MakeWebGames

a_bertrand

Members
  • Posts: 3,655
  • Days Won: 12

Everything posted by a_bertrand

  1. Great job so far! Keep it coming, and many, many thanks ;)
  2. Gangster legend: http://www.glscript.net/ ezRPG: http://www.ezrpgproject.com/ zapEngine (really bare bone): http://sourceforge.net/projects/zapengine/ and there is more... check even on those forums ;)
  3. As said, the only thing you can do is inform your users. For internal (inside the company) it's somewhat doable, yet for external people it's nearly impossible besides sending emails from time to time informing them to not trust anyone XD
  4. You can't fix social engineering, as it's your trusted users who are doing the stupidities... you can inform them, yes, but not much more. For CISSP, as I said, I'm no expert so I can't even rate their certifications ;) But yes, there are quite some training / certification possibilities.
  5. OOOPS! SQL injection can be done here (and I didn't check further)! Your script is hardly secure. I would NOT use it till you have cleaned it up.
  6. I can't answer sorry, I don't have such info.
  7. Well, I have Windows 7 64 bit, Chrome, Firefox and IE, and all show the code without any glitch. Maybe some sort of caching or some sort of anti-virus blocking the JS?
  8. I'm using Microsoft essential, it does its job for what I need.
  9. The latest ZCE, but not the one I did, that I can tell you ;) (I made mine in 2006, so 6 years ago, and it was PHP 4.) The current ZCE does indeed have quite a bit more focus on security (thanks Spudinski for pointing me to the right info, I must admit I didn't check it since I made mine), and OO, which was nearly existent at the time I did it. And do I think the ZCE tells if you are a security expert? The answer is again no: you may (now) have some overview, but you are certainly not an expert. To be an expert in the field, you should normally do formal training on that specific field, or at least have some long working expertise in the field. Also, a script on the same site to trigger some hack is for me something different from CSRF, as for me it's more a CSS / XSS attack, and that one was known to me ;) Finally, I shall add that even if you are an expert, you may as well miss things. I mean, how do you think that even sites like YouTube, Google, Yahoo get hacked otherwise? Don't you think they have full-time security experts working there? Yet there is always some security aspect which has been forgotten or some new vicious way to pass the security. One of the well-known and not really fixable issues is the so-called "social engineering": http://en.wikipedia.org/wiki/Social_engineering_(security)
  10. The Zend Certificate doesn't cover any security aspect. It covers purely the language. As I always said, I'm a programmer, not a security expert nor a hacker. Yet I'm also not a McCode owner or developer, so all this McCode world and possible hacks are unknown to me ;) You know, computer science is really big, you can't know all. For example, somebody working with Oracle will not know SQL Server details, and the same the other way around. An expert in Java will normally not be an expert in C#, or yet, if you are a Java GUI developer, maybe the Servlet and JSP are only basic knowledge. Does that make a Java guru a bad programmer? No, but simply not a good security expert. Usually security and development are two separate things, where you need truly skilled people for security who do basically nothing else than that, and the programmers on the other side. Sure, a soft needs to be secured, especially if it goes on the internet, but many softs never reach any public hands and may have completely different design goals. Even formal training shows huge differences in what you get: Nickson, who is doing system administration and security, is getting all kinds of trainings to learn the possible (known) attacks, whereas when I made my master I didn't get even a single course about security. As said, there is simply too much to know, and you can't learn all. Then it's up to you to focus on the thing you are interested in, but don't think that only one branch of computer science is the most important, that would be a huge mistake ;)
  11. Indeed, preventing completely those kinds of attacks seems to be relatively hard. On my own code I did quite some work, yet I only hope to have covered all those possible issues. Sometimes you never have enough imagination to cover all holes, or at least me. And I wasn't aware those kinds of attacks have been successfully done on a McCode game.
  12. That would be more code style Danny. There is really a lot of open issues in the code, from very obvious which can for example to some others....
  13. On some forums there is like a spoiler tag which allows you to hide it until you click on the tag and then you see the content. If there was something like that, then maybe it would make sense to leave the results directly on the thread. As we don't have such a feature, I'm all in favor of keeping the results away for the moment. BTW, my "octarine score" is: Pretty good. All round. Not bad, but you would not get you hired.
  14. Sorry SomeRandomBastart: I don't want direct answer otherwise people will not need to make any efforts to find the issues as simple as that. It's like a game, so don't spoil it ;) Octarine will help us later on by giving all the info or nearly.
  15. It's indeed a good test, it may help some MWG (and me too actually) spot some of the most common and yet some of the less common issues most scripts I saw on MWG share.
  16. Ok, I found... quite some. Some are really serious, some are annoying, others are... just... would be better to change. Will send you my list in PM.
  17. Thanks to Octarine, I learned something new: CSRF or XSRF. For more information: http://en.wikipedia.org/wiki/Cross-site_request_forgery

      To make a long story short: if your users are logged in, via session / cookie or whatever, and some external site points an image to your game like

          <img src="http://yourgame.com/index.php?cmd=change_pass&new_pass=123456" width="1" height="1">

      the browser of your players will actually try to load that image (even if it is not an image), pass the session / cookie over and... actually trigger some actions. Doing it with a POST instead of a GET? It involves a bit more work, and may not work with a simple image as you need some JavaScript (as far as I'm aware of), however it is also doable.

      Now how do you protect yourself from such things? Well, a good option is to check the Referer header and see if it matches your site. If not, the request comes from the outside and should be dropped. Yet even better, limit the lifetime of the session / cookie, such that the player is vulnerable only for X min (unless he/she browses malicious sites at the same time), or require some sort of password when you do such things.

      Honestly, loads of sites (if not most) are partially or completely vulnerable to such an attack, yet it doesn't mean it's easy to set up and actually run, as the attacker shall know your site, and shall find a way to contact the users of your site, for example. Also the impact of such an attack on a game is... not very high. Is it a high security risk for a game? Answer: I don't think so. Could something be done to yet lower the risks? Sure, however preventing completely those kinds of attacks is hard. However you can certainly try to block some of the easiest things. The other points Octarine made are more important for me, like blocking an account after X fails in X minutes.
  18. Me: My own code which is NEaB => Nowhere Else and Beyond
  19. Clearly the piece:

          $result = mysql_query("UPDATE login SET quote='".$_POST['quote_box']."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") or die(mysql_error());

      is not secure and allows all kinds of injections through the quote_box field. How so? Easy: if I put

          hello', col2='admin

      into it, you will actually end up with a query which will touch the quote column AND the col2 column, as it will produce the following query:

          UPDATE login SET quote='hello', col2='admin' WHERE id='1'

      To make it safer:

          $result = mysql_query("UPDATE login SET quote='".mysql_real_escape_string($_POST['quote_box'])."' WHERE id='" .mysql_real_escape_string($_SESSION['user_id']). "'") or die(mysql_error());
  20. I see, so sure you are allowed to do a mod, I thought you want to make a package of all the mods and the engine and redistribute that one.
  21. Does anyone still use PHP 4? However, filter_var seems to be PHP 5.2 or later, not 5.1, which is the default of CentOS 5 for example.
  22. A source for which engine? V2? Sorry, but that would be illegal... as you don't have the rights to re-distribute the source. Also, due to the design of the engine, enabling and disabling mods can be more or less complex, and quite certainly different for each mod.
  23. Honestly I'm unsure what you propose. What is "the source"? Basically a demo of McCode V2 or whatever with all the possible mods installed, to show how those mods work?
  24. The link is: http://jacklmoore.com/colorbox/ Now, to answer your question, there is no super simple solution; you will need to use some JavaScript to make like a "window" within your HTML page, or if you want to open a true browser window you can set the link target as _blank or _new, so something like <a href='register.php' target='_blank'>Register!</a> However, I doubt this is what you want. So either ask somebody to do it for you, or learn some JS / jQuery to be able to implement it yourself.
  25. Well, the link I gave you does just that ;)
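The injection described in post 19, run end to end, as an added example that is not code from the original thread or from the script under review. It uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs from the command line without MySQL; the table and column names `login`, `quote` and `col2` follow post 19, and the input string is the one the post constructs. The first update concatenates the value into the SQL text, so the `', col2='admin` fragment becomes part of the statement and changes `col2` as well; the second uses a prepared statement, which sends the value separately from the SQL, so the whole string is stored as the quote and `col2` is untouched.

```php
<?php
// Added example (not the thread's code). In-memory SQLite via PDO so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login (id INTEGER PRIMARY KEY, quote TEXT, col2 TEXT)");
$db->exec("INSERT INTO login (id, quote, col2) VALUES (1, '', 'user')");

// Constructed input, the same shape as in post 19: closes the quote literal and
// appends a second column assignment.
$quoteBox = "hello', col2='admin";
$userId   = 1;

// Vulnerable form: the user value is concatenated straight into the SQL text.
// Returns the SQL that actually ran so the caller can inspect it.
function vulnerableUpdate(PDO $db, string $quote, int $userId): string {
    $sql = "UPDATE login SET quote='" . $quote . "' WHERE id='" . $userId . "'";
    $db->exec($sql);
    return $sql;
}

// Safer form: placeholders are bound to values, so a quote character in the
// input is data, never SQL syntax. (mysqli prepared statements work the same way.)
function safeUpdate(PDO $db, string $quote, int $userId): void {
    $stmt = $db->prepare("UPDATE login SET quote = :quote WHERE id = :id");
    $stmt->execute([':quote' => $quote, ':id' => $userId]);
}

// Read back the row so both outcomes can be compared.
function readRow(PDO $db, int $userId): ?array {
    $stmt = $db->prepare("SELECT quote, col2 FROM login WHERE id = :id");
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 1. Concatenated query: inspect the SQL and the row it produced.
echo vulnerableUpdate($db, $quoteBox, $userId), "\n";
print_r(readRow($db, $userId));

// 2. Reset col2, then run the prepared-statement version with the same input.
$db->exec("UPDATE login SET col2 = 'user' WHERE id = 1");
safeUpdate($db, $quoteBox, $userId);
print_r(readRow($db, $userId));
```

Running it with `php` on the command line prints the concatenated statement first, which is exactly the `UPDATE login SET quote='hello', col2='admin' ...` query post 19 predicts. Escaping every interpolated value, as the post's fix does, closes this particular hole; binding parameters removes the need to remember to escape at all, which is why it is the form to reach for in new code.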
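The protections post 17 discusses, as an added example that is not code from the original thread: the Referer check the post suggests, plus the per-session token that is the usual complement to it. The functions are written over plain arrays so the walk-through runs from the command line; in a real page `$session` and `$post` would be `$_SESSION` and `$_POST`, the Referer would come from `$_SERVER['HTTP_REFERER']`, and `yourgame.com` is the hostname from the post's example. Assumes PHP 7 or later.

```php
<?php
// Added example (not the thread's code). Pure functions so it runs without a web server.

// Generate one random token per session and keep it server-side.
function issueCsrfToken(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// A state-changing request must echo the session token back; compare in constant time.
function csrfTokenIsValid(array $session, array $post): bool {
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// The Referer check from post 17: accept only if the header names our own host.
// Browsers may omit Referer, so a missing header counts as untrusted for these actions.
function refererMatchesHost(?string $referer, string $ourHost): bool {
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $ourHost) === 0;
}

// Hidden field to include in every form that changes state (password, email, ...).
function hiddenTokenField(string $token): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// Constructed walk-through: a legitimate form submission carries the token; the
// cross-site <img> request from post 17 carries none and arrives with a foreign Referer.
$session = [];
$token   = issueCsrfToken($session);

$legitPost = ['cmd' => 'change_pass', 'new_pass' => 'secret', 'csrf_token' => $token];
$forgedGet = ['cmd' => 'change_pass', 'new_pass' => '123456'];

var_dump(csrfTokenIsValid($session, $legitPost));
var_dump(csrfTokenIsValid($session, $forgedGet));
var_dump(refererMatchesHost('http://yourgame.com/profile.php', 'yourgame.com'));
var_dump(refererMatchesHost('http://attacker.example/page.html', 'yourgame.com'));
echo hiddenTokenField($token), "\n";
```

The token check is the one that matters: the `<img>` trick can only produce a GET with no body, so it can never supply the hidden field, and a forged POST from another origin cannot read the victim's token either. Requiring POST for anything that changes state (the `change_pass` command in the post's example) and rejecting requests without a matching token removes the attack; the Referer comparison is a cheap extra layer but, as the post notes, sites still get this wrong, so it should not be the only defence.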