
Zeggy
Everything posted by Zeggy
-
There's really no need for this, we're all English speakers :D
-
I have never used mc codes so I won't be able to help write anything for that article :P I could help with the functions article though, I've written one before. :) I believe an article or series of articles going in-depth on security is not something that would be easy. You could write a book (and there are a few) on just PHP security. I do have an idea though: (maybe as a side project) every week, you could ask for game owners who have had their game exploited to allow you to use their game in your article. In your article, you demonstrate whatever exploit they were victim to on their game (so include screenshots), explain why it happens and how, and then show how to fix it. You get a very good article with live examples, and the game owner gets a bug fixed for free!
-
The error message is quite clear.
-
I don't mean to be advertising, but... my site Web Game Wiki (link in sig) is a wiki about web games (duh), and it's got a section for developers, and a sub-section specifically on security. I've written some articles on security already, mainly the user input, sql injection and xss articles. Since it's a wiki, everybody is free to edit it, and add more articles. So if you're interested... maybe you'd like to think about using my wiki as a platform, or even just as a reference? :P If not, then I'll volunteer myself anyways to help write your articles.
-
Being slapped by a php manual is not osmosis :D
-
Securing output protects from XSS. Securing input protects from SQL injections. As far as I am aware, that particular syntax is specific to the printf family of functions, unlike in python... If I'm wrong, where can you use this kind of string formatting? The F stands for formatting, not filter ;) If I'm correct, then that's just the way your $db->query function is written. I don't think this is actual mysql OR php syntax. If it were PHP, then it would be documented in the mysql_query function. If this were mysql, then you'd be able to execute this in say, phpmyadmin. mysqli has some string formatting and variable binding functions, but I don't think you're using mysqli.
-
Well, Chrome is improving pretty nicely... It's funny, it's already overtaken Opera and Safari :P And umm... people do use Windows, Windows is the most popular OS! Both for personal use and for large businesses that require a good computer network infrastructure. It's because of the very fact that Windows is commercial that allows it to be better than, say, Linux, because they can use all that money to provide support to businesses and put out fairly decent software (and advertise of course). I'm not saying Windows is better than Linux, but in some ways it *is* superior. Seems like the topic has gone from user statistics -> browser wars -> OS wars :D
-
Really? I tend to pick my software depending on how it runs, not depending on the company behind it :) I find Firefox is too slow (compared to Chrome) and has huge memory leak issues. Chrome has its own task manager for ending tabs or processes that are using up too many resources. I am able to have several windows of Chrome open at the same time, each with at least 10 tabs, while using less memory than Firefox. And now that Chrome extensions are out, it's *almost* as useful as Firefox.
-
You should remember that IE is still the most popular browser. W3Schools is a web developer website, so obviously their visitors don't represent the average user. Web developers tend to know how to use computers better (duh) so they know they shouldn't use IE. The average user probably doesn't know this, so IE is still the most popular browser. So, the headaches haven't disappeared yet for layout designers :)
-
I don't think so... You have the added processing/time penalty of having to implode/explode variables, compared to using GET variables normally. Still, when faced with this situation it would be better to not use GET variables at all...
-
lol I'm also wondering how you got this problem to solve from looking at his topic... Nothing is said about arrays, 1a 2b etc., or the format of his data... :P
-
Any one of these should work: $c = $_GET['data' . $b]; $c = $_GET["data$b"];
-
You can find a free copy in the scripts vault here. :)
-
You could split your user table into two tables: one with commonly accessed information such as username, and data that is displayed on each page like player stats. Then in your secondary user table you store information that is rarely used (compared to your main user table), containing info such as password, email, profile data, and other page-specific data. As for users' friends, you should normalise your tables - take the users and users' friends and put them in their own table.
Columns: user_id, friend_id
Primary key: (user_id, friend_id)
This way you can let your database do the hard work. You are also able to cache results, sort friends, search friends, order friends, join data and more. You can also take advantage of the fact that this is the kind of operation a database was made for... There's no point shoving all your data into a single column in a database, otherwise you might as well store it in a flat file. Having a variable-length column like a delimited friends list means that the columns will grow from length 0 to any size, and every player will have friends data of different length. The database will need to do extra work to read/write this column of data because variable-length data is stored and read differently from fixed-size data. This means that every read and write operation on this data will be slower.
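A worked version of the two points above (the normalised friends table with a composite primary key, and the earlier post's rule that output is escaped for XSS while input is bound for SQL injection), as an added example in Python/SQLite that is not from the original posts; the table and column names users, friends and display_name are assumed.

```python
import html
import sqlite3

# Constructed schema for the friends-list discussion (assumed names).
SCHEMA = """
CREATE TABLE users (
    user_id      INTEGER PRIMARY KEY,
    username     TEXT NOT NULL UNIQUE,
    display_name TEXT NOT NULL
);
CREATE TABLE friends (
    user_id   INTEGER NOT NULL REFERENCES users(user_id),
    friend_id INTEGER NOT NULL REFERENCES users(user_id),
    PRIMARY KEY (user_id, friend_id)
);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn

def add_user(conn, username, display_name):
    # Bound parameters travel separately from the SQL text, so a display name
    # like "x'); DROP TABLE users;--" is stored as plain data, never parsed as SQL.
    cur = conn.execute(
        "INSERT INTO users (username, display_name) VALUES (?, ?)",
        (username, display_name))
    return cur.lastrowid

def add_friend(conn, user_id, friend_id):
    # The composite primary key rejects a duplicate pair and the foreign keys
    # reject an unknown user; report either as False instead of raising.
    try:
        conn.execute("INSERT INTO friends (user_id, friend_id) VALUES (?, ?)",
                     (user_id, friend_id))
        return True
    except sqlite3.IntegrityError:
        return False

def friend_list_html(conn, user_id):
    # The database sorts and joins; escaping happens at output time, so a
    # display name that contains markup renders as text rather than as HTML.
    rows = conn.execute(
        "SELECT u.display_name FROM friends f JOIN users u ON u.user_id = f.friend_id "
        "WHERE f.user_id = ? ORDER BY u.display_name", (user_id,))
    return "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
```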
-
A small security tutorial, hope it's somewhat helpful.
Zeggy replied to a topic in Tips and tutorials
Actually, int converts the value to a number, and abs converts the number to be positive. mysql_real_escape_string can be used on numbers as well, it does NOT mess up numbers. ctype_digit is just a function to check if all the characters in a variable are digits. This means decimal and negative numbers do not pass the check. The function returns true or false.
-
I'm not sure what you mean by an unsecure and secure example of XSS. A login page would not likely be a target of xss because the user login data is never displayed in the browser. I have written an article on XSS, maybe you will find it helpful: http://www.webgamewiki.com/XSS
-
In your list of filter code like this: $filter['filter'] = abs(@intval($filter['filter'])); $filter['filter'] = isset($filter['filter']) && is_string($filter['filter']) ? strtolower(trim($filter['filter'])) : ""; Your variables will always be set to an empty string. This is because in the first line, you change the value into an integer. The second line turns it into an empty string because the type of the variable isn't a string. This applies to all your filter code in that section.
-
You can be confident with your game all you want, if you don't do anything with it, your game will still be terrible :P But yeah, I agree. There is actually no way of stopping people from spreading website links. You can replace the dot with [dot], or add spaces in the url, or split the url, or get around whatever filters you have in a million other ways. Also, if players are leaving your game because they click a link and find that link is more interesting than your game, then those players would have left your game anyways. And finally - even if your game is extremely awesome and you are one of the top 100 games in the world... players will still leave your game eventually. Players come and go, that is completely natural. It is not always a bad thing when players leave. It's only a bad thing when a visitor never signs up to begin with.
-
I am interested. Pick me, pick me! :P
-
Judging from the screenshot, this program uses a dictionary attack, not brute force. lol, ummm, no. You got the response time wrong, the more correct strings would have a longer response time. Response time by characters?! That would depend on how the strings are compared, and I doubt many systems compare on a character by character basis. What's easier? Comparing a 256-bit string at once, or comparing 256 bits separately? Also, your method wouldn't work over the internet as loading time would completely overshadow any difference in computation. Using a word list to try passwords is a dictionary attack. Trying every permutation of characters is a brute force attack. Password cracking isn't a method, it's a description of an activity. Brute forcing is a method of password cracking, as is a dictionary attack, as is guessing.
-
lol a brute forcer is easier than a password cracker.
-
If you set the auto_increment value to something lower than MAX (`id`)+1, it will automatically be reset to MAX (`id`)+1. Auto_increment doesn't fill up gaps from deleted rows. It starts counting from at least the largest auto_increment value in your table. Actually last insert ID requires an auto_increment column, and only returns the ID from the last inserted row during that connection. Meaning it will only be useful if you've just inserted a row on the same page.
-
LOL Change the $x++ to $i++
-
Use a for loop between the values you want to insert for (e.g. 1-2000). Use your regular insert query for each ID, and add this to the end of the query: WHERE NOT EXISTS(SELECT `ID` FROM `players` WHERE `id`=$i) So something like this: INSERT INTO `free_ids` (`id`) VALUES ($id) WHERE NOT EXISTS(SELECT `ID` FROM `players` WHERE `id`=$i); Where $i is the ID that you are inserting. This isn't very efficient as it will still be querying the database for every single ID even if nothing's being inserted. But it's a lazy way to do it, and if you don't mind that it takes some time.
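The gap-filling loop above as an added Python/SQLite example (not from the post): each candidate id is inserted with INSERT ... SELECT ... WHERE NOT EXISTS and bound parameters, and a second function gets the same list in one set-based query. The table names players and free_ids come from the post; the recursive CTE form is an assumption that also runs on MySQL 8.

```python
import sqlite3

def free_ids_table(conn, low, high):
    """Fill free_ids with every id in [low, high] that no player currently uses."""
    conn.execute("CREATE TABLE IF NOT EXISTS free_ids (id INTEGER PRIMARY KEY)")
    # One statement per candidate id, as in the loop described above, written as
    # INSERT ... SELECT so the WHERE NOT EXISTS clause is valid SQL (a plain
    # INSERT ... VALUES has no WHERE clause). OR IGNORE makes a re-run harmless.
    conn.executemany(
        "INSERT OR IGNORE INTO free_ids (id) SELECT ? WHERE NOT EXISTS "
        "(SELECT 1 FROM players WHERE id = ?)",
        ((i, i) for i in range(low, high + 1)))
    conn.commit()
    return [row[0] for row in conn.execute("SELECT id FROM free_ids ORDER BY id")]

def free_ids_set_based(conn, low, high):
    """Same answer from a single query: generate the range in SQL, keep unused ids."""
    rows = conn.execute(
        "WITH RECURSIVE seq(n) AS (SELECT ? UNION ALL SELECT n + 1 FROM seq WHERE n < ?) "
        "SELECT n FROM seq WHERE NOT EXISTS (SELECT 1 FROM players WHERE id = seq.n) "
        "ORDER BY n", (low, high))
    return [r[0] for r in rows]

def demo_db(existing_ids):
    # Constructed players table with deliberate gaps in the id sequence.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO players (id, name) VALUES (?, ?)",
                     [(i, f"player{i}") for i in existing_ids])
    return conn
```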
-
I think your regular expression is wrong. It will only match text like ahttp, bshit, ccnob, etc. Try this: /(((http|www).+)|(.+(\.com|\.co.uk|\.info|\.co\.cc|\.net))|.*(fuck|nob|fanny|vagina|dick|bitch|gay|shit).*)/i This will match words that begin with http or www, end in .com/.co.uk/etc or any words that contain swear words (even doorknob or snob will trigger because it contains nob, so watch out which words you put in here).
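The posted expression tried against sample chat lines, as an added Python example (not from the post), with the swear list cut to two entries; the TIGHTER pattern is an assumed alternative that anchors links and matches swear words only as whole words, so doorknob and snob no longer trigger.

```python
import re

# The expression from the post above, swear-word list shortened to two entries.
POSTED = re.compile(
    r"(((http|www).+)|(.+(\.com|\.co.uk|\.info|\.co\.cc|\.net))|.*(nob|shit).*)", re.I)

# Assumed tighter variant (not from the post): links must start with a scheme or
# www., domains end at a word boundary, swear words are whole words only, and the
# dot in .co.uk is escaped so it no longer matches "co-uk" or "coXuk".
TIGHTER = re.compile(
    r"(\b(https?://|www\.)\S+)|(\S+\.(com|co\.uk|info|co\.cc|net)\b)|(\b(nob|shit)\b)", re.I)

def is_blocked(message, pattern=POSTED):
    # search(), not match(): the pattern may hit anywhere in the line.
    return pattern.search(message) is not None

def classify(messages, pattern):
    """Return, in input order, the messages the given pattern would block."""
    return [m for m in messages if is_blocked(m, pattern)]

# Constructed sample lines, including the false positives the post warns about.
SAMPLES = [
    "doorknob",
    "visit www.example.com",
    "see http://example.net/x",
    "my snob friend",
    "total shit",
    "nothing wrong here",
    "mail me at foo.co.uk",
]
```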