seanybob
Posts: 666
Everything posted by seanybob
-
RE: Someone help me with using an ARRAY system here

    if($ir['race'] != $r['item_race'] && $ir['race'] != $r['item_race2'] && $ir['race'] != $r['item_race3'])
    {
        // if your race isn't item_race, item_race2, or item_race3 then you shouldn't be here
        print "The selected item is not able to be used by your race.";
        $h->endpage();
        exit;
    }
-
The all-encompassing Mccode Security Thread
seanybob replied to seanybob's topic in General Discussion
That's kind of what I was thinking with the code I put in the first post too. Make a quick for loop that cycles through all get and post variables, and cleanse them, and put it in globals.php. The function is_numeric would tell you if it's a number or not, which tells you which cleansing function to use.
-
I think it's about time we (as a community) organized all the mccode security related threads on this engine. Immortal made a good start with his post in another thread in this section. (For reference, I'll post it below.) Not only would I like to compile a list of all the fixes in this forum, I'd like to think about / work on better methods of securing mccodes. For starters, take a look at this code below and tell me what you think/improvements/comments/questions/etc.

    foreach($_POST as $k => $v)
    {
        if(is_numeric($_POST[$k]))
        {
            // or intval or '+ 0', I'm not sure what the differences are between these options
            $_POST[$k] = abs((int) $_POST[$k]);
        }
        else
        {
            /* only allows letters, numbers, spaces, and periods. User input should not need
               anything else... unless you have profile images / signatures / forums / mailboxes
               or whatnot. I prefer getting rid of mccodes mailbox + forum system in favor of
               something more secure that I don't have to constantly update myself like smf or
               phpbb. To run a different function for mailbox, we could just add a variable at
               the top of the mailbox page (such as $mailbox=1;) and then use that flag to run a
               different function in here that parses bbcode and is a bit more lax */
            $_POST[$k] = preg_replace("/[^A-Za-z0-9. ]/", "", $_POST[$k]);
        }
    }
    foreach($_GET as $k => $v)
    {
        if(is_numeric($_GET[$k]))
        {
            $_GET[$k] = abs((int) $_GET[$k]);
        }
        else
        {
            $_GET[$k] = preg_replace("/[^A-Za-z0-9. ]/", "", $_GET[$k]);
        }
    }

Post all your ideas/thoughts about securing this engine here, then I will make a new sticky thread with a compilation of the best we can come up with.
-
Thank you Immortalthug for posting these links for the OP. I'm sure they will help him.
-
Sigh. My 'E-Peen' is bigger! No, honestly though, these kinds of posts get me going. A kid talking about what a 'bad boy' hacker he can be, and not writing an informative post about the vulnerabilities he has seen. Even beyond that, proclaiming a sort of final, expert knowledge on a subject I doubt he's known for more than a year or two and probably learned through mccodes. Auto admin is easy to stop. A simple for loop in your header.php will take care of this on all pages except for login and register. All staff pages (by their very nature) should be closed to anyone not of the owner's IP. Barring that, at least closing them to anyone who doesn't have the owner's userid would work just fine. Not if you don't re-invent the wheel. Don't use the mccode forum system, get smf or phpbb. Don't allow users to upload images, require them to do it off-site (on photobucket or imageshack or something). Don't allow complicated user inputs for profile signatures, profile pictures, etc - require an approval process where an admin checks the input string for profile image changes if you're not good with regular expressions and can't do the image size trick mdshare posted in these forums. Congratulations. To Eruondo, You can do a decent job securing your site yourself. Be careful about what mods you choose to install, as most of them have gaping security holes. As for the mccodes game engine itself, there are a lot of holes... do your best searching these forums for specific hacks/issues others have had, and implementing their solutions. If you don't have the php experience necessary to write your own security, then that's pretty much the best you can do if you don't have a thick wallet. I'd like to help you mate, but I don't have the time to dedicate to it. If you're still looking for help when summer time rolls around, I'd be happy to help then.
-
BBcode is better than nothing (but it can be just as bad as HTML if you use a crappy BBcode engine). http://htmlpurifier.org/ I've never used HTML Purifier, but I've heard good things about it.
-
RE: RE: need some help with this
I added this line:

    if(!$_GET['price']){$_GET['price']=1;}

It looks like $_GET['price'] was empty.

    <?php
    include "globals.php";
    $_GET['statid'] = abs((int) $_GET['statid']);
    $_GET['price'] = abs((int) $_GET['price']);
    $statid = abs((int) $_GET['statid']);
    $stat = mysql_real_escape_string($_GET['stat']);
    $stattype = mysql_real_escape_string($_GET['stattype']); // escaped before it is quoted into the queries below
    $amount = abs((int) $_GET['amount']);
    $price = mysql_real_escape_string(abs((int) $_GET['price']));
    if($_GET['price'])
    {
        $q = $db->query("SELECT * FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
        if($db->num_rows($q) == 0) // no such implant owned by this user
        {
            print "Invalid Statid";
        }
        else
        {
            if(!$_GET['price']){$_GET['price']=1;}
            $r = $db->fetch_row($q);
            $db->query("INSERT INTO implant_market (marketid, statid, userid, stat, amount, price)
                        VALUES ('',{$_GET['statid']},$userid,'$stattype',$amount,{$_GET['price']})");
            $db->query("DELETE FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
            $db->query("INSERT INTO smarketlogs (smlid, statid, userid, stat, amount, price, time)
                        VALUES ('',{$_GET['statid']},$userid,'$stattype',$amount,{$_GET['price']},unix_timestamp())");
            print "Stat added to market.";
        }
    }
    else
    {
        $q = $db->query("SELECT * FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
        if($db->num_rows($q) == 0)
        {
            print "Invalid statid ID";
        }
        else
        {
            $r = $db->fetch_row($q);
            // the script reads $_GET['statid'], so the hidden field has to carry that name
            print "Adding an item to the Stat market...
                   <form action='statadd.php' method='get'>
                   <input type='hidden' name='statid' value='{$_GET['statid']}' />
                   Price: <input type='text' name='price' value='0' />
                   <input type='submit' value='Add' /></form>";
        }
    }
    $h->endpage();
    ?>
-
RE: need some help with this
Post the error. However, my best guess is that you got some error with all the extra single quotes you have in there. In a mysql query, you don't have to put numbers in single quotes. I fixed those for you, let me know if it works.

    <?php
    include "globals.php";
    $_GET['statid'] = abs((int) $_GET['statid']);
    $_GET['price'] = abs((int) $_GET['price']);
    $statid = abs((int) $_GET['statid']);
    $stat = mysql_real_escape_string($_GET['stat']);
    $stattype = mysql_real_escape_string($_GET['stattype']); // escaped before it is quoted into the queries below
    $amount = abs((int) $_GET['amount']);
    $price = mysql_real_escape_string(abs((int) $_GET['price']));
    if($_GET['price'])
    {
        $q = $db->query("SELECT * FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
        if($db->num_rows($q) == 0) // no such implant owned by this user
        {
            print "Invalid Statid";
        }
        else
        {
            $r = $db->fetch_row($q);
            $db->query("INSERT INTO implant_market (marketid, statid, userid, stat, amount, price)
                        VALUES ('',{$_GET['statid']},$userid,'$stattype',$amount,{$_GET['price']})");
            $db->query("DELETE FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
            $db->query("INSERT INTO smarketlogs (smlid, statid, userid, stat, amount, price, time)
                        VALUES ('',{$_GET['statid']},$userid,'$stattype',$amount,{$_GET['price']},unix_timestamp())");
            print "Stat added to market.";
        }
    }
    else
    {
        $q = $db->query("SELECT * FROM implants WHERE statid={$_GET['statid']} AND userid=$userid");
        if($db->num_rows($q) == 0)
        {
            print "Invalid statid ID";
        }
        else
        {
            $r = $db->fetch_row($q);
            // the script reads $_GET['statid'], so the hidden field has to carry that name
            print "Adding an item to the Stat market...
                   <form action='statadd.php' method='get'>
                   <input type='hidden' name='statid' value='{$_GET['statid']}' />
                   Price: <input type='text' name='price' value='0' />
                   <input type='submit' value='Add' /></form>";
        }
    }
    $h->endpage();
    ?>
-
This Slots mod is based off the actual 7's and Stripes slots machines you see in the casinos. The math has been tested (With a little over half a million test runs) to ensure that the default settings for this mod will gently take money from your economy. This mod doesn't take it as hastily as my other casino mods, but gives a player return of about 98% or so. The symbols/reel probabilities are exactly based off the real-life casino game. It also has two progressive jackpots, as well as random events (such as a user seeing some money on the floor). All this has been calculated into the probabilities. Cost: $25 Demo Site Has some nice, quick loading graphics to add that extra 'umph' to the game. I'll stop yapping - just check out the demo. It speaks for itself. To purchase, send $25 to my paypal ([email protected]) with the note "Slots Mod" and the email you want the mods sent to (if not your paypal email). Best Wishes, Seanybob
-
Just use an iframe. It's not SEO friendly, but it gets the job done.
-
It wasn't the most probable - it was the cause of the hack. I know that without looking at his game, just reading through this thread. He didn't mention anything else that the 'hacker' (I use that term lightly) did to his game. His database tables weren't dropped, no extra admins were created, his paypal links weren't changed... just the database information was altered in his config.php. What does installer.php do? It just alters the database information in his config.php. You got lucky, this was an easy fix. It could have been much, much worse. Especially if (as I would presume) you don't make daily backups of your database. :)
-
Can you tell me a bit more about that? I haven't heard that before. I think I'll probably just end up doing that.
-
What I have found is that all the cookie info stored by the default login.php for mccodes seems completely superfluous. Completely unnecessary, and on my default site weren't even created. The only cookie created was the sessionid cookie, and that was created by session_start() on the authenticate page. So my next question... how to make the session last longer? I would prefer being able to dynamically choose how long the session lasts, but would accept just being able to set the session to last for 7 days. Any info on that?
-
Need some help with this code
seanybob replied to corruptcity || skalman's topic in General Discussion
RE: Need some help with this code
I hope you don't mind, but I rewrote this sucker. My eyes started burning when I looked at the poor torture you were doing to this php code. I see a couple problems, one being you are abs((int)) a string, and another that several variables have the same basic name (which is confusing). $_GET['stat'] is a string, correct?

    <?php
    include_once "globals.php";
    $statid = abs((int) $_GET['statid']);
    $stat = mysql_real_escape_string($_GET['stat']);
    $amount = abs(@intval($_GET['amount']));
    $q = $db->query("SELECT * FROM implants WHERE statid=$statid AND userid=$userid");
    if($db->num_rows($q) == 0)
    {
        print "Invalid stat ID";
        $h->endpage();
        exit;
    }
    else
    {
        $stid = $db->fetch_row($q);
    }
    // $stat becomes a column name below, so it may only be one of these exact values
    if($stat != 'strength' && $stat != 'agility' && $stat != 'guard' && $stat != 'labour' && $stat != 'IQ')
    {
        print "Invalid stat";
        $h->endpage();
        exit;
    }
    print "You use the implant and you gained $amount amount of $stat ";
    // WHERE, not AND: "SET $stat=$stat+$amount and userid=..." would store the boolean
    // result of the whole expression in the column instead of the new stat value
    $db->query("UPDATE userstats SET $stat=$stat+$amount WHERE userid = {$ir['userid']}");
    ?>
-
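The global $_POST/$_GET cleansing loop proposed in the security thread above and the stat check in this rewrite are two answers to the same question: rewrite every value blindly, or validate each parameter against what the page actually expects. The block below is an added example, not seanybob's code and not part of McCodes; the validate_request() helper, its schema format and the parameter names are assumptions made here. It rejects bad input instead of silently altering it, and its sample cases show inputs that a blanket is_numeric()/abs((int)) pass would let through or change.

```php
<?php
// Added example (not from the thread): validate request parameters against a
// per-page allowlist instead of rewriting every $_GET/$_POST value globally.
// Schema keys ('statid', 'stat', 'amount') and validate_request() are assumptions.

/**
 * Validate $input against $schema. Returns clean, typed values, or throws
 * InvalidArgumentException on the first unexpected, missing or bad parameter.
 *
 * Rule types:
 *   ['type' => 'int',  'min' => 1, 'max' => 1000]
 *   ['type' => 'enum', 'values' => ['strength', 'agility', ...]]
 *   ['type' => 'text', 'max_len' => 200]   (kept verbatim; escape on output)
 */
function validate_request(array $input, array $schema): array
{
    // Parameters the page does not expect are rejected rather than "cleansed".
    foreach (array_keys($input) as $key) {
        if (!isset($schema[$key])) {
            throw new InvalidArgumentException("Unexpected parameter: $key");
        }
    }

    $clean = [];
    foreach ($schema as $key => $rule) {
        if (!array_key_exists($key, $input)) {
            throw new InvalidArgumentException("Missing parameter: $key");
        }
        $value = $input[$key];
        if (!is_string($value)) {   // ?x[]=1 arrives as an array; refuse it outright
            throw new InvalidArgumentException("Bad parameter shape: $key");
        }

        switch ($rule['type']) {
            case 'int':
                // Strict integer syntax. is_numeric() also accepts "1e3" and leading
                // whitespace, and abs((int)) silently turns "-42" into 42.
                if (!preg_match('/^-?(0|[1-9][0-9]*)$/', $value)) {
                    throw new InvalidArgumentException("Not an integer: $key");
                }
                $n = (int) $value;
                if ($n < ($rule['min'] ?? PHP_INT_MIN) || $n > ($rule['max'] ?? PHP_INT_MAX)) {
                    throw new InvalidArgumentException("Out of range: $key");
                }
                $clean[$key] = $n;
                break;

            case 'enum':
                // Exact match against a fixed list: the only safe way to let a request
                // choose a column name such as the stat to update.
                if (!in_array($value, $rule['values'], true)) {
                    throw new InvalidArgumentException("Not an allowed value: $key");
                }
                $clean[$key] = $value;
                break;

            case 'text':
                if (strlen($value) > $rule['max_len']) {
                    throw new InvalidArgumentException("Too long: $key");
                }
                $clean[$key] = $value;   // escape where it is used (htmlspecialchars / bound parameter)
                break;

            default:
                throw new LogicException("Unknown rule type for $key");
        }
    }
    return $clean;
}

// With an enum-validated column name and an integer amount, the query text
// contains no request-controlled bytes; the userid comes from the session.
function stat_update_sql(array $clean, int $userid): string
{
    return sprintf('UPDATE userstats SET %1$s = %1$s + %2$d WHERE userid = %3$d',
                   $clean['stat'], $clean['amount'], $userid);
}

// Constructed sample requests (not real game data)
$schema = [
    'statid' => ['type' => 'int',  'min' => 1],
    'stat'   => ['type' => 'enum', 'values' => ['strength', 'agility', 'guard', 'labour', 'IQ']],
    'amount' => ['type' => 'int',  'min' => 1, 'max' => 1000000],
];

$clean = validate_request(['statid' => '42', 'stat' => 'agility', 'amount' => '15'], $schema);
echo stat_update_sql($clean, 7), "\n";

foreach ([
    ['statid' => '-42', 'stat' => 'agility', 'amount' => '15'],            // rejected, not abs()'d to 42
    ['statid' => '42',  'stat' => 'userid',  'amount' => '15'],            // not an allowed column
    ['statid' => '42',  'stat' => 'agility', 'amount' => '1e3'],           // is_numeric() says true
    ['statid' => '42',  'stat' => 'agility', 'amount' => '15', 'x' => '1'], // unexpected key
] as $bad) {
    try {
        validate_request($bad, $schema);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

The difference from the loop in the security thread is where the decision is made: here each script declares what it accepts, and anything else is an error with a log-worthy message, so a bad request fails closed instead of being quietly mangled into something that still reaches the database.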
A simple BB code support as well as filtering the HTML
seanybob replied to a_bertrand's topic in Tutorials
Not too shabby. Being horrid at regular expressions, I would always have trouble with img tags in bbcode when I created my bbcode engine, and I see you took care of those quite nicely.
-
Yes, I usually see it called 'Add-On Domains'. Most web hosting services have them. (I know lunarpages does)
-
Perhaps. But I have very little experience with cookies, and though I did try to find the error in the mccodes cookie script, I was unable to do so (even after much testing). My strength is not in javascript.
-
Come now, someone must have resolved the mccode cookie problem by now. This engine has been out for years. ;)
-
RE: Help

    <?php
    // save this as file.php: both forms post back to that name
    $action = isset($_GET['action']) ? $_GET['action'] : '';
    switch($action)
    {
        case 'testfunction':
            test_function();
            break;
    }
    function test_function()
    {
        if (isset($_POST['test']) && $_POST['test'] == 1)
            print "Ze test works!!!";
        else
            die("Ze test isn't working");
    }
    print "<form action='file.php?action=testfunction' method='post'>
           <input type='hidden' name='test' value='0' />
           <input type='submit' value='Fail button' /></form>
           <form action='file.php?action=testfunction' method='post'>
           <input type='hidden' name='test' value='1' />
           <input type='submit' value='Win button' /></form>";
    ?>

Stick that in a php file, run it. See what happens. Look at the code. Learn ;)
-
Anybody else have some input on this issue?
-
Just something I've noticed about the mccodes engine... It seems the 'remember me' option for logging in doesn't (and never has) worked. I've always had users report their cookie dying after a specific amount of minutes on the site, then having to re-login again. I have very little experience with cookies - anyone redone the mccodes cookie? Any tips/hints from people familiar with this part of the mccodes for me? Anyone else have this prob?
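For the expiring-login problem raised here and in the cookie post above (where the only cookie actually observed was the session id set by session_start()), the lifetime of that session is controlled by PHP itself, on two sides: the server-side session store and the cookie the browser keeps. The following is an added example, not McCodes code and not seanybob's; the seven-day value, the private sessions directory, login.php and the login_user() helper are assumptions.

```php
<?php
// Added example: choose how long a PHP session and its cookie survive.
// Must run before any output and before session_start(). The 7-day value,
// the save_path directory and 'login.php' are assumptions, not McCodes settings.

function session_cookie_options(int $lifetime): array
{
    return [
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only; set false only on a non-TLS dev box
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

function configure_session(int $days): int
{
    $lifetime = $days * 86400;

    // Server side. Two common reasons a session "dies after a few minutes":
    // 1) session.gc_maxlifetime is short, so the session file is garbage-collected;
    // 2) on shared hosting the default save_path is shared with other sites, and any
    //    of them running a shorter gc_maxlifetime deletes these files too.
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.save_path', __DIR__ . '/sessions'); // private dir, must exist and be writable (assumption)
    ini_set('session.use_strict_mode', '1');   // ignore session ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL

    // Client side. Without 'lifetime' the id is a browser-session cookie and is
    // discarded when the browser closes, whatever gc_maxlifetime says.
    session_set_cookie_params(session_cookie_options($lifetime));
    return $lifetime;
}

// PHP sends the session cookie when the session is created; later requests do not
// push its expiry forward. Re-sending it each request gives a sliding window of
// $lifetime seconds since the last visit, which is what "remember me" usually means.
function refresh_session_cookie(int $lifetime): void
{
    $opts = session_cookie_options($lifetime);
    unset($opts['lifetime']);
    $opts['expires'] = time() + $lifetime;
    setcookie(session_name(), session_id(), $opts);
}

// Regenerate the id once the user has authenticated, so an id handed out before
// login cannot be reused afterwards (hypothetical helper).
function login_user(int $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $userid;
}

$lifetime = configure_session(7);   // 7 days, the value asked for in the thread
session_start();
refresh_session_cookie($lifetime);

if (!isset($_SESSION['userid'])) {
    header('Location: login.php');   // assumed login page
    exit;
}
```

Making the number of days a per-user setting is then just a matter of passing a different value to configure_session() and refresh_session_cookie(); the array forms of session_set_cookie_params() and setcookie() used here need PHP 7.3 or later.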
-
RE: Re: Game Template [$10] Sorry to bring up an old thread, but this one was linked to in another post. Just wanted to comment on this screenie of your computer Peter. I see that uTorrent icon... Me has a feeling Peter is downloading some illegal stuff!!! ;)
-
help with a mod I tried coverting a bank to a crystal bank
seanybob replied to Gucci Mane's topic in Game Support
I don't see any errors, per se... But on line 72, you don't need that extra slash. \{$_POST['deposit']} should be {$_POST['deposit']}
-
Would anyone use this mod if I released it?
seanybob replied to Joshua's topic in Requests & In Production
Oh gosh... Twilight is coming to a McCodes near you soon!