BeastTheKidd Posted December 11, 2011
Is there any secured version on sale, or do I need to get it secured? I want to make a game and someone told me I needed to get it secured?
lucky3809 Posted December 11, 2011
All scripts need to be secured. As for any for sale of mccodes, I don't think there is, unless redux is secured, maybe someone can answer that who has used the redux upgrade?... The parts that need to be secured are forms, anywhere a user is typing in stuff into your database, and ALL queries in your scripts should be secured. Do not ever go for securing the header.php only, some people think a small code will secure all pages, when it does not secure EVERYTHING, ALL pages need to be secured!
Curt Posted December 11, 2011
The new version of mccodes V2 is more secure than the previous version, eliminating simple issues like the points market hack along with a few other issues. It is not completely secure though.
Dominion Posted December 11, 2011
The newest patches are much better on this front. v1 I am unsure about, however 2.0.3 has most of the problems fixed in terms of sql injections that can be found throughout the web for mcc since it's actually checking the user supplied data. I have not done my own tests since there would be very little point in me doing so, but as far as I'm aware it's a massive improvement. I have heard of some issues within the source, but it's more of a "this requires to check to ensure they should be able to do this" rather than a hack, e.g. one admin fedding another admin account. Although the way the checks are done is something people seem to dislike. More information here - http://makewebgames.io/showthread.php/38706-MCC-v2-0-3/
Redux is secured in the same way. You can find many threads on both versions, and their known issues.
Djkanna Posted December 11, 2011
V2.3 patches fixed some bugs that have been known for a while, Redux is taking a step backwards and reversed the fixes to some of those problems. So yeah if you cannot do it yourself you will need to get someone else to do it for you, in my opinion Lite is probably the one with the least amount of bugs (I think Danny's version is even better, but haven't looked into it nor do I know if it's still available).
Dominion Posted December 11, 2011
My opinion is from posts around this forum (since I don't have a copy of 2.03), and would be interested in having some kind of review of the more recent patch. May help people decide when looking to buy it. Just an idea if anyone cares to take the time... I'm sure Danny's Lite update could always be reposted.
Djkanna Posted December 11, 2011
My opinion was formed from the first thing I saw in Redux

```php
if ( $_POST['username'] == "" || $_POST['password'] == "" )
{
    die("
    <h3>{$set['game_name']} Error</h3>
    You did not fill in the login form!<br>
    <a href=login.php>> Back</a>
    ");
}
// Raw $_POST['username'] is interpolated into the SQL string without escaping.
$uq = $db->query("SELECT `userid`,`email` FROM `users` WHERE `login_name` = '{$_POST['username']}' AND `userpass` = '".hash('sha256',$_POST['password'])."'");
if ( $db->num_rows($uq) == 0 )
{
    die("
    <h3>{$set['game_name']} Error</h3>
    Invalid username or password!<br>
    <a href=login.php>> Back</a>
    ");
}
else
{
    $_SESSION['loggedin'] = 1;
    $mem=$db->fetch_row($uq);
    $rand_num = rand(1,100000);
    $_SESSION['multi_login'] = md5($mem['email'].$rand_num);
    $_SESSION['userid'] = $mem['userid'];
    $IP = $db->escape($_SERVER['REMOTE_ADDR']);
    // ... the posted snippet ends here
}
```

In the authenticate.php file. I'll be honest I've not had an in-depth look at Redux either, but from what I have seen it doesn't get much better.
EDIT: Danny's Lite has been added as an attachment (permission received from Danny to post it). Lite.zip
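A hardened counterpart to the login check quoted above, added here as an example; it is not code from MCCodes, Redux or any poster in this thread. The table and column names follow the quoted snippet, while the PDO handle, the SQLite demo table, the sample user and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed in-memory users table so the example runs offline (needs pdo_sqlite).
function make_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, login_name TEXT UNIQUE, userpass TEXT, email TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (login_name, userpass, email) VALUES (?, ?, ?)');
    // password_hash() salts and stretches the password; hash('sha256', ...) and md5() do neither.
    $ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT), 'ob@example.test']);
    return $pdo;
}

// Hypothetical helper: returns the user row on success, null on any failure.
function authenticate(PDO $pdo, $username, $password): ?array
{
    // Form fields can arrive as arrays (username[]=x); accept only non-empty strings.
    if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
        return null;
    }
    // Bound placeholder: the username travels as data and is never spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT userid, email, userpass FROM users WHERE login_name = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify the hash in PHP instead of comparing it inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['userpass'])) {
        return null;
    }
    unset($row['userpass']);
    return $row;
}

// Hypothetical helper: session setup after a successful login (session must be active).
function start_login_session(array $row): void
{
    session_regenerate_id(true); // new session id once the user is authenticated
    $_SESSION['loggedin'] = 1;
    $_SESSION['userid'] = (int) $row['userid'];
    // CSPRNG token; md5(email . rand(1, 100000)) has only 100000 possible values per email.
    $_SESSION['multi_login'] = bin2hex(random_bytes(16));
}

$pdo = make_demo_db();
var_dump(authenticate($pdo, "o'brien", 'correct horse')); // name with an apostrophe, right password
var_dump(authenticate($pdo, "o'brien", 'wrong password'));
var_dump(authenticate($pdo, ['x'], 'correct horse'));       // non-string input
```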
Dominion Posted December 11, 2011
I have a copy of Redux, and use it to offer support when people ask. Just the .03 I have never seen (or the v1 update if there has been one...).
Djkanna Posted December 11, 2011
I don't believe there has been an update for V1 (but I could be wrong). Given my example above the .3 patch is the exact same, except using MD5 as the encryption method (oh and the -multi-login stuff).
rulerofzu Posted December 11, 2011
Dominion there is not much difference from 2.0.3 to Redux.
BeastTheKidd Posted December 11, 2011
What is different about Danny's lite? Is it secure? I'm only asking about security because I am honestly lazy and I don't want to go through all the files and secure them. I CAN secure any modifications though, or php in general. Just too lazy to mess with all the others.
BeastTheKidd Posted December 11, 2011
Is Danny's Lite secured? If so that's amazing. Perfect for what I need.
Danny696 Posted December 11, 2011
It should be secure, but it was done a while ago, so I'm not 100% sure, but I'm about 90% sure it is.
Dave Posted December 12, 2011
> My opinion was formed from the first thing I saw in Redux
>
> ```php
> if ( $_POST['username'] == "" || $_POST['password'] == "" )
> {
>     die("
>     <h3>{$set['game_name']} Error</h3>
>     You did not fill in the login form!<br>
>     <a href=login.php>> Back</a>
>     ");
> }
> // Raw $_POST['username'] is interpolated into the SQL string without escaping.
> $uq = $db->query("SELECT `userid`,`email` FROM `users` WHERE `login_name` = '{$_POST['username']}' AND `userpass` = '".hash('sha256',$_POST['password'])."'");
> if ( $db->num_rows($uq) == 0 )
> {
>     die("
>     <h3>{$set['game_name']} Error</h3>
>     Invalid username or password!<br>
>     <a href=login.php>> Back</a>
>     ");
> }
> else
> {
>     $_SESSION['loggedin'] = 1;
>     $mem=$db->fetch_row($uq);
>     $rand_num = rand(1,100000);
>     $_SESSION['multi_login'] = md5($mem['email'].$rand_num);
>     $_SESSION['userid'] = $mem['userid'];
>     $IP = $db->escape($_SERVER['REMOTE_ADDR']);
>     // ... the posted snippet ends here
> }
> ```

This is enough to bring me to tears. You definitely need to hire someone to check over your site in any case because I wouldn't personally trust an unsecured version of McCodes on my servers.
Someone Posted December 22, 2011
Raw post data in a query is very sad indeed. Helped someone using another engine, not sure which, its users table was named grpgusers, it has those all over the place :(
Checked out mccodez.com, thought I'd save myself some time by not programming a game from scratch. Checked out their demo site, registered and logged in to this screen
Good thing I used a username and password combo that I don't use on other sites.
Paul Evans Posted December 23, 2011
> This is enough to bring me to tears. You definitely need to hire someone to check over your site in any case because I wouldn't personally trust an unsecured version of McCodes on my servers.

I don't recall coding that. No script is 100% secure. Look at 2.0.0 compared to 2.0.3 and please tell me there are no security issues fixed, and please, if you say 2.0.3 is insecure, mail me the issues rather than sitting here flapping your mouths, and give me the issues. Everyone knows I'll fix 100% of my code if there is an issue found, but I can't read minds. We are all developers, are we not? It's a piss take when people sit there saying it's insecure and not even report the issues. It's nice when people return the favour, isn't it... I would help any of you with free checks etc. and you sit here saying it's insecure without even messaging me.
rulerofzu Posted December 23, 2011
No, it's a piss take charging money for code you have not tested.
Paul Evans Posted December 23, 2011
I test my code; anything I edited I test, so please do tell what part you hacked which I edited.
Spudinski Posted December 23, 2011
> Good thing I used a username and password combo that I don't use on other sites.

You are just ignorant.
@Paul: If this was because of your work, then you are to blame. And then stop being full of yourself and just admit defeat this once. Other websites with your code are also at risk then, and it could come down to you if they get hacked. Find the problem, and fix it man.
Paul Evans Posted December 23, 2011
I give the floor to people with suggestions on how it may be better secured or to report such insecurities in the script. It is true I spent about 2 weeks going through the script, and even in that time I'm sure I never found every single little imperfection in the script, although I can say I found more security holes in those 2 weeks than I even considered possible when I originally got the script. I patched output and input on many things; as I recall I actually considered restructure a few times. Which is where I came up with the idea of redux, to sort out the structure and basically make it easier for a developer to find things. Sadly some people did take this as a more difficult approach to the script and dismissed it. I really appreciate your time to write out your views and thank you for taking the time, unlike other people who basically just said 'it's ****' and flamed it.
NOTE: while restructuring redux I did a lot more work on the sql and sanitized a lot of stuff.
Danny696 Posted December 23, 2011
> I give the floor to people with suggestions on how it may be better secured or to report such insecurities in the script. It is true I spent about 2 weeks going through the script, and even in that time I'm sure I never found every single little imperfection in the script, although I can say I found more security holes in those 2 weeks than I even considered possible when I originally got the script. I patched output and input on many things; as I recall I actually considered restructure a few times. Which is where I came up with the idea of redux, to sort out the structure and basically make it easier for a developer to find things. Sadly some people did take this as a more difficult approach to the script and dismissed it. I really appreciate your time to write out your views and thank you for taking the time, unlike other people who basically just said 'it's ****' and flamed it.

You say you patched input and output on many things, I'm guessing you missed at least a major one, probably a lot more. Now, you say it's down to the community. Well, you're wrong. It is us who pays $100+ for McCodes, and $300 previously, why would we pay $400+ for something that isn't far enough advanced to make a useable game, never mind the fact we have to go through each file, and secure it again, after we shelled out extra for someone to secure it. If I hired a programmer to make me something, and they said it was secure, why would then I need to point out security flaws in said product. You're going about this all wrong Paul. Admit that you have missed something, take it on the chin. It's not our fault that we paid for something advertised as secure, and didn't point out flaws when you as the programmer shouldn't have left them there in the first place. All the greatest people have made mistakes, what makes them different is that they admit it, try and find a way to fix it, and get back on with their job. You need to do the same.
Paul Evans Posted December 23, 2011
Spud, I would never admit defeat, it's not over. Danny, I missed something? I love this, I really do. I spent, as I said, 2 weeks on the project and in that time I found multiple issues people on MWG hadn't even known about, because I know this due to helping multiple people in the past with security checks on their projects. I really don't mind if you guys say it's insecure. I don't see one case of people hacking a website using 2.0.3 and no one's even given an example of the insecurity in the script, but yet they are complaining. I mean Danny, you personally provide me one insecurity in the script and the way you'd hack it. ^only one mate, should be easy considering the script is SO INSECURE.
This is a community. No, it's not your place to secure the script, but as a community you should better the script for other people. It's quite selfish of someone to say it's insecure but to never give an example or even give suggestions to the developers of the script. Microsoft have a report a bug program and so does firefox, google, facebook, should I go on? They depend on people reporting bugs, as does MC, but it seems the community has twisted in bitterness of the time between mc releases. They outsourced mc 2.0.3 to me, which is a large improvement on 2.0.2b, but I have been away lately, yes, and I'm sure a lot of you were a little pissed I got the job and you didn't. I did my best at the time with limited time period and it actually works a lot better than previous versions. Mc v3 is going to be released soon I hear, and then you guys can go forth and complain about something else.
Danny, I'm sure your engine will be quite impressive. I'll be sure to pay special attention to it just as you have with .3, I always repay favours, but like I said earlier 100% security is impossible. I will find issues in your script just as you will with my project, but the difference is you produced yours from scratch; I worked with an already commercial script which already had many haters who, even if they got the most secure script in the world, would never be happy. I will although help with any insecurities in your script, because I'm not the type of person to just say it's insecure, I help.
bineye Posted December 23, 2011
> Microsoft have a report a bug program and so does firefox, google, facebook, should I go on?

Let's put this in perspective though. For the cost of the MCC engine, you could buy a legitimate copy of an entire operating system from Microsoft, not just a few scripts, and that's a hell of a comparison to make. And Google and Mozilla offer their apps (Chrome and Firefox) for free, and as such we cannot sit and make complaints about something we get for free. When you charge $100 when they charge $0, you cannot sit there and make comparisons to them. For $100 a license, you have to be open to criticism where it is due.
Spudinski Posted December 23, 2011
@Paul, it is over - you lost. But whether you can continue with securing MCC is another part of it. I know you are a very talented programmer, I've seen your work before. I don't agree with people criticising the way they do, but as Octarine said, there is no other way to communicate with the MCC developers. I myself have tried to contact ColdBlooded on a few occasions, and the only time he ever replied was when it was about something entirely different than the code. They aren't very responsive, and an approach towards fixing that aspect of MCCodes will benefit them. Octa made a good suggestion for a solution, a bug tracker.
Paul Evans Posted December 23, 2011
> A thought however crosses my mind here. Were we, the community, to better the script, then it is the developers that ultimately gain, not the users who have paid and will probably keep paying for the privilege of an insecure script. Redux being a case in point here.

Worrying statement that. By helping a developer of a script you help all buyers of the script, including yourself. Updates are free; actually 2.0.3 was free to all people who bought v2.0 up over, so I don't see a single profit to developers on reporting bugs rather than new sales of the script, but if a community was so nice to report bugs in a script they complain about then maybe there would be less complaining and more improvements made to the overall script in question.
EDIT: Spud, yes, a bug tracker is a very very good solution, I will put the suggestion forward to CB myself. I have said a few times I would personally take bug reports via mail on here and sort them ready for a new release of mcc v2 patch.