
Lady Gaga
Because I'll be aware of the top hackers.
-
Don't you think they should have a hacker of the month?
-
Well, glad to hear that. Whoever made this top security for people that cannot secure needs a top rating :) Let me know :D
-
I FOUND THIS ON IMMORTAL-DARKNESS FORUM, I THINK IT WILL HELP.

In this thread I will enlighten everyone to the information I've learned in my McCodes adventure, as well as a few tips and tricks on how to make your game a bit safer. Granted, there will always be more to add, but this should get you started. Enjoy.

Step 1. Securing your IP variable, to stop some older versions of Firefox using the X-Forwarded-For spoofer to auto-admin themselves on your site.

In ALL of these files: header.php, login.php, register.php, forums.php, global_func, authenticate.php

Find:

    $IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

Replace with:

    $IP = $_SERVER['REMOTE_ADDR'];
    $IP = addslashes($IP);
    $IP = mysql_real_escape_string($IP);
    $IP = strip_tags($IP);

Step 2. Basic security vs. the forums and cmarket hack.

This hack is done off a simple URL injection forming a long string of code that is basically inserting false info into your PHP script and database. The quickest way to secure this, though not "foolproof" as other hacks will eventually be written around leaky PHP code, is the following.

Open header and find:

    function userdata($ir,$lv,$fm,$cm,$dosessh=1)
    {
    global $db,$c,$userid, $set;

Beneath this should be your new IP variable. Directly under the IP variable query, add:

    $_GET['ID'] = abs(@intval($_GET['ID']));
    $_GET['reply'] = abs(@intval($_GET['reply']));

Step 3. On most McCodes games the ability to change one's user level is by calling to the table in users known as user_level. A few hundred hacks have been formed to use this, and the display pic or signature function in your viewuser.php file, to automatically make an admin admin another person. For example: if you are an admin you have a file normally called staff_special.php in your staff menu. Going here and selecting a user, you can make them admin. This hack is basically the function that you would select when making someone an admin. They insert it into their display picture instead of an actual URL link to a valid image. In turn, when an admin views the user's profile, there is some hidden work going on that the admin is unaware of, where they are actually running through the process of setting that user as an admin.

There is no quick fix for this, as there are a few ways for this to be done. If you stop them from entering staff_special.php they will try a redirect with the <meta tag> hack via the same process. Or perhaps bug report, player report, forums, player ads, just about any place that posts user info. The best option here is to create an off-site host that users must upload pictures to, and only accept links from that site for your display pic. While this is a HUGE hassle, this will stop ALL shell uploads and redirects via this option. I might suggest if you have gang pics you use that as well, as it's just as vulnerable. Another option is having them upload pictures to a secure folder on your site and making 110% sure it's not a .php/shell type upload by using a whitelist. URLs can always be redirected if not secured properly, and rather than just show one way, I'd rather explain how it works as it's not easy to stop. A pseudo quick fix that I've done, among other things, is change your user_level. Revamp your user level system, change table names, change staff file names and disable errors from displaying on your screen to give away your new tables. This brings us to step 4.

Step 4. Stop displaying critical table data any time a user makes a booboo.

In your class/class_db_mysql.php file, located in the class folder of your root directory, are several queries that convert in your main database. You will find the function in this file that looks like the following:

    function query_error()

Replace the ENTIRE query_error function (should be about 5 lines or so) with this:

    function query_error()
    {
        if(isset($_SESSION['loggedin']) && $_SESSION['userid'] == 1)
        {
            die("QUERY ERROR: ".mysql_error()." Query was {$this->last_query}");
        }
        else
        {
            echo "An error has been detected, please report this error to ID 1 stating exactly where you found it (copy the URL if possible)";
            exit;
        }
    }

This will enable your error to ONLY show to ID 1. If they are anything other than ID 1 it will simply tell them an error has been detected.

Step 5. All $_GET and $_POST variables MUST be secured to ensure proper data input.

Not cleaning data that goes into or comes out of your database can be hazardous to your site. Imagine a .php script in your game, something along the lines of:

    if($_POST['data'] = blah)
    {
        $db->query("UPDATE users SET money=money+500 WHERE userid=$userid");
    }

Imagine if someone inserted blah ' OR ("DROP TABLE users"); Now the string would look like this:

    if($_POST['data'] = blah ' OR ("DROP TABLE users"));

and there went your users table. Granted, that's not going to work as I just used it for an example, but now you get the idea of how important it is to secure your variables.

How to secure INPUT / POST variables.

    $_POST['blah']    Not secure
    $_POST['blah'] = mysql_real_escape_string(htmlentities($_POST['blah']));    Secure

You can either do the above for EACH $_POST you see, or define it in advance and use it only once. This will secure all STRINGS. For integers you would just need to do this:

    $_POST['integer'] = abs(@intval($_POST['integer']));

The abs(@intval ensures that it's a positive integer and isn't a decimal.

Step 6. Securing output.

All data that has travelled from the database and is output on your site can also be potentially harmful. Why this part is also important: wherever data that users enter, such as signature, forum data, etc., is fetched from the database and then printed on your site could be deadly. Secure it as such:

    $_GET['string']    Unsecure
    $_GET['string'] = stripslashes(htmlspecialchars($_GET['string']));    Secure

For integers you again can use:

    $_GET['integer'] = abs(@intval($_GET['integer']));

Step 7. Some debate on sprintf and its values, as it tends to lag smaller servers. However, this will trim and clean data to slow or stop RHI hacks.

Proper use of sprintf:

    ("UPDATE users SET money=money-$loss WHERE userid=$userid");

That is insecure, and can be fiddled around with. So we'd sprintf() it, and go about doing it like this:

    $sprintf = sprintf("UPDATE `users` SET `money` = `money` - %d WHERE (`userid` = $userid)", abs(@intval($loss)));
    $db->query($sprintf);

Miscellaneous info.

Here is a little function you could use to secure your GET and POST info; bear in mind you'd have to call to it, just entering this will do nothing.

    function anti_inject($campo)
    {
        foreach($campo as $key => $val)
        {
            // remove words that contain SQL syntax
            $val = preg_replace(sql_regcase("/(from|select|insert|delete|where|drop table|show tables|#|\*|--|\\\\)/"),"",$val);
            // remove empty spaces
            $val = trim($val);
            // remove HTML/PHP tags
            $val = strip_tags($val);
            // add inverted bars to a string
            $val = addslashes($val);
            // store it back into the array
            $campo[$key] = $val;
        }
        return $campo; // returns the var clean
    }
    $_GET = anti_inject($_GET);
    $_POST = anti_inject($_POST);

EVEN MORE:

    $_POST['var'] = preg_replace('/<(.+?)>/ims', '', $_POST['var']);
    $_POST['var'] = mysql_real_escape_string($_POST['var'], $connection);
    echo htmlspecialchars(stripslashes($_GET['var']));

Rename your staff files. Readjust your important tables. Hide staff files in a folder, lock it from outside users. Include a staff password protection on each staff page, only give the password to your staff.

Things I've done extra: include a database table in users called staff password. Add a password of your choice. Then in header, put a check for all users above user level 1. If they don't have the staff password in their users table, it auto-feds them. Insert hacklogs, can be found on several forums, I'll post the link later when I find it. This tells you who has tried to hack your site so you can take pre-emptive action.

Have trustworthy staff, don't just make anyone who begs for staff an admin as they can prove more harmful than helpful. Never share your cPanel info with ANYONE ever unless absolutely necessary and you know for sure you can trust this person. Do background searches on random people via the forums and see what type of post history they have.

Again, this is not all that can be done, but it is a start. I offer to do all of the above for reasonable rates if you do not feel you are capable of doing it yourself. I really hope this helps you all. Enjoy.
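The integer, output and query rules from Steps 4 to 7 above, written as reusable helpers and applied to the Step 7 money query. This is an added example, not code from the post or from McCodes; it assumes a mysqli connection named $db_link and keeps the post's `users`/`money`/`userid` names, and it goes one step past the post by binding the integers in a prepared statement instead of sprintf %d.

```php
<?php
// Added example (not from the original post or McCodes). Assumes a mysqli
// connection $db_link; table and column names follow the post.

// Step 5: integers are forced positive and whole, as abs(@intval()) does in the post.
function clean_int($value): int {
    return abs((int)$value);
}

// Step 6: anything fetched from the database and echoed is HTML-escaped first.
function h($text): string {
    return htmlspecialchars((string)$text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Step 7, one step further than sprintf %d: the integers are bound as
// parameters, so the query text never contains user-supplied data at all.
function charge_user(mysqli $db_link, $userid, $loss): bool {
    $userid = clean_int($userid);
    $loss   = clean_int($loss);   // a negative $loss can no longer credit money
    $stmt = $db_link->prepare(
        'UPDATE `users` SET `money` = `money` - ? WHERE `userid` = ?'
    );
    $stmt->bind_param('ii', $loss, $userid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Step 4: only the game owner (ID 1) sees the real query error; everyone
// else gets the generic message, so table names are never leaked.
function report_query_error(mysqli $db_link, string $sql): void {
    if (isset($_SESSION['userid']) && (int)$_SESSION['userid'] === 1) {
        die('QUERY ERROR: ' . h($db_link->error) . ' Query was ' . h($sql));
    }
    echo 'An error has been detected, please report this error to ID 1 '
       . 'stating exactly where you found it (copy the URL if possible)';
    exit;
}

// Constructed sample inputs shaped like the values the post warns about.
var_dump(clean_int("5' OR 1=1 --"));       // only the leading digits survive
var_dump(clean_int("-500"));               // sign is dropped, whole number kept
echo h("<script>alert(1)</script>"), "\n"; // rendered as text, not as a tag
```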
-
I hope this Decio... I HOPE HE GOES TO JAIL. HE MESSED MY GAME AROUND SO I QUIT CODING! JUST HELPING OUT ON MODS! I wish I knew how to hack >,<
-
Argh, so mad. He just dropped my server. I give up, guys. Bye.
-
dildo, he goes by the name Decio. He keeps hacking a lot of games; something needs to be done, it's not fair or right! Be aware of this hacker: he shuts my server down 24/7 and hacks other games. Do not trust him! Thank you.