It's a start...
So, I have a game I've been working on, and it is about ready for some testing. I don't have all systems up and running, but I would really appreciate if some people could take a look, and maybe try a bit of SQL injection and any other kind of exploits they can think of (Yes, I have a backup). Here is a clicky to the game: Clicky
Re: It's a start...
OoZI wrote:
So, I have a game I've been working on, and it is about ready for some testing. I don't have all systems up and running, but I would really appreciate if some people could take a look, and maybe try a bit of SQL injection and any other kind of exploits they can think of (Yes, I have a backup). Here is a clicky to the game: Clicky

It's a great start indeed. I found an exploit: check my file, I've got infinite cash. You just enter a negative amount when putting cash in the bank. Nice job so far, it is interesting.
I'll let you know if I find any more exploits when I have time.
Last edited by Torax on Thu Jan 03, 2013 9:50 pm, edited 1 time in total.
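The negative-deposit bug Torax describes is a missing input check on the bank form. The following is an added example, not the game's own banking code: it shows the pattern that yields the behaviour he reports beside a hardened deposit handler. The `players` table, its `id`/`cash`/`bank` columns and the `$pdo` connection are assumptions for illustration.

```php
<?php
// Added example (not the game's own banking code). Assumed schema: a `players`
// table with integer columns `id`, `cash` (wallet) and `bank`; $pdo is a PDO
// connection to it. Table and column names are illustrative.

// Pattern that reproduces the "infinite cash" bug: the raw form value is used
// as-is, so amount = -500 turns `cash - (-500)` into cash + 500 while the bank
// balance goes negative. The player has minted money out of nothing.
function deposit_vulnerable(PDO $pdo, int $playerId, string $amount): void
{
    $pdo->exec("UPDATE players SET cash = cash - $amount, bank = bank + $amount WHERE id = $playerId");
}

// Hardened deposit. Returns true only if the money actually moved.
function deposit(PDO $pdo, int $playerId, string $rawAmount): bool
{
    // 1. Whitelist the shape of the input: an unsigned integer, at least 1.
    //    Rejects "", "0", "-500", "+500", "1e9", "5.00", " 500" and similar.
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $rawAmount)) {
        return false;
    }
    $amount = (int) $rawAmount;

    // 2. Check the balance and move the money in ONE statement. The WHERE clause
    //    is the funds check, so two simultaneous submits of the same deposit
    //    cannot both succeed: the second UPDATE simply matches no row.
    //    Distinct placeholder names are used because native MySQL prepares do
    //    not allow the same named parameter twice.
    $stmt = $pdo->prepare(
        'UPDATE players
            SET cash = cash - :debit, bank = bank + :credit
          WHERE id = :id AND cash >= :minimum'
    );
    $stmt->bindValue(':debit',   $amount,   PDO::PARAM_INT);
    $stmt->bindValue(':credit',  $amount,   PDO::PARAM_INT);
    $stmt->bindValue(':minimum', $amount,   PDO::PARAM_INT);
    $stmt->bindValue(':id',      $playerId, PDO::PARAM_INT);
    $stmt->execute();

    // 3. One affected row means success; zero means insufficient funds or no such player.
    return $stmt->rowCount() === 1;
}

// Withdrawals mirror this exactly: validate the same way, then
// SET bank = bank - :debit, cash = cash + :credit WHERE id = :id AND bank >= :minimum
```

The important part is that the balance check lives in the `WHERE` clause of the same `UPDATE` that moves the money, rather than in a separate `SELECT` followed by an unconditional write; a read-then-write pair can be raced by submitting the form twice.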
Re: It's a start...
OoZI wrote:
Well, thanks for that. I'll fix it ASAP.

No problem. I've also got a little bit of advice. If it's possible you should make it so a visitor can't view work.php etc. while they are not logged in. I was working and it said I had 20 minutes left, so I waited the 20 and by the time it was done my session had expired, and when I refreshed I got this:

You are currently working as a . You have -22620803 minute(s) left.

because I was actually logged out but still able to view work.php.
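What Torax saw is a logged-in page rendering with no player record behind it; the figure of roughly -22.6 million minutes is about 43 years, which is consistent with an end time read as zero (the Unix epoch) and subtracted from a date in early 2013. The following is an added example, not the game's auth.php, of the two pieces that stop that: a guard that runs before any page logic, and a status function that refuses to compute with a missing row or an unset timer. The session key `player_id`, the `job` and `work_ends_at` columns and the file names are assumptions.

```php
<?php
// Added example (not the game's auth.php). Assumptions: login stores the
// player's id in $_SESSION['player_id']; `players` has a `job` column and a
// `work_ends_at` column holding the Unix timestamp at which the shift ends.
// All names are illustrative.

// ---- auth_guard.php: the first thing every logged-in page includes
//      (work.php, bank.php, ...), before any output or game logic.
session_start();

if (empty($_SESSION['player_id'])) {
    // No session (never logged in, or it expired while the timer ran):
    // bounce to the login page BEFORE any game logic touches a player record.
    header('Location: login.php?expired=1', true, 302);
    exit;                       // header() does not stop the script; exit does
}
$playerId = (int) $_SESSION['player_id'];

// ---- work.php, after `require __DIR__ . '/auth_guard.php';`
function work_status(PDO $pdo, int $playerId, int $now): array
{
    $stmt = $pdo->prepare('SELECT job, work_ends_at FROM players WHERE id = ?');
    $stmt->execute([$playerId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // The session points at a player that does not exist: treat it as
        // logged out instead of rendering "working as a ." with null fields.
        $_SESSION = [];
        session_destroy();
        header('Location: login.php', true, 302);
        exit;
    }

    // Clamp at zero. A NULL or unset end time would otherwise be cast to 0 and
    // print a huge negative number of minutes (the time elapsed since 1970).
    $secondsLeft = max(0, (int) $row['work_ends_at'] - $now);

    return [
        'job'          => (string) $row['job'],
        'minutes_left' => (int) ceil($secondsLeft / 60),
        'finished'     => $secondsLeft === 0,
    ];
}

// $status = work_status($pdo, $playerId, time());
// echo 'You are currently working as a ' . htmlspecialchars($status['job'])
//    . '. You have ' . $status['minutes_left'] . ' minute(s) left.';
```

One caveat worth knowing for a game built around 20-minute waits: PHP's default `session.gc_maxlifetime` is 1440 seconds (24 minutes), so a player who starts a shift and comes back after the timer is right at the edge of having their session collected. Raising that value (and the cookie lifetime) in the session configuration avoids the "logged out while waiting" experience without weakening the guard above.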
Re: It's a start...
Yes, I was working on my authorization script, so that has been doing that to me as well. I also fixed the banking problem.
EDIT: auth.php has been fixed and restored.
Re: It's a start...
Glad to hear it. If you need any testing for other exploits I will try to help in my free time when I'm not working on my own game.
Re: It's a start...
I tried to register and got this:
Warning: mysql_connect() [function.mysql-connect]: Can't connect to MySQL server on 'mysql.hosting.zymic.com' (4) in /www/zzl.org/m/e/r/merchant-marine/htdocs/connect.php on line 3
Could Not Connect
??
- Jackolantern
- Posts: 10891
- Joined: Wed Jul 01, 2009 11:00 pm
Re: It's a start...
Looking good so far! I tried a bit of SQL injection to no avail, but I am definitely not an expert.
My main feedback concerning the game is a bit of a lack of activities to do in the beginning. When you first register and select a ship, really the only thing you can do is select to work within your class, and then wait out the 20 minute timer. I am not sure if a user who just registered to play the game will be patient to come back in 20 minutes. Perhaps allowing the player to select how long they want to work could help.
Aside from that, very neat idea and I like it
The indelible lord of tl;dr
Re: It's a start...
I did a bit of SQL injection, but it looks like I wasn't able to drop a table. However, I was able to log in with "DROP TABLE" and no password (no registration with this attempt). What happened, though, was that DROP TABLE became the user name.
What I would recommend is that you have a name filter for user names, to prevent not only SQL attacks but also offensive words, as well as spammers. If you do not have one, I could dig mine up and let you modify it to suit.
Sign off,
Hamilton
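Two posts above raise things a login script should get right: the registration attempt that printed the full `mysql_connect()` warning (database host and absolute path on disk included), and Hamilton's note that "DROP TABLE" with no password got him logged in as a user of that name. The following is an added example, not the game's connect.php or login code, showing a connection that fails closed without leaking details, a username filter of the kind Hamilton suggests, and a login that uses a prepared statement so that the filter is a policy choice rather than the only thing standing between user input and SQL. It targets PHP 7.1 or later (the `mysql_*` functions were removed in PHP 7.0; PDO replaces them). The `users` table, its columns, the DSN constants and the use of `password_hash()` are assumptions.

```php
<?php
// Added example (not the game's own connect.php or login code). Assumptions:
// a `users` table with `id`, `username` and `password_hash` columns, passwords
// stored with password_hash(), and the placeholder credentials below.

const DB_DSN  = 'mysql:host=localhost;dbname=merchant;charset=utf8mb4'; // placeholder
const DB_USER = 'gameuser';                                             // placeholder
const DB_PASS = 'change-me';                                            // placeholder

// ---- connect.php: never render PHP warnings to the visitor; log them instead.
//      The original warning exposed the DB host and the absolute path on disk.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

function db_connect(): PDO
{
    try {
        return new PDO(DB_DSN, DB_USER, DB_PASS, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]);
    } catch (PDOException $e) {
        error_log('DB connect failed: ' . $e->getMessage());   // details stay server-side
        http_response_code(503);
        exit('Could Not Connect');                              // generic text only
    }
}

// ---- Username policy: letters, digits and underscore, 3 to 20 characters.
//      This is the "name filter" Hamilton suggests. It rejects "DROP TABLE"
//      (the space alone fails it), but it is NOT the SQL injection fix;
//      the prepared statement in login() is.
function valid_username(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,20}$/', $name);
}

// Vulnerable pattern, shown for contrast only (do not use):
//   $sql = "SELECT * FROM users WHERE username='$u' AND password='$p'";
// With $u set to  ' OR '1'='1  the WHERE clause is true for every row.

// Returns the player's id on success, null on any failure. Never creates a user.
function login(PDO $pdo, string $username, string $password): ?int
{
    if (!valid_username($username) || $password === '') {
        return null;                       // empty passwords are refused outright
    }
    // Parameterised: the username is sent as data, never spliced into SQL text,
    // so quotes, comment markers and keywords inside it are inert.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password fail the same way.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Usage (assumed form field names):
//   $pdo = db_connect();
//   $id  = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
//   if ($id === null) { exit('Login failed'); }
//   session_regenerate_id(true);
//   $_SESSION['player_id'] = $id;
```

The same prepared-statement pattern has to be applied to every query that takes user input (registration, the bank, the work page), not only the login; a username filter protects one field, a parameterised query protects the statement regardless of which field the attacker reaches.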