Djkanna Posted February 6, 2010 Hey everyone, I've been talking with Mdshare and I pitched an idea to get a small group of people to write an article or two on securing Mc Codes for PHPGameSpace and MakeWebGames. We both agree that it's a good idea, but I'd like to hear your thoughts too. What I would like to know: would there be any interest in these articles from a game owner's point of view, and would anybody be willing to contribute to the articles? (Sorry it's short, I haven't slept yet. I'll post more about it later on tonight; however, I would like to hear your thoughts on the basic idea (nothing's written in stone just yet :) )) Thank you, Djkanna. :)
(((TOLK))) Posted February 6, 2010 I, for one, would indeed be interested in a well-written article on securing MCcodes. I'm not an expert, but I could also contribute if need be. I think you should outline what does secure a PHP script, and what doesn't (for example, the speculation of sprintf() securing scripts). So, I would like to see an article on it, and I think it's an excellent idea. :)
Djkanna (Author) Posted February 6, 2010 Thanks Tolk for your reply. I'm thinking of maybe a two-part article: one part being more focused on securing the exploits within the Mc Codes script, and the second about securing the script itself, then maybe a discussion on the functions provided to help the security of your game, as with each new modification you add to your game you're risking an attack even more. Again, nothing's written in stone at this moment, so it's all debatable :)
(((TOLK))) Posted February 6, 2010 Maybe an article on securing MCcodes exploits and another article on securing PHP scripts as a whole?
Djkanna (Author) Posted February 6, 2010 That most likely would come under the article that discusses functions that help with security, as no-one can actually teach how to secure PHP scripts as a whole, because not every PHP script is the same, so it's hard to say what would need securing within a PHP script without knowing the PHP script. But yeah, ways to help secure your game, although the functions wouldn't be and aren't just for a game and can be used (under the right circumstances) on any PHP script :)
(((TOLK))) Posted February 6, 2010 Well then, all I have to say now is good luck, and call if you need me :)
Zeggy Posted February 6, 2010 I don't mean to be advertising, but... my site Web Game Wiki (link in sig) is a wiki about web games (duh), and it's got a section for developers, and a sub-section specifically on security. I've written some articles on security already, mainly the user input, SQL injection and XSS articles. Since it's a wiki, everybody is free to edit it and add more articles. So if you're interested... maybe you'd like to think about using my wiki as a platform, or even just as a reference? :P If not, then I'll volunteer myself anyway to help write your articles.
Jordan Palmer Posted February 6, 2010 I'm with zeggy.. @zeggy; Good idea with your site.. I checked it out a few weeks back and I actually liked it. :) I'll be happy to forward some tutorials I've written if the idea goes forward.
Djkanna (Author) Posted February 6, 2010 Thank you Zeggy, I think your site could come in handy, although I don't want a simple C+P job, if you know what I mean, but used as references it could be good; we'll have to have a talk sometime later on. :) Also thanks for wanting to help, I wasn't too sure if anyone would actually be interested in it. Thank you Jordan :) same again, I don't think it'll be best C+P but maybe a reference or two :) I'll have to have an in-depth talk with Mdshare about it, after all it's for his network :P Thanks again both of you :) Djkanna.
Djkanna (Author) Posted February 6, 2010 I've just read that back to myself and it wasn't supposed to sound the slightest bit rude, sorry :)
Jordan Palmer Posted February 6, 2010 Thank you Zeggy, I think your site could come in handy, although I don't want a simple C+P job, if you know what I mean, but used as references it could be good; we'll have to have a talk sometime later on. :) Also thanks for wanting to help, I wasn't too sure if anyone would actually be interested in it. Thank you Jordan :) same again, I don't think it'll be best C+P but maybe a reference or two :) I'll have to have an in-depth talk with Mdshare about it, after all it's for his network :P Thanks again both of you :) Djkanna. Who's saying that I c+p -.-
Djkanna (Author) Posted February 6, 2010 No-one, it was meant as "I don't want to just copy and paste off of you :) for the articles, but references to your articles is a good way of going about it", not that you've copied and pasted yours :)
Jordan Palmer Posted February 6, 2010 Ahh, I took that the wrong way. Sorry.
Djkanna (Author) Posted February 7, 2010 Possible ideas. I've come up with a few possible ideas for this collection of articles; please let me know what you think. :)

One article about securing Mc Codes exploits, where we talk about and give ways to patch up said exploits.

An article or two on functions provided that contribute to security. This will cover what functions can be used, how, why they should be used, and talk a little bit about the efficiency of said functions. I think this should go as in-depth as possible within the articles but still make it understandable to the beginners as well as the more advanced people that may be reading them. This also may be a good place for references to separate sites (only if references are allowed within the articles).

References include but are not limited to:
http://www.php.net
http://www.mysql.net
http://www.webgamewiki.com
http://makewebgames.io
http://www.ha.ckers.org
MakeWebGames members :)

Any contribution to these articles is greatly appreciated. Personally I think it may help and could be used as a reference in itself. Again, nothing is written in stone, so please let me know what you think. Thank You, Djkanna.
Zeggy Posted February 7, 2010 I have never used mc codes so I won't be able to help write anything for that article :P I could help with the functions article though, I've written one before. :) I believe an article or series of articles going in-depth on security is not something that would be easy. You could write a book (and there are a few) on just PHP security. I do have an idea though (maybe as a side project): every week, you could ask for game owners who have had their game exploited to allow you to use their game in your article. In your article, you demonstrate whatever exploit they were victim to on their game (so include screenshots), explain why it happens and how, and then show how to fix it. You get a very good article with live examples, and the game owner gets a bug fixed for free!
Djkanna (Author) Posted February 7, 2010 That's a great idea Zeggy, thank you. I realised that you cannot really go in-depth with PHP security with just one or two articles, but we could break the surface, which is a start. :) The only downside I see is if we inadvertently show how to use the exploit, we may have wannabe gangsters (I use that term loosely) doing it on games that haven't managed to patch it up yet, so in a way we may be causing more problems. Or have I just got it totally wrong?!? (Djkanna isn't with it today :P)
Zero-Affect Posted February 9, 2010 I know this probably isn't the best place to post, but MC V2 does have an item issue. I have known about it for quite a while, but considering most people wouldn't have even thought about it, and most that know, know from me. itembuy.php: you can buy items which are buyable but set at price 0. This obviously is very rare, but happens a lot in small games when people are creating mass items; they sometimes forget to uncheck the item buyable check box. So guys, remember to uncheck the box, and maybe a little fix would work well.

<?php
/*-----------------------------------------------------
-- Item Buy
-- Patched by Zero-Affect
-- Released @ MakeWebGames.com for free
-----------------------------------------------------*/
include_once(dirname(__FILE__) . '/globals.php');

// Keep only non-empty, all-digit values; anything else becomes ''.
$_GET['ID']  = (isset($_GET['ID'])  && ctype_digit($_GET['ID'])  && !empty($_GET['ID']))  ? $_GET['ID']  : '';
$_GET['qty'] = (isset($_GET['qty']) && ctype_digit($_GET['qty']) && !empty($_GET['qty'])) ? $_GET['qty'] : '';

if ($_GET['ID'] && $_GET['qty'])
{
    $id = $db->query("SELECT `itmbuyprice`, `itmbuyable`, `itmid`, `itmname` FROM `items` WHERE `itmid` = {$_GET['ID']}");
    if ($db->num_rows($id) == 0)
    {
        echo "<p>This item does not exist. Click <a href='index.php'>here</a> to go home.</p>";
    }
    else
    {
        $r     = $db->fetch_row($id);
        $price = abs(@intval($r['itmbuyprice'] * $_GET['qty']));
        if (!$r['itmbuyable'] || $price <= 0)
        {
            // Items flagged as not buyable, or priced at 0, must not be sold here.
            echo "<p>This item is not for sale. Click <a href='index.php'>here</a> to go home.</p>";
        }
        else if ($price > $ir['money'])
        {
            echo "<p>You can only buy what you can afford. Click <a href='index.php'>here</a> to go home.</p>";
        }
        else
        {
            item_add($userid, $r['itmid'], $_GET['qty']);
            $db->query("UPDATE `users` SET `money` = `money` - {$price} WHERE `userid` = $userid");
            $priceh    = money_formatter($price, '$');
            $item_name = ($_GET['qty'] == 1) ? $r['itmname'] : $r['itmname'] . 's';
            echo "<p>You bought {$_GET['qty']} {$item_name} for {$priceh}. Click <a href='index.php'>here</a> to go home.</p>";
            $db->query("INSERT INTO `itembuylogs` VALUES ('', $userid, {$r['itmid']}, $price, {$_GET['qty']}, unix_timestamp(), '{$ir['handle']} sold {$_GET['qty']} {$item_name} for {$priceh}')");
        }
    }
}
else if ($_GET['ID'])
{
    // An ID without a quantity: show the quantity form for that item.
    $ckitm = $db->fetch_row($db->query("SELECT COUNT(`itmid`) AS `check_itm`, `itmname`, `itmbuyprice` FROM `items` WHERE `itmid` = {$_GET['ID']}"));
    if (!$ckitm['check_itm'])
    {
        echo "<p>This item does not exist. Click <a href='index.php'>here</a> to go back.</p>";
    }
    else
    {
        echo "<p>Please specify the amount of {$ckitm['itmname']}s you want to buy.
        Note: it costs " . money_formatter($ckitm['itmbuyprice'], '') . " {$set['primary_currency']} per {$ckitm['itmname']}.</p>
        <form action='itembuy.php' method='get'>
        <input type='hidden' name='ID' value='{$_GET['ID']}' />
        <table class='table' align='center' cellspacing='1' cellpadding='1' width='55%'>
        <tr>
        <th>Quantity:</th>
        <td><input type='text' name='qty' value='' /></td>
        </tr>
        <tr>
        <td colspan='2'><input type='submit' value='' id='submit_box'></td>
        </tr>
        </table>
        </form>";
    }
}
else
{
    echo "<p>This item does not exist. Click <a href='index.php'>here</a> to go back.</p>";
}
$h->endpage();
?>

Sadly I don't have the time to update it to recent standards, but I'm sure there will be an error since I changed a few things in my items table and so on with KC. If any errors, just post and I'll try and help. The code itself could do with an update also if anyone's got time (this is very old code).
rulerofzu Posted February 9, 2010 That's a great idea Zeggy, thank you. I realised that you cannot really go in-depth with PHP security with just one or two articles, but we could break the surface, which is a start. :) The only downside I see is if we inadvertently show how to use the exploit, we may have wannabe gangsters (I use that term loosely) doing it on games that haven't managed to patch it up yet, so in a way we may be causing more problems. Or have I just got it totally wrong?!? (Djkanna isn't with it today :P) This is the issue with all PHP software suites that release security updates/patches etc. People then go looking for unpatched versions. A quick, easy way for systems such as phpBB, Mambo etc. is to google by version number, as they are most likely not to be patched :S The best way I've seen around that is for an RSS feed to be in place. An e-commerce suite I use has an RSS feed from the dev team, who then give you a status update when a security issue has been discovered. As this is sent to the admin end of the suite, it's kept from public knowledge for a limited time to allow for install of the patch/fix, whatever. Maybe a feed from here into the staff admin for mc would do the same?
Djkanna (Author) Posted February 9, 2010 Thank you Rpmb, that certainly gives me a lot to think about, as well as others.. Djkanna is having a think now lol
Zero-Affect Posted May 4, 2010

<?php
/*-----------------------------------------------------
-- File: itembuy.php
-- Edited by: CrimGame/ZeroAffect
-- Released for: MakeWebGames.com
-----------------------------------------------------*/
include_once(dirname(__FILE__) . '/globals.php');

// Keep only all-digit values; anything else becomes ''.
$_GET['ID']   = (isset($_GET['ID'])   && ctype_digit($_GET['ID']))   ? $_GET['ID']   : '';
$_POST['qty'] = (isset($_POST['qty']) && ctype_digit($_POST['qty'])) ? $_POST['qty'] : '';

if (!$_GET['ID'] || !$_POST['qty'])
{
    echo 'Invalid use of file';
}
else if ($_POST['qty'] <= 0)
{
    echo 'You have been added to the delete list for trying to cheat the game.';
}
else
{
    $q = $db->query("SELECT * FROM items WHERE itmid={$_GET['ID']}");
    if ($db->num_rows($q) == 0)
    {
        echo 'Invalid item ID';
    }
    else
    {
        $itemd = $db->fetch_row($q);
        if ($ir['money'] < ($itemd['itmbuyprice'] * $_POST['qty']))
        {
            echo 'You don\'t have enough money to buy ' . $_POST['qty'] . ' ' . $itemd['itmname'] . '!';
            die($h->endpage());
        }
        // Refuse non-buyable items and items priced at 0 (the issue raised earlier in this thread).
        if ($itemd['itmbuyable'] == 0 || $itemd['itmbuyprice'] <= 0)
        {
            echo 'This item can\'t be bought!';
            die($h->endpage());
        }
        // Build a comma-separated list of the shops in the player's current location;
        // the trailing 0 keeps the IN() list valid when there are none.
        $shots     = '';
        $grab_shop = $db->query('SELECT `shopID` FROM `shops` WHERE `shopLOCATION` = ' . $ir['location']);
        while ($list_shop = $db->fetch_row($grab_shop))
        {
            $shots .= $list_shop['shopID'] . ',';
        }
        $shots .= 0;
        $grab_sITEM = $db->fetch_row($db->query('SELECT COUNT(`sitemID`) AS `sITEM_CNT` FROM `shopitems` WHERE `sitemSHOP` IN(' . $shots . ') AND `sitemITEMID` = ' . $_GET['ID']));
        if ($grab_sITEM['sITEM_CNT'] == 0)
        {
            echo 'You can\'t buy items from other cities.';
            die($h->endpage());
        }
        $price = ($itemd['itmbuyprice'] * $_POST['qty']);
        item_add($userid, $_GET['ID'], $_POST['qty']);
        $db->query("UPDATE `users` SET `money` = `money` - $price WHERE `userid` = $userid");
        $db->query("INSERT INTO `itembuylogs` VALUES ('', $userid, {$_GET['ID']}, $price, {$_POST['qty']}, unix_timestamp(), '{$ir['username']} bought {$_POST['qty']} {$itemd['itmname']}(s) for {$price}')");
        echo 'You bought ' . $_POST['qty'] . ' ' . $itemd['itmname'] . (($_POST['qty'] > 1) ? 's' : '') . ' for ' . money_formatter($price);
    }
}
$h->endpage();
?>
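An added example, not code from this thread or from MCCodes, showing a purchase step that folds together the checks the two posted files reach for (digit-only input, the buyable flag, a zero price, affordability) and adds the two things a reviewer would still ask for: bound SQL parameters instead of request values interpolated into the query string, and a conditional balance update so the "can afford?" check and the debit are a single database operation. It assumes a PDO connection in $pdo (with ERRMODE_EXCEPTION), the $userid that globals.php sets, the item_add() helper the posted code calls, and the column names used above; MAX_QTY, MAX_ID, parse_positive_int() and buy_item() are names chosen for this example.

```php
<?php
// Added example (not from the thread or MCCodes). Assumes: $pdo is a PDO
// connection with ERRMODE_EXCEPTION, $userid comes from globals.php,
// item_add() is the engine helper the posted code calls, and the columns are
// those used in the posted itembuy.php (items.itmid/itmname/itmbuyprice/
// itmbuyable, users.userid/money, itembuylogs with the same positional layout).

const MAX_QTY = 1000;        // assumption: per-purchase cap
const MAX_ID  = 2147483647;  // assumption: ids fit a signed INT column

/** Parse a bounded positive integer from raw request input; null if invalid. */
function parse_positive_int($raw, int $max): ?int
{
    // ctype_digit rejects '', '-1', '1.5', '1e3' and non-strings; the length
    // check stops very long digit strings from wrapping when cast to int.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= $max) ? $n : null;
}

/** Buy $qty of $itemId for $userId; returns a status keyword for the caller. */
function buy_item(PDO $pdo, int $userId, int $itemId, int $qty): string
{
    $pdo->beginTransaction();
    try {
        // Bound parameter instead of string interpolation.
        $st = $pdo->prepare(
            'SELECT itmname, itmbuyprice, itmbuyable FROM items WHERE itmid = ?'
        );
        $st->execute([$itemId]);
        $item = $st->fetch(PDO::FETCH_ASSOC);
        if ($item === false) {
            $pdo->rollBack();
            return 'no_such_item';
        }

        // The thread's bug: a buyable item priced at 0 (or a non-buyable item)
        // must never be sold here, so check both the flag and the price.
        $unit = (int) $item['itmbuyprice'];
        if ((int) $item['itmbuyable'] !== 1 || $unit <= 0) {
            $pdo->rollBack();
            return 'not_for_sale';
        }

        // Overflow guard before multiplying price by quantity.
        if ($unit > intdiv(PHP_INT_MAX, $qty)) {
            $pdo->rollBack();
            return 'too_many';
        }
        $total = $unit * $qty;

        // Conditional debit: the row only changes if the balance still covers
        // the total at write time, so a separate affordability check cannot
        // be outrun by a second request for the same account.
        $debit = $pdo->prepare(
            'UPDATE users SET money = money - ? WHERE userid = ? AND money >= ?'
        );
        $debit->execute([$total, $userId, $total]);
        if ($debit->rowCount() !== 1) {
            $pdo->rollBack();
            return 'insufficient_funds';
        }

        item_add($userId, $itemId, $qty);   // engine helper from the posted code
        $log = $pdo->prepare(
            "INSERT INTO itembuylogs VALUES ('', ?, ?, ?, ?, UNIX_TIMESTAMP(), ?)"
        );
        $log->execute([$userId, $itemId, $total, $qty,
                       "bought {$qty} x {$item['itmname']} for {$total}"]);
        $pdo->commit();
        return 'ok';
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}

// Request handling: the purchase is POST-only, as in the second posted version.
$itemId = parse_positive_int($_GET['ID'] ?? null, MAX_ID);
$qty    = parse_positive_int($_POST['qty'] ?? null, MAX_QTY);

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || $itemId === null || $qty === null) {
    echo '<p>Invalid use of file.</p>';
} else {
    $messages = [
        'ok'                 => 'Purchase complete.',
        'no_such_item'       => 'This item does not exist.',
        'not_for_sale'       => 'This item cannot be bought.',
        'too_many'           => 'That quantity is too large.',
        'insufficient_funds' => 'You can only buy what you can afford.',
    ];
    echo '<p>' . $messages[buy_item($pdo, $userid, $itemId, $qty)] . '</p>';
}
```

A rowCount() of 0 on the UPDATE means no row matched both the user id and the balance condition, so the purchase is refused without the balance ever having been touched; the log INSERT keeps the positional column order of the posted code, with the message text built from already-validated values and passed as a bound parameter.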
SHAD Posted May 4, 2010 If someone actually wrote an article on securing the whole mccodes engine, I will be willing to buy it, if I have to, as I can learn quite a lot from it.
Danny696 Posted May 4, 2010 Why not get someone to secure your game, then read the codes and learn?
Djkanna (Author) Posted May 4, 2010 You have to understand this would be an article based on PHP security; sure, we may point out flaws within the McCode script and give solutions on how to fix the flaw in question. However, with recent events this probably won't happen any time soon, unless someone (or some of you) feel like contributing towards the series of articles; I'll spare some time and we'll do it for PHPGameSpace and here. Of course it will be freely available to you, as in my opinion this is something that should be sold; after all, we're a community for helping others ^^