
Truefalse (Members) - 22 posts
-
This method to reset passwords has a potential serious security flaw. I could create a bash script to first send a GET request to instantiate the SESSIONS, then enumerate with POST requests 100s a second (multi-threaded process) until it finally goes through, as the captcha doesn't have enough complexity to it. I'd grab the user id from the user's profile link. I'd social engineer the user's email (or grab the email from a mass mail (I know 1 game that includes all emails in a mass email - I've notified the owners about 3 weeks ago, still no change)). I'd assume the user hasn't changed their login name and it is still equal to their username. I'd input a password of my control.
Some code to show you how many times a duplicate captcha will appear in a loop of 10000 iterations:
    <?php
    $a = [];
    // Because it just holds digits 0-9 - 4 chars long
    for ($i = 0; $i < 10000; $i++) {
        $n = mt_rand(1, 9999);
        $a[$n] = isset($a[$n]) ? $a[$n] + 1 : 1; // initialise the bucket on first hit
    }
    // keep only the values that were drawn more than once
    $dupes = array_filter($a, function ($b) {
        return $b > 1;
    });
    print_r($dupes);
    echo count($dupes);
https://eval.in/314640
I'd consider doing what [MENTION=70715]krballard94[/MENTION] suggested.
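The defensive counterpart to the scenario in the post above, as an added example (not the poster's code and not the engine's own code): a reset form whose captcha is bound to the session, regenerated after every attempt, and capped at a small number of wrong answers. The session key names, the constants and the function names are assumptions; a plain array stands in for $_SESSION so the block runs from the command line.

```php
<?php
// Added example, not code from the original post or the engine it discusses.
// Mitigates the captcha brute force described above: the answer space is
// enlarged, the challenge is tied to the session, a fresh one is issued after
// every check, and a session is locked after a handful of wrong answers.
declare(strict_types=1);

const CAPTCHA_MAX_ATTEMPTS = 5;   // assumed policy value
const CAPTCHA_LENGTH = 6;         // the 4-digit (1-9999) space in the post is far too small

function newCaptcha(array &$session): string
{
    // letters and digits without the easily confused 0/O and 1/l
    $alphabet = 'abcdefghjkmnpqrstuvwxyz23456789';
    $code = '';
    for ($i = 0; $i < CAPTCHA_LENGTH; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG, not mt_rand()
    }
    $session['captcha_answer'] = $code;
    return $code;
}

function checkCaptcha(array &$session, string $submitted): bool
{
    $session['captcha_attempts'] = ($session['captcha_attempts'] ?? 0) + 1;
    if ($session['captcha_attempts'] > CAPTCHA_MAX_ATTEMPTS) {
        // too many misses: invalidate the challenge for this session entirely
        unset($session['captcha_answer']);
        return false;
    }
    $expected = $session['captcha_answer'] ?? null;
    // constant-time comparison, then always rotate the challenge so a miss
    // cannot be retried against the same answer
    $ok = $expected !== null && hash_equals($expected, strtolower($submitted));
    newCaptcha($session);
    if ($ok) {
        $session['captcha_attempts'] = 0;
    }
    return $ok;
}

// usage with an array standing in for $_SESSION
$session = [];
$code = newCaptcha($session);
var_dump(checkCaptcha($session, 'wrong'));   // a miss: challenge is rotated
var_dump(checkCaptcha($session, $code));     // the old answer no longer counts
$session = [];
$code = newCaptcha($session);
var_dump(checkCaptcha($session, $code));     // correct answer on a fresh challenge
```

The per-session cap alone does not stop the loop the post describes, since an attacker who can start a session with one GET can simply start another; pair it with a limit keyed on the target account (and source address), and prefer a random single-use reset token emailed to the account holder over a guessable challenge on the form itself.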
-
Would you say word of mouth is free advertising? I'd say it is. And of course, I wouldn't say something like that without a few resources to back me up :cool: http://www.forbes.com/sites/kimberlywhitler/2014/07/17/why-word-of-mouth-marketing-is-the-most-important-social-media/ http://wordofmouthbook.com http://hireinfluence.com/all/elements-successful-word-mouth-marketing-campaign/ http://blog.peerindex.com/word-of-mouth-success-stories-by-industry/ rekt.
-
Someone is going to offer you an engine called RC (I forgot what the initials stand for. The owner - which used to be IceColdCola - does go on these boards, so (s)he may be able to assist you). Don't take it unless they guarantee security. It's the most insecure engine out there. Though, it's what you're probably looking for as it's pretty much an exact Torn clone.
-
Hi guys, it's me. TP2 king. I found a SQL injection but didn't realise it actually worked until ~30 seconds later as I didn't realise the actual game body isn't real time. (@OP: If it was real time, I could have patched it for you) Look, I'll show you. (Mom will be so proud of me) btw, you have major XSS issues (as I've demonstrated).
-
I've hidden my love throughout your site. You'll know when you come across him. :)
-
OP is offering something for free with a simple signup in return. He can distribute it however he pleases. (No he wants our time to register in return. Yeah ok)
-
You should tell your friend to invest heavily if he can ensure someone gets unlimited of something in computing. That's truly great. On a serious note, get your friend here for him to publicly answer the usual questions:
- what experience do you have managing servers?
- what OS are you running?
- what is your backup and recovery procedures?
- is support included? What type of support?
- do I have money back guarantee?
- what payment methods do you take?
- do you upgrade the software? If so, how much notice time do we have?
- do clients get SSH access?
-
What a very low quality post. @OP: I can do this for you. I'll charge you $40 for my time though. PM me if you're interested.
-
Still has security holes. See my first reply.
-
Absolutely not. Do not preach "for me that is enough". It is nowhere near substantial. Sure, it helps against SQL injection - but binding query parameters does that a lot better. If you kept with your version that is "enough for you", you are not securing yourself against stored XSS attacks - which is a huge thing. With XSS, you can do whatever you like:
- Redirect users
- Modify the DOM
- Steal users' cookies
- ...
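The two controls the reply above recommends, as an added example (not the poster's code or the engine's): bound query parameters on the way into the database and output encoding on the way back out, which is what stops a stored payload from ever being interpreted as markup. The table and column names are assumptions, the payload is constructed, and the in-memory SQLite database (pdo_sqlite extension) is only there so the block runs stand-alone.

```php
<?php
// Added example, not code from the original thread.
// Bound parameters defend the SQL layer; htmlspecialchars() at render time
// defends the browser. Escaping only on input (addslashes, stripslashes and
// friends) does neither job properly.
declare(strict_types=1);

function saveMessage(PDO $db, int $userId, string $body): void
{
    // the body travels as a bound value, never spliced into the SQL text
    $stmt = $db->prepare('INSERT INTO messages (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $body]);
}

function renderMessage(string $body): string
{
    // encode at output: a stored "<script>" becomes literal text in the page
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// stand-alone setup: assumed schema in an in-memory SQLite database
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, user_id INTEGER, body TEXT)');

// constructed inputs: a quote that would break naive string building, and a
// tag that would execute if echoed raw
saveMessage($db, 1, "O'Brien says hi");
saveMessage($db, 2, "<script>alert('stored xss')</script>");

foreach ($db->query('SELECT body FROM messages ORDER BY id') as $row) {
    echo renderMessage($row['body']), PHP_EOL;
}
```

Note that the stored text is kept exactly as the user typed it; the transformation happens only when it is placed into HTML, which is why the same record can later be rendered safely into a different context (a JSON API, a plain-text email) with the encoding appropriate to that context.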
-
Yes. stripslashes() provides near zero data sanitisation, thus little security. Your lazy match (.?) in your preg_match() is very worrying (also, you're missing the anchor tags (^ and $)).
Images have EXIF data - which is pretty much meta data about the image, detailing the image name, MIME types, dimensions and everything else (such as GPS co-ordinates when taken - if the device logs this data).
To secure your script, you're going to want to do the following:
- Grab the image they have pasted with code
- Inspect that image with various functions
Various functions to check something is a valid image are:
- getimagesize()
- exif_read_data()
Now that you've checked the integrity of the thing the user is uploading, we need to check the file name (to disallow XSS, SQL, and CSRF injections). You've made a start with the preg_match() - which is decent, however your regular expression will not detect any of the threats listed above.
Here is a ruleset for file naming: http://www.dpbestflow.org/file-management/file-naming
A basic regular expression you could use is the following:
    ^([a-zA-Z0-9_\-%]+\.)(jpe?g|gif|png)$
This will allow only:
- Alphabetic characters (a-zA-Z)
- Numeric characters
- Special characters (_, -, %, /)
Of course this will only validate the filename, and not the entire URI.
https://regex101.com/r/pD5dB5/2
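The checks listed in the reply above carried through as one function, as an added example (not the poster's code or the script being reviewed): an anchored filename allow-list, getimagesize() on the actual bytes, a consistency check between the claimed extension and the detected type, and a server-generated name for storage. The function name, the allow-list table and the sample files are assumptions; in a real form $tmpPath would be $_FILES['image']['tmp_name'].

```php
<?php
// Added example, not code from the original thread.
// Validates an uploaded image by content, not by its user-supplied name,
// and never reuses that name on disk.
declare(strict_types=1);

// assumed allow-list: detected type => acceptable extensions
const ALLOWED_IMAGES = [
    IMAGETYPE_JPEG => ['jpg', 'jpeg'],
    IMAGETYPE_GIF  => ['gif'],
    IMAGETYPE_PNG  => ['png'],
];

function validateImageUpload(string $tmpPath, string $clientName): array
{
    // 1. filename: anchored, allow-listed characters, allow-listed extension.
    //    '%' from the regex in the post is deliberately left out here so that
    //    percent-encoded sequences cannot be smuggled into the name.
    if (!preg_match('/^([a-zA-Z0-9_\-]+)\.(jpe?g|gif|png)$/', $clientName, $m)) {
        return [false, 'bad filename'];
    }
    $ext = strtolower($m[2]);

    // 2. content: getimagesize() parses the real header regardless of the name
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGES[$info[2]])) {
        return [false, 'not a valid image'];
    }

    // 3. the extension the client chose must agree with what the bytes say
    if (!in_array($ext, ALLOWED_IMAGES[$info[2]], true)) {
        return [false, 'extension does not match image type'];
    }

    // 4. store under a name the server chose; the client's name is never reused
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    return [true, $stored];
}

// constructed inputs: a genuine 1x1 PNG and a text file wearing a .png name
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$txt = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($txt, 'just some text, not an image');

var_dump(validateImageUpload($png, 'avatar.png'));        // case: consistent name and content
var_dump(validateImageUpload($png, 'avatar.jpg'));        // case: extension disagrees with the bytes
var_dump(validateImageUpload($txt, 'notes.png'));         // case: name says image, bytes do not
var_dump(validateImageUpload($png, '../../avatar.png'));  // case: traversal characters in the name

unlink($png);
unlink($txt);
```

exif_read_data() can be added as a second opinion for JPEG and TIFF input, but it is not a substitute for getimagesize() here because GIF and PNG files carry no EXIF block; the type check above is what actually rejects disguised files.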
-
If you could add a citation to that, that would be great. Saying something dumb and prefixing it with "A wise old man once said" doesn't make it fact. XML for settings and/or SOAP APIs isn't below standard. PDO is a database API and supports multiple database flavours. If the game runs on SQL, why would you need to change it (or add the flexibility to do so?) - it's not a framework. @OP - Good luck & keep us updated. I look forward to it.
-
Kind of there, but totally missed the point. The only security hole isn't SQLI injection, but also stored XSS.
- - - Updated - - -
Hey, no worries :) you're learning so that's something. It's a change from people grabbing free things from here and not giving anything in return. I look forward to your updates.
-
Nice addition, however it's really insecure. Will secure this once I get home. @OP: PM me if you want my skype address and I'll help you secure it instead.