Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[JanArve]

Hello all,

I bought v2 some time ago, but due to too many projects and too little time I just got around to looking at starting it up.

However, there is something that concerns me a lot! And that is the security of the script, when buying, obviously I expected the script to be as secure as possible as I've paid $300 for it, but everywhere I turn I read about more and more security flaws.

Personally I'm no expert in php and even less when it comes to securing the script.

I would be very interested in knowing exactly how the script is unsecure, and how to fix it. Now, I'm not looking for someone to do it for me, I'm asking for a guidance so I can know what to look for.

For example: "every page where the script does this or that opens it up for this type of attack".

If anyone can tell me such information I would be most gratefull.

Thank you all very much for your time.

[strats]

Yea I wasn't too happy with paying for V2 and getting so many problems

[Danny696]

Event Post and Get variable,  needs to be secured, The main problems are Cmarket, Forums, IP hack, and prefs hack.

[JanArve]

So you're telling me that not even POST and GET are secured?

Thanks for the main problems, do you know what the lesser problems are?

[JoshuaDams]

A list from me to you.

Secure the following

All $_GET and $_POST variables

If its an integer  abs(@intval

if it's a string   mysql_real_escape_string or $db->escape (use MRES)

Top Priorities
$IP above all else

1.  Cmarket.
2.  Forums.
3.  Userlist
4.  Preferances.
5.  Player Report
6.  Bug Report ( if you have )
7.  Viewuser
8.  Player Ads ( if you have )
9.  Item Shops / itemuse/itembuy.php
10. Use sprintf to clean and trim all data.
11.  Secure and Re-name all staff_.php files, stick em in a folder and lock em up.
12.  Secure your crons to keep people from running them twice.


If you are unwilling or unable to do all of the above and then some,  Delete public_html and get a new hobby or hire a professional, that's what we're for

Hope that helps.

cheers

[JanArve]

Thank you very much for that list!

And it does appear like I will never get enough time to actually secure the script myself, so if there are any guns for hire, feel free to PM me your quote for a full makeover on the basic script (If I do hire, I will most likly hire the same person again to go over the code another time when I've made the custom work on it, template and whatnot)

[JoshuaDams]

Sadly the McCodes engine should have came with a warning label titled

All Files Insecure: Please secure yourself or have someone do this for you.  Sincerely --Da dumbstew.

[JanArve]

I agree, had I known in advance the troubles involved in getting mccodes up and running I would have saved my money.

But as I have spent the money, and the script would be collecting dust anyways I would like to get a site running, but I do not care much for spending my time chasing cheaters and doing backups, so I'd rather spend some extra time (or dollars) to get it secure before I start.

Thanks for all that have replied and all those who have and will send me offer for securing the script.

Jan

[JoshuaDams]

Yep, Pm sent, go over it

[dominion]

i was like this paid for a script and went away for a while due to family stuff come back 3 years later(i think) and it sucks lol thank fully i had some php back round did plan on paying someone cos i was lazy but did not work out to well i think when it came out php4 was the best php thing so mccodes was good and kind of secure just as time went on anyways as this is not helping heres a nice list of links

cmarket-
http://www.cronwerks.com/forum/cronwerks-free-mccode-mccodes-mods/(mccode)-secured-crystal-market/

forums
http://www.cronwerks.com/forum/cronwerks-free-mccode-mccodes-mods/(mccode)-secured-advanced-forums/

ip hack fic
http://www.cronwerks.com/forum/free-user-created-mccode-mccodes-mods/secure-the-$ip-variable-on-your-game/

there is one more link however i have never tested it and your always better off fixing every file
http://www.cronwerks.com/forum/free-user-created-mccode-mccodes-mods/anti-sql-injection-function/

[dominion]

o yea and go and look at peoples posts on mwg that you know can code lol no idea how long i looked at peoples codes picking up ideas i like php self now saves updateing links

[JoshuaDams]

silly double poster you


only thing that sucks about starting on this board is my post count is that of a nooby :|

Gonna have to change that ><

There is far to much to do to secure your game.  You can do basic fixes as stated, but there are reasons people like magictallguy charges in excess of 800.00 to secure an engine ;P

and even that isnt "full proof"

There's just no such thing.

[dominion]

silly double poster you


only thing that sucks about starting on this board is my post count is that of a nooby :|

Gonna have to change that ><

There is far to much to do to secure your game.  You can do basic fixes as stated, but there are reasons people like magictallguy charges in excess of 800.00 to secure an engine ;P

and even that isnt "full proof"

There's just no such thing.

there i changed post 2 to something that may help lol (think i pressed f5 )
and nope but learning as you go can help but i dont think basic mccodes is good for that

[JoshuaDams]

Basic mccodes has more holes in it than swiss cheese

[Danny696]

Sprintf, doesnt not secure as much as you think, and will also slow down your script,