Truefalse
Members, 22 posts
Everything posted by Truefalse
-
This method to reset passwords has a potentially serious security flaw. I could create a bash script to first send a GET request to instantiate the session, then enumerate with POST requests, hundreds a second (multi-threaded process), until it finally goes through, as the captcha doesn't have enough complexity to it. I'd grab the user id from the user's profile link. I'd social engineer the user's email (or grab the email from a mass mail; I know one game that includes all emails in a mass email, I notified the owners about 3 weeks ago, still no change). I'd assume the user hasn't changed their login name, as it is still equal to their username. I'd input a password of my control.

Some code to show you how many times a duplicate captcha will appear in a loop of 10000 iterations:

<?php
$a = []; // Because it just holds digits 0-9, 4 chars long
for ($i = 0; $i < 10000; $i++) {
    $n = mt_rand(1, 9999);
    $a[$n] = ($a[$n] ?? 0) + 1; // count how often each code comes up
}
$dupes = array_filter($a, function ($b) { return $b > 1; });
print_r($dupes);
echo count($dupes);

https://eval.in/314640

I'd consider doing what @krballard94 suggested.
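As an added example, not from the original post: one way the game could harden the reset form against the enumeration described above, by making each captcha single-use, generating it with a CSPRNG from a wider alphabet, and locking the session after a few failures. The session handling, constants and function names are assumptions.

```php
<?php
// Added example (not from the original post): captcha hardening for a
// password-reset form. Assumes PHP sessions are in use; names are assumptions.
session_start();

const MAX_ATTEMPTS = 5;        // failed checks allowed before the session is locked
const LOCKOUT_SECONDS = 900;   // how long a locked session must wait

// Issue a fresh captcha: a wider alphabet than 0-9 and random_int() instead
// of mt_rand(). Only the rendered image goes to the client, never the text.
function issue_captcha(): string {
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789'; // no 0/O/1/I lookalikes
    $code = '';
    for ($i = 0; $i < 6; $i++) {
        $code .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    $_SESSION['captcha'] = $code;
    $_SESSION['captcha_issued'] = time();
    return $code;
}

// Verify one submission. Every call consumes the captcha, so each HTTP request
// gets at most one guess and an enumeration loop needs a new image each time.
function check_reset_captcha(string $submitted): bool {
    $now = time();
    if (($_SESSION['locked_until'] ?? 0) > $now) {
        return false;                       // still locked out
    }
    $expected = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);            // single use, right or wrong
    if ($expected === null) {
        return false;                       // no captcha issued for this session
    }
    if (hash_equals($expected, strtoupper(trim($submitted)))) {
        $_SESSION['reset_failures'] = 0;
        return true;
    }
    $_SESSION['reset_failures'] = ($_SESSION['reset_failures'] ?? 0) + 1;
    if ($_SESSION['reset_failures'] >= MAX_ATTEMPTS) {
        $_SESSION['locked_until'] = $now + LOCKOUT_SECONDS;
    }
    return false;
}
```

A counter kept only in the session can be sidestepped by opening a new session, so key the failure count on the target account (and the source address) in server-side storage as well; the stronger fix is to email the user a random single-use reset link instead of accepting a new password from the form.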
-
Would you say word of mouth is free advertising? I'd say it is. And of course, I wouldn't say something like that without a few resources to back me up :cool: http://www.forbes.com/sites/kimberlywhitler/2014/07/17/why-word-of-mouth-marketing-is-the-most-important-social-media/ http://wordofmouthbook.com http://hireinfluence.com/all/elements-successful-word-mouth-marketing-campaign/ http://blog.peerindex.com/word-of-mouth-success-stories-by-industry/ rekt.
-
Someone is going to offer you an engine called RC (I forgot what the initials stand for. The owner - which used to be IceColdCola - does go on these boards, so (s)he may be able to assist you). Don't take it unless they guarantee security. It's the most insecure engine out there. Though, it's what you're probably looking for as it's pretty much an exact Torn clone.
-
Hi guys, it's me. TP2 king. I found a SQL injection but didn't realise it actually worked until ~30 seconds later as I didn't realise the actual game body isn't real time. (@OP: If it was real time, I could have patched it for you) Look, I'll show you. (Mom will be so proud of me) btw, you have major XSS issues (as I've demonstrated).
-
I've hidden my love throughout your site. You'll know when you come across him. :)
-
OP is offering something for free with a simple signup in return. He can distribute it however he pleases. (No he wants our time to register in return. Yeah ok)
-
You should tell your friend to invest heavily if he can ensure someone gets unlimited of something in computing. That's truly great. On a serious note, get your friend here to publicly answer the usual questions:
- what experience do you have managing servers?
- what OS are you running?
- what are your backup and recovery procedures?
- is support included? What type of support?
- do I have a money back guarantee?
- what payment methods do you take?
- do you upgrade the software? If so, how much notice time do we have?
- do clients get SSH access?
-
What a very low quality post. @OP: I can do this for you. I'll charge you $40 for my time though. PM me if you're interested.
-
Still has security holes. See my first reply.
-
Absolutely not. Do not preach "for me that is enough". It is nowhere near substantial. Sure, it helps against SQL injection, but binding query parameters does that a lot better. If you kept with your version that is "enough for you", you are not securing yourself against stored XSS attacks, which is a huge thing. With XSS, you can do whatever you like:
- Redirect users
- Modify the DOM
- Steal users' cookies
- ...
-
Yes. stripslashes() provides near zero data sanitisation, thus little security. Your lazy match (.?) in your preg_match() is very worrying (also, you're missing the anchor tags (^ and $)). Images have EXIF data, which is pretty much metadata about the image, detailing the image name, MIME types, dimensions and everything else (such as GPS co-ordinates when taken, if the device logs this data).

To secure your script, you're going to want to do the following:
- Grab the image they have pasted with code
- Inspect that image with various functions

Various functions to check something is a valid image are:
- getimagesize()
- exif_read_data()

Now that you've checked the integrity of the thing the user is uploading, we need to check the file name (to disallow XSS, SQL, and CSRF injections). You've made a start with the preg_match(), which is decent; however your regular expression will not detect any of the threats listed above. Here is a ruleset for file naming: http://www.dpbestflow.org/file-management/file-naming

A basic regular expression you could use is the following:

^([a-zA-Z0-9_\-%]+\.)(jpe?g|gif|png)$

This will allow only:
- Alphabetic characters (a-zA-Z)
- Numeric characters
- Special characters (_, -, %, /)

Of course this will only validate the filename, and not the entire URI. https://regex101.com/r/pD5dB5/2
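As an added example (not the poster's code), the checks above put together: the reply's file-name regular expression, getimagesize() and finfo to confirm the content rather than the name, and a re-encode through GD so EXIF and anything else hidden in the file is dropped. It assumes the image has already been fetched to a local temp file; the function name, constants and upload directory are mine.

```php
<?php
// Added example (not the original poster's code): validate an image that has
// already been fetched to a local temp file $tmp, whose original name is $name.
// Function name, constants and $uploadDir are assumptions for this example.
const ALLOWED_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_BYTES = 2 * 1024 * 1024;

function validate_image(string $tmp, string $name, string $uploadDir): array {
    if (!is_file($tmp) || filesize($tmp) > MAX_BYTES) {
        return [false, 'missing or too large'];
    }
    // File name rule from the reply above (made case-insensitive so JPG passes).
    if (!preg_match('/^([a-zA-Z0-9_\-%]+\.)(jpe?g|gif|png)$/i', $name)) {
        return [false, 'bad file name'];
    }
    // Content checks: getimagesize() must parse a real image header and the
    // sniffed MIME type must agree with it; the name/extension is never trusted.
    $info = @getimagesize($tmp);
    if ($info === false) {
        return [false, 'not an image'];
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if ($mime !== $info['mime'] || !isset(ALLOWED_TYPES[$mime])) {
        return [false, 'unexpected content type'];
    }
    // Re-encode through GD: EXIF blocks and anything appended after the image
    // data are dropped, and the file is stored under a server-generated name.
    $img = @imagecreatefromstring(file_get_contents($tmp));
    if ($img === false) {
        return [false, 'image could not be decoded'];
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $saved = match ($mime) {
        'image/jpeg' => imagejpeg($img, $target, 90),
        'image/png'  => imagepng($img, $target),
        'image/gif'  => imagegif($img, $target),
    };
    imagedestroy($img);
    return $saved ? [true, $target] : [false, 'could not save'];
}

// Usage once the upload/fetch has landed in a temp file:
// [$ok, $detail] = validate_image($tmpPath, $originalName, __DIR__ . '/uploads');
```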
-
If you could add a citation to that, that would be great. Saying something dumb and prefixing it with "A wise old man once said" doesn't make it fact. XML for settings and/or SOAP APIs isn't below standard. PDO is a database API and supports multiple database flavours. If the game runs on SQL, why would you need to change it (or add the flexibility to do so?) - it's not a framework. @OP - Good luck & keep us updated. I look forward to it.
-
Kind of there, but totally missed the point. The only security hole isn't SQL injection, but also stored XSS.

Updated: Hey, no worries :) you're learning so that's something. It's a change from people grabbing free things from here and not giving anything in return. I look forward to your updates.
-
Nice addition, however it's really insecure. Will secure this once I get home. @OP: PM me if you want my skype address and I'll help you secure it instead.
-
Something to add here, if you do this: you will need to execute and parse the PHP file (rather than wget or curl):

php -f /path/to/cron.php
-
Does the game need to be established? I have a custom script that is pretty much a game, but never released it.
-
Anyone interested in 2 app/game sites for sale.
Truefalse replied to onetouchgames's topic in General
Razor42 / Aaron mccmanus I think -
User: http://makewebgames.io/member.php/70861-thomasleahy1
Work type: Geometric logo
Efficiency: 10/10
Communication: 10/10 (updated me)
Turnaround: 10/10 (very quick)
Contacted him a couple of hours ago and received the work I requested to be done in a very timely fashion. He requested a few samples to base the graphic off, from which he then did some amazing work. On top of the quick turnaround, the work had a very reasonable price tag. Would hire again.
-
Actually no. Once you have the client IP, you can get their geolocation; and even if they are behind a proxy, you can use a method called STUN using WebRTC. You can use a technique called STUN to get a user's IP for those behind a proxy, as it runs totally client-side. WebRTC is implemented in Firefox and Chrome and allows requests to STUN servers to be made that will return the local and public IP address for the user. All it takes is a little bit of JavaScript. What's interesting is that the STUN requests are made outside of the normal XMLHttpRequest procedure, so they're not available in the developer console, or blocked by plugins such as AdBlockPlus.

Read more on STUN at Wikipedia: http://en.wikipedia.org/wiki/STUN
Read more about getting an IP address behind a proxy: https://github.com/diafygi/webrtc-ips

Now that you have their public IP address, you can store it, and do as @KyleMassacre mentioned. Although, a spammer can just reset their router/modem and get a new public IP address allocated to themselves, albeit this slows down the influx of multiple accounts being made in a short period of time to generate spam within your game. If, however, you do this, and people play at internet cafes, be prepared to see the negative side to blocking public non-static IP addresses.

In general, you shouldn't block non-static IP addresses as it will hurt your product. Instead you should think about the damage people can do (i.e. spam your game), and build defences for those. Someone having multiple accounts on your site isn't a breaker.

TL;DR: Don't block multiple accounts on your site. Build defences to block those multiple accounts from abusing self-trades, self-attacks (boosting).
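As an added example, not from the reply above: what the "build defences" advice could look like server-side, treating a shared public IP as one signal about a trade rather than a reason to block the account. The data layout, thresholds and sample addresses are constructed.

```php
<?php
// Added example (not from the original post). A shared IP is only a signal:
// two players at the same internet cafe share one, so the decision combines it
// with how one-sided the trade is. Sample data below is constructed.

// account id => public IPs seen at login (constructed sample data)
$loginIps = [
    101 => ['203.0.113.7', '198.51.100.20'],
    102 => ['203.0.113.7'],   // same address as 101: an alt, or a shared connection
    103 => ['192.0.2.55'],
];

function accounts_share_ip(array $loginIps, int $a, int $b): bool {
    $common = array_intersect($loginIps[$a] ?? [], $loginIps[$b] ?? []);
    return count($common) > 0;
}

// Decide what to do with a proposed trade. $gives and $receives are the
// in-game value each side hands over. Returns 'allow', 'review' or 'block'.
function review_trade(array $loginIps, int $from, int $to, int $gives, int $receives): string {
    if ($from === $to) {
        return 'block';                 // trading with yourself
    }
    // One-sided transfer: the other side gives back less than a tenth (assumed threshold).
    $lopsided = $receives * 10 < $gives;
    $shared = accounts_share_ip($loginIps, $from, $to);
    if ($shared && $lopsided) {
        return 'block';                 // looks like boosting an alt account
    }
    if ($shared || $lopsided) {
        return 'review';                // let it through, but log it for a moderator
    }
    return 'allow';
}

// Usage: a free transfer between two accounts seen on the same address.
echo review_trade($loginIps, 101, 102, 5000, 0), PHP_EOL;
```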