pasted off of MWG and placed on your site. I've seen some of this work first hand and was absolutely amazed at how anyone could charge for the small bit of work being done. Things such as the cmarket hack, forums hack, preferences hack, viewuser hack, preport hack, IP spoof, Referral Hack (on register) and countless others have worked on these so-called "secured" sites. So this is basically a message to all those who are paying to have their sites secured. Please do a little bit of research here on the forums. There are countless members that are most capable of securing your site properly with a decent reputation. I'm quite sure some of them will feel obliged to post here. I'd also make sure and document any/all work performed by anyone claiming they are securing your site. Check your files, before and after the work is completed. There should be a noticeable difference in a majority of them. A few header/global inserts will not stop all hacking attempts. A few free mods off MWG may be secure for those files but will not secure your site. It's been my experience, you get what you pay for. I believe most people who know what they are doing when it comes to securing your website charge on average 150.00 U.S.D. If you are getting it for 50-100.00 there's a good chance (not 100%) that you are getting screwed. There are the select few that do discounts and are just looking for work, but if most charge 150.00, be wary of those charging next to nothing to secure over 120 files. That's a lot of work ;-) Ciao
-
Not secured, No License, No graphics. Just another googl'ed McCode download >,<
-
Always helps to post screenshots, though just looking at the code it's just a basic table :) On another note.
[url='index.php']Coming Soon[/url]</td></tr></table>"; print "</td></tr></table>
You don't need to have the closing and opening php tags since you removed the if(statement) that was once there
[url='index.php']Coming Soon[/url]</td></tr></table> </td></tr></table>
Don't forget to remove the " at the end of the statement as well if you do the above.
-
Can you provide a valid mccodes license? And how can you "sell" other people's mods?
-
Rank rank rank blah blah blah ;d
-
I already made this mod. >,<
-
As I recall the GRPG script is even more so unsecure than McCodes itself. It really is a royal pain going through it all and even more so being sure you got everything.
-
Remembering back, just about every single file with GRPG was unsecured. Not to mention there was absolutely no encryption on the password system.
-
Same sadly, 150.00 USD.