Contemplating buying mccodes v2, how hard is it to secure the existing code?

[uggae]

As the title says, I'm thinking about purchasing the 2.0 license.

How difficult would it be to convert the existing code to 100% hacker proof?

Can anyone list the known php exploits of version 2.0?

[Floydian]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

Nothing can be 100% hacker proof.

Ultimately, you're dependent on the security of all the software and hardware the game is running on.

I.e., apache http server, php, mysql, and anything else, perhaps even cpanel and send mail.

The mccodes engine itself is relatively easy to patch up for those in the know. Lost One has performed total mccodes securing and I normally refer people to him when they want the entire thing secured.

I've worked on coveofpirates.com securing it's mccodes version 1 scripts and the scripts they bought or had custom coded from other sources (like the free scripts area on this forum) and the number of edits I've had to make is extensive.

The biggest problem in my humble opinion, that should give people pause when considering purchasing mccodes is the fact that the source code is really not that good at all. Besides the known sql exploits that mccodes still ships with to this day (why don't they patch it?????), there are other problems that they have never fixed.

Extremely dirty code. Try putting that thing through an html validator.... Good luck....

Personally, I'd want an engine that comes ready to go and validates under either HTTP 4, or XTHML Transitional or Strict.

Want to change the layout? mccodes has a horrible structure with one massive table that contains the entire layout spread over at least three files. There's a header class (why you would put text that is output to a user in a class, and not even use any OOP style programing beats the heck out of me) that contains the header the body, and the footer.

There's the main menu file that contains the left hand menu (try adjusting that menu and you have to edit the header as well, and it's a pain...)

And then there's the actual scripts that include those two scripts which contain all the rest of the markup.

Personally, I'd prefer a css templated system that allows dragging and dropping the source code in order to change the layout. No tables at the top level of the DOM tree, but DIVs that divide up the page (that is what a div is for, i.e.: DIVIDER lol)

 

Then there's the php code itself. When you want to go in there and edit something as simple as a table layout for something like users online, you have to sift through all the php code with html embedded in it throughout. It's absolutely horrible.

Why they don't get all the data, format it, and then plug that data into a fully formatted table at the end of the script is beyond me.....

There's a general lack of php know how demonstrated throughout. For instance, why don't they protect against dual page loads? What do I mean? Well, suppose you have a lap top and a desk top computer side by side and you login to the game at the same time on both computers. On one computer, you set up an item transfer from you to a friend. Then, you setup an item transfer on the other computer to another friend. Alrighty, now suppose you only have one of that item. Then using your left and right hands at the same time, you click submit on both computers. If the timing is perfect, you will send that item you only have one of, to both of your friends.

:O:O:O Ack!! And there's at least 10 different spots in the game I can think of that suffer from dual query manipulations.

Once you do something like that, you now have -1 of the particular item. mccodes normally deletes where item_quantity = 0.

But once you go negative, well, you still have the item.

And if you install gangs, there's a great exploit, oh okay, I better stop, dun wanna teach too much.

 

Plain and simply, SQL injection is only the beginning of the problems here. There's all sorts of timing issues and a lack of programming standards, and a lack of patching the engine when things go bad.

But hey, if you really know what you're doing, all of those things are fixible. ;)

[Haunted Dawg]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

Floydian, no need for a long post... :lol:

The script is insecure, but get some one who knows how to code and could easily have your game exploit free in a weeks time.

[Haunted Dawg]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

I would generaly take 1 day or 2 to secure all file's from input's etc, but hell umm a week might be for others.

[Floydian]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

With all due respect killah, I'll post what I want, when I want, where I want!

:D:D

[Haunted Dawg]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

 

With all due respect killa, (what kind of name is that anyways, like, you never killed anyone :P) I'll post what I want, when I want, where I want, and I don't need advice from the likes of you (I've seen some examples of seriously lackluster code from you anyways).

Thanks anyways son ;P

Try harder next time....

Awww shame you took my post harsh, what i was trying to say is why waste so much to post so much when you can post, it can be secured & blah blah as he asked.

[Floydian]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

Oh snap, it wasn't meant harsh?

Well, one man's trash is another man's treasure. Of course in this gender neutral age, that saying is a bit outdated, but heheh it still applies ;)

[Guest Anonymous]

Re: Contemplating buying mccodes v2, how hard is it to secure the existing code?

I dont see anything wrong with a longer version...most people dont put much stock in "Its utter rubbish, dont bother with it!" personally I always like an explanantion...but then I can be long winded myself.

RAWR