Renkia Posted February 3, 2010

Securing game

I have just started to learn how to secure about 2 hours ago, and I was just wondering whether all this is right. It's what I think; will this secure it? But I need help from masters, so tell me any problems. =D

    $IP = ($_SERVER['HTTP_X_FORWARDED_FOR']) ? $_SERVER['HTTP_X_FORWARDED_FOR'] : $_SERVER['REMOTE_ADDR'];

in login, register, header, authenticate.php, and replace with

    $IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

Cmarket.php

Normal:

    <?php
    include "globals.php";

Secured, I think?

    <?php
    $_GET['ID'] = abs(@intval($_GET['ID'])); // force ID to a non-negative integer before globals.php uses it
    include "globals.php";

Tell me if anything is wrong. Thanks, Rasheed Saeed. :D
Danny696 Posted February 3, 2010

    $IP = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);

Why mres it?
Jordan Palmer Posted February 3, 2010

I use the same method, Danny. MRES() isn't really "needed"; however, I do tend to use it lol
Jordan Palmer Posted February 3, 2010

I don't think there is one. However, I do use that.
Renkia (Author) Posted February 3, 2010

Really? But it's secured? If so, yahoo, go me. =D
Jordan Palmer Posted February 3, 2010

Yes. If it took you 2 hours to find that out you have issues. It's plastered all over the net/forum. Anyhow - good luck :)
Renkia (Author) Posted February 3, 2010

Is it? Oh god, I didn't even think of looking. But any more ideas where I need to secure?
Jordan Palmer Posted February 3, 2010

You need to secure everything, and yes it is.
Magictallguy Posted February 3, 2010

The IP address is normally inserted into the database - users table, lastip* column. It's a string that can be changed by a user who knows what they're doing. Escaping the incoming data would be good practice ;)

* = lastip, lastip_login, lastip_signup
Karlos94 Posted February 3, 2010

Why not use some MySQL functions?

    INET_ATON()
    INET_NTOA()
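Magictallguy's point that the stored IP is a user-controllable string, and Karlos94's INET_ATON() suggestion, put together in an added PHP example. This is not code from any poster in the thread. It validates the address with filter_var() instead of escaping it, reads X-Forwarded-For only when a proxy you control sets that header (otherwise it is just a request header any client can write), and stores the result through a prepared statement. The $pdo connection, the users table and the lastip_login / lastip_login_text columns are assumed placeholders.

```php
<?php
// Added example (not from the thread): capturing and storing a client IP.
// Assumptions: a PDO connection $pdo; a users table with columns
// lastip_login INT UNSIGNED NULL and lastip_login_text VARCHAR(45).

declare(strict_types=1);

/**
 * Return the address PHP actually saw on the socket.
 * REMOTE_ADDR is set by the web server, so a client cannot forge it.
 * HTTP_X_FORWARDED_FOR is an ordinary request header: any client can send
 * one, and it may hold a comma-separated chain, so it is only trustworthy
 * when a reverse proxy you control overwrites it.
 */
function clientIp(array $server, bool $behindTrustedProxy = false): ?string
{
    $candidate = $server['REMOTE_ADDR'] ?? '';
    if ($behindTrustedProxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // First entry is the original client; later entries are proxies.
        $parts = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim($parts[0]);
    }
    // Validate rather than escape: anything that is not an IP is rejected.
    $ip = filter_var($candidate, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

function storeLoginIp(PDO $pdo, int $userId, string $ip): void
{
    // INET_ATON() packs a dotted IPv4 address into an unsigned 32-bit
    // integer, so the column can be INT UNSIGNED and indexed. It returns
    // NULL for IPv6 input, so a text copy is kept alongside it.
    $stmt = $pdo->prepare(
        'UPDATE users SET lastip_login = INET_ATON(:ip4), lastip_login_text = :ip'
        . ' WHERE id = :id'
    );
    $stmt->execute([
        ':ip4' => filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) ? $ip : null,
        ':ip'  => $ip,
        ':id'  => $userId,
    ]);
}

// Constructed sample request data (no real request involved).
$forged = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => 'not an address at all',
];
var_dump(clientIp($forged));        // string(11) "203.0.113.7"  header ignored
var_dump(clientIp($forged, true));  // NULL  trusted-proxy mode, but value is not an IP

$proxied = [
    'REMOTE_ADDR'          => '10.0.0.1',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.23, 10.0.0.1',
];
var_dump(clientIp($proxied, true)); // string(13) "198.51.100.23"
```

The design choice is validate-then-bind: once the value has passed FILTER_VALIDATE_IP there is nothing left to escape, and binding it as a parameter means the query text never contains user data regardless.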
Redex Posted February 3, 2010

Rasheed, it's a good start and be positive about this :). Though you still have a lot to learn; remember, copy-pasting bits of code into pages will not secure your game to a preferable extent. I'm no master, but I do know you have to secure data which is inputted and outputted, because if not, then you're leaving your game open to lots of vulnerabilities by which the bad users can take control of the game and perform actions which will have a negative impact on your project.
Renkia (Author) Posted February 5, 2010

Cheers bud. So one of the most important parts of securing is the database?
Joshua Posted February 5, 2010

No, the most important part is securing the INPUT and OUTPUT on every page: making sure info going into the database is safe, then checking it on output to the page, making sure it's safe. :P
Jordan Palmer Posted February 5, 2010

I think as long as the output is secure you're fine... In some eyes I'll be wrong; in my own I'm correct.
Renkia (Author) Posted February 5, 2010

Ok. Secure INPUT & OUTPUT. That secures the database and then I'm fine. ON EVERY PAGE.
CrazyT Posted February 5, 2010

Quoting Joshua: "No, the most important part is securing the INPUT and OUTPUT on every page: making sure info going into the database is safe, then checking it on output to the page, making sure it's safe. :P"

Every page? LOL. Didn't know I had to secure every file :P
Joshua Posted February 6, 2010

Er, file, page, you know what I meant. I don't wanna hear it from you; you didn't know that %u / %s %d do not NEED sprintf to operate ^_^
Jordan Palmer Posted February 6, 2010

Quoting Joshua: "Er, file, page, you know what I meant. [...] I don't wanna hear it from you; you didn't know that %u / %s %d do not NEED sprintf to operate ^_^"

No offence, but you didn't. -.-
Zero-Affect Posted February 6, 2010

Neither did you till someone told you. Who cares, it's a filter FFS; do it manually, it's much easier and at least you know what you're doing. What exactly does %u do? Google time, kiddies :) If you're going to do something like:

    $var = '231'; // doesn't have to be a set var, I just thought I'd set one
    $var = ( isset($var) AND ctype_digit($var) ) ? $var : ''; // check it: keep only an all-digit string
    if ( empty($var) ) {
        echo 'error'; // error
    } else {
        echo $var; // could be anything here, from echoes to mysql queries
    }

So are you going to use your "new found" way or stick to the longer but most understandable way? Bet most people never even knew sprintf was a filter (notice the F in sprintF, printF, vsprintF).
CrazyT Posted February 6, 2010

Quoting Joshua: "Er, file, page, you know what I meant. I don't wanna hear it from you; you didn't know that %u / %s %d do not NEED sprintf to operate ^_^"

LMFAOOOO! Hear it from me? Why are you on these forums then? I've been on this forum a lot longer than most people on here.

Quoting Joshua: "you didn't know that %u / %s %d do not NEED sprintf to operate ^_^"

LMFAO! Wow, I think you need to go back to the manual, because mysql_query() only takes two [2] parameters. N00B! And even if you did try it, it will error, something like "Wrong parameter count for mysql_query()..." So, get your facts right before you think you're clever enough. I'll even be kind and link you to the manual: http://php.net/mysql_query :D
Joshua Posted February 6, 2010

Yes, you've been hacking and manipulating people the longest out of anyone, congratulations! If it didn't work, then why is it working on my queries?
Zero-Affect Posted February 6, 2010

Quoting Joshua: "Yes, you've been hacking and manipulating people the longest out of anyone, congratulations! If it didn't work, then why is it working on my queries?"

Post an example query, I'll take a look. I never tried it with MySQL, but I'm sure it's not possible.
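Joshua's "INPUT and OUTPUT on every page" advice, Zero-Affect's ctype_digit() check, and the sprintf('%d') argument, as one added PHP example that is not code from any poster in the thread. One fact worth stating plainly: mysql_query() takes a query string and an optional link, so a %d in the string only does anything if sprintf() is called on it first; the example shows that explicit call beside the prepared-statement form that avoids string building altogether. readId(), itemQuerySprintf(), loadItem(), h(), $pdo and the items table are my placeholders.

```php
<?php
// Added example (not from the thread): validate input before it reaches a
// query, and encode it again on output. Assumptions: a PDO connection $pdo
// and an items table with columns id, name, owner (placeholder names).

declare(strict_types=1);

/** Cmarket.php-style ID check: accept only a string made of digits. */
function readId(array $get, string $key = 'ID'): ?int
{
    $raw = $get[$key] ?? '';
    // ctype_digit() rejects '', '-5', '12abc' and '1e3' outright;
    // abs(intval('12abc')) would silently return 12 instead.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * sprintf('%d') is the "filter" the thread argues about: it coerces the
 * argument to an integer, so the value cannot change the SQL's shape.
 * It has to be called explicitly; mysql_query() never did this itself.
 */
function itemQuerySprintf(int $id): string
{
    return sprintf('SELECT id, name, owner FROM items WHERE id = %d', $id);
}

/** Preferred form: a prepared statement keeps the value out of the SQL text. */
function loadItem(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, owner FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Output side: encode for HTML on the way out, whatever the database holds. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (no real request): the digit-only check in action.
foreach (['42', '007', '', '-5', '12abc', '1e3'] as $sample) {
    $id = readId(['ID' => $sample]);
    printf("%-8s => %s\n", var_export($sample, true), $id === null ? 'rejected' : "id $id");
}
// '42' => id 42, '007' => id 7, everything else => rejected

echo itemQuerySprintf(42) . PHP_EOL;
// SELECT id, name, owner FROM items WHERE id = 42

// Constructed sample row standing in for a fetch() result:
$row = ['id' => 42, 'name' => '<b>Sword</b> "of" Owner', 'owner' => 'alice'];
echo '<td>' . h($row['name']) . '</td>' . PHP_EOL;
// <td>&lt;b&gt;Sword&lt;/b&gt; &quot;of&quot; Owner</td>
```

The two halves are independent on purpose: readId() decides what is allowed in, and h() decides how it is rendered, so a value that slipped into the database some other way is still harmless when the page prints it.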