[PHP]Secure your game

stefans
Posts: 48
Joined: Wed Sep 14, 2011 7:14 pm

[PHP]Secure your game

Post by stefans »

Hello all,
I want to tell you something about how you can secure your game and why you should.
So the two dangerous things I know are mysqlinject and XSS (Cross site scripting).

Let's talk about mysqlinject first.
So what is mysqlinject?
Mysqlinject is code used by someone who wants to do bad stuff XD
They get stuff out of your database just by simple code.
This can happen in all kinds of ways,
e.g. index.php?id=1: the user can put whatever he wants after ?id=, because you will read the id and (maybe) get it out of the database.
This can also happen via simple login or register forms, so in a login form, if your code is
$mysql_query = ("SELECT * FROM users WHERE username = '".$_POST['username']."' AND password = '".$_POST['password']."'");
if someone enters something like ' OR '' or something (I can't mysqlinject, so..) he can log in to any account.

How do I protect my site?
Use mysql_real_escape_string.
How do I use it?
$username = mysql_real_escape_string($_POST['username']);

Now I'm going to talk about XSS (Cross site scripting).

What is XSS?
XSS is inserting any other code (mostly JavaScript, I think) into a text box or something,
and this could really have bad results, like when a user registers his username as JavaScript code that links to another site.
Every time your username is on a page it will redirect everyone on that page to the other website,
because the JavaScript code will be included on every page where the username stands.

How do I protect my site?
Well, actually it's really easy:
htmlentities($_POST['username']);
So what does it do?
It converts all the HTML characters to plain text,
so when you enter something like <b>Hello</b> it will print it out as <b>hello</b> and will not execute the script (hello),
and the more you secure, the better.

I hope this helped you a little bit =)
Current project: http://www.mmtycoon.eu
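As an added example (editor's code, not stefans' own), here is the login query from the post rewritten so that user input never becomes part of the SQL text, together with output encoding for the XSS case. It uses PDO prepared statements rather than mysql_real_escape_string (which later PHP versions removed; mysqli_real_escape_string is the surviving equivalent), and stores a password hash instead of the plain password. The table name `users`, the column `password_hash`, the in-memory SQLite database standing in for MySQL, and the helper names are all assumptions made for the example.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 7.4+ with the
// PDO and pdo_sqlite extensions; the `users` table and column names are hypothetical.

// Safe lookup: placeholders keep data separate from SQL, so the post's
// "' OR ''" input is compared literally as a username and matches nothing.
function findUser(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a stored hash; never compare plain passwords in SQL.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Output encoding for XSS: encode when the value is written into HTML, not when
// it is stored, so the database keeps the real username and every page that
// prints it stays safe. ENT_QUOTES also covers values placed inside attributes.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed setup: an in-memory SQLite database stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec(
    'CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)'
);
$insert = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
// A username containing markup, like the post's <b>Hello</b> example.
$insert->execute([
    ':u' => '<b>Hello</b>',
    ':h' => password_hash('secret', PASSWORD_DEFAULT),
]);

// The injection attempt from the post is now just an unknown username.
var_dump(findUser($pdo, "' OR ''", "' OR ''"));

// The real user logs in, and the stored markup is rendered as text, not HTML.
$user = findUser($pdo, '<b>Hello</b>', 'secret');
echo '<p>Welcome, ' . h($user['username']) . "</p>\n";
```

The point to keep from this: escaping is something applied at a boundary (the SQL text, the HTML page), and the escaping has to match the boundary. A prepared statement removes the SQL boundary problem entirely, and `h()` is called at the moment the value reaches HTML, so there is nothing to "stripslashes" back out later.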
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: [PHP]Secure your game

Post by Jackolantern »

Nice info! :)
The indelible lord of tl;dr
Zettiee
Posts: 17
Joined: Wed Oct 12, 2011 8:13 am

Re: [PHP]Secure your game

Post by Zettiee »

You can do so much more to secure a game :)

Here's some other things to stop cheaters:

Whenever they are inputting a number for stats/money, or just a number,
use abs();

How to use:
$_POST['amount'] = abs($_POST['amount']);


You can also addslashes();

This adds slashes (/) whenever they input a (').

But the user will see these slashes. To solve that, on the output of data in vars use stripslashes();

:P
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: [PHP]Secure your game

Post by Jackolantern »

There are volumes and volumes of knowledge out there on securing web applications, so obviously one forum post could never cover it all. However, determining what security to use is a balancing act between security and usability (and sometimes efficiency). You can close up your application and server like Fort Knox, but it can make it so mind-numbing for users to deal with it that it can become a turn-off.

For making simple PBBGs, your best weapon is a good, all-purpose scrubbing function. It should clean the text of SQL-injection attempts, be able to take input and clean it for output to the page to prevent XSS, take in a variable as well as a range (the range could be optional parameters) of possible values and only return the variable value if it is indeed within that range, to prevent buffer overflow attacks (no, PHP is not immune to them, regardless of what some say), etc. A clever dev could put all this in one function and make it multi-purpose through IF/ELSE structures, optional parameters and more.

The easier your scrubbing function is to use, the more liable you are to use it. So you should aim for it to all be in one include file, and ideally, all contained in one or a handful of functions. If you make a huge tool chest of functions for every possible purpose, you will probably tell yourself "Well, I don't want to go through it now to remember what to use and how to use it, so I will add the security later", and we all know that will never happen.
The indelible lord of tl;dr
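As an added example (editor's code, not from any post in this thread), here is the range-checking scrubbing helper Jackolantern describes, applied to the numeric stats/money input Zettiee's post covers with abs(). The difference in approach: a value that is not a whole number inside the allowed range is rejected outright instead of being repaired, because a negative or oversized amount is a sign of tampering rather than a typo. Function names, the transfer form fields, and the limits are assumptions for the example; it needs PHP 8 for the `mixed` type.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 8.0+.
// Helper names, form fields and limits are hypothetical.

// Returns the integer when $value is a whole number within [$min, $max],
// otherwise null. FILTER_VALIDATE_INT rejects floats, "1e3", leading junk,
// empty strings and nulls, so the caller gets a clean int or nothing.
function cleanInt(mixed $value, int $min, int $max): ?int
{
    $int = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $int === false ? null : $int;
}

// Returns a trimmed name made only of letters, digits and underscores, at most
// $maxLen bytes long, otherwise null. Restricting the character set up front
// means markup and quotes never get stored in the first place.
function cleanName(mixed $value, int $maxLen = 20): ?string
{
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9_]+$/', $value) === 1 ? $value : null;
}

// A money-transfer form: the amount must be a positive whole number that the
// sender can actually afford, and the recipient must be a well-formed name.
// Returns the scrubbed fields, or null to reject the whole request.
function validateTransfer(array $post, int $balance): ?array
{
    $amount = cleanInt($post['amount'] ?? null, 1, $balance);
    $to     = cleanName($post['to'] ?? null);
    if ($amount === null || $to === null) {
        return null;   // reject; do not "fix up" a bad value with abs() or casts
    }
    return ['amount' => $amount, 'to' => $to];
}

// Constructed inputs standing in for $_POST, with a sender balance of 1000.
var_dump(validateTransfer(['amount' => '250',  'to' => 'stefans'], 1000));   // accepted
var_dump(validateTransfer(['amount' => '-250', 'to' => 'stefans'], 1000));   // negative: rejected
var_dump(validateTransfer(['amount' => '5000', 'to' => 'stefans'], 1000));   // over balance: rejected
var_dump(validateTransfer(['amount' => '1e3',  'to' => 'stefans'], 1000));   // not an integer: rejected
var_dump(validateTransfer(['amount' => '50',   'to' => '<b>x</b>'], 1000));  // bad name: rejected
```

The range check is what abs() cannot give you: abs('-250') silently becomes a valid 250, while an amount above the sender's balance passes abs() untouched. Rejecting and logging the request is also the more useful signal for detecting cheaters, since honest clients never submit those values.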