
Redex
Everything posted by Redex
-
I just portrayed an idea to the community, it's up to you whether you use it or not ;)
-
Security tutorial ( done to the best of my ability )
Redex replied to Redex's topic in Security Tutorials
I've said from the start there may be some things wrong in the post, so please correct them. There's no need to pinpoint them like that, to make me feel ashamed in front of everyone, because I'm still in the learning process. I understand that there are things wrong with the post, so just correct them; there is no need to ask me questions saying you think this & that, just correct them! LazyT, you might not think this is the best of security tutorials, but meh, I'm not sure many people have an image of you other than as a hacker who just likes to humiliate people. Once again, just keep your heads cool and correct the mistakes, and hopefully all of us can re-join the community in a happy-mannered way ;). This is all I have to say, and please do not state your opinion on whether you agree or disagree with me on this statement; I just wanted to help the people out there who were requesting security tutorials, and many people were rejecting them ( I'm not saying those people were wrong, they were right in their own ways ) -
Security tutorial ( done to the best of my ability )
Redex replied to Redex's topic in Security Tutorials
I don't quite understand what you mean? -
Welcome back Shedh, although I don't know you :P
-
Chance rate - One idea that just popped into my head today, since on some games people are level 700+ / 800+, like on a game I used to play ages ago. One wise feature you could add to this modification is a chance feature. The way this works is when you have enough experience to upgrade to the next level, there is a button saying 'test your luck', and then you click it. The outcome would be something like Positive: 'Congratulations, this time luck was on your side, and your account has been upgraded to the next level', whilst Negative could be something like: 'You tried your luck, however you were unable to upgrade to the next level. Work harder, and come back next time.' In my opinion, this would increase the excitement of the game and would increase communication on your website, because users will be messaging one another saying: 'I managed to successfully upgrade my level and now I am a higher level than so & so' or 'I tried it but this time I failed, well I'm going to try again when I get enough experience and I'm going to beat you'. This is just something which could be done in order to advance game play a little. Best Regards: Redex. Bludcart, I believe you could code this and add this to the modification you're selling, and this could improve the chances of you selling this modification.
-
Security thread, done to the best of my ability

$_GET = an output because it's getting something from the database.
$_POST = input because it's inputting something into the database.

Securing numbers

abs()
abs() - This determines that the number you post is an absolute value.
$_GET['number'] = abs($_GET['number']);
An output because it's $_GET, & abs makes sure it's an absolute number.
McCodes example
$_GET['ID'] = abs($_GET['ID']); - this is an output because it's $_GET, & abs is making sure the number is an absolute value
$_POST['ID'] = abs($_POST['ID']); - this is an input because it's $_POST

intval()
intval() - makes sure the number is not a decimal, and is a whole number.
$_GET['number'] = intval($_GET['number']); - This is an output because it's $_GET, & intval makes sure the number is not a decimal
McCodes example
echo intval(4.2); // 4
$_POST['money'] = intval($_POST['money']);

Now, if we want a number which is not a decimal and is an absolute value, you have to combine the two options we have above together.
Example
$_POST['number'] = abs(intval($_POST['number']));
McCodes example
$_POST['money'] = abs(intval($_POST['money']));

floatval()
floatval() makes sure it's a floating integer ( any number ).
$_GET['number'] = floatval($_GET['number']);
McCodes example
$_POST['money'] = floatval($_POST['money']);
$_GET['money'] = floatval($_GET['money']);
Combine with abs to make the number more secure:
$_POST['money'] = abs(floatval($_POST['money']));
$_GET['money'] = abs(floatval($_GET['money']));

mysql_real_escape_string
mysql_real_escape_string - escapes special characters in a string.
$_POST['string'] = mysql_real_escape_string($_POST['string']);
Only use mysql_real_escape_string on inputs ( $_POST ).
McCodes example
$_POST['user'] = mysql_real_escape_string($_POST['user']);

Stripslashes
stripslashes - strips slashes.
Example:
<?php
$example = "Hello blah what\'s up ?";
echo stripslashes($example);
Output would be: Hello blah what's up ?

htmlspecialchars
htmlspecialchars - converts special characters to HTML entities.
Example:
$link = htmlspecialchars("<a href='test.php'> Test </a>");

Htmlentities
htmlentities - converts all applicable characters to HTML entities.
<?php
$str = "A 'quote' is bold";
echo htmlentities($str);

IP hack, how to secure?
Find this code
$IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];
in login, register, header and authenticate.php, and replace it with
$IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

How to secure cmarket.php?
Add this directly under <?php
$_GET['ID'] = abs(@intval($_GET['ID']));

Note: The last two only prevent the IP hack and the cmarket hack, they do not secure the whole file.

That's the end of my tutorial. If there is anything wrong, can the experienced coders please correct it. Thanks, but at least I attempted a tutorial ;)
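As an added example that is not part of Redex's tutorial or of McCodes, the script below shows the functions covered above used together in one request handler. It assumes a PDO connection (placeholder DSN and credentials) and a `users` table with `userid`, `username` and `money` columns; `request_uint()`, `request_ufloat()`, `request_string()`, `h()` and `lookup_user()` are names chosen for this example. The numeric helpers combine abs() with intval() or floatval() as the tutorial does, a bound parameter takes the place of mysql_real_escape_string() in the query, and htmlspecialchars() is applied once, at the point the value is printed.

```php
<?php
// Added example: typed handling of $_GET / $_POST values (not McCodes code).
// Assumptions (placeholders): PDO connection below, table `users`(userid, username, money).
$db = new PDO('mysql:host=localhost;dbname=game', 'user', 'pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Read a whole, non-negative number from a request array; $default when the key is missing.
function request_uint(array $src, string $key, int $default = 0): int
{
    if (!isset($src[$key]) || !is_scalar($src[$key])) {
        return $default;
    }
    return abs(intval($src[$key]));   // intval() drops decimals, abs() drops the sign
}

// Same shape for values that may carry decimals (prices, ratios), using floatval().
function request_ufloat(array $src, string $key, float $default = 0.0): float
{
    if (!isset($src[$key]) || !is_scalar($src[$key])) {
        return $default;
    }
    return abs(floatval($src[$key]));
}

// Read a string: drop control characters and cap the length before anything else sees it.
function request_string(array $src, string $key, int $maxlen = 255): string
{
    $value = isset($src[$key]) && is_string($src[$key]) ? $src[$key] : '';
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr(trim($value), 0, $maxlen);
}

// Encode for HTML at output time. ENT_QUOTES also turns ' into &#039;, so the result is safe
// inside single-quoted attributes, which htmlspecialchars() without flags does not cover.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function lookup_user(PDO $db, int $userid): ?array
{
    // The bound parameter never becomes part of the SQL text, so no escaping step is needed.
    $stmt = $db->prepare('SELECT userid, username, money FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Example request (constructed): profile.php?ID=42&note=hi+there
$id   = request_uint($_GET, 'ID');
$note = request_string($_GET, 'note', 100);
if ($id === 0) {
    echo 'Invalid User ID';
} elseif (($user = lookup_user($db, $id)) === null) {
    echo 'No such user';
} else {
    // Username and note are untrusted, so they are encoded here, not when they were stored.
    echo '<p>' . h($user['username']) . ' has $' . number_format((float) $user['money']) . '</p>';
    echo '<p>Note: ' . h($note) . '</p>';
}
```

The split matters in practice: a value escaped for MySQL with mysql_real_escape_string() is not safe to print in HTML, and a value encoded with htmlentities() is not safe to concatenate into a query, so each sink gets its own step and the stored copy stays raw.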
-
Zero Affect, so polite and sweet :P
-
Thanks for that, Paddytm.
-
Seanybob, is that meant to secure the game to a more advanced level?
-
I've been having lots of problems with Windows ( operating system ) lately, so therefore after thinking lots about it I decided to move to Linux ( Ubuntu ) after being recommended by a friend. The CD will be arriving by post in 2 weeks' time maximum, as I have ordered today. The reason why I have kept this post is I'm wanting to know from you people how to set up a wireless connection to a Netgear router from the Linux ( Ubuntu ) operating system. I would also like to know some of the things which are a must to download when using that specific version of the Linux operating system, and what are the positives of moving, if there are any? The problem I am having with Windows, if any of you are wondering, is that it is too slow, and I know there are many fixes to this, and also, when I open my laptop and enter the password for the user it goes onto a black screen for some time before loading explorer.exe. Please feel free to give me any other information regarding Linux ( Ubuntu ). Thanks. Best regards: Redex.
-
Looking good, keep up the good work ;)
-
Sothink SWF Quicker v4.7
Redex replied to mdshare's topic in Programming Tools, Software and much more
Looks like a good product, but then again never judge a book by its cover ;) -
Sudo Update And All that I know--Regarding Issue with McFarlin
Redex replied to Joshua's topic in General Discussion
Eternal, after logging into your website there are not many boards ;) -
It's OK, as i said all feedback is welcome. How about you helping me, Zero affect?
-
Thanks for that. I'm not a person who wants to cause an argument, so I'll do what you said ;) Done - [OPINION] added.
-
Hello again, fellow members of the Makewebgame community. Today I bring to you a secured sendcash.php, with the ability to send messages added as well ;)

<?php
include_once(DIRNAME(__FILE__).'/globals.php');

// sanitise the recipient ID once, up front, so every later use (query, link, output) gets a clean integer
$_GET['ID'] = isset($_GET['ID']) ? abs(intval($_GET['ID'])) : 0;

if(!$_GET['ID'])
{
    echo 'Invalid User ID';
}
else if($_GET['ID'] == $_SESSION['userid'])
{
    echo 'Haha, what does sending money to yourself do anyway?';
}
else if(isset($_POST['money']))
{
    // whole, positive amount only; compare against the balance after sanitising, not before
    $_POST['money'] = abs(intval($_POST['money']));
    $_POST['Message'] = isset($_POST['Message']) ? stripslashes($_POST['Message']) : '';
    // the message is printed on screen and stored by event_add(), so encode it for HTML and escape the encoded copy for SQL
    $msg_html = htmlentities($_POST['Message']);
    $msg_db   = mysql_real_escape_string($msg_html);
    // make sure the recipient exists before any money moves
    $it = $db->query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid=".$_GET['ID']);
    $er = $db->fetch_row($it);
    if($_POST['money'] < 1 || $_POST['money'] > $ir['money'])
    {
        echo 'Die j00 abuser.';
    }
    else if(!$er)
    {
        echo 'Invalid User ID';
    }
    else
    {
        $db->query("UPDATE `users` SET `money` = `money` - ".$_POST['money']." WHERE (`userid` = $userid)");
        $db->query("UPDATE `users` SET `money` = `money` + ".$_POST['money']." WHERE (`userid` = ".$_GET['ID'].")");
        echo 'You sent $'.number_format($_POST['money']).' to ID '.$_GET['ID'].' with the message: '.$msg_html;
        event_add($_GET['ID'], "You received $".number_format($_POST['money'])." from ".htmlentities(stripslashes($ir['username']))." with the message: ".$msg_db);
        $db->query("INSERT INTO `cashxferlogs` VALUES ('', $userid, ".$_GET['ID'].", ".$_POST['money'].", unix_timestamp(), '".$ir['lastip']."', '".$er['lastip']."')");
    }
}
else
{
    echo '<h3>Sending Money</h3>
    You are sending money to ID: <b>'.$_GET['ID'].'</b>. You have <b>$'.number_format($ir['money']).'</b> you can send.
    <form action="sendcash.php?ID='.$_GET['ID'].'" method="post">
    <p>Amnt: <input type="text" name="money" /></p>
    <p>Message: <input type="text" name="Message" /></p>
    <p><input type="submit" value="Send" /></p>
    </form>';
    echo '<h3>Latest 5 Transfers</h3>
    <table width="90%" border="2" cellspacing="1">
    <tr>
    <th width="35%">Time</th>
    <th width="15%">User From</th>
    <th width="15%">User To</th>
    <th width="35%">Amount</th>
    </tr>';
    $q = $db->query("SELECT cx.*,u1.username as sender, u2.username as sent FROM cashxferlogs cx LEFT JOIN users u1 ON cx.cxFROM=u1.userid LEFT JOIN users u2 ON cx.cxTO=u2.userid WHERE cx.cxFROM=$userid ORDER BY cx.cxTIME DESC LIMIT 5");
    while($r = $db->fetch_row($q))
    {
        // flag transfers where sender and recipient share an IP
        if($r['cxFROMIP'] == $r['cxTOIP'])
        {
            $m = "<span style='color:red;font-weight:800'>MULTI</span>";
        }
        else
        {
            $m = "";
        }
        echo '<tr>
        <td>'.date("F j, Y, g:i:s a", $r['cxTIME']).'</td>
        <td>'.htmlentities(stripslashes($r['sender'])).' ['.$r['cxFROM'].'] '.$m.'</td>
        <td>'.htmlentities(stripslashes($r['sent'])).' ['.$r['cxTO'].']</td>
        <td>$'.number_format($r['cxAMOUNT']).'</td>
        </tr>';
    }
    echo '</table>';
}
$h->endpage();
?>

Enjoy :P
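The posted sendcash.php runs the debit and the credit as two separate statements with the balance checked beforehand in PHP, which leaves a window between check and update. The following is an added example, not Redex's file and not McCodes code, of the same transfer done inside one database transaction with row locks, so an oversized amount, a missing recipient, or two simultaneous requests cannot leave either balance wrong. It assumes a PDO connection (placeholder DSN and credentials), InnoDB tables `users`(userid, money) and `cashxferlogs`(cxFROM, cxTO, cxAMOUNT, cxTIME), and `$_SESSION['userid']` for the sender; `transfer_cash()` is a name chosen here.

```php
<?php
// Added example (not McCodes code): atomic money transfer.
// Assumptions (placeholders): PDO connection below, InnoDB tables users(userid, money)
// and cashxferlogs(cxFROM, cxTO, cxAMOUNT, cxTIME), session holding the sender's id.
$db = new PDO('mysql:host=localhost;dbname=game', 'user', 'pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// Returns [ok, message]. Nothing is written unless every check passes inside the transaction.
function transfer_cash(PDO $db, int $from, int $to, int $amount, string $message): array
{
    if ($amount < 1) {
        return [false, 'Amount must be a whole number of at least 1'];
    }
    if ($from === $to) {
        return [false, 'You cannot send money to yourself'];
    }

    $db->beginTransaction();
    try {
        // Lock both rows in a fixed order (lowest id first) so two crossing transfers cannot deadlock.
        $lock = $db->prepare('SELECT userid, money FROM users WHERE userid IN (:a, :b) ORDER BY userid FOR UPDATE');
        $lock->execute([':a' => min($from, $to), ':b' => max($from, $to)]);
        $rows = [];
        foreach ($lock->fetchAll(PDO::FETCH_ASSOC) as $r) {
            $rows[(int) $r['userid']] = (int) $r['money'];
        }
        if (!isset($rows[$to])) {
            $db->rollBack();
            return [false, 'Invalid User ID'];
        }
        if (!isset($rows[$from]) || $rows[$from] < $amount) {
            $db->rollBack();
            return [false, 'You do not have that much money'];
        }

        // The balance guard is repeated in the UPDATE itself; rowCount() reports whether it held.
        // Two distinct placeholders are used because native MySQL prepares reject a reused name.
        $debit = $db->prepare('UPDATE users SET money = money - :amt WHERE userid = :id AND money >= :amt2');
        $debit->execute([':amt' => $amount, ':id' => $from, ':amt2' => $amount]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();
            return [false, 'You do not have that much money'];
        }
        $credit = $db->prepare('UPDATE users SET money = money + :amt WHERE userid = :id');
        $credit->execute([':amt' => $amount, ':id' => $to]);

        $log = $db->prepare('INSERT INTO cashxferlogs (cxFROM, cxTO, cxAMOUNT, cxTIME) VALUES (:f, :t, :a, :ts)');
        $log->execute([':f' => $from, ':t' => $to, ':a' => $amount, ':ts' => time()]);

        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();
        return [false, 'Transfer failed'];
    }
    // The message is only echoed back here, so it is HTML-encoded at this output point.
    return [true, 'Sent $' . number_format($amount) . ' to ID ' . $to . ' with the message: '
                  . htmlspecialchars($message, ENT_QUOTES, 'UTF-8')];
}

// Usage with the same request shape as sendcash.php (values sanitised as in the tutorial above).
$to     = isset($_GET['ID'])       ? abs(intval($_GET['ID']))     : 0;
$amount = isset($_POST['money'])   ? abs(intval($_POST['money'])) : 0;
$msg    = isset($_POST['Message']) ? substr($_POST['Message'], 0, 255) : '';
list($ok, $text) = transfer_cash($db, (int) $_SESSION['userid'], $to, $amount, $msg);
echo $text;
```

The `money >= :amt2` condition in the debit is the part that holds even without the explicit SELECT: if anything else changed the balance between the read and the write, the UPDATE touches no row, rowCount() is 0, and the transaction is rolled back instead of leaving the sender negative.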
-
I have a slight issue with your idea of most gym visits, because to get on the hall of fame people could keep clicking gym, then going on another page and clicking gym again, so therefore the statistics at the end will be misleading. This is just my point of view, feel free to disagree :P
-
Chris, this is my first time securing preferences, but to note, it is also only my 2nd attempt at securing anything ;). Thanks for the positive feedback though, it's highly appreciated.
-
Sudo Update And All that I know--Regarding Issue with McFarlin
Redex replied to Joshua's topic in General Discussion
Mcfarlin, I think many people will agree with me that you're a good human being. The community of Makewebgames has not / and will never try to discourage someone from running a game. We are all here to help, whether someone has limited knowledge or maximum knowledge of languages such as PHP/MySQL; with everyone's input and knowledge you and many other people will be able to take their site to the level they're happy with. There are many people on here who aim to help people as much as they can, because it's the good feeling that's preventing them from going back from the right path. I'm sure many people would agree with me here that most of the time, when a member of this forum needs help and he posts his problem here, generally it is solved. I know I'm not an experienced coder, nor am I that good with security, but it's motivation from other people that keeps you going, and the feeling that hopefully if your work does not help one person then it may help another. I attempted to secure 2 files yesterday; they might not be the best, but who knows, it could have helped some of the people out there who were looking for a bit more security on their bank file or preferences file. I'm just trying to make a point here: never give up and always try your best at everything. I for one can say, if you ever need my help in anything, and I have the capabilities to do it, I will spend all my time and effort on ensuring that you get what you want, and it is achieved to the best of my ability. I would also like to inform the members of Makewebgames, not only Mcfarlin but anyone else who needs my help, that I am always willing to play my part where necessary. I know my skills and knowledge are limited, but I'm sure everyone would agree I'm going through the learning process, and I am progressing at an acceptable rate.
Consequently, this is a message I would like to portray to everyone: never give up and always take negative criticism as motivation, as that will help you in the long run, and at the end you will go back to the person who gave you that criticism and say thank you, because without them motivating you, and providing you with that last energy needed to complete your task, you would not be where you are now. I hope this helps many people, and Mcfarlin, I'm always there for you buddy. Best Regards: Redex -
Sudo Update And All that I know--Regarding Issue with McFarlin
Redex replied to Joshua's topic in General Discussion
Immortal, it's unlikely, but you're not on Messenger? Sorry for spamming your topic! -
Thanks for all the replies. As I have mentioned in the past, all feedback is welcome whether it is negative or positive, since I'm still in the learning process, and it's through mistakes that you learn ;)
-
Copy and paste this exact code; it works fine for me and for someone else testing it, you might have edited it. I'm sorry for not being able to help :(
-
Works fine for me?
-
I'll see to it, and post a fix ;)
-
Hello fellow Makewebgames community. Today I have been advancing my security skills, so since many people get hacked because of an insecure preferences file, I secured it.

<?php
// this has been secured by Redex
include_once(DIRNAME(__FILE__).'/globals.php');

$_GET['action'] = isset($_GET['action']) && is_string($_GET['action']) ? strtolower(trim($_GET['action'])) : "";
switch($_GET['action'])
{
    case 'sexchange2':   do_sex_change();   break;
    case 'sexchange':    conf_sex_change(); break;
    case 'passchange2':  do_pass_change();  break;
    case 'passchange':   pass_change();     break;
    case 'namechange2':  do_name_change();  break;
    case 'namechange':   name_change();     break;
    case 'picchange2':   do_pic_change();   break;
    case 'picchange':    pic_change();      break;
    case 'forumchange2': do_forum_change(); break;
    case 'forumchange':  forum_change();    break;
    default:             prefs_home();      break;
}

function prefs_home()
{
    global $db,$ir,$c,$userid,$h;
    print "<h3>Preferences</h3>
    <a href='preferences.php?action=sexchange'>Sex Change</a>
    <a href='preferences.php?action=passchange'>Password Change</a>
    <a href='preferences.php?action=namechange'>Name Change</a>
    <a href='preferences.php?action=picchange'>Display Pic Change</a>
    <a href='preferences.php?action=forumchange'>Forum Info Change</a>";
}

function conf_sex_change()
{
    global $ir,$c,$userid,$h;
    $g = ($ir['gender'] == "Male") ? "Female" : "Male";
    print "Are you sure you want to become a $g? <a href='preferences.php?action=sexchange2'>Yes</a> | <a href='preferences.php'>No</a>";
}

function do_sex_change()
{
    global $db,$ir,$c,$userid,$h;
    $g = ($ir['gender'] == "Male") ? "Female" : "Male";
    $db->query("UPDATE `users` SET `gender` = '".$g."' WHERE (`userid` = $userid)");
    print "Success, you are now $g! <a href='preferences.php'>Back</a>";
}

function pass_change()
{
    global $ir,$c,$userid,$h;
    print "<h3>Password Change</h3>
    <form action='preferences.php?action=passchange2' method='post'>
    Current Password: <input type='password' name='oldpw' />
    New Password: <input type='password' name='newpw' />
    Confirm: <input type='password' name='newpw2' />
    <input type='submit' value='Change PW' />
    </form>";
}

function do_pass_change()
{
    global $db,$ir,$c,$userid,$h;
    // the fields may be missing entirely, so read them with a default rather than trusting $_POST
    $oldpw  = isset($_POST['oldpw'])  ? $_POST['oldpw']  : '';
    $newpw  = isset($_POST['newpw'])  ? $_POST['newpw']  : '';
    $newpw2 = isset($_POST['newpw2']) ? $_POST['newpw2'] : '';
    if(hash("sha512", $oldpw) !== $ir['userpass'])
    {
        echo 'The current password you entered was wrong. <a href="preferences.php?action=passchange">> Back</a>';
    }
    else if($newpw === '' || $newpw !== $newpw2)
    {
        echo 'The new passwords you entered did not match! <a href="preferences.php?action=passchange">> Back</a>';
    }
    else
    {
        // the hash is a string, so it has to be quoted in the query
        $db->query("UPDATE `users` SET `userpass` = '".hash("sha512", $newpw)."' WHERE (`userid` = $userid)");
        echo 'Password changed!';
    }
}

function name_change()
{
    global $ir,$c,$userid,$h;
    print "<h3>Name Change</h3>
    Please note that you still use the same name to login, this procedure simply changes the name that is displayed.
    <form action='preferences.php?action=namechange2' method='post'>
    New Name: <input type='text' name='newname' />
    <input type='submit' value='Change Name' />
    </form>";
}

function do_name_change()
{
    global $db,$ir,$c,$userid,$h;
    $_POST['newname'] = isset($_POST['newname']) ? mysql_real_escape_string(strip_tags($_POST['newname'])) : '';
    if(empty($_POST['newname']))
    {
        echo 'You didn\'t enter a new name <a href=\'preferences.php?action=namechange\'>Back</a>';
    }
    else
    {
        // angle brackets and the (already escaped) quote become HTML entities, so the stored name prints safely
        $_POST['newname'] = str_replace(array("<", ">", "\\'"), array("&lt;", "&gt;", "&#39;"), $_POST['newname']);
        $db->query("UPDATE `users` SET `username` = '".$_POST['newname']."' WHERE (`userid` = $userid)");
        print "Username changed!";
    }
}

function pic_change()
{
    global $ir,$c,$userid,$h;
    print "<h3>Pic Change</h3>
    Please note that this must be externally hosted, <a href='http://imageshack.us'>ImageShack</a> is our recommendation.
    Any images that are not 150x150 will be automatically resized
    <form action='preferences.php?action=picchange2' method='post'>
    New Pic: <input type='text' name='newpic' value='".htmlspecialchars(stripslashes($ir['display_pic']))."' />
    <input type='submit' value='Change Pic' />
    </form>";
}

function do_pic_change()
{
    global $db,$ir,$c,$userid,$h;
    $_POST['newpic'] = isset($_POST['newpic']) ? mysql_real_escape_string(strip_tags($_POST['newpic'])) : '';
    if(empty($_POST['newpic']))
    {
        echo 'You didn\'t enter a new picture <a href=\'preferences.php?action=picchange\'>Back</a>';
    }
    else
    {
        $_POST['newpic'] = str_replace('\\\'', '&#39;', $_POST['newpic']);
        $db->query("UPDATE `users` SET `display_pic` = '".$_POST['newpic']."' WHERE (`userid` = $userid)");
        print "Pic changed!";
    }
}

function forum_change()
{
    global $ir,$c,$userid,$h;
    print "<h3>Forum Info Change</h3>
    Please note that the avatar must be externally hosted, <a href='http://imageshack.us'>ImageShack</a> is our recommendation.
    Any avatars that are not 100x100 will be automatically resized
    <form action='preferences.php?action=forumchange2' method='post'>
    Avatar: <input type='text' name='forums_avatar' value='".htmlspecialchars(stripslashes($ir['forums_avatar']))."' />
    Signature (you may use BBcode): <textarea rows='10' cols='50' name='forums_signature'>".htmlspecialchars(stripslashes($ir['forums_signature']))."</textarea>
    <input type='submit' value='Change Info' />
    </form>";
}

function do_forum_change()
{
    global $db,$ir,$c,$userid,$h;
    $_POST['forums_avatar'] = isset($_POST['forums_avatar']) ? mysql_real_escape_string(strip_tags($_POST['forums_avatar'])) : '';
    $_POST['forums_avatar'] = str_replace(array("<", ">"), array("&lt;", "&gt;"), $_POST['forums_avatar']);
    // the signature goes into the same query, so it needs escaping too
    $_POST['forums_signature'] = isset($_POST['forums_signature']) ? mysql_real_escape_string($_POST['forums_signature']) : '';
    $db->query("UPDATE `users` SET `forums_avatar` = '".$_POST['forums_avatar']."', `forums_signature` = '".$_POST['forums_signature']."' WHERE (`userid` = $userid)");
    print "Forum Info changed!";
}

$h->endpage();
?>

Thanks, I hope to be getting positive comments ;)
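The password change above compares a bare sha512 digest of the submitted password with the stored one using a plain string comparison. As an added example, not Redex's preferences.php and not McCodes code, the handler below does the same job with password_hash() and password_verify(), which add a per-user salt, a slow hash and a constant-time comparison, and it still accepts the old sha512 rows so existing accounts keep working. It assumes a PDO connection (placeholder DSN and credentials), a `users` table with `userid` and `userpass`, and `$_SESSION['userid']` for the logged-in user; the legacy format (a 128-character hex digest) is taken from the hash("sha512", ...) calls in the posted code, and `password_matches()` and `change_password()` are names chosen here.

```php
<?php
// Added example (not McCodes code): password change with password_hash()/password_verify().
// Assumptions (placeholders): PDO connection below, table users(userid, userpass) where
// userpass holds either a password_hash() string or a legacy sha512 hex digest, session with userid.
$db = new PDO('mysql:host=localhost;dbname=game', 'user', 'pass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

const MIN_PASSWORD_LENGTH = 8;

// True when $password matches $stored, whichever of the two formats the row holds.
function password_matches(string $password, string $stored): bool
{
    if (strlen($stored) === 128 && ctype_xdigit($stored)) {
        // Legacy row: compare digests with hash_equals() so the check runs in constant time.
        return hash_equals($stored, hash('sha512', $password));
    }
    return password_verify($password, $stored);
}

// Changes the password and returns [ok, message]. The current password is checked against the
// database row rather than a cached copy, and the new value is stored with password_hash().
function change_password(PDO $db, int $userid, string $old, string $new, string $confirm): array
{
    if ($new === '' || $new !== $confirm) {
        return [false, 'The new passwords you entered did not match!'];
    }
    if (strlen($new) < MIN_PASSWORD_LENGTH) {
        return [false, 'The new password must be at least ' . MIN_PASSWORD_LENGTH . ' characters.'];
    }
    $stmt = $db->prepare('SELECT userpass FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_matches($old, (string) $stored)) {
        return [false, 'The current password you entered was wrong.'];
    }
    // PASSWORD_DEFAULT selects a salted, slow hash (bcrypt today) and records its parameters in the string,
    // so a later cost increase is picked up by password_needs_rehash() without a schema change.
    $update = $db->prepare('UPDATE users SET userpass = :hash WHERE userid = :id');
    $update->execute([':hash' => password_hash($new, PASSWORD_DEFAULT), ':id' => $userid]);
    return [true, 'Password changed!'];
}

// Usage with the same form field names as the posted preferences.php (oldpw, newpw, newpw2).
$field = function (string $name): string {
    return isset($_POST[$name]) && is_string($_POST[$name]) ? $_POST[$name] : '';
};
list($ok, $text) = change_password($db, (int) $_SESSION['userid'],
                                   $field('oldpw'), $field('newpw'), $field('newpw2'));
echo htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
```

The same `password_matches()` can be called from the login check; when it succeeds against a legacy 128-character row, rewriting that row with password_hash() at that moment migrates each account on its next login without resetting anyone's password.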