MakeWebGames


Posted

I have been all through these forums and learned a lot about securing my game. I have started to secure my site, but one thing is throwing me off a bit...

I've been using Optimus Prime's tutorial as reference, located here: How to secure a few things!

Now the thing that is throwing me off a bit is this: the "$c" at the end of the query...

$db->query("UPDATE users SET crystals=crystals + 1 WHERE userid=$userid", $c);

Can I remove that and things will be OK? This is how I would do it:

$query1=sprintf("UPDATE users SET crystals=crystals + %u WHERE userid= %u ", 1, $userid);

$db->query($query1);

Will the above be good? This query came from a free v1 mod I converted to v2...

Thanks for any help.

Posted

Should be OK to remove the $c (depends on the database class for Mccodes, which I haven't used in a while).

If it's not, then why not use $db->query($query1); like you said, but adding the $c at the end: $db->query($query1,$c); ?

Posted

I'm aware that sprintf only formats (like I said, I've been all through these forums and read everything relating to security), but doesn't adding the query to a variable and then using %u for the values secure it? If I'm wrong in doing this, please let me know. I started last night and spent a few hours securing pages, and if I'm doing it wrong then I'm just wasting my own time...

The_Past

OK, I'm gonna simply remove the "$c" and if I get an error, I'll try doing the "$c $db->query($query1,$c);" method that you mentioned... lol... and if that doesn't work... I'll be back :P

Thanks for the help guys.

Posted

"$c $db->query($query1,$c);"

Sorry, I re-worded that as it wasn't clear. What I meant for you to try is:

$db->query($query1,$c);

If it is set up as I've used and seen some Mccode owners have their database class, then it will accept the $c as the second param, but you should be fine without it. Not many people will be connecting to multiple databases within a single script as far as Mccodes goes.

Posted

sprintf DOES NOT SECURE. FULLSTOP.

I disagree.

sprintf() formats strings. Formatting strings can be an important part of security (it's important to understand what it does and therefore how it can aid security).

Say you formatted a value as an integer; it is then safe to say the value is an integer, and therefore you could output that value to a page knowing it could not contain HTML or JavaScript that could make up an XSS attack. In the same way you could be sure an integer was being entered into a database. In these cases sprintf is being used to improve security - you do not have to use sprintf, there are many functions and tricks that could do the same, but this is an example.

Now in another case, say we have a variable input by the user as a string that we want to pass to the database. In this case, formatting the variable as a string would not add any security, because a string can contain everything you need to make an SQL injection. Therefore we should pass this variable through mysql_real_escape_string().

sprintf formats a string and the values within the string.

Formatting values can be part of security.

Formatting values does not always lead to security.

sprintf itself (as a single function) is not security.

When used correctly and as intended it can add/be part of security.

I say this in the same way as you can argue mysql_real_escape_string() is not security, but it does add to security when used as it's designed to be used and in the right situations (e.g. it will not help stop an XSS attack but could help prevent a MySQL injection). There is no one method or function for security. At the end of the day, a function only does what it's designed/programmed to do, so understand what it does and use it for that.
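As an added illustration of the integer-versus-string distinction The_Past describes (example code written for this page, not from the thread or from Mccodes), the PHP below shows what %u does to a hostile value, why %s does nothing, and what is left for a real string value; the inputs are constructed samples and $db in the last function is assumed to be an open mysqli connection.

```php
<?php
// Added example for this thread (not code from the post or from Mccodes).
// Shows what sprintf's %u does to a value before it reaches the query,
// and why the same trick does nothing for a string placeholder.

// Constructed sample inputs: what a user could submit as userid.
$normal  = "42";
$hostile = "5 OR 1=1";

// %u converts its argument to an unsigned integer. PHP takes the leading
// number of "5 OR 1=1" and discards the rest, so the input can no longer
// change the shape of the WHERE clause.
function crystals_query_int($userid) {
    return sprintf("UPDATE users SET crystals=crystals + %u WHERE userid=%u", 1, $userid);
}

// %s inserts the argument untouched; formatting adds nothing here and the
// whole "5 OR 1=1" lands in the query.
function crystals_query_str($userid) {
    return sprintf("UPDATE users SET crystals=crystals + 1 WHERE userid=%s", $userid);
}

echo crystals_query_int($normal),  "\n";
echo crystals_query_int($hostile), "\n";
echo crystals_query_str($hostile), "\n";

// Caveat: %u silently turns "abc" into 0 and a negative value into a huge
// positive one, so the query still runs, just against the wrong row.
// Check that the value is a plain digit string before building the query.
function valid_id($value) {
    if (is_int($value)) {
        return $value >= 0;
    }
    return is_string($value) && ctype_digit($value);
}

// For values that really are strings (a username, a message) the type
// cannot save you; they must be escaped for the connection they go into.
// $db is assumed to be an open mysqli connection (mysqli's
// real_escape_string() is the successor of mysql_real_escape_string()).
function username_query(mysqli $db, $userid, $name) {
    if (!valid_id($userid)) {
        throw new InvalidArgumentException("userid must be a non-negative integer");
    }
    return sprintf("UPDATE users SET username='%s' WHERE userid=%u",
                   $db->real_escape_string($name), $userid);
}
```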

Posted

You don't need to use $c on the $db->query("somequery", $c); because it already does that in the database class. So it will work fine just like $db->query("SOME QUERY");

3 months later...
Posted

Someone told me (not mentioning their name) that even though sprintf formats, it slows down scripts and is pretty much useless. Care to elaborate?

Posted

sprintf can be extremely useful, as The_Past has been saying. It can be used to enforce data types when you want to concatenate variables to a string such as in queries.

Posted

Removing all forms of HTML, JavaScript etc. from user-submitted forms can help with security (it won't do it all by itself though).

And say you want to allow a few HTML tags such as you could always define a whitelist.

Functions that can be used to improve security, to my knowledge:

preg_replace()

mysql_real_escape_string()

htmlspecialchars()

htmlentities()

html_entity_decode()

stripslashes()

^ ^ Obviously there is a lot more; that's just to name a few that will help you :)
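The no-HTML and whitelist approaches mentioned above, as an added PHP example (not code from the post): htmlspecialchars() from the list handles the no-HTML case, strip_tags(), which the post does not name, handles the whitelist, and the input is a constructed sample.

```php
<?php
// Added example for this thread (not code from the post). Two ways to deal
// with HTML in user-submitted text before echoing it back.

// Constructed sample input: a profile message a user might submit.
$input = '<b>Hi</b> <script>alert(1)</script> <a href="#" onclick="x()">me</a>';

// Option 1: allow no HTML. htmlspecialchars() turns <, >, &, " and (with
// ENT_QUOTES) ' into entities, so the browser shows the text literally
// instead of interpreting it. This is the right default for output.
function render_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Option 2: whitelist a few tags and strip everything else. strip_tags()
// keeps the tags named in its second argument but also keeps their
// attributes (onclick, href, src), so limit the whitelist to tags where
// attributes do not matter (b, i, u) and never whitelist <a> or <img>.
// Text inside removed tags is kept, so "alert(1)" survives as plain text.
function render_whitelist($text) {
    return strip_tags($text, '<b><i><u>');
}

// The whitelist output is only safe inside normal element content; if the
// value ends up in an attribute or in JavaScript, use render_plain() instead.
echo render_plain($input), "\n";
echo render_whitelist($input), "\n";
```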

Posted

[quoting The_Past's reply above, from "sprintf DOES NOT SECURE. FULLSTOP. I disagree." through "so understand what it does and use it for that."]

I agree sprintf can aid security, but it isn't the 'wonder function' everyone considers it to be.

Posted

I've been away from action for a long time, but it's nice to see people are actually using that thread I made a while back :) I know sprintf() does not secure, it formats, but formatting ultimately helps make it more secure. I'm still getting back into PHP but I learnt a few tips when I was in my prime :P I'll hopefully make another thread like that, updated with maybe a bit of advice from a few more knowledgeable people to help you guys that are still learning. I'll keep you informed; nice to see people are actually TRYING to secure things themselves :)
