MakeWebGames

Posted

Ok, I think that my game is secure. I've added all the securities on the forums and then some, but I was wondering what it would cost me for a well-known person to go through all my files and secure anything I might have missed.

MCcodes 2 and several mods.

Guest georgelink
Posted

I'll do it for $10 cash upfront, only if you have already secured most of the pages. If you have done nothing, I will do it for $50 or more.

PM me if interested!

Posted

I'm sure if you want it done properly you could get someone well known to do it. Hello :P PM me if you're interested.

Posted

I normally charge around 100.00, depending on how many mods/scripts need securing.

MTG does an excellent job for around 200-300.00, I believe.

Don't know what Zero charges, but he's damn good too.

Posted

I don't openly discuss my prices, out of respect for the privacy of the customers; it's no one else's business in my eyes what they pay for peace of mind. Personally I ask for private messages; it's a bit more formal. No disrespect intended to anyone here, it's just my personal view on things, and thank you for the reference there, Immortal.

Due to the prices posted, I would like to specify that with my work I charge by the hour, and it normally depends on many factors, so a base price or quote could easily be mistaken for false advertising. I therefore cannot make a quote till all unknown variables are taken into account. PM me: jon182

Posted

Zero, while you have a valid point, I just tend to know about how long it takes me per average site and what it generally creates for me.

100.00 is a base quote, while some sites tend to be more or less.

It all depends on the types of scripts, the amount of scripts and how secure someone wants their site to be.

 

This could include, but is not limited to:

Protection from SQL injections

Protection from RFI hacks

Protection from LFI hacks

Protection from crsf Hacks

Protection from Session Hijacks

Protection from XSS hacks

Protection from members using other types of hacks to gain Admin access.

SQL/XSS protection tends to take the longest, as it involves securing ALL $_GET and $_POST variables in all scripts. At least that is by far the best way to do it; no 3-liners here.

Anyone who claims 3-liners or an "include" will secure your site is just hustling you for money and giving you a false sense of security.

 

Hope that sheds some light.

Posted

Actually, with MCcodes not all $_GET and $_POST are insecure, so there's not always a need to secure every one (kind of just ruined a lot of people's cons there, huh). There are, I would say, mainly around 40 which need serious attention. Normally on a small website it can take up to 2-3 hours to secure, sometimes longer; it depends on the modifications on there.

When more is added, it's best to filter them through the coder who secured your site, and also best to ask at least one other coder to test the website for vulnerable points after it's secured.

 

Protection from crsf Hacks

You're referring to Cross-Site Request Forgery, right? CSRF?

I find most site owners would just prefer some honesty: I've found 30 vulnerable areas so far, I can fix them within x time, it will cost x amount; the attackable categories vary. Some do need a more professional approach, which is why I offer an overview service, which basically means I'll log what I find wrong and give a little comment which normally explains in layman's terms what's wrong.

Posted

Now there I will opt to disagree with you.

All $_GET and $_POST should be secured to stop certain script kiddies from "/><java crap here > script </java>

If nothing else :P

Just because it can't be SQL injected doesn't mean there aren't other backdoors =P

You're referring to Cross-Site Request Forgery, right? CSRF?

NO!

er, YES

er... darn, typo. FtL.

Posted

You may have a point there, but considering half of the "hackers" from MC can't tie their own shoelaces... On the other hand, I agree you are correct, but maybe just simple fixes: basically find all $_POST and $_GET, see what's put through them and do a simple isset, !empty, ctype_alpha and so on. That wouldn't take long.

Posted

Consider a hack I had to deal with on BludCart's site last night,

using the jail bail bit.

A user was adding onto it: jail.php?action=bail&ID=-1" /><java junk

I tried using abs(@intval on the query, then tried the isset bit as well as a few other things.

The variable was secured, but the java bit continued to work.

The only way I ended up stopping it fully was with an .htaccess rewrite.

Granted, most of the MWG hackers are copy/pasters, but this doesn't ignore the fact that some games get popular, and there is always some malicious hacker out there just wanting to ruin your site because he can. Best to be safe from them.

Posted

// Keep the value only when it is all digits; otherwise fall back to 0.
// (The original line assigned the result of the && chain, i.e. true/false,
// back into $_GET['NUMBER'] and had no trailing semicolon.)
$_GET['NUMBER'] = (isset($_GET['NUMBER']) && !empty($_GET['NUMBER']) && ctype_digit($_GET['NUMBER'])) ? (int) $_GET['NUMBER'] : 0;

I was using that when abs(@intval failed.

The guy was/is a damn good hacker.

I'll show you on MSN the hack he was using; it was fkin nuts that I couldn't stop it lol

I even tried a few if statements, but nothing was stopping it, as it was in the URL.
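The two posts above describe a payload in the URL that kept working after the ID was cast for the query. The block below is an added example, not code from the thread's posters or from MCcodes: it assumes (hypothetically, since the real jail.php is not shown) that the page also reflects the raw $_GET value back into the HTML somewhere other than the SQL query, which is the usual reason an integer cast "secures the variable" while the script tag still fires. Function, table and column names are made up for the illustration.

```php
<?php
// Added example (not MCcodes code). Shows why abs((int) $_GET['ID']) protects
// the query but not the page, and what the hardened shape looks like.
// Assumption: a reflection point exists besides the query (hypothetical).

function render_bail_vulnerable(array $get): array
{
    // The query input really is safe: abs((int) ...) is a non-negative integer.
    $id  = abs((int) ($get['ID'] ?? 0));
    $sql = "SELECT userid FROM jail WHERE userid = {$id}";

    // ...but the raw parameter is echoed into HTML a few lines later, so the
    // attacker's '" /><script>' closes the attribute and the tag.
    $html = "<a href=\"jail.php?action=bail&ID={$get['ID']}\">Bail out</a>";

    return [$sql, $html];
}

function render_bail_hardened(array $get): array
{
    // Validate once into a typed variable and reject anything else; never
    // touch the raw $_GET value again after this point.
    if (!isset($get['ID']) || !is_string($get['ID']) || !ctype_digit($get['ID'])) {
        return ['', 'Invalid ID'];
    }
    $id  = (int) $get['ID'];
    $sql = "SELECT userid FROM jail WHERE userid = {$id}";

    // Every value that ends up inside HTML goes through htmlspecialchars,
    // even an integer, so the rule has no exceptions to forget.
    $safe = htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
    $html = '<a href="jail.php?action=bail&ID=' . $safe . '">Bail out</a>';

    return [$sql, $html];
}

// Constructed request, modelled on the URL quoted in the thread.
$request = ['action' => 'bail', 'ID' => '-1" /><script>alert(1)</script>'];

[$sql, $html] = render_bail_vulnerable($request);
echo "vulnerable query : {$sql}\n";
echo "vulnerable html  : {$html}\n\n";

[$sql, $html] = render_bail_hardened($request);
echo "hardened query   : {$sql}\n";
echo "hardened html    : {$html}\n";
```

Running it shows the cast doing its job (the query gets userid = 1) while the vulnerable HTML still carries the script tag; the hardened version rejects the request outright. The same reflection problem appears when a form action is built from $_SERVER['PHP_SELF'] or $_SERVER['REQUEST_URI'], which is why a rewrite rule in .htaccess appeared to be the only fix: it stopped the payload from reaching the page at all rather than fixing the output.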

Posted

I got a question. I've secured all the IP hacks and admin, but I need help with:

Protection from SQL injections

Protection from RFI hacks

Protection from LFI hacks

Protection from crsf Hacks

Protection from Session Hijacks

Protection from XSS hacks

And the $_POST and $_GET. I was wondering, could I watch someone on TV one day secure a game, a default or another beginner game, or even create me a tutorial on that?

I will pay someone in February to give me a good, lengthy tutorial and to secure my game. Is that fair?

But there is no way I could get a tut now, is there? I need my game secured now though.

Posted

Not going to happen. We don't make enough money as it is; giving away all our secrets in a tutorial for other coders to then lose out on money from, only someone with no respect would do that. That's like selling someone else's mods; you don't do it under any circumstances.

Posted

Add into your header.php:

    foreach ($_POST as $k => $v)
    {
        $_POST[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }
    foreach ($_GET as $k => $v)
    {
        $_GET[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }

 

Win.

Posted

Add into your header.php:

    foreach ($_POST as $k => $v)
    {
        $_POST[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }
    foreach ($_GET as $k => $v)
    {
        $_GET[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }

Win.

Fail.

abs(@intval($Var));

Fail.

For a start, do you understand how much the @ operator slows your script down?

Posted

Show me malicious input that gets past this, and I'll admit it's a fail. Otherwise, you're full of it. :)

Posted

I'm not full of it. You're just putting people under the belief that this will secure their site from everything, when it won't.

Tell me, is this stopping CSRF?

Or anything of that sort? :rolleyes: I'm FAR from 'full of it'. I don't believe I am an 'amazing' programmer. I dislike the fact that people can make the assumption their site is secure because of one function.
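The question just asked is the right one: a forged request from another site carries perfectly "clean" alphanumeric values, so no character filter can tell it from a legitimate one. What the attacker cannot supply is a secret tied to the victim's session. The block below is an added example of that synchronizer-token pattern for the CSRF item on the list earlier in the thread; it is not code from the thread's posters or from MCcodes, the field and function names are hypothetical, and it needs PHP 7+ for random_bytes(). The session array is passed in explicitly so the functions can be exercised without a live session; on a real page you would pass $_SESSION and $_POST.

```php
<?php
// Added example (not MCcodes code): synchronizer token against CSRF.
// Names (csrf_token, csrf_field, csrf_check) are hypothetical.

function csrf_token(array &$session): string
{
    // One token per session, 256 random bits, created on first use.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_field(array &$session): string
{
    // Hidden field to embed in every state-changing form (bail, send cash, ...).
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $session, array $post): bool
{
    // hash_equals() compares in constant time and expects two strings;
    // a loose == would treat numeric-looking strings such as "0e123" and
    // "0e456" as equal, so it is never used for secrets.
    return isset($session['csrf_token'], $post['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed walk-through of one session and two submissions.
$session  = [];
$formHtml = csrf_field($session);                    // rendered into the real form

$legit  = ['amount' => '500', 'csrf_token' => $session['csrf_token']];
$forged = ['amount' => '500'];                       // attacker's page cannot read the token

echo $formHtml, "\n";
var_dump(csrf_check($session, $legit));
var_dump(csrf_check($session, $forged));
```

The check must run on every POST handler that changes state, before any query; a GET that changes state (like the jail.php?action=bail link discussed earlier) should be turned into a POST with the field, because a token cannot be sent along a plain link the attacker can embed in an image tag. Calling session_regenerate_id(true) at login, before the token is issued, also closes the session-fixation route to hijacking that sits next to CSRF on the list.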

Posted

I was not trying to imply in any fashion that that function made a site fully secure. That is not the case. What I said (if you read over my post) is that I doubt any malicious input could get past that script. Here, let me remind you:

Show me malicious input that gets past this, and I'll admit it's a fail. Otherwise, you're full of it. :)

Of course this doesn't stop CSRF, session hijacking, putting a virus on an admin's computer, hacking into the cPanel of a webserver hosting MCcodes, a DDoS attack, the IP header spoof, or countless other things you could do. I was not making that claim.

I was making the claim (which, I admit, may be wrong) that you would have an extremely difficult time inputting malicious code into the site with that function. That function would also make messages between users more unreadable, the in-game forum system disgusting-looking, and profile signatures/any other sentence-type input malformed. But that's not my problem.

If you want your code secured properly, pay someone a couple hundred bucks to do it, or buy a decent engine. If you just want to get a game up and running, follow all the guides on this forum for securing that you can find, then stick that code in your header.php and you'll give a hacker a headache.

So. I'll reiterate.

Show me malicious input that gets past this, and I'll admit it's a fail. Otherwise, you're full of it. :)

Posted

Well, on my behalf, I apologise. I didn't read the entire thread; I assumed you were posting a "quick fix". However, I'm sure there is malicious code that can pass through this. Tomorrow, when it's not Christmas, I will give it a proper test.

Please understand though, I was not questioning your abilities, nor was I judging your 'code'. Simply a misunderstanding of the entire thread, as stated above ;)

Posted
    foreach ($_POST as $k => $v)
    {
        $_POST[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }
    foreach ($_GET as $k => $v)
    {
        $_GET[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }

I think I'm reading this right (I don't usually use preg_replace), but this basically only allows numeric and alpha, correct? So $_POST['mail'] wouldn't be an issue then?

Even if my message had emote codes in, like :-). It's better to go into the file than assume one simple little "crap" script will fix it all. Maybe if you added it in a functions file and pulled different filters for different things, but then it wouldn't be a header fix, would it ;(

I remember someone saying something about a way around that type of code in header also, when it was first posted here.

Posted

No worries ;)

Apologies if I came off rude as well; this medium of communication makes it hard to convey thoughts and emotions properly, leading quite easily to misunderstandings.

I'll be eagerly awaiting the results of your test! I've been curious about this for some time (whether or not malicious code can sift through it, that is). I know there are ways to avoid standard code, such as using the % sign and numbers as symbols for letters, and other ways of obfuscating code to get past filters, but I don't recall ever seeing a method that uses pure letters and numbers. I genuinely wish you luck!
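The open challenge in this thread (the header.php filter posted earlier, and "show me malicious input that gets past this") has a concrete answer that uses nothing but letters, digits and spaces, which is exactly what the filter lets through. The block below is an added example, not code from the thread's posters or from MCcodes: it runs the quoted filter over constructed inputs and drops each result into an MCcodes-style query where the parameter sits unquoted in an integer comparison. Table and column names are hypothetical.

```php
<?php
// Added example (not MCcodes code). The filter is a character whitelist, not
// an SQL or HTML parser, so an injection that needs no punctuation survives.

function header_filter(array $input): array
{
    // Exactly the loop from the thread: keep only digits, letters, whitespace.
    foreach ($input as $k => $v) {
        $input[$k] = preg_replace("/[^0-9a-zA-Z\s]/", "", $v);
    }
    return $input;
}

function vulnerable_query(string $id): string
{
    // Unquoted integer context: no quote character is needed to break out.
    return "SELECT * FROM users WHERE userid={$id}";
}

function hardened_query(string $id): ?string
{
    // Validate the type instead of deleting characters: anything that is not
    // all digits is rejected, not "cleaned".
    if (!ctype_digit($id)) {
        return null;
    }
    return "SELECT * FROM users WHERE userid=" . (int) $id;
}

// Constructed inputs. The first two are classic payloads the filter mangles;
// the last two contain nothing but letters, digits and spaces and pass through
// untouched. In MySQL, `1 LIKE 1` is true and `0x61646d696e` is the hex
// literal for the string 'admin', so neither needs a quote, equals sign,
// parenthesis or comment marker.
$cases = [
    'xss'   => '"/><script>alert(1)</script>',
    'sqli'  => "1' OR '1'='1",
    'or'    => '5 OR 1 LIKE 1',
    'admin' => '0 OR username LIKE 0x61646d696e',
];

foreach (header_filter($cases) as $name => $value) {
    printf("%-5s after filter : %s\n", $name, $value);
    printf("      vulnerable   : %s\n", vulnerable_query($value));
    printf("      hardened     : %s\n", hardened_query($value) ?? 'rejected');
}
```

Two things are worth noticing in the output. The 'or' and 'admin' cases reach the query unchanged and turn a lookup of one user into "every row" and "the row whose name is admin" respectively. Even the stripped classic payload is not harmless: `1' OR '1'='1` becomes `1 OR 11`, and MySQL evaluates `userid=1 OR 11` as true for every row, because a non-zero number is a true condition. The filter also has blind spots beyond the regex: PHP fills $_REQUEST separately at startup, so a script reading $_REQUEST never sees the filtered values; $_COOKIE and $_SERVER headers (the IP-header spoof mentioned in the thread) are untouched; and any password containing symbols is silently shortened before it is hashed. The hardened function shows the per-parameter shape that actually closes the hole for integers; for string parameters the equivalent is a prepared statement, and for anything echoed back into a page, htmlspecialchars() at the point of output.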
