virtualshogun (posted October 23, 2009)

Also look into item duping as well. I know a while back, when I had a button in the inventory instead of doing it automatically, one person was duping things. That's not really that hard to do: make a stack of 10 items, then have 1s below it:

1 item
1 item
1 item
10 of that item

Sell the first one for the total price, because the code thinks you have all the items up for sale and counts it as 13 when all you really sell is one item. If you don't have an item quantifier or something that automatically does this for you, then I have this:

inventory.php (open and find)

<?php require_once "globals.php";

then under, add:

```php
$used = array();
$q = $db->query("SELECT * FROM inventory WHERE inv_userid=$userid");
while ($r = mysql_fetch_array($q)) {
    // skip stacks that were already merged into an earlier one
    if (!in_array($r['inv_id'], $used)) {
        $currdel = array();
        $used[] = $r['inv_id'];
        $currdel[] = $r['inv_id'];
        $amount = $r['inv_qty'];
        // grab the seller's other stacks of the same item
        $q2 = $db->query("SELECT * FROM inventory WHERE inv_userid=$userid AND inv_itemid={$r['inv_itemid']} AND inv_id != {$r['inv_id']}");
        while ($r2 = mysql_fetch_array($q2)) {
            $used[] = $r2['inv_id'];
            $currdel[] = $r2['inv_id'];
            $amount += $r2['inv_qty'];
        }
        // replace all of those stacks with one combined row
        // (NULL lets MySQL assign the auto-increment inv_id)
        $db->query("DELETE FROM inventory WHERE inv_id IN(" . implode(",", $currdel) . ")");
        $db->query("INSERT INTO inventory VALUES(NULL, {$r['inv_itemid']}, $userid, $amount)");
    }
}
```

Simple, easy auto quantifier in moments, and they don't have to be honest; it won't let them dupe items. But there's also the sell items input field that you can use to cheat as well, so check that, and it should be right as rain. Hope this helps.
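The same two fixes (merging stacks, and checking the sell quantity against what the stack really holds) written with prepared statements, as an added example that is not virtualshogun's or MCCodes' code. It assumes a PDO connection `$pdo`, the inventory columns named in the post, and a `users` table with `userid` and `money` columns.

```php
<?php
// Added example, not virtualshogun's or MCCodes' code. Assumes a PDO
// connection $pdo (MySQL), the inventory columns used in the post
// (inv_id, inv_itemid, inv_userid, inv_qty) and an assumed users table
// with userid and money columns. $price is looked up by the caller.

// Merge every duplicate stack a user holds into one row, inside one
// transaction, so the "1 + 1 + 1 + 10 counted as 13" layout never exists.
function merge_stacks(PDO $pdo, int $userid): void {
    $pdo->beginTransaction();
    $dupes = $pdo->prepare(
        'SELECT inv_itemid, SUM(inv_qty) AS total FROM inventory
          WHERE inv_userid = ? GROUP BY inv_itemid HAVING COUNT(*) > 1');
    $dupes->execute([$userid]);
    $del = $pdo->prepare('DELETE FROM inventory WHERE inv_userid = ? AND inv_itemid = ?');
    $ins = $pdo->prepare('INSERT INTO inventory (inv_itemid, inv_userid, inv_qty) VALUES (?, ?, ?)');
    foreach ($dupes->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $del->execute([$userid, $row['inv_itemid']]);
        $ins->execute([$row['inv_itemid'], $userid, (int)$row['total']]);
    }
    $pdo->commit();
}

// Sell $qty from one stack. The UPDATE only matches when that stack is
// owned by the seller and really holds at least $qty, so a forged
// quantity from the "sell items" field cannot pay out more than is removed.
function sell_from_stack(PDO $pdo, int $userid, int $inv_id, int $qty, int $price): bool {
    if ($qty < 1 || $price < 0) {
        return false;                       // zero/negative quantity from the form
    }
    $pdo->beginTransaction();
    $upd = $pdo->prepare(
        'UPDATE inventory SET inv_qty = inv_qty - ?
          WHERE inv_id = ? AND inv_userid = ? AND inv_qty >= ?');
    $upd->execute([$qty, $inv_id, $userid, $qty]);
    if ($upd->rowCount() !== 1) {           // not theirs, missing, or too small
        $pdo->rollBack();
        return false;
    }
    $pdo->prepare('DELETE FROM inventory WHERE inv_id = ? AND inv_qty = 0')
        ->execute([$inv_id]);
    $pdo->prepare('UPDATE users SET money = money + ? WHERE userid = ?')
        ->execute([$qty * $price, $userid]);
    $pdo->commit();
    return true;
}
```

Because the payout is computed from the quantity the UPDATE actually removed, the seller's stack layout no longer matters.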
Gator (posted October 24, 2009)

Make sure you patch the change display pic function in the preferences file; that is a sure way for them to gain access to your staff panel when you click on their profile.
adivirus (posted October 25, 2009)

> Make sure you patch the change display pic function in the preferences file; that is a sure way for them to gain access to your staff panel when you click on their profile.

?
Joshua (posted October 26, 2009)

It is an XSS injection. By inserting a few hack codes into the Display Pic via their Preferences, they are auto admin'd on some games when an admin views them.

Some advice: I took my Staff_Special.php (and a few others), completely renamed them, stuck them in a folder in my file manager and password protected that folder. Then I put a staff password query into my database users. Then I had a mod added so that if a user somehow manages to become an admin, and his IP address and password in the database aren't what I have set for the admins I allow, he is auto fedded.

Secure ALL form data. Just about every game out right now is vulnerable to <meta tag> injections. Some idiot tried this on my game last night. Learn to use mysql_real_escape($_POST) for form data entries.

Places to look:

Bug Report - form data
Player Ads - form data
Staff Apps - form data
Display Pic - form data
Signature - IF you don't have BBcode enabled, get it
Forum Avatar/Sig - form data
Stocks - form data
Forum SUBJECT and TITLE - form data

I'm sure there are more, but that will get you started.
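An added example of what "patch the display pic function" looks like in code; it is not Joshua's or MCCodes' code, and the field and column names are assumed. It validates the URL before it is stored and HTML-encodes it when printed, which is the part that stops a stored payload running in the admin's browser.

```php
<?php
// Added example, not Joshua's or MCCodes' code. Shows the two halves of
// fixing the display-pic hole: validate what is stored, and encode what
// is printed. The column/field names below are assumed.

// Accept only an http(s) URL ending in an image extension and containing
// nothing that could close an HTML attribute. Returns null to reject.
function validate_display_pic(string $url): ?string {
    $url = trim($url);
    if (strlen($url) > 255) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'], $parts['path'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;                      // blocks javascript:, data:, etc.
    }
    if (!preg_match('/\.(png|jpe?g|gif)$/i', $parts['path'])) {
        return null;
    }
    if (preg_match('/[\s"\'<>]/', $url)) {
        return null;                      // nothing that can break out of src="..."
    }
    return $url;
}

// Encode at output time regardless of what is in the database; this alone
// stops a stored <script> or <meta> payload from executing when a staff
// member views the profile.
function render_display_pic(string $stored): string {
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<img src="' . $safe . '" alt="display pic">';
}

// Same rule for every free-text field listed in the post (bug reports,
// ads, staff apps, signatures, forum titles): encode on output.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hypothetical use in preferences.php, storing with a prepared statement:
// $pic = validate_display_pic($_POST['display_pic'] ?? '');
// if ($pic === null) { die('Invalid display picture URL'); }
// $pdo->prepare('UPDATE users SET display_pic = ? WHERE userid = ?')
//     ->execute([$pic, $userid]);
```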
CrazyT (posted October 31, 2009)

> (quoting virtualshogun's post above)
> Also look into item duping as well. I know a while back, when I had a button in the inventory instead of doing it automatically, one person was duping things. [...]

Are you kidding, why would you use a stupid code like that? lol
Zero-Affect (posted October 31, 2009)

I may be incorrect here, but are you allowed to give out a member of your site's IP without his/her permission? Ever heard of a little thing called privacy laws? Now, even if this user hacked your game, he could by rights be immune from all charges and sue you.
a_bertrand (posted November 1, 2009)

As I said before, IP doesn't seem to fall under most privacy laws, as anyhow you could "find" an IP by just guessing it. Especially if you don't put any real name near the IP.
gurpreet (posted November 1, 2009)

Not sure how or who did it, but someone managed to delete my files, wipe the SQL DB and redirect to meatspin. They didn't login to the cPanel though :S
Joshua (posted November 1, 2009)

Sounds like you have a shell in your file manager.
Zero-Affect (posted November 2, 2009)

> As I said before, IP doesn't seem to fall under most privacy laws, as anyhow you could "find" an IP by just guessing it. Especially if you don't put any real name near the IP.

Really? That is not what I heard, but he/she did say the attacker is running that IP. So let's say someone believes that is a hacker and "gives him what he deserves" by hacking his computer from the information provided by the original post. Who would be in the wrong, the forum or the user posting? I would say the forum would be in the wrong, as the administration obviously have no issue with it when it was brought to their attention. Could be quite interesting contacting a lawyer about this, if you were the so-called attacker.
a_bertrand (posted November 3, 2009)

Attacking back a hacker is certainly not smart ;) and would put the person attacking in trouble. Not a forum where somebody wrote a number on it. Also, even if you provide what you think is the correct IP for a person, honestly it doesn't mean much, as anybody could use proxies or other things to actually hide the real IP. Finally, an IP is like a telephone number: you could write up a random number and you have a high chance to find somebody. Is just the number sensitive? No, but if you give phone number AND name, then yes.

Also, if you are so convinced that just an IP is sensitive information, then try to find a law article about it. I did search the net and found nothing about privacy and IP. Here are some of my own results:

http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2244
http://www.theregister.co.uk/2008/01/22/eu_ip_numbers_personal/
http://www.huntonprivacyblog.com/2009/07/articles/online-privacy/washington-court-rules-that-ip-addresses-are-not-personally-identifiable-information/

So basically IP doesn't seem to be related to "Personally Identifiable Information" and therefore is not covered by privacy laws. Of course, now if you link the IP with the real name of a person, things change. But this wasn't the case. So warning that somebody did something wrong while using a certain IP, well, sorry, but this is certainly NOTHING against any of the current laws I saw.
Haunted Dawg (posted November 3, 2009)

> > As I said before, IP doesn't seem to fall under most privacy laws, as anyhow you could "find" an IP by just guessing it. Especially if you don't put any real name near the IP.
>
> Really? That is not what I heard, but he/she did say the attacker is running that IP. So let's say someone believes that is a hacker and "gives him what he deserves" by hacking his computer from the information provided by the original post. Who would be in the wrong, the forum or the user posting? I would say the forum would be in the wrong, as the administration obviously have no issue with it when it was brought to their attention. Could be quite interesting contacting a lawyer about this, if you were the so-called attacker.

I would actually like to see someone with the knowledge of hacking another person's "IP" on these forums :whistling:
adivirus (posted November 4, 2009)

> (quoting virtualshogun's post above)
> Also look into item duping as well. I know a while back, when I had a button in the inventory instead of doing it automatically, one person was duping things. [...]

I'm using it :-) Is there another fix for the inventory problem?
Zero-Affect (posted November 5, 2009)

No one figured out the other issue with item hacking yet then? Oh well, good luck guys, sure you'll crack it eventually (check item files) 8o
iR00T (posted December 23, 2009)

I have a question, and I've heard this several times before: mysql_real_escape($_POST) secures your POST and mysql_real_escape($_GET) your GET. Well, could someone show me a few examples of security with these two methods? Like, I know this is probably wrong, but do I secure it like this, mysql_real_escape(INFOHERE), or what?
corruptcity || skalman (posted December 23, 2009)

There are 2 ways that you can do it:

$_GET['tester'] = mysql_real_escape_string($_GET['tester']);

or

$tester = mysql_real_escape_string($_GET['tester']);

And with that, what you can also do is add stripslashes, abs, int, float, or whatever, but just doing this:

$_GET['tester'] = mysql_real_escape_string(abs((int) $_GET['tester']));

But you can also use $db->escape(); if just using V2, I think. Hope this helps; just ask if you need any other help.
iR00T (posted December 23, 2009)

> $tester = mysql_real_escape_string($_GET['tester']);

To secure your crystals on the header it would be

$crystals = mysql_real_escape_string($_GET['crystals']);

Is that correct? And I'm going to post a couple of things; tell me if they're right.

$IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

This on the login, register and the header, instead of the regular IP server requests?

if($_GET['ID'] != abs(@intval($_GET['ID'])))

Use this in your header for the federal jail GET ID thing.

Once again, $IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']); on your register, replacing your default IP server function ^^ I have that 2 times in my register, at the far top and after the style when the page stuff is started.

So far that is all I got. I would love for someone to go in-depth with securing that abs and $_GET and $_POST; the IP stuff I got covered, that's simple.

That if($_GET['ID'] != abs(@intval($_GET['ID']))) - should I add this all over my game, like this in my header:

if($_GET['ID'] != abs(@intval($_GET['ID'])))
if($_GET['ID'] != abs(@intval($_GET['money'])))
if($_GET['ID'] != abs(@intval($_GET['crystals'])))

Should that be replaced with my current money, crystals etc?
Zero-Affect (posted December 24, 2009)

MRES simply adds slashes. I use it on stuff like user notepad or where it's varchar 255 or so on texts, but it's not really needed on strings which are secured by ctype_alnum or ctype_alpha, because they restrict chars already. Just a hint.
Guest Null (posted January 3, 2010)

Anything with a number won't work with mres. Anything with a word, usually you can mres it. But yeah, I tried mresing a number once and it didn't really work that well.
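An added example tying together the advice in corruptcity's, Zero-Affect's and Guest Null's posts; it is not their code or MCCodes'. It shows why escaping alone does nothing for a number placed in an unquoted SQL context, and the two checks that do work: a digits-only cast for integers, and a prepared statement for anything. Table and column names are assumed.

```php
<?php
// Added example, not from the posters above or from MCCodes. Table and
// column names (users, userid, username) are assumed.

// 1. Escaping only neutralises quote and backslash characters. In
//    "WHERE userid=$id" there are no quotes to escape out of, so a value
//    like "5 OR 1=1" passes through escaping unchanged and still alters
//    the query. addslashes() stands in for mysql_real_escape_string(),
//    which needs a live connection; the behaviour on this input is the same.
function naive_numeric_query(string $input): string {
    $escaped = addslashes($input);
    return "SELECT userid FROM users WHERE userid=$escaped";
}

// 2. For integer parameters (ID, money, crystals in the posts), require
//    digits only and cast. This is the ctype_* idea from Zero-Affect's post
//    applied to numbers: nothing but 0-9 can survive, so no operator,
//    space or quote ever reaches the SQL. Returns null to reject.
function clean_id($input): ?int {
    if (!is_string($input) && !is_int($input)) {
        return null;                      // arrays from ?ID[]=x are rejected too
    }
    $s = (string)$input;
    if ($s === '' || !ctype_digit($s)) {
        return null;                      // rejects "5 OR 1=1", "-5", " 42", "1.5"
    }
    $id = (int)$s;
    return $id > 0 ? $id : null;          // 0 is never a valid userid here
}

// 3. For any type, a prepared statement keeps the value out of the SQL
//    text entirely, which is the replacement for escaping by hand.
function fetch_user(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT userid, username FROM users WHERE userid = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical header use, replacing the abs(@intval()) comparison:
// $id = clean_id($_GET['ID'] ?? '');
// if ($id === null) { die('Invalid ID'); }
// $user = fetch_user($pdo, $id);
```

Run naive_numeric_query() on a constructed input such as '5 OR 1=1' and the returned SQL still contains the OR clause; clean_id() on the same string returns null.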
Magictallguy (posted January 4, 2010)

A hole in my code? I'm stunned! Must be an old code :P There was a hole in MTG's Cmarket. I got another one I had before (can't remember which) and the exploits stopped.
Zero-Affect (posted January 4, 2010)

Isn't your forum down, MTG? I think everyone's previous code will have bugs in it. Look at Windows OS... you could strain tea with Windows XP (lots of holes).