
Joshua
Everything posted by Joshua
-
Hm, I'll have to take a look at it. :)
-
I believe he just got me on my game as well, though he just credited himself and nothing more. I am curious as to just how he did this. I have the following SECURED:
Header: abs(@intval()) and $ip secured, as well as viewforum/forumreply.
Registration: all $_GET and $_POST secured, as well as $IP.
Authenticate: same as Register.
Cmarket: done by MagicTallguy. I'd assume that's as secure as it gets :P
Forums: done by MagicTallguy. Again, secure as it gets.
Userslist: found on Dev-forum and also approved to be secure.
Staffpanel: not only have the names of all files been changed to something only I know, but I also have a Staff-Password. Wasn't through there.
Viewuser: MagicTallguy made. Secure.
Usersonline: Karlos made, should be secure.
Creategang: Sniko secured.
Login: secured.
Bank: made by Karlos or MagicTallguy. Secured.
--EDIT-- Crystaltemple: made by MagicTallguy. Secured.
I do not know how he bypassed it and got the money. I don't know what more I am missing, but this guy had 400b crystals, cash and 3 donator days from my crystaltemple.php. I'M THINKING this was where the leak was, that or Gang Panel.
--EDIT-- Scratch that, the Crystaltemple was also made by MagicTallguy so it shouldn't have any leaks. Appears to have the same info.
Last Login 92.235.150.88 92-235-150-88.cable.ubr20.aztw.blueyonder.co.uk
-
Just curious... what exactly are your plans if you aren't even sure how to use the installer? Security is right out the window... the game would be hacked within 30 seconds of someone finding a link. Are you going to remove register.php? Are you just doing this to learn PHP?
-
Make your game folder writeable: chmod it to 777.
-
You aren't catching onto this very quickly. Though some may start you off with a game CHEAP **like me**, no one is going to just do it for free. There are thousands of people that post every day wanting this and they usually flop or get bored within a week. No one is going to do your work for you; invest some time into what you're wanting to do. Side note: YES, you can alter PHP in Notepad, though I'd suggest getting a PHP editing program as it's helpful to find errors on specific lines.
-
Ok, so I'm unaware if one of these has been done before. However, I'm seeing a lot of repetitive posts on the forums about what one should do, or how one should proceed in making their very own game. So, I'm bored and taking a few hours' break from my own game. Here's a bit that I know; I'm sure other members will add to this.

STEP 1. You're going to want to do two things. 1. Research what TYPE of game you are wanting to start. Bear in mind there are MILLIONS of Mafia this, Prison that, Thug this games out there. Try and be original and think outside of the box. 2. Decide what engine you are going to be using for your game and search the forums a bit if you aren't sure. (The majority of the beginners on these forums tend to use McCodes. http://www.mccodes.com)

STEP 2. Once you decide on a game engine, you are going to want to research a host. Depending on your knowledge of PHP and MySQL (I'm assuming nil or very little) I'd suggest a free host. ej.am tends to provide free service that works; I'm sure some others can tell you more. (If you do decide to go with a paid host, make sure you are committed to learning PHP and MySQL or you will just be wasting your money.)

STEP 3. Once you have decided on a game engine, a server host and a game plan, make your purchases and upload your new game engine to your file manager, normally in the public_html folder.

STEP 4. Normally games come with an installer; both versions of McCodes do, as well as McCodes Lite, which is freeware you can find if you search around. I'd highly suggest for beginners that are JUST getting started (AFTER YOU RUN YOUR INSTALLER) to remove their register.php folder, as if you go with EITHER version of McCodes they are not factory secured and you may just have someone take over your game with copy/paste hacks. Another good policy to go with is removing your install.php file, as you don't want someone coming to your site and re-installing your game (this can get nasty, as they can get the admin slot and you have to mess around with the SQL database, and it's just a hassle :P).

STEP 5. Before you delve right into changing code and switching stuff up, do some BASIC (again, BASIC) security on your site. 1. This will secure a common and well known IP hack where users can copy/paste code and take over your game: IP HACK SECURE. 2. This will stop the COMMON Cmarket hacks and forum hacks that users copy/paste to abuse your system: Basic Hacks Fix. 3. This will stop just about all hacks via your Preferences panel, where users can upload and change queries to make themselves admin: Secured Preferences.

STEP 6. For fun, open up some of your files such as newspaper.php or announcements.php, something not too in-depth. Familiarize yourself with some of the basic coding and use sites such as w3schools.com to help you along your way.

STEP 7. Browse the forums for FREE scripts posted to add to your game. Also keep your eyes peeled for ANY security conversations, as later on this will come in handy. Remember, sites aren't 100% secure, and especially not with just a few lines of code added here and there. Give yourself a go at trying to follow STEP BY STEP instructions on a simple mod and see if you can install it to your game. If you succeed, try your mod; see if it works or if you have any errors. If you have errors, don't run straight here. Open up your script, take the error you got in your game and try to locate exactly where the error is. Look for things out of place, or for things that don't match up. A common mistake for MYSELF is I miss an ending ' in links. For example, the code could be a simple HTML call for <a href='blah.php>Blah</a>. At a quick glance I never notice that I missed the ' at the end of .php. So I receive an error, or my code won't show up at all. Or perhaps it'll throw off my layout. Learn to catch things like this and you will save yourself a lot of heartache. Look to make sure code that is giving you an error has the proper opening and closing statements. Tinker with it, see if YOU can get it to work. THIS IS HOW YOU LEARN; it is how I do.

STEP 8. ASSUMING that you did not get the script to work (IF YOU DO, SKIP TO THE NEXT STEP), I usually come here and post a SMALL (note the small) portion of my script. I ask if anyone here can find the error. Normally, people are good natured here and will help you out (though there are a few that will give you a headache, so just learn to look past it). Bear in MIND, you have to give it some effort. The people of these forums are NOT, I repeat, NOT going to just up and code your whole game for you because you don't know PHP. Most of us here have our own games we work on and unless a fair amount of $$$ is involved, we tend to steer clear of free work. Would you go to your job and work for free? Yea... no :) Use the help you can receive on these forums lightly. Don't run here the second a code doesn't work; try to fix it yourself. Again, people here will help you, but you may find some of the replies in the negative if you tend to post 30 times a day and you aren't learning at all.

STEP 9. Once you have your first mod installed and running properly, try and figure out how that mod works. Sometimes a good way to learn is causing an error and finding out why what you did CAUSED that error. LEARN MySQL, as it makes reading PHP a lot easier, and MySQL isn't nearly as difficult to learn :-)

STEP 10. You should be well on your way to learning PHP and MySQL; try learning a bit of CSS, and if you don't know any HTML (which most everyone does) learn a bit. Don't feel shy to ask a question, as there are no stupid questions, only stupid answers. If you are learning, and really trying, you won't have a problem finding help here on these boards. If, however, you come back every 5 minutes and ask for help 3 lines down from code that was just offered as a fix, it means you aren't learning or aren't trying. People will tend to skip right over your posts.

Again, in closing: I am NO expert, BY FAR. 6 months ago I couldn't remember the <?php ?> tags. Now I have a few of my own customized scripts that are just mine, one of a kind, running in my very own game. I've learned a good deal, but guess what, I know NOTHING compared to most of the coders on this board. It's a learning process. Don't just dive in if you plan on giving up in a few weeks, as you will cost yourself time, money and one severe headache. :-) I hope something in this post helps somebody. Feel free to PM me with any questions that weren't answered and I will add them to this post, OR if another more skilled member feels I missed anything, don't hesitate to give your 2 cents. --Why do they call it giving your 2 cents' worth when it's only a penny for your thoughts? Where'd the other penny go? Tax?
-
LOL forgot Table..haha..I'm not a noob I swear >< Above poster is correct > <
-
1. You need to find a host to host your game on.
2. You need to have a copy of McCodes V1 or V2 (unless you are going to write your own engine, which from the sounds of it isn't possible ;-)).
3. You need to learn the basics of PHP and MySQL (for starters).
4. CSS is also helpful, as well as being knowledgeable in GIMP or Photoshop to make custom graphics for your site.
5. Search the forums; there are tons of posts on various questions regarding making games. :)
-
Well, you have to have something to host it on :P It doesn't just appear out of nowhere ;)
-
I explained in another post :P Get hold of McCodes version 1 or 2. Get yourself a host; I'd go with a free one for now as you're just learning. ej.am is usually what a lot use. Upload McCodes to your file manager and run the installer, step by step. Open up your game, have a look at it. Then go to your file manager and have a go at some of the coding. Try installing some simple scripts you can find here on the boards. Tinker, tinker, tinker until you learn something :-) It's slow going, but it's the best way to learn :)
-
Correct me if I'm wrong: ALTER users ADD `signature` text NOT NULL, would work if you did this: ALTER users ADD `signature` text NOT NULL; Correct? Or is it still the , and just INSERT INTO users ADD `signature` text NOT NULL, *shrugs*, MySQL with me is sketchy at best :P
-
Simple Line of code to stop Session Hijacking and Auto-Admin
Joshua replied to Joshua's topic in Tips and tutorials
Yea, as I said, though my coding may not be 100% accurate: you are telling it to check if it's an image, and if it is, post a pic. However, if it ISN'T an error you aren't telling it what to do. You need to come up with an if or else statement telling it what to do if it's not a picture and if it is a picture. I have a secured preferences posted up in the regular section of McCodes (not the mods section); perhaps look at that one, as it works :-)
-
Simple Line of code to stop Session Hijacking and Auto-Admin
Joshua replied to Joshua's topic in Tips and tutorials
$imageinfo = getimagesize($_POST['newpic']);
if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/JPG' && $imageinfo['mime'] != 'image/png' && $imageinfo['mime'] != 'image/ico' && $imageinfo['mime'] != 'image/bmp' && isset($imageinfo)) {
    print "Sorry, We only accept Images.";
} else {
    $_POST['newpic'] = "images/defaultpic.png";
}

Something along those lines perhaps? You're making a call that if the images != to, but you aren't telling it what to do if they aren't.
-
2 problems I see here. You didn't secure the Display Pic or Sig feature; users could become an Admin within seconds :\ See MD5's response and answer to securing this: [mccode v2.x] Auto-Admin Hack. Also note, I did not go through the signature page very well, but sigs are a key target for hacks unless secured properly.
-
Negative, I tried that as well. The endpage is still sending a call to a non-member function: Fatal error: Call to a member function endpage() on a non-object in /home/*******/***********/preferences.php on line 43. Easiest thing I've seen is just to remove the endpage and it works 100%.
-
Side Note*** I completely removed the endpage function and it works 100%
-
**NOTE** I did not make this. This was made by Karlos as a free mod on a different forum. It is secured to the best of my knowledge and I have been using it. I am just getting 1 small error in that it's giving me a fatal error: call to $h->endpage on a non-member object. It's the endpage where Sex Change is. If anyone could fix that small error, this is a great pref secure.

<?php
include_once(dirname(__FILE__) . '/globals.php');

// XSS prevention
function NoXSS($Var)
{
    return (get_magic_quotes_gpc()) ? htmlspecialchars($Var) : addslashes(htmlspecialchars($Var));
}

$_GET['act'] = isset($_GET['act']) && ctype_alpha($_GET['act']) ? trim($_GET['act']) : 'Index';

// Reject unknown commands before dispatching. In the original this check sat after the switch
// (so the default case had already run) and its list was missing 'ProfileSig', so a valid
// profile-sig change was followed by "Invalid Command!".
if (!in_array($_GET['act'], array('Index', 'SexChange', 'PassChange', 'NameChange', 'DPChange', 'ForumSig', 'ProfileSig'))) {
    Error('Invalid Command!');
}

switch ($_GET['act']) {
    case 'SexChange':  SexChange();  break;
    case 'PassChange': PassChange(); break;
    case 'NameChange': NameChange(); break;
    case 'DPChange':   DPChange();   break;
    case 'ForumSig':   ForumSig();   break;
    case 'ProfileSig': ProfileSig(); break;
    default:           Index();      break;
}

// Index function
function Index()
{
    echo '<h3 style="text-decoration: underline;">Your Preferences</h3>
    <a href="prefs.php?act=SexChange">Sex Change</a><br />
    <a href="prefs.php?act=PassChange">Password Change</a><br />
    <a href="prefs.php?act=NameChange">Username Change</a><br />
    <a href="prefs.php?act=DPChange">Display Picture Change</a><br />
    <a href="prefs.php?act=ForumSig">Forum Info Change</a><br />
    <a href="prefs.php?act=ProfileSig">Profile Sig Change</a>';
}

// Sex change function
function SexChange()
{
    // $h was missing from this global list, which is what produced
    // "Call to a member function endpage() on a non-object".
    global $ir, $db, $h;
    $NewGender = ($ir['gender'] == 'Male') ? 'Female' : 'Male';
    if (isset($_POST['NewGender'])) {
        // Write the server-computed value, not the submitted hidden field, so nothing user-controlled reaches the query.
        $db->query(sprintf("UPDATE `users` SET `gender`='%s' WHERE `userid`='%d'", $NewGender, $ir['userid']));
        echo sprintf("You Are Now A %s", $NewGender);
        $h->endpage();
        exit;
    } else {
        echo '<h3 style="text-decoration: underline;">Sex Change</h3>
        <form action="prefs.php?act=SexChange" method="post">';
        echo sprintf("<input type='hidden' name='NewGender' value='%s' />", $NewGender);
        echo sprintf("You Are Currently A %s, Are You Sure You Want To Become A %s? ", $ir['gender'], $NewGender);
        echo '<input type="submit" value="Yes!" />
        </form>';
    }
}

// Password change function
function PassChange()
{
    global $ir, $db, $c;
    $Info = $db->fetch_row($db->query(sprintf("SELECT `userid`, `userpass`, `login_name` FROM `users` WHERE `userid`='%d'", $ir['userid'])));
    if (isset($_POST['OldPass'], $_POST['NewPass1'])) {
        if ($_POST['NewPass1'] == '') {
            echo 'Error! You Entered No Password ';
        } else if (md5($_POST['OldPass']) != $Info['userpass']) {
            echo 'Error! The Current Password Is Incorrect! ';
        } else {
            $db->query(sprintf("UPDATE `users` SET `userpass`='%s' WHERE `userid`='%d'", md5($_POST['NewPass1']), $ir['userid']));
            // Escape the echoed value: it is user input being reflected into the page.
            echo 'Your Password Has Been Updated! Your New Password Is: <i>' . htmlspecialchars($_POST['NewPass1']) . '</i> Keep This Password Safe And Don\'t Tell Anyone It. <br /><a href="index.php">Home</a>';
        }
    } else {
        echo '<h3 style="text-decoration: underline;">Password Change</h3>
        <form action="prefs.php?act=PassChange" method="post">
        Current Password: <input type="password" name="OldPass" /><br />
        New Password: <input type="password" name="NewPass1" /><br />
        <input type="submit" value="Change Password!" />
        </form>';
    }
}

// Name change function
function NameChange()
{
    global $ir, $db;
    if (isset($_POST['NewName'])) {
        // Strip the dangerous characters before the name is used in any query, not only before the UPDATE.
        $_POST['NewName'] = trim(str_replace(array("<", ">", "'", ";"), "", $_POST['NewName']));
        $CheckLog  = $db->num_rows($db->query(sprintf("SELECT `userid`, `username` FROM `users` WHERE `login_name`='%s' AND `userid`!='%d'", $_POST['NewName'], $ir['userid'])));
        $CheckGame = $db->num_rows($db->query(sprintf("SELECT `userid`, `username` FROM `users` WHERE `username`='%s' AND `userid`!='%d'", $_POST['NewName'], $ir['userid'])));
        if ($_POST['NewName'] == '') {
            echo 'Error! You Did Not Enter A New Name ';
        } else if ($CheckLog) {
            echo 'Error! This Name Is In Use ';
        } else if ($CheckGame) {
            echo 'Error! This Name Is In Use ';
        } else if (strlen($_POST['NewName']) < 4) {
            echo 'Error! This Name Is Too Short';
        } else if (strlen($_POST['NewName']) > 15) {
            echo 'Error! This Name Is Too Long';
        } else {
            $db->query(sprintf("UPDATE `users` SET `username`='%s' WHERE `userid`='%d'", $_POST['NewName'], $ir['userid']));
            echo 'You Have Changed Your Username';
        }
    } else {
        echo '<h3>Name Change</h3>
        Please note that you still use the same name to login, this procedure simply changes the name that is displayed.
        <form action="prefs.php?act=NameChange" method="post">
        New Name: <input type="text" name="NewName" />
        <input type="submit" value="Change Name" />
        </form>';
    }
}

// Display picture change function
function DPChange()
{
    global $ir, $db;
    // The original assigned the raw query result to $Pic and then indexed it; fetch the row.
    $Pic = $db->fetch_row($db->query(sprintf("SELECT `display_pic` FROM `users` WHERE `userid`='%d'", $ir['userid'])));
    if (isset($_POST['NewPic'])) {
        if ($_POST['NewPic'] == '') {
            echo 'You Did Not Enter An Image';
        } else {
            // Require an image extension at the end of the value (the original pattern had an unescaped dot and no anchor).
            if (!preg_match('~\.(jpg|jpeg|gif|png)$~i', $_POST['NewPic'])) {
                print "You are trying to upload an invalid image";
            } else {
                $_POST['NewPic'] = str_replace(array("<", ">", "'", ";", ".php", ".html", ".js"), "", $_POST['NewPic']);
                $db->query(sprintf("UPDATE `users` SET `display_pic`='%s' WHERE `userid`='%d'", $_POST['NewPic'], $ir['userid']));
                echo 'Picture Changed';
            }
        }
    } else {
        echo '<h3>Pic Change</h3>
        Please note that this must be externally hosted, <a href="http://imageshack.us">ImageShack</a> is our recommendation.
        <form action="prefs.php?act=DPChange" method="post">';
        echo sprintf("New Pic: <input type='text' name='NewPic' value='%s' /> ", $Pic['display_pic']);
        echo '<input type="submit" value="Change Picture" />
        </form>';
    }
}

// Forum info change function
function ForumSig()
{
    global $ir, $db;
    if (isset($_POST['NewFSig'])) {
        // The form field is named NewFPic; the original read $_POST['FPic'], so the avatar was always blanked.
        $db->query(sprintf("UPDATE `users` SET `forums_avatar`='%s', `forums_signature`='%s' WHERE `userid`='%d'", NoXSS($_POST['NewFPic']), NoXSS($_POST['NewFSig']), $ir['userid']));
        echo 'Forum Info Updated';
    } else {
        echo '<h3>Forum Info Change</h3>
        Please note that the avatar must be externally hosted, <a href="http://imageshack.us">ImageShack</a> is our recommendation.
        <form action="prefs.php?act=ForumSig" method="post">';
        echo sprintf("Avatar: <input type='text' name='NewFPic' value='%s' /> ", $ir['forums_avatar']);
        echo sprintf("Signature (you may use BBcode): <textarea rows='10' cols='50' name='NewFSig'>%s</textarea> ", $ir['forums_signature']);
        echo '<input type="submit" value="Change Info" />
        </form>';
    }
}

// Profile sig change function
function ProfileSig()
{
    global $ir, $db;
    if (isset($_POST['NewPSig'])) {
        $db->query(sprintf("UPDATE `users` SET `sig`='%s' WHERE `userid`='%d'", NoXSS($_POST['NewPSig']), $ir['userid']));
        echo 'Profile Sig Updated';
    } else {
        echo '<h3>Profile Sig</h3>
        <form action="prefs.php?act=ProfileSig" method="post">';
        echo 'Signature (you may use BBcode): ';
        echo sprintf("<textarea rows='10' cols='50' name='NewPSig'>%s</textarea> ", $ir['sig']);
        echo '<input type="submit" value="Change Profile Sig" />
        </form>';
    }
}

$h->endpage();
?>
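As an added example (this is not Karlos's mod, nor McCodes code), here is the display-picture and signature handling written the way the "Auto-Admin" discussion in this thread calls for: validate the URL, bind the value with a prepared statement so it can never change the UPDATE, and escape on output rather than mangling on input. It assumes PHP with PDO and the sqlite driver; the users table and its sample row are constructed for the demo and only mimic the McCodes layout.

```php
<?php
// Added example: hardened display-pic / signature preference handling.
// Assumes PDO with the sqlite driver; the table and sample row below are
// constructed for the demo and only mimic McCodes' users table.
declare(strict_types=1);

// Accept only an absolute http(s) URL whose path ends in an image extension.
function validate_pic_url(string $url): ?string
{
    $url = trim($url);
    if ($url === '' || strlen($url) > 255) {
        return null;
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return null;
    }
    // The extension is taken from the path only, so a query string cannot disguise it.
    $ext = strtolower(pathinfo($parts['path'] ?? '', PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    return $url;
}

// Parameterised UPDATE: the bound value is data only, so it cannot append a
// second assignment (e.g. to user_level) the way a concatenated query can.
function update_display_pic(PDO $db, int $userid, string $input): bool
{
    $url = validate_pic_url($input);
    if ($url === null) {
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET display_pic = :pic WHERE userid = :id');
    return $stmt->execute([':pic' => $url, ':id' => $userid]);
}

// Signatures are free text: store them literally, escape them when rendering.
function update_sig(PDO $db, int $userid, string $sig): bool
{
    $stmt = $db->prepare('UPDATE users SET sig = :sig WHERE userid = :id');
    return $stmt->execute([':sig' => substr($sig, 0, 500), ':id' => $userid]);
}

function render_profile(array $row): string
{
    $pic = htmlspecialchars($row['display_pic'], ENT_QUOTES, 'UTF-8');
    $sig = htmlspecialchars($row['sig'], ENT_QUOTES, 'UTF-8');
    return '<img src="' . $pic . '" alt="" /><p>' . $sig . '</p>';
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, display_pic TEXT, sig TEXT, user_level INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'images/defaultpic.png', '', 1)");

$inputs = [
    'ftp://example.com/avatar.png',        // scheme other than http(s)
    'http://example.com/avatar.php',       // http(s), but the path is not an image
    'https://example.com/avatar.png?x=1',  // http(s) with a .png path plus a query string
];
foreach ($inputs as $input) {
    printf("%-40s accepted=%s\n", $input, update_display_pic($db, 1, $input) ? 'yes' : 'no');
}

// A signature containing quote characters and tags is stored as-is and
// neutralised at render time; user_level is untouched by either update.
update_sig($db, 1, "Bob's sig, with a ' quote and <b>tags</b>");
$row = $db->query('SELECT * FROM users WHERE userid = 1')->fetch(PDO::FETCH_ASSOC);
echo render_profile($row), "\n";
printf("user_level=%d\n", $row['user_level']);
```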
-
Simple Line of code to stop Session Hijacking and Auto-Admin
Joshua replied to Joshua's topic in Tips and tutorials
I have something I found on another forum that appears to work as well, but I will stick yours in and see if it does the trick also :-)
-
No, I was thinking about fetching all the Free Mods posted on Free Scripts in the McCodes section. One at a time, Securing the be-jesus out of them :)
-
Thanks for the input Bertrand. I'm working on every single file in my site; that was most helpful :) I've read tons of stuff here on the forums; my problem is I can't always see exactly what they are saying. I don't learn as fast as most; it takes a few times and perhaps some annoyance. BUT once I DO learn, I tend to learn better than others :P Once I get this down pat I'm going to work on securing every mod here on the forums and re-releasing it ><
-
Trying to learn how to secure all McCodes files in my game. Have to start somewhere, so I started with a small file. Could anyone tell me if this is secure, if I overkilled it or underkilled it, and what I might do to fix any errors? Again, just curious if there is any more I can do, as I can look at any errors or upgrades you can offer and install them in other files. Thanks.

<?php
include "globals.php";
$_GET['ID'] = abs(@intval($_GET['ID']));
$_POST['qty'] = abs(@intval($_POST['qty']));
if (!$_GET['ID'] || !$_POST['qty']) {
    print "Invalid use of file";
} else if ($_POST['qty'] <= 0) {
    print "You have been added to the delete list for trying to cheat the game.";
} else {
    // ID is already cast to an integer above, so it can go straight into the query.
    // (The original wrapped this in sprintf() with no format arguments and a missing closing bracket.)
    $q = $db->query("SELECT * FROM items WHERE itmid={$_GET['ID']}");
    if (mysql_num_rows($q) == 0) {
        print "Invalid item ID";
    } else {
        $itemd = $db->fetch_row($q);
        if ($ir['money'] < $itemd['itmbuyprice'] * $_POST['qty']) {
            print "You don't have enough money to buy this item!";
            $h->endpage();
            exit;
        }
        if ($itemd['itmbuyable'] == 0) {
            print "This item can't be bought!";
            $h->endpage();
            exit;
        }
        $price = ($itemd['itmbuyprice'] * $_POST['qty']);
        item_add($userid, $_GET['ID'], $_POST['qty']);
        $db->query("UPDATE users SET money=money-$price WHERE userid=$userid");
        $db->query("INSERT INTO itembuylogs VALUES ('', $userid, {$_GET['ID']}, $price, {$_POST['qty']}, unix_timestamp(), '{$ir['username']} bought {$_POST['qty']} {$itemd['itmname']}(s) for {$price}')");
        print "You bought {$_POST['qty']} {$itemd['itmname']}(s) for \$$price";
    }
}
$h->endpage();
?>
-
Ok, so no matter how I change this up, something doesn't work right.
Joshua replied to Joshua's topic in Game Support
oo that worked <3 danke -
I'm trying to get this 100% but it's always 99%. What I want it to do: I want it to set the user's race in the database upon registration and, depending on that race, send them to a certain city. I can get it to do one or the other but not both. If I change some things up it inserts their ID into userstats but sends them to the wrong city. If I change other things up, it sends them to the right city but won't insert them into userstats. ANY help would be appreciated.

// Cast the submitted race to an integer once and reuse it. The original compared the
// string literal 'race' to a number ('race'==1), which never matches, so none of the
// branches below could run.
$race = abs(intval($_POST['race']));
$db->query("INSERT INTO users (username, login_name, userpass, level, money, crystals, donatordays, user_level, energy, maxenergy, will, maxwill, brave, maxbrave, hp, maxhp, location, gender, signedup, email, bankmoney, lastip, lastip_signup, race)
    VALUES('{$username}', '{$username}', md5('{$_POST['password']}'), 1, $sm, 0, 0, 1, 12, 12, 100, 100, 5, 5, 100, 100, 1, '{$_POST['gender']}', unix_timestamp(), '{$_POST['email']}', -1, '$IP', '$IP', '$race')");
$i = $db->insert_id();
if ($race == 1) {
    $db->query("INSERT INTO userstats VALUES('$i', 10, 10, 50, 10, 10, 10)");
    $db->query("UPDATE users SET location=3 WHERE userid='$i'");
} elseif ($race == 2) {
    $db->query("INSERT INTO userstats VALUES('$i', 10, 50, 10, 10, 10, 10)");
    $db->query("UPDATE users SET location=1 WHERE userid='$i'");
} elseif ($race == 3) {
    $db->query("INSERT INTO userstats VALUES('$i', 50, 10, 10, 10, 10, 10)");
    $db->query("UPDATE users SET location=2 WHERE userid='$i'");
}
-
Simple Line of code to stop Session Hijacking and Auto-Admin
Joshua replied to Joshua's topic in Tips and tutorials
Aye, if you understand coding better than I do, I'd suggest MD's method. Mine basically just checks to see if .jpg, .jpeg, .gif or .png is on the end of the file extension.
-
Simple Line of code to stop Session Hijacking and Auto-Admin
Joshua replied to Joshua's topic in Tips and tutorials
Problem with yours and myself: I'm a trial and error coder right now. I insert code, see if it works; if it doesn't I mess with it some more, until it does. Yours is completely new to me and I would have to basically start the trial from scratch >< Mine works, though it's not the same as yours: if they enter something other than what I've defined it won't load it. IE, it stops them from doing the session hack. Yours is def better, but I know how to install mine :P