MakeWebGames


Posted

Hello.

Well, I'm still working on my new game, and I'm ready to hire someone to secure it. However, to keep the budget as low as possible for the security, I was wondering if someone could assist me by telling me what parts/files of MCCodes are insecure. (Please. I know it's nearly all insecure lol...)

Also, if someone could tell me what parts of PHP code are most vulnerable to attack/exploit.

Please be as detailed as possible!

Thanks a lot!!!

Glucose...

Posted

In my personal opinion I wouldn't just secure the potentially vulnerable files, I'd secure every single file including any modification you install. This way if another bug is ever discovered you will be protected.

Posted

There are so many posts on this now; your best bet is to look around MWG for the "known bugs". Things like forums, cmarket and display picture "hack" will pop up. What you can do is do up a file that has been done before (e.g. cmarket/prefs) and compare it to the secure copy OR post and allow us to do it.

Which Pages to Secure your game---A must read---

- http://www.webcheatsheet.com/php/regular_expressions.php

Learn about regular expressions.

- http://www.phpro.org/tutorials/PHP-Security.html

A little more security.

- http://php.robm.me.uk/

A lot more security.

- http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html

Learn about PHP filters; they can help with most parts of security.

- Session Hijacking Protection

A little stopgap for session hacking for MCCodes.

Posted
The one thing I wouldn't do a DIY job on would be security.

Not a 1/2 done DIY job; however, I think learning yourself is so much better than paying someone. It helps you learn, and when bugs pop up you can fix them without waiting for someone else.

Posted

Loads of helpful advice here, but the one thing everyone here forgot to mention is how to hack it in the first place.

Before you learn security you need to understand how it got hacked in the first place, so my suggestion would be to learn to hack and find vulnerabilities in your script; then you can understand how to fix them.

Posted

Thanks for the advice, guys. Well, after looking at a few tutorials, I'm thinking maybe I should really be securing my game on my own. I'm looking at many tutorials, and I think I now understand how to secure MySQL queries. Do you think that they are the most vulnerable to attack? And for the other ways of exploiting, are there any clear tutorials that I could follow?

Thanks again.

Posted

Your main concerns with a game engine (in specific) are XSS (Cross-Site Scripting) and, as you said, SQL injections. There are many other ways to "break" a website, but they are a bit more complex to explain.

What you will probably need to know about XSS and SQL injections is that:

XSS is the name for a vulnerability where someone injects HTML or JavaScript into the page itself. This is mainly caused by not filtering the global variables.

This is the most common, and the easiest to fix. You can read up on html_special_chars for this; there are also regex filters, which I would rather recommend looking into.

SQL injections are very common, but they are much harder to detect. This is because a good "hacker" does something called a Blind injection; this simply means that they mask the injection so that it looks like a normal query in the logs, but is devastating to the database itself. I would recommend you read up on MySQL itself first, and also mysql_real_escape. Afterwards you may delve deeper into SQL injections.

Another thing I would like to mention, which are very common, are LFIs and RFIs. These simply stand for local/remote file inclusion. This is a very stupid mistake a programmer makes at some point. The simplest way to avoid this is by setting a variable called open_basedir within the php.ini file. You may read more on securing your PHP configuration here.

 

Security is common sense, really.
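An added example, not part of the original thread and not MCCodes code, showing one defence for each of the three issues named in the post above. It assumes PDO prepared statements with an in-memory SQLite database in place of MySQL escaping, PHP's `htmlspecialchars()` for output, and an include allowlist as a complement to `open_basedir`; the table, page names and input values are constructed.

```php
<?php
// Added example: constructed inputs, hypothetical table and page names.
declare(strict_types=1);

// In-memory SQLite stands in for the game's MySQL database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// 1. SQL injection: bind user input as a parameter instead of
//    concatenating it into the query string.
function findUser(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT userid, username FROM users WHERE username = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 2. XSS: escape at output time for the HTML context the value lands in.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. LFI/RFI: never pass request data to include; map it onto a fixed
//    allowlist and fall back to a default for anything unknown.
function resolvePage(string $requested): string
{
    $pages = ['home' => 'home.php', 'bank' => 'bank.php']; // hypothetical pages
    return $pages[$requested] ?? $pages['home'];
}

// Constructed hostile inputs, as they might arrive in $_GET / $_POST.
$name = "alice' OR '1'='1";
$bio  = '<script>alert(1)</script>';
$page = '../../etc/passwd';

// The hostile name is compared literally as a username, not parsed as SQL.
var_dump(count(findUser($db, $name)));
var_dump(count(findUser($db, 'alice')));
// Markup in the bio is rendered as text instead of being executed.
echo e($bio), PHP_EOL;
// Only allowlisted names resolve to a file; the traversal string does not.
echo resolvePage($page), PHP_EOL;
echo resolvePage('bank'), PHP_EOL;
```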
