
BeastTheKidd
Everything posted by BeastTheKidd
-
So, I know that sprintf formats the values for variables, and makes it easier to read in my opinion. However, would I be correct to assume that if someone wanted to change a certain sentence, but still have all the variables update, it would work? Example:

<?php
$string = "Welcome Back, %s!";
//Add value for %s
$var1 = sprintf($string,"John");
$var2 = sprintf($string,"Stan");
?>

Thanks, - Dillion
-
I'd just like to ask a quick question, if it's not too much to ask. Would array_change_key_case on the GET array for a certain script be sufficient, or is it better to use strtolower? Thanks, - Dillion
-
I'm currently in the market searching for a "brand new" attacking system. Here's what I'm looking for:
Weapon Uses - Each weapon has a limited number of uses, and once the uses are up, the gun "breaks". I do NOT want a repair system, just specifying. To note on my above item, I want it so that if I set the uses to 0, the item has unlimited uses, thus unbreakable.
Better fighting - I want the regular attack system look and feel, with the links for attacking, etc. However, I want a secure attacking system, as well as a different fighting formula, so that stats such as Guard are multiplied equally as Strength, and Agility means more hits, etc.
Secure - As noted above, it needs to be secure. I will not buy an unsecure hunk of junk.
Looking to get this for about $20.
-
I need some help on the topic of security. What are the best methods to secure scripts, whether it be built from the ground up or edited? I'm hoping that some of you can provide some information on this topic, as I'm sure it would be useful to me, and many new coders out there that got sucked into the black hole that is mccodes :) Thanks, -Dillion

Also, I've provided a minor example of what I know best, so please feel free to comment on things I could work on, things that are good, etc. ( And I understand constructive criticism, but don't be a jerkoff about it. ) http://pastebin.com/qP1WAG64

The main idea here is that when someone tries to login, it first checks the database for the username input. If the database contains that username ( since there will be no duplicate usernames, due to the fact that I have my usernames and display names separated ), check the password. The password is the password the user chose at registration, combined with a random salt ( generated at registration ), and then hashed with sha1. This ( if I'm correctly assuming and applying the method correctly ) will ensure that even if 2 users have the same password, and someone ( aka low life ) were to rainbow table a certain password hash, then they would find only 1 user's information, rather than everyone with the same password. It does require an extra query, but I believe it's worth it.

Also, something that I saw in (dreaded) McCodes is that they were selecting EVERYTHING in their users table, just in their globals. Now, why would you need all this information? Wouldn't it be better if say, in my file that I include in all pages, I selected the member id and any other NEEDED info at the time? In the globals I would select anything, such as the member's id, display name, currency values, etc. but why select the username?

The username should only be touched in 3 scenarios:
Scenario #1: When the user registers an account, the username should be inserted into the database, never to be touched again, unless for #2 and #3.
Scenario #2: Login. When you're authenticating the user, obviously you need to check.
Scenario #3: Re-auth. When you have important information and you want the user to re-authenticate for security purposes.

In this, I do not see any reason why I would need the login name in a forum... That's 1. Overkill on the db, and 2. A security risk. Of course, if all the variables were properly sanitized, this wouldn't be much of an issue as far as SQL injection goes, so I refer to #1, and the fact that it is plain and simple useless to select more than you need. If I'm incorrect please tell me, but I believe I'm correct in saying that... and to add, say I wanted to see what house a user has. Well, why kill the db with extra info, when I could just select the house in a query when it's needed?
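The flow the post describes (look up the username, recompute sha1(salt . password) with that user's salt, and load only the columns each page needs), as an added example written for this page. It is not the poster's pastebin code and not McCodes code; the table and column names (users, userid, username, display_name, salt, passhash) are assumptions, and it runs against an in-memory SQLite database so it works offline.

```php
<?php
// Added example, not the poster's code: registration and login with a
// per-user random salt and sha1, against an in-memory SQLite database.
// Table/column names are assumptions, not taken from any McCodes schema.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    userid INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT UNIQUE NOT NULL,
    display_name TEXT NOT NULL,
    salt TEXT NOT NULL,
    passhash TEXT NOT NULL
)');

// Per-user random salt, generated once at registration.
function makeSalt(): string
{
    return bin2hex(random_bytes(16));
}

// sha1(salt . password), as the post describes: two users with the same
// password end up with different hashes because their salts differ.
function saltedHash(string $salt, string $password): string
{
    return sha1($salt . $password);
}

function registerUser(PDO $db, string $username, string $display, string $password): int
{
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO users (username, display_name, salt, passhash)
                          VALUES (:u, :d, :s, :h)');
    $stmt->execute([
        ':u' => $username,
        ':d' => $display,
        ':s' => $salt,
        ':h' => saltedHash($salt, $password),
    ]);
    return (int) $db->lastInsertId();
}

// Login: fetch only the columns the check needs, recompute the hash with
// that user's salt, compare in constant time. Returns userid or null.
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT userid, salt, passhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown username
    }
    $actual = saltedHash($row['salt'], $password);
    return hash_equals($row['passhash'], $actual) ? (int) $row['userid'] : null;
}

// The "globals" query the post argues for: only what every page needs,
// and never the login name.
function loadSessionUser(PDO $db, int $userid): ?array
{
    $stmt = $db->prepare('SELECT userid, display_name FROM users WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: two users with the same password.
$john = registerUser($db, 'john', 'John', 'hunter2');
$stan = registerUser($db, 'stan', 'Stan', 'hunter2');

var_dump(login($db, 'john', 'hunter2') === $john);
var_dump(login($db, 'john', 'wrong') === null);
var_dump(login($db, 'nobody', 'hunter2') === null);

// Same password, different stored hashes because the salts differ.
$hashes = $db->query('SELECT passhash FROM users')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
print_r(loadSessionUser($db, $stan));
```

Two points worth keeping from this: the username is bound as a prepared-statement parameter rather than concatenated into the query, and the comparison uses hash_equals() so a mismatch takes the same time wherever it occurs. PHP's password_hash()/password_verify() do the same salt-and-compare job with a deliberately slow hash and are the drop-in replacement for the sha1 step.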
-
TEST: McCodes Crystal Market/Item market
BeastTheKidd replied to BeastTheKidd's topic in Modification Support
I suppose. Did you try out the script?
-
Oh and if you make a weapon unbreakable system, that will sell as it is easy, but not for the average coder.
-
Here's an idea for anyone: Make a completely customizable menu... this of course is for noobs who want a new menu, but it's an idea I've had and don't feel like doing it:
* Sortable Links ( drag and drop in different locations, re-order links )
* Add Links
* Edit Links ( with conditioning if needed, such as a function that parses a string as a condition for an if statement in the code )
* Remove Links with ease
* Universal link system ( say you change your link structure from dynamic to a static url with Apache, you can change the way the links take this in )
* Token url system ( So say you want tokens on certain urls you can just check a box and it will do that for you )
* Link groups ( So that you can have multiple link groups )
It's more of a layout change than anything.. just so they have no need to touch the mainmenu and mess it up, plus very cool.
-
TEST: McCodes Crystal Market/Item market
BeastTheKidd replied to BeastTheKidd's topic in Modification Support
Disregard the price cap error in the global, just put it together.. The box on here did that, it's not in the original code.. just check the code for any spaces in the variables.. ridiculous that you have to do this but it's not my fault.. :)
-
Basically, I've recreated the crystal market. I want someone to test it out and make sure that it works well, and to report any errors/security issues that pop up. This will eventually include the item market as well, to group the 2 together in one file, but I want to make sure that this half works well first.

<?php
require('globals.php');
$currency_sym = '$'; //Sets your currency symbol;
$sec_currency_name = 'Point'; //Sets your second currency name for output;
$item_name = 'Item'; //Sets your name for the item market, so you could use Supply, etc.
//$price_cap = '200000'; //Sets the price capacity;
$_GET['id'] = abs(@intval($_GET['id']));
switch($_GET['page'])
{
    case 'smarket':
        smarket();
        break;
    case 'imarket':
        imarket();
        break;
    default:
        echo 'Invalid Page';
        $h->endpage();
        exit;
        break;
}

function smarket()
{
    global $db,$ir,$currency_sym,$sec_currency_name,$price_cap,$h;
    echo '<h3><strong><u>'.$sec_currency_name.' Market</u></strong></h3>
    <a href="market.php?page=smarket&cmd=add"><strong><u> Add Listing</u></strong></a>';
    $db->query('DELETE FROM `crystalmarket` WHERE `cmQTY`=0'); //Clear market of entries with 0 or less quantities;
    switch($_GET['cmd'])
    {
        case 'view':
            $view = 'SELECT c.`cmID`,c.`cmQTY`,c.`cmADDER`,c.`cmPRICE`,u.`userid`,u.`username` '.
                    'FROM `users` u '.
                    'LEFT JOIN `crystalmarket` c '.
                    'ON c.`cmADDER`=u.`userid` '.
                    'WHERE u.`userid`=c.`cmADDER` '.
                    'ORDER BY c.`cmQTY` DESC';
            $q = $db->query($view);
            echo '<table class="table" width="70%">
            <tr><th>User</th> <th>QTY</th> <th>Price each</th> <th>Price total</th> <th>Commands</th></tr>';
            while($data = $db->fetch_row($q))
            {
                echo '<tr><td>'.htmlentities($data['username']).'['.$data['userid'].']</td>
                <td>'.number_format($data['cmQTY'],0).'</td>
                <td>'.$currency_sym.number_format($data['cmPRICE'],0).'</td>
                <td>'.$currency_sym.number_format($data['cmPRICE']*$data['cmQTY'],0).'</td>
                <td>';
                if($data['cmADDER'] != $_SESSION['userid'])
                    echo '[<a href="market.php?page=smarket&cmd=purchase&id='.$data["cmID"].'">Purchase</a>]';
                else
                    echo '[<a href="market.php?page=smarket&cmd=remove&id='.$data["cmID"].'">Remove</a>]';
                echo '</td></tr>';
            }
            echo '</table>';
            break;
        case 'purchase':
            $purchase = 'SELECT `cmID`,`cmADDER`,`cmQTY`,`cmPRICE` '.
                        'FROM `crystalmarket` '.
                        'WHERE `cmID`='.$_GET['id'];
            $q = $db->query($purchase);
            $data = $db->fetch_row($q);
            if(!$db->num_rows($q))
            {
                echo 'Error: We could not find the requested listing.';
                $h->endpage();
                exit;
            }
            echo '<h3><strong>Purchase Listing</strong></h3>';
            if(!$_POST['submit'])
            {
                echo '<form action="market.php?page=smarket&cmd=purchase&id='.$_GET["id"].'" method="POST">
                <table class="table" cellpadding="0">
                <tr><th>Qty:</th><td align="center">
                <input style="width:50px;" type="text" name="p_qty" value="'.$data["cmQTY"].'" /></td></tr>
                <tr><td></td><td><input type="submit" name="submit" value="Purchase" /></td></tr>
                </table>
                </form>';
            }
            else
            {
                $_POST['p_qty'] = abs(@intval($_POST['p_qty']));
                $price = floor($data['cmPRICE']*$_POST['p_qty']);
                if(!$_POST['p_qty'])
                {
                    echo 'Error: You have either tried to purchase nothing, or there is nothing available to purchase.';
                    $h->endpage();
                    exit;
                }
                if($_POST['p_qty'] > $data['cmQTY'])
                {
                    echo 'Error: You have requested more '.$sec_currency_name.'s than are available in this listing.';
                    $h->endpage();
                    exit;
                }
                if($_SESSION['userid'] == $data['cmADDER'])
                {
                    echo 'Error: You cannot purchase your own listing.
                    You can <a href="market.php?page=smarket&cmd=remove&id='.$data["cmID"].'">remove</a> it however.';
                    $h->endpage();
                    exit;
                }
                else if($price > $ir['money'])
                {
                    echo 'Error: You do not have sufficient funds to complete this purchase.';
                    $h->endpage();
                    exit;
                }
                else
                {
                    $text = 'Someone has purchased your '.number_format($_POST['p_qty']).' point(s) for '.number_format($price,0).'.';
                    $db->query('UPDATE `users` SET `money`=`money`-'.$price.' WHERE `userid`='.$_SESSION['userid']);
                    $db->query('UPDATE `users` SET `crystals`=`crystals`+'.$_POST["p_qty"].' WHERE `userid`='.$_SESSION["userid"]);
                    $db->query('UPDATE `users` SET `money`=`money`+'.$price.' WHERE `userid`='.$data["cmADDER"]);
                    $db->query('INSERT INTO `events` VALUES (NULL,'.$data["cmADDER"].','.time().',0,"'.$text.'")');
                    $db->query('UPDATE `crystalmarket` SET `cmQTY`=`cmQTY`-'.$_POST['p_qty'].' WHERE `cmID`='.$data["cmID"]);
                    echo 'You have successfully purchased your '.number_format($_POST["p_qty"]).' '.$sec_currency_name.'(s)';
                    $h->endpage();
                    exit;
                }
            }
            break;
        case 'add':
            echo '<h3><strong>Add Listing</strong></h3>';
            if(!$_POST['submit'])
            {
                echo '<form action="market.php?page=smarket&cmd=add" method="POST">
                Qty: <input type="text" name="a_qty" value="'.$ir["crystals"].'" />
                Price each: <input type="text" name="a_price" value="1000" />
                <input type="submit" name="submit" value="Add Listing" />
                </form>';
            }
            else
            {
                $_POST['a_qty'] = abs(@intval($_POST['a_qty']));
                $_POST['a_price'] = abs(@intval($_POST['a_price']));
                $q = $db->query('SELECT `cmID`,`cmADDER` FROM `crystalmarket` WHERE `cmADDER`='.$_SESSION['userid']);
                if($_POST['a_qty'] > $ir['crystals'])
                {
                    echo 'Error: You do not have enough '.$sec_currency_name.'s to complete this action.';
                    $h->endpage();
                    exit;
                }
                else if(!$_POST['a_qty'] || !$_POST['a_price'])
                {
                    echo 'Error: You must enter a quantity/price.';
                    $h->endpage();
                    exit;
                }
                else if($db->num_rows($q))
                {
                    echo 'Error: You already have a listing.
                    Please remove it before adding another one.';
                    $h->endpage();
                    exit;
                }
                // else if($_POST['a_price'] > $price_cap)
                // {
                //     echo 'Error: Your selling price each exceeds the current price capacity.';
                //     $h->endpage();
                //     exit;
                // }
                else
                {
                    $db->query('INSERT INTO `crystalmarket` VALUES (NULL,'.$_POST["a_qty"].','.$_SESSION["userid"].','.$_POST["a_price"].')');
                    $db->query('UPDATE `users` SET `crystals`=`crystals`-'.$_POST["a_qty"].' WHERE `userid`='.$_SESSION['userid']);
                    echo $sec_currency_name.'s successfully added to the market';
                }
            }
            break;
        case 'remove':
            echo '<h3><strong>Remove Listing</strong></h3>';
            $remove = 'SELECT `cmID`,`cmADDER`,`cmQTY` '.
                      'FROM `crystalmarket` '.
                      'WHERE `cmID`='.$_GET['id'].' AND `cmADDER`='.$_SESSION['userid'];
            $q = $db->query($remove);
            $r = $db->fetch_row($q);
            if(!$db->num_rows($q))
            {
                echo 'Error: We could not find your entry. Either it does not exist, or you do not have permission to remove it.';
                $h->endpage();
                exit;
            }
            else
            {
                $db->query('UPDATE `users` SET `crystals`=`crystals`+'.$r["cmQTY"].' WHERE `userid`='.$_SESSION['userid']);
                $db->query('DELETE FROM `crystalmarket` WHERE `cmID`='.$_GET['id']);
                echo 'Your entry has successfully been removed.';
            }
            break;
        default:
            echo 'Invalid Command';
            $h->endpage();
            exit;
            break;
    }
}

function imarket()
{
}

$h->endpage();
?>
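One thing a tester would flag in the purchase step above: the balance and stock are checked first and updated afterwards in separate queries, so two requests racing each other (or one request whose stock check passes just before another buyer empties the listing) can overdraw money or oversell crystals. The added example below, written for this page and not part of the script or of McCodes, does the purchase inside a transaction and lets the conditional UPDATEs themselves be the check. The tables mirror the column names the script uses but are a constructed stand-in on an in-memory SQLite database.

```php
<?php
// Added example, not part of the market script: an atomic purchase.
// Each UPDATE carries its own precondition in the WHERE clause and
// rowCount() reports whether it matched, so the check and the change
// cannot be separated by another request. Schema is a constructed stand-in.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER NOT NULL, crystals INTEGER NOT NULL)');
$db->exec('CREATE TABLE crystalmarket (cmID INTEGER PRIMARY KEY AUTOINCREMENT,
           cmQTY INTEGER NOT NULL, cmADDER INTEGER NOT NULL, cmPRICE INTEGER NOT NULL)');

// Returns a short status code; the page decides how to word it.
function purchaseListing(PDO $db, int $buyer, int $listingId, int $qty): string
{
    if ($qty <= 0) {
        return 'nothing-to-buy';
    }
    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT cmADDER, cmPRICE FROM crystalmarket WHERE cmID = :id');
        $stmt->execute([':id' => $listingId]);
        $listing = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($listing === false) {
            $db->rollBack();
            return 'no-such-listing';
        }
        $seller = (int) $listing['cmADDER'];
        if ($seller === $buyer) {
            $db->rollBack();
            return 'own-listing';
        }
        $price = (int) $listing['cmPRICE'] * $qty;

        // Take the stock only if enough is still there.
        $take = $db->prepare('UPDATE crystalmarket SET cmQTY = cmQTY - :q1
                              WHERE cmID = :id AND cmQTY >= :q2');
        $take->execute([':q1' => $qty, ':id' => $listingId, ':q2' => $qty]);
        if ($take->rowCount() !== 1) {
            $db->rollBack();
            return 'not-enough-stock';
        }

        // Debit the buyer only if the balance still covers the price.
        $pay = $db->prepare('UPDATE users SET money = money - :p1
                             WHERE userid = :u AND money >= :p2');
        $pay->execute([':p1' => $price, ':u' => $buyer, ':p2' => $price]);
        if ($pay->rowCount() !== 1) {
            $db->rollBack(); // also undoes the stock change above
            return 'insufficient-funds';
        }

        $db->prepare('UPDATE users SET crystals = crystals + :q WHERE userid = :u')
           ->execute([':q' => $qty, ':u' => $buyer]);
        $db->prepare('UPDATE users SET money = money + :p WHERE userid = :u')
           ->execute([':p' => $price, ':u' => $seller]);
        $db->commit();
        return 'ok';
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed data: seller 1 lists 100 crystals at 10 each; buyer 2 has 500 money.
$db->exec('INSERT INTO users VALUES (1, 0, 0), (2, 500, 0)');
$db->exec('INSERT INTO crystalmarket (cmQTY, cmADDER, cmPRICE) VALUES (100, 1, 10)');

echo purchaseListing($db, 2, 1, 40), "\n";  // 40 of the 100, within the buyer's balance
echo purchaseListing($db, 2, 1, 40), "\n";  // another 40 against what the buyer has left
echo purchaseListing($db, 2, 1, 61), "\n";  // more than the listing still holds
echo purchaseListing($db, 1, 1, 5), "\n";   // seller buying from themselves
print_r($db->query('SELECT * FROM users')->fetchAll(PDO::FETCH_ASSOC));
print_r($db->query('SELECT * FROM crystalmarket')->fetchAll(PDO::FETCH_ASSOC));
```

On MySQL/InnoDB the conditional UPDATE locks the row it touches for the rest of the transaction, so the `cmQTY >= ?` and `money >= ?` conditions are evaluated against committed state and no separate SELECT-then-check is needed; the same pattern removes the need to trust `$ir['money']` loaded earlier in the request.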
-
Question Can you not first check if it is a valid integer, and then search and destroy any unwanted signs in front of or after the digits?
-
I was thinking of creating a function that could clean any variable or array, and having it able to select how to clean it too. However, how would one achieve such an outcome? I could see it being something of this sort:

<?php
function validateInput($input,$method)
{
    if(!empty($input) && !empty($method))
    {
        if($method == "mysql")
            return mysql_real_escape_string($input);
        if($method == "html")
            return htmlentities($input);
    }
    else
    {
        echo "Invalid input or no valid method was chosen.";
        exit;
    }
}
?>
-
I'm confused. Does it really matter which one I use, basically will it hit my performance that much? If it's only half a second or so I really don't mind. Also on the topic of optimizing queries... I know you can combine queries, but how so? Also, does formatting increase the speed at all, or just make the database cleaner ( Basically, is it really needed or just mainly a preference? ). Thank you all for your help
-
It looks alright, but like Mystical said, more information should be provided.
-
Okay. Thanks for your help Spudinski. Much Appreciated
-
Yeah I understand Regex, I've actually used it a couple times before.. Very good. My question though is isn't it better to use native php functions or create a group of functions like these in an Object class, for reuse?
-
This is not for any specific game, or web development. This is simply a question for Security in PHP generally. Can anyone help me refresh my memory on the best security techniques that can be used. Say I want to prevent XSS from a single form: would htmlentities on the certain variable on the way to the database as well as a mysql escape be sufficient enough to protect from XSS on that single input, or rather I use more functions? I heard it is better to escape and filter on input and escape output. Say I want to make sure a variable contains only numbers, or certain values. Would it be sufficient to use abs(@intval($var)) to make sure it's a number, or is more needed? Also, say I want the variable ( in this case $_GET ) to only contain 3 possible values (red, green, blue ).. Would this work?

<?php
if(isset($_GET['var']) && in_array($_GET['var'],array('red','blue','green'),true))
{
    // Do Something
}
else
{
    exit;
}
?>

I know this isn't completely right, so that's why I'm asking. Are there any more security tips I should know about? Thanks, -Dillion
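The validators asked about in the last three questions (the "check it is a valid integer" question, the "one function to clean anything" sketch, and the abs(@intval()) / in_array / htmlentities question above), as one added example written for this page rather than taken from any post. The helper names are my own; the request array is constructed. The approach is to validate and reject rather than strip or repair, and to escape for HTML only at output.

```php
<?php
// Added example, not code from any post on this page. Each helper returns
// null on rejection so the caller decides what to do; nothing is "repaired".

// Integer check that rejects instead of guessing: intval('12abc') silently
// gives 12 and intval('abc') gives 0, so abs(@intval()) cannot tell a bad
// value from a real zero. FILTER_VALIDATE_INT accepts only an optionally
// signed run of digits (surrounding whitespace allowed) and returns false
// otherwise; min_range/max_range bound it.
function asInt(?string $raw, int $min = 0, ?int $max = null): ?int
{
    if ($raw === null) {
        return null;
    }
    $opts = ['options' => ['min_range' => $min]];
    if ($max !== null) {
        $opts['options']['max_range'] = $max;
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $v === false ? null : $v;
}

// Allow-list check with strict comparison: only one of the listed strings
// passes, so "0", "red " or an array value are rejected.
function oneOf($raw, array $allowed): ?string
{
    return (is_string($raw) && in_array($raw, $allowed, true)) ? $raw : null;
}

// Escape for HTML output. Store the raw (validated) value in the database
// through a prepared statement and escape at the point it is printed.
function toHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed request, the kind of thing that arrives in $_GET.
$get = [
    'id'     => ' 42 ',
    'qty'    => '12abc',
    'colour' => 'red',
    'page'   => '0',
    'name'   => '<script>alert(1)</script>',
];

var_dump(asInt($get['id'], 1));                           // digits with surrounding spaces
var_dump(asInt($get['qty'], 1));                          // digits followed by letters
var_dump(asInt('-7', 1));                                 // below the minimum
var_dump(asInt('300', 1, 255));                           // above the maximum
var_dump(oneOf($get['colour'], ['red', 'green', 'blue']));
var_dump(oneOf($get['page'], ['red', 'green', 'blue']));
var_dump(oneOf($get['missing'] ?? null, ['red']));        // key absent
echo toHtml($get['name']), "\n";                          // escaped, safe to print
```

The reason for three small functions instead of one validateInput($input, $method): the right treatment depends on where the value is going, not on the value. Numbers and allow-listed strings are validated on the way in; text is passed to the database as a bound parameter (no escaping function needed); and HTML escaping happens once, at output, which is the "filter on input, escape output" rule from the question.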
-
Microsoft is all and well, but I can pick up a legal copy of Linux for $0.00 and there is a community which provides fixes for free... It's hard to compare an OS to a script, but at the same time I believe the developers should pay US 50 dollars to use it :p Wouldn't that be something.
-
Yeap. I'm assuming lights layout is the same so.. basically just go to header.php and make a function called right_menu and put it after every page.. actually you could just float it.. hmm I'll try it
-
What is `second`? Did you do the mod yourself?
-
Is Danny's Lite secured? If so that's amazing. Perfect for what I need
-
What is different about Danny's Lite? Is it secure? I'm only asking about security because I am honestly lazy and I don't want to go through all the files and secure them. I CAN secure any modifications though, or php in general. Just too lazy to mess with all the others
-
Is there any secured version on sale, or do I need to get it secured? I want to make a game and someone told me I needed to get it secured?