Posts: 3,713
Everything posted by Zero-Affect
-
Maybe in new PHP it isn't an issue, but I seem to remember being told by an actual programmer that it was an issue, which is why I never did it. Something to do with whitespace, I believe, but I'm sure the administration knows best; my mistake.
-
Good job Fbiss. I was planning on giving this guy a hand but it's already taken care of. Looks like an interesting mod, good work.
-
Good point, I did direct them to a previous post without a link. Simply, you have no protection on the inputted string, which will allow users to do almost anything. Allowing HTML in signatures could be auto-refreshed to viruses or simply make you make them admin using a simple injection (which I will not post). An obvious but very rarely used protection against attacks like this would be the very well known strip_tags() function, which only allows what code you direct it to allow. There may be a newer way of doing this, but I have been away from PHP for a few months now and am working on old experience, with signatures being one of the most exploited things I found on MC codes. Other solutions could involve only allowing alphanumeric chars to be inputted, which would stop the simple decoding of chars to make an HTML string work with strip_tags included.

Researching possible ways your code can and will be attacked is about 80% of the whole idea of coding something. Everyone wants an easy way of doing something, and every little 12 year old can easily get an injection from Google. They see it as a game, yet you should look at it as your business.

htmlentities(), strip_tags(), ctype_alnum(): search on http://www.php.net. Three helpers which I consider my favourites against wannabe hackers.
-
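What the three helpers named in the post above look like on a signature field, as an added example (this is not code from the original post or from MC codes). Assumes PHP 7.1 or newer; the sample signatures are constructed. It also shows the catch a practitioner hits with strip_tags(): the allowed tags keep their attributes, so an event handler on an allowed <b> survives unless you strip attributes as well.

```php
<?php
// Added example, not part of the original post or of MC codes.
// Assumes PHP 7.1+. Sample inputs below are constructed for the demo.

// As shipped (the problem the post describes): whatever the user typed is stored
// and later echoed into every page that shows the signature (stored XSS).
function save_signature_unsafe(string $input): string
{
    return $input;
}

// Option 1: allow a short whitelist of tags, then drop attributes on those tags.
// strip_tags() removes every tag not in the list but leaves attributes on the
// tags it keeps, so <b onmouseover="..."> would still get through without the
// second step.
function save_signature_strip(string $input): string
{
    $clean = strip_tags($input, '<b><i><u>');
    return preg_replace('/<(b|i|u)\b[^>]*>/i', '<$1>', $clean);
}

// Option 2: allow no HTML at all and encode on output. The stored value can then
// contain anything; it is rendered as text, never as markup.
function render_signature_escaped(string $stored): string
{
    return htmlentities($stored, ENT_QUOTES, 'UTF-8');
}

// Option 3 (the "alpha and numeric chars" suggestion): reject anything that is not
// letters, digits or spaces. Returns null when the input is refused.
function save_signature_alnum(string $input): ?string
{
    $compact = str_replace(' ', '', $input);
    return ($compact !== '' && ctype_alnum($compact)) ? $input : null;
}

// Constructed sample signatures: harmless, a script-carrying tag, an allowed tag
// carrying an event handler, and plain text.
$samples = [
    'Hello <b>world</b>',
    '<img src=x onerror="alert(document.cookie)">',
    '<b onmouseover="alert(1)">hover</b>',
    'plain text 123',
];

foreach ($samples as $s) {
    echo "input:   ", save_signature_unsafe($s), "\n";
    echo "strip:   ", save_signature_strip($s), "\n";
    echo "escaped: ", render_signature_escaped($s), "\n";
    echo "alnum:   ", var_export(save_signature_alnum($s), true), "\n\n";
}
```

Pick one of the two directions and use it everywhere the field is shown: either sanitise on the way in (options 1 and 3) or escape on the way out (option 2). Doing neither on one code path is what lets the signature run in the admin's browser.
-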
Stats are worked out on generic MC codes in global_func.php:

function get_rank($stat, $mykey)
{
    global $db;
    global $ir, $userid, $c;
    $q = $db->query("SELECT count(*) FROM userstats us LEFT JOIN users u ON us.userid=u.userid WHERE us.$mykey > $stat AND us.userid != $userid AND u.user_level != 0");
    return $db->fetch_single($q) + 1;
}

You could simply change this to:

function get_rank($stat, $mykey)
{
    global $db;
    global $ir, $userid, $c;
    // SQL compares with a single =, not ==
    $q = $db->query("SELECT count(*) FROM userstats us LEFT JOIN users u ON us.userid=u.userid WHERE us.$mykey > $stat AND us.userid != $userid AND u.user_level = 1");
    return $db->fetch_single($q) + 1;
}

This may be an issue when viewing this function on an administration username, so it's probably best editing the index page to only allow users to view their stats, something simple like:

if ($ir['user_level'] == 1) {
    // show stats
} else {
    echo "Administrators do not have statistics";
}

This is just a rough idea, hope it helps. In advance I know * is not always the best idea, but this is from the generic MC codes engine, not my own.
-
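The rank query from the post above, rewritten as an added example (not MC codes' own code and not from the original post) so it runs stand-alone. It uses PDO over an in-memory SQLite database with constructed users and userstats tables; user_level 1 is taken to mean player and 2 admin, which is an assumption for the demo. The column name in us.$mykey cannot be a bound parameter, so the example checks it against a fixed list before interpolating it, which is the check you want if that value can ever come from a request.

```php
<?php
// Added example, not MC codes' own code. PDO over in-memory SQLite with constructed
// tables so it runs without a MySQL server. Table and column names follow the post;
// the user_level meanings (1 = player, 2 = admin, 0 = not a player) are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, user_level INTEGER)');
$db->exec('CREATE TABLE userstats (userid INTEGER PRIMARY KEY, strength INTEGER, agility INTEGER)');
$db->exec('INSERT INTO users VALUES (1, 1), (2, 1), (3, 2), (4, 0)');
$db->exec('INSERT INTO userstats VALUES (1, 50, 10), (2, 80, 20), (3, 999, 30), (4, 70, 40)');

// Rank = 1 + number of other players whose stat is higher. Admins (and level 0)
// are left out by u.user_level = 1. The stat column is interpolated into the SQL
// because identifiers cannot be bound, so it is whitelisted first.
function get_rank(PDO $db, int $userid, string $mykey, int $stat): int
{
    static $allowed = ['strength', 'agility'];
    if (!in_array($mykey, $allowed, true)) {
        throw new InvalidArgumentException("unknown stat column: $mykey");
    }
    $sql = "SELECT count(*) FROM userstats us
            LEFT JOIN users u ON us.userid = u.userid
            WHERE us.$mykey > :stat AND us.userid != :uid AND u.user_level = 1";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':stat', $stat, PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userid, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $stmt->fetchColumn() + 1;
}

// User 1 has strength 50. With the generic user_level != 0 rule the admin (999)
// and player 2 (80) would both count; with user_level = 1 only player 2 counts.
echo "rank of user 1 by strength: ", get_rank($db, 1, 'strength', 50), "\n";
echo "rank of user 2 by strength: ", get_rank($db, 2, 'strength', 80), "\n";

// A column name that is not on the list is refused before it reaches the SQL.
try {
    get_rank($db, 1, 'strength; DROP TABLE users', 50);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```
-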
I really don't understand that script you posted. Closing the ?> before the end of the file is never a good idea; I would refer to an alternative video if they are telling you to do that.
-
Also, htmlentities() may help. You can use stripslashes() and addslashes() to add slashes for a database entry, then remove them on the visual side when brought from the database.
-
You're kidding, right? I said research; I did not do it for them as you did. This is a learning forum; you're not supposed to give them the solution but make them figure it out for themselves, which is how I taught myself. You are obviously a "programmer" as you're an admin on here, but don't get me wrong, the admin is not always right; at least when nyna was an admin she never just gave the solution away... Notice when reading over my post I never once said it was secure... I GAVE advice rather than showing people an easy solution, and trust me, I'm not the only one who would agree your MC codes version of an SQL entry is OLD. My version is like that for a reason. For example, if I was to...

$db->Execute("UPDATE users SET username = '".mysql_real_escape(stripslash($_POST['name']))."', desc = '".mysql_real_escape(stripslash($_POST['desc']))."' WHERE userid = '$userid'");

compared to my version...

$db->query("UPDATE `users` SET `username` = '".mysql_real_escape_string($_POST['name'])."', `desc` = '".mysql_real_escape_string($_POST['desc'])."' WHERE `userid` = '$userid'");

A little FYI for the Admin Programmer: it's mysql_real_escape_string, not mysql_real_escape.

EDITED due to typo noticed by Kyle; also, due to something pointed out to me, I would suggest not using addslashes or stripslashes with MRES.
-
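The same UPDATE as in the post above, with the values bound as parameters instead of escaped with mysql_real_escape_string(). This is an added example, not code from the original post or from MC codes, and it swaps in PDO prepared statements as the technique. It runs against an in-memory SQLite database with a constructed users table so no MySQL server is needed; the payload is constructed to show what the concatenated form does when escaping is left out.

```php
<?php
// Added example, not from the original post. PDO over in-memory SQLite; the users
// table and its two rows are constructed for the demo. Assumes PHP 7.1+ with pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, `desc` TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'first'), (2, 'bob', 'second')");

// The shape discussed in the post, minus the escaping: the SQL is built by string
// concatenation, so a quote in the name field ends the value and the rest of the
// input becomes SQL.
function update_profile_unsafe(PDO $db, int $userid, string $name, string $desc): void
{
    $sql = "UPDATE `users` SET `username` = '" . $name . "', `desc` = '" . $desc
         . "' WHERE `userid` = '" . $userid . "'";
    $db->exec($sql);
}

// Prepared statement: the SQL text is fixed and the values travel separately, so
// nothing in the input can change the statement and nothing needs escaping.
function update_profile_safe(PDO $db, int $userid, string $name, string $desc): void
{
    $stmt = $db->prepare('UPDATE `users` SET `username` = :name, `desc` = :desc WHERE `userid` = :id');
    $stmt->execute([':name' => $name, ':desc' => $desc, ':id' => $userid]);
}

function dump_users(PDO $db): string
{
    $rows = $db->query('SELECT userid, username, `desc` FROM users ORDER BY userid')
               ->fetchAll(PDO::FETCH_ASSOC);
    return implode("\n", array_map(function ($r) { return implode(' | ', $r); }, $rows));
}

// Constructed payload: closes the quoted value, rewrites the WHERE clause to match
// every row, and comments out the rest of the original statement.
$payload = "x', `desc` = 'owned' WHERE 1=1 -- ";

update_profile_unsafe($db, 1, $payload, 'ignored');
echo "after the concatenated UPDATE (every row changed):\n", dump_users($db), "\n\n";

update_profile_safe($db, 2, $payload, 'kept as data');
echo "after the prepared UPDATE (payload stored as a plain string in row 2):\n", dump_users($db), "\n";
```

On MySQL the same code applies with a mysql: DSN; set PDO::ATTR_EMULATE_PREPARES to false there so the server, not the driver, does the binding.
-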
Would anyone use this mod if I released it?
Zero-Affect replied to Joshua's topic in Requests & In Production
Damn, why are people posting ideas I have? I have found about 5 already which I thought would make my new project unique. Considering the difference in my version and yours I won't see any clash, but very good work.
-
if($ir['donatordays'] > 0) {

...into

if($ir['donatordays']) {

Simple, is it not? Considering this modification does not look secure in the slightest, I would recommend not using it; I have posted earlier a few simple functions on another post which may help against simple attacks. Considering I could easily take control of your website and even make you make me admin from anyone using this code.
-
lol Kyle, what's wrong with using LOL a lot? I do and it never bothered anyone, maybe besides yourself. Nice addon, but considering all the SQL queries I could never use it.
-
$db->query(sprintf(
    "UPDATE `users` SET `username` = '%s', `display_pic` = '%s', `forums_avatar` = '%s', `forums_signature` = '%s', `email` = '%s', `login_name` = '%s', `profsignature` = '%s' WHERE `userid` = %u",
    // %s does no escaping of its own, so each string value still goes through mysql_real_escape_string()
    mysql_real_escape_string($_POST['newname']),
    mysql_real_escape_string($_POST['newpic']),
    mysql_real_escape_string($_POST['forums_avatar']),
    mysql_real_escape_string($_POST['forums_signature']),
    mysql_real_escape_string($_POST['newemail']),
    mysql_real_escape_string($_POST['newloginname']),
    mysql_real_escape_string($_POST['newsignature']),
    $userid
));

Also, you may wanna research such things on php.net: MRES(), addslashes(), stripslashes() and so on, maybe ctype_alnum(). When changing strings with ereg_replace I suggest changing to preg_replace due to the new PHP...
-
Interesting method. Photoshop brushes, and very well put out, good job.
-
Kyle, you are the security expert now? I would suggest 3 simple steps: cPanel => delete database; FTP => delete all files; PC => shut off. If you have no knowledge in security for a website, that is your first mistake. You could pay someone like Kyle to secure the script, but when new PHP versions come out old functions become less secure and you pay again. The best solution is to trust one person's work; over MC codes I would suggest Horizons Game Engine any day, as a 5 year old dyslexic could do better. http://samples.phphorizons.com/login.php http://www.php.net Spend your money on learning how it works rather than getting people who believe they know how it works to protect you. Truthfully, I don't believe one single member of this forum (including myself) could secure MC codes without an entire recode.
-
Really? That is not what I heard, but he/she did say the attacker is running that IP. So let's say someone believes that is a hacker and "gives him what he deserves" by hacking his computer from the information provided by the original post. Who would be in the wrong, the forum or the user posting? I would say the forum would be in the wrong, as the administration obviously have no issue with it when it was brought to their attention. Could be quite interesting contacting a lawyer about this, if you were the so-called attacker.
-
I may be incorrect here, but are you allowed to give out a member of your site's IP without his/her permission? Ever heard of a little thing called privacy laws? Now even if this user hacked your game he could by rights be immune from all charges and sue you.
-
[mccode v2] Steal (Money / Crystals) [$10.00]
Zero-Affect replied to Zero-Affect's topic in Paid Modifications
Re: [mccode v2] Steal (Money / Crystals) [$10.00] One of the previous people who reserved a copy has backed out of the deal, therefore there is one copy left.
-
[REVIEW REQUEST] - Killah-City.net - Please Review
Zero-Affect replied to Zero-Affect's topic in Browsergames
Re: [Review] - Killah-City.net - Please Review I seem to remember you being sexist, racist and attacking staff members with insulting mails, comments and in the shoutbox. This was a review for a game which we all know was owned by Kyle AKA Killah; obviously by the name you can see Kyle loved the site a lot. The site was exploitable to a massive extent when Kyle owned it. I see the only issue with old players is they can't cheat or abuse the bugs anymore, so they leave or become very crude with remarks. All I really have to say to these cretins is get a bloody life!
-
Re: Name bug Wasn't this guy's issue about people having the same name as others? Simply, in name change, check all username and login_name values against the new name; if they are active then error text... so simple a child could do it.
-
Re: Help needed will pay $20 Kyle lol, I say you delete your entire DB just for a giggle if you get a T String error lol. I'll gladly upload files for 20 bucks a piece though, sounds good to me.
-
Re: Complete new gang system... I've done something like this on my game; I'm just about to edit the war and ally system to a unique style. Good luck in the coding.
-
[mccode v2] Steal (Money / Crystals) [$10.00]
Zero-Affect replied to Zero-Affect's topic in Paid Modifications
Re: [mccode v2] Steal (Money / Crystals) [$10.00] Are you pointing out the obvious for a reason?
-
[mccode v2] Steal (Money / Crystals) [$10.00]
Zero-Affect replied to Zero-Affect's topic in Paid Modifications
Re: [mccode v2] Steal (Money / Crystals) [$10.00] bump
-
Re: [v2] SMS Messaging System Rep and Downloaders? I also have experience in PHP-Nuke, 3 years owning several PHP-Nuke websites lol. I've been into sites since I was 13 :-D
-
Re: Thank a CE mccode Mod Developer Day lol, is this where I say 'I've created a monster'? I myself dislike you on a professional level, nothing else. I wish you luck with your future; I hope inspiration from a 'noob' like me will help you become a good programmer. Good luck Michael. On another note, Anthony, Kyle & Karlos have come a long way and deserve a lot of credit, especially Karlos. Good work guys. I won't be on CE much for a while, so I guess I'll take this moment to say ciao :-D
-
Re: [v2] SMS Messaging System Looks good. Don't get why not many people have posted, but I understand this may be over some people's heads lol