MakeWebGames

Posted

Can someone help me secure a game, like the crystal market and everything. And also how can I secure the login and other files?

Posted

Re: How Can I Secure A Game?

I'm starting to think that the search feature should be removed since so many of these people do not use it.

(i like the die() idea as well)

Posted

Re: How Can I Secure A Game?

I provided him the simplest explanation he will understand, plus, I gave him a link so he can read more about it.

Your post has no value Dawg, so keep comments like that for yourself.

Thank you

Posted

Re: How Can I Secure A Game?

I find the problem in the question itself, I mean personally if I was serious about something like it I would work my ass off to find out about it. There is no definite answer to this so all I can tell you is firstly take your time to learn how SQL injection attacks work and once you know the basics move onto constraining inputs to prevent SQL injections, use type safe SQL command parameters to prevent SQL injections and probably a quite basic method of using a least privileged account to connect to the database to reduce the risk and damage. To put it in simple words to counter SQL injections you need to constrain and sanitise input data as well as check for known good data by validating for type, length, format, and range. However that will not come to you by a brainwave - you need to put some effort into this.

Make sure you use mysql_real_escape_string and htmlspecialchars when you can.

Well mysql_real_escape_string simply escapes all the "dangerous" characters in the string provided and returns the escaped string such that it may be safe to put into a MySQL query. However, if you do not sanitize input prior to passing it to the mysql_real_escape_string() function you still may have SQL injection vectors. For example, mysql_real_escape_string would not protect against an SQL injection vector such as the following:

$result = "SELECT fields FROM table WHERE id = ".mysql_real_escape_string($_POST['id']);

The back-slash never actually makes it into the data, so if your data is being modified in some way, it is likely due to something else or the way you are later outputting the data after retrieving it from the database. It works pretty similarly to how magic quotes do, since they both act as a process that automagically escapes incoming data to the PHP script. Although I believe the mc command has been deprecated and removed on PHP 5.3.0+ so it's not worth relying on that.

Make sure you use mysql_real_escape_string and htmlspecialchars when you can.

Ummm, the last I knew of the htmlspecialchars() command, it is simply for filtering outputs that are to be sent to the browser, and for data to be output via SQL to a database you want to use a function that escapes certain characters that are "special" to SQL, preferably one specific to the DBMS in question, such as the one you mentioned - mysql_real_escape_string().

I provided him the simplest explanation he will understand, plus, I gave him a link so he can read more about it.

Your post has no value Dawg, so keep comments like that for yourself.

Thank you

His post has value in a sense that it is not misleading and outlines the facts of how people go about securing a game. It is not a simple function that you learn to use, there are many more steps required... You provided him with an explanation that will only be beneficial for a few days until he gets round to reading it and after that he won't have a clue on what to do next. Of course, at least you are helping unlike most of the others, but the point is that preventing hackers from exploiting your website is much harder than it seems. :-)

Back to answering the question. Some more information:

http://www.tizag.com/mysqlTutorial/mysq ... ection.php

http://msdn.microsoft.com/en-us/magazine/cc163917.aspx

http://www.codeproject.com/KB/database/ ... tacks.aspx

http://www.wwwcoder.com/main/parentid/2 ... fault.aspx

http://www.silksoft.co.za/data/sqlinjectionattack.htm

http://si.php.net/manual/en/function.my ... string.php

From my personal experience as a web developer I learnt to stop writing dynamic queries when not needed and prevent the user supplied input which may contain malicious SQL from affecting the logic of the executed query. Whether it is to use prepared statements, use of stored procedures or just escaping supplied input.

However do keep in mind that SQL injection is only one method of "hacking", thus you need to do more research on other dangers and how to deal with them. I have PM'd you with a list of links regarding some tutorials etc... so if you ever need some more help do contact me. Sorry for a vague explanation, but these are the basics that you will need for now. :lol:
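The point made above about the escaped-but-unquoted id, as an added example that is not from anyone in the thread: the thread's query pattern beside a prepared-statement version. It assumes PDO with SQLite (an in-memory database so it runs without a MySQL server) and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection; the table, rows and input are constructed for the demo.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO stands in for
// MySQL; addslashes() stands in for mysql_real_escape_string() (same idea: it
// escapes quotes and backslashes, nothing else).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// Constructed input. It contains no quote or backslash, so escaping changes nothing.
$input = "1 OR 1=1";

// 1. The pattern from the thread: escaped, but spliced into a numeric context
//    without quotes. The escaper has nothing to escape, so the whole expression
//    becomes part of the WHERE clause and every row comes back.
function unsafeLookup(PDO $pdo, string $id): array
{
    $sql = "SELECT id FROM users WHERE id = " . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: validate the type first (the "known good data" check the post
//    describes), then bind it as an integer parameter so the value is data,
//    never SQL, regardless of its content.
function safeLookup(PDO $pdo, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $pdo->prepare("SELECT id FROM users WHERE id = ?");
    $stmt->bindValue(1, $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

echo count(unsafeLookup($pdo, $input)), " rows from the unquoted query\n"; // all 3 rows
echo count(safeLookup($pdo, $input)), " rows from the prepared query\n";   // 0, input rejected
echo count(safeLookup($pdo, "2")), " row for a valid id\n";                // 1
```

Quoting the value in the unsafe query would stop this particular input but not others; binding a typed parameter removes the string-building problem altogether.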
