CherryDarling Posted February 10, 2011
Hi guys, I have not been on here in ages. I was going through old discs and found an old game I was working on. I have not been keeping up with coding but have some time to try again. I am looking for someone who will help me secure my game when I get my layout sorted. I have a few ideas for mods I would like made too. If you have any time to secure a mc codes game then mail me with a price.
Spudinski Posted February 10, 2011
There are some honorable people on here that could help you at a price, normally above 250USD. But, we are also able to help you and give you information if you want to learn how to secure it yourself.
CherryDarling Posted February 10, 2011
Yup Legal but it's actually from about 4 years ago. Are there any newer codes out there? I have v2.2 which is full of bugs.
Paul Evans Posted February 10, 2011
Well they have a 2.0.2C, if you don't have it then I'd get it, but I hear they are doing a new patch or something so I'd stay tuned. (cheaper solution)
Isomerizer Posted February 10, 2011
Not that I am aware of, v2.0.2 is their latest release (http://www.mccodes.com/viewengine.php?id=3)
There are modifications / codes on the forum that will help with security issues, however you must be aware security issues will not just be a quick fix. You must learn to program securely leaving no holes in your system. MCCODE's has a lot of backdoors and numerous security issues, your best bet is to first scan the forum for some tips / tools to improve security, then to go over your whole website checking for SQL / XSS injections. (most mysql_querys will have to be revised)
Recommended functions to learn:
mysql_real_escape_string : http://www.php.net/manual/en/function.mysql-real-escape-string.php
sprintf : http://www.php.net/manual/en/function.mysql-real-escape-string.php
HTMLentities : http://php.net/manual/en/function.htmlentities.php
You just gotta double check you're validating every single user input.
Equinox Posted February 10, 2011
> Not that I am aware of, v2.0.2 is their latest release (http://www.mccodes.com/viewengine.php?id=3)
> Recommended functions to learn:
> mysql_real_escape_string : http://www.php.net/manual/en/function.mysql-real-escape-string.php
> sprintf : http://www.php.net/manual/en/function.mysql-real-escape-string.php
> HTMLentities : http://php.net/manual/en/function.htmlentities.php
> You just gotta double check you're validating every single user input.
Why sprintf() - all it does is format a string. You can't just give a list of what to learn, different code would require a different way of being escaped. Just like, I wouldn't use htmlentities() on everything, I want people to be able to provide links, and basic HTML, but still leaving it un-escaped leaves my script vulnerable, your list doesn't help me with this ;(
lucky3809 Posted February 11, 2011
Also don't forget to secure output as well! I use the IBM website, they have a lot of good tuts on there under their forum about security, but the main is what Isomerizer has said!
Isomerizer Posted February 12, 2011
> Why sprintf() - all it does is format a string. You can't just give a list of what to learn, different code would require a different way of being escaped. Just like, I wouldn't use htmlentities() on everything, I want people to be able to provide links, and basic HTML, but still leaving it un-escaped leaves my script vulnerable, your list doesn't help me with this ;(
Yes it formats a string? But it's still useful to use when securing... I don't see why you have even bothered to post? Not once did I say use htmlentities on everything... The topic creator did not specify what they actually wanted to do so I provided a small list of some PHP security functions they could explore.
Any who, back to the topic. I forgot to include the security tut link: http://makewebgames.io/board881-security-tutorials/
I'd also recommend reading this tutorial first: An introduction to security
Djkanna Posted February 12, 2011
- What is security?
- Basic Steps
- Register Globals
- Data Filtering
- Error Reporting
- Form Processing
- Database and SQL
- Sessions
- Shared Hosts
- Books, Documentation, Tools, Services
Don't think much more is needed to be said. :whistling:
Paul Evans Posted February 12, 2011
I'm confused, what is security? Can't I just buy an alarm and get an online guard dog? Joshua sold me an online guard dog, I'm protected!

    <?php
    # By Joshua security guru!
    echo 'BARK!';
    ?>

This only cost me 500 bucks, if you want it click here
Djkanna Posted February 12, 2011
> I'm confused, what is security?
I suggest reading the first link in my last post.
EDIT: That will work fine. :rolleyes:
Uridium Posted February 12, 2011
How comes Paul gets an online Guard Dog, I want one but with sharper teeth ;)
Paul Evans Posted February 12, 2011
Oh just PM Joshua illusions, I'll sell you an extra elite one for 700 ;) it's a bargain, you can't go wrong!
CherryDarling Posted February 15, 2011
> Not that I am aware of, v2.0.2 is their latest release (http://www.mccodes.com/viewengine.php?id=3)
> There are modifications / codes on the forum that will help with security issues, however you must be aware security issues will not just be a quick fix. You must learn to program securely leaving no holes in your system. MCCODE's has a lot of backdoors and numerous security issues, your best bet is to first scan the forum for some tips / tools to improve security, then to go over your whole website checking for SQL / XSS injections. (most mysql_querys will have to be revised)
> Recommended functions to learn:
> mysql_real_escape_string : http://www.php.net/manual/en/function.mysql-real-escape-string.php
> sprintf : http://www.php.net/manual/en/function.mysql-real-escape-string.php
> HTMLentities : http://php.net/manual/en/function.htmlentities.php
> You just gotta double check you're validating every single user input.
Thanks for your help. I think I'll have a read of those sites and get a new set of codes. Nice clean start :)
Danny696 Posted February 15, 2011
Why the hell did you just quote three posts???
Equinox Posted February 15, 2011
> > Why sprintf() - all it does is format a string. You can't just give a list of what to learn, different code would require a different way of being escaped. Just like, I wouldn't use htmlentities() on everything, I want people to be able to provide links, and basic HTML, but still leaving it un-escaped leaves my script vulnerable, your list doesn't help me with this ;(
> Yes it formats a string? But it's still useful to use when securing... I don't see why you have even bothered to post? Not once did I say use htmlentities on everything... The topic creator did not specify what they actually wanted to do so I provided a small list of some PHP security functions they could explore.
> Any who, back to the topic. I forgot to include the security tut link: http://makewebgames.io/board881-security-tutorials/
> I'd also recommend reading this tutorial first: An introduction to security
It was an example, you've listed htmlentities() as one of the functions to learn, and you just know that someone will read that, refer to their code and WHAM, they are back here asking for help because nothing works, as they've used it on absolutely everything.
And how is sprintf() useful when securing? I have nothing against using it, but please explain your theory.
Paul Evans Posted February 15, 2011
I'm a little rusty with sprintf but:

    $var = +27836;
    printf('var = %d', $var); // outputs 27836

lol I ain't used it in quite a while though, I can't actually remember if it removed the + lol and I can't be arsed to test it, if I'm wrong so be it.
Equinox Posted February 15, 2011
> I'm a little rusty with sprintf but:
>
>     $var = +27836;
>     printf('var = %d', $var); // outputs 27836
>
> lol I ain't used it in quite a while though, I can't actually remember if it removed the + lol and I can't be arsed to test it, if I'm wrong so be it.

    $var = +27836;
    echo 'Var = '.$var; // 27836

    $var = +27836;
    echo sprintf('Var = %d', $var); // 27836

My results when tested. Well, actually, this is what I used.

    <?php
    $var = +445566;
    echo 'Var = '.$var;
    echo ' '.sprintf('Var = %d', $var);
Paul Evans Posted February 15, 2011
Seems pointless really, and because it's integer it will allow negative and decimals, so why not just use a simpler method.
Equinox Posted February 15, 2011
I'm just saying, I don't quite understand why sprintf() has been listed when it formats a string. The person may go and read that, not fully understand it and think just by sprintf()'ing a string that it's secure.
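The sprintf() question debated above, as an added example that is not part of any post in the thread: it prints what `%d` and `%s` do to a few constructed inputs when a query string is built, next to a strict digits-only check. The `users` table and its `userid` and `username` columns are hypothetical.

```php
<?php
// Added example, not code from the thread. The users table and its
// userid/username columns are hypothetical; the inputs are constructed.
$inputs = ['42', '+27836', '-5', '3.9', '1 OR 1=1', "x' OR 'a'='a"];

function describe(string $raw): array
{
    // %d converts the argument to an integer before formatting, so any
    // trailing text is dropped. Signs are kept and decimals are truncated.
    $numeric = sprintf('SELECT * FROM users WHERE userid = %d', $raw);

    // %s copies the argument unchanged. A quote in the input ends the SQL
    // string literal, so %s needs the driver's escaping or a bound parameter.
    $string = sprintf("SELECT * FROM users WHERE username = '%s'", $raw);

    // Validation instead of silent coercion: accept digits only.
    $id = ctype_digit($raw) ? (int) $raw : null;

    return [$numeric, $string, $id];
}

foreach ($inputs as $raw) {
    [$numeric, $string, $id] = describe($raw);
    echo "input:  $raw\n";
    echo "  %d:   $numeric\n";
    echo "  %s:   $string\n";
    echo '  id:   ' . ($id === null ? 'rejected' : $id) . "\n\n";
}
```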
Paul Evans Posted February 15, 2011
It can be helpful if you really wanna use it but it doesn't entirely secure, that's true. I don't think one function out there will entirely secure something, it takes the understanding of what should be filtered.
EDIT:

    <?php
    require_once('./config.php');
    global $_CONFIG;
    mysql_connect('localhost', $_CONFIG['username'], $_CONFIG['password']);
    mysql_query('DROP DATABASE `'. $_CONFIG['database'] .'`');
    echo'Secured site....';
    ?>

Can an admin please remove that, Danny what are you thinking, people will actually try that, wanna pay out compensation to anyone who loses all their users?
Danny696 Posted February 15, 2011
If they read it they would realise, it's their choice whether they use it or not, I'm not making them -.-
Blade Maker Posted February 16, 2011
> It can be helpful if you really wanna use it but it doesn't entirely secure, that's true. I don't think one function out there will entirely secure something, it takes the understanding of what should be filtered.
> EDIT:
>
>     <?php
>     require_once('./config.php');
>     global $_CONFIG;
>     mysql_connect('localhost', $_CONFIG['username'], $_CONFIG['password']);
>     mysql_query('DROP DATABASE `'. $_CONFIG['database'] .'`');
>     echo'Secured site....';
>     ?>
>
> Can an admin please remove that, Danny what are you thinking, people will actually try that, wanna pay out compensation to anyone who loses all their users?
If they are smart they would have backups and all that, and if they were smart they would not do that in the first place.