Posted: Sun Apr 23, 2006 6:24 pm
by Christopher
Dear R4000, I don't know who you are or what you know, but web security is a fairly mature body of knowledge. If you are some hot-shot enterprise developer with years of experience developing web apps, then we could probably learn a thing or two from you. However, if I posted some code and Jcart had some serious concerns about it I would first search the internet to find out as much as I could about what he was talking about. I would then I pick his brain to find out more and hopefully learn something.
Posted: Sun Apr 23, 2006 7:06 pm
by d3ad1ysp0rk
R4000 wrote: Although I totally agree with the fact it is not needed, and does not really have any real protective value.
These projects are using it to stop the simple things like I said before... what if you code with register_globals off? (as I do), but then some IDIOT with it on, installs your project. Yes, you could code around that.
hmm?
When you develop the right way (register globals off, state checking, etc), turning register globals ON wouldn't matter.
It's when the opposite happens (bad coding + having it on to begin with).
Posted: Mon Apr 24, 2006 12:37 am
by Burrito
Why don't you seed your encode with some salt and then md5 it to make a random hash? That hash would only last the lifetime of that page load, so if they refreshed it, it's gone. That should take care of your concerns. You could also add the player's unique ID (from session?) to the hash so other users couldn't hit the same URL to boost their 'stats'.
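As an added illustration of the scheme Burrito sketches (this is not his code, nor from any project in the thread): a per-page-load action token bound to the player's session, stored server-side and spent on first use, so a refreshed or shared URL fails. It swaps md5 for SHA-256 and random_bytes(), and uses a plain $session array in place of $_SESSION so it runs from the command line; the function names and the 'collect_gold' action are assumptions.

```php
<?php
// Added example: one-time action tokens for a PHP browser game.
// The real protection is the server-side store and single-use check,
// not the hash itself; the hash just gives an unguessable link value.

function issue_action_token(array &$session, string $action): string
{
    // Fresh random salt on every page load.
    $salt = bin2hex(random_bytes(16));
    // Bind the token to this player so another user can't reuse the URL.
    $token = hash('sha256', $salt . '|' . $session['player_id'] . '|' . $action);
    // Remember the pending token server-side, keyed by action name.
    $session['action_tokens'][$action] = $token;
    return $token;
}

function consume_action_token(array &$session, string $action, string $supplied): bool
{
    $expected = $session['action_tokens'][$action] ?? null;
    if ($expected === null) {
        return false; // never issued for this player, or already spent
    }
    // Single use: forget it before comparing, so a refresh can't replay it.
    unset($session['action_tokens'][$action]);
    // Constant-time comparison of the stored and supplied tokens.
    return hash_equals($expected, $supplied);
}

// Constructed demo session in place of $_SESSION: player 42 loads the page.
$session = ['player_id' => 42, 'action_tokens' => []];
$token = issue_action_token($session, 'collect_gold');
$url = '/collect.php?action=collect_gold&token=' . urlencode($token);
echo "Link for player 42: $url\n";

// First use of the link from the issuing player's session.
var_dump(consume_action_token($session, 'collect_gold', $token));
// Refreshing the same URL presents a token that has already been spent.
var_dump(consume_action_token($session, 'collect_gold', $token));
// The same URL hit from a different player's session, which never issued it.
$other = ['player_id' => 7, 'action_tokens' => []];
var_dump(consume_action_token($other, 'collect_gold', $token));
```

In a real page the store would be $_SESSION after session_start(), and the token would be regenerated on every render of the action link.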
Posted: Mon Apr 24, 2006 3:49 am
by Maugrim_The_Reaper
The base64 acrobatics (and I agree that a few people swear by them) don't add anything extra. Though I'm a fan of stating that security by obscurity is a valid security practice, in this case the benefit is minimal. You should focus instead on the state checks and other logic behind the how and why of the action to ensure it's valid. You should also keep in mind that coding errors should NOT be obscured - let them hang out there for users to find and report so they can be fixed. That's hard to accept for some people when you're talking about a game where bugs can equate to cheats for players to exploit - but it's the fastest way to finding issues.
Step by step navigation checks:
I've debated this one a few times on my own game project. For the moment it's not in use, but definitely if your game is an RPG style where players must be restricted to a preset sequence/map of actions, then use it. It depends a lot on the design of the game IMO whether it's needed. There are opinions that it can indirectly lead to a lack of proper state checks for such actions, which if the nav check system failed would allow players to cheat more easily, and others to exploit the system. I'm of two minds about using it - but it's worked in Legend of the Green Dragon (other OS RP) for a while without issues...
Watch your signup bonuses or freebies:
Be careful of freebies or signup bonuses or referral rewards or... (long list). Many have been exploited in the past with numerous well-exercised methods. Some games have lost the plot completely and legitimised the exploitation of their bonus systems. A classic example is "Kings of Chaos" where a "clicker" app (three at last count) can exploit the referral system to grant you large numbers of bonus troops. I have a friend at college who studied the phenomenon of KoC's legitimised clicker policy and discovered it's quite easy to reach high rankings using the exploit with a minimum of effort in-game managing your resources.
Of course, KoC is still hugely popular...
The lesson from this is that many games eventually get plagued by bots or automated player scripts which perform actions (sometimes to a schedule) in place of real user interaction. This is another body of information related to security in PHP - I've barely scratched the surface of those specifically for PHP and more specifically PHP games.
A game without limits is a game without challenge.

Posted: Mon Apr 24, 2006 9:07 am
by R4000
I agree with you mate, it's not the only method of security, and certainly shouldn't be used on its own... but as you said, it does add an extra level of security. And yup, the KoC thing is true... but take for instance, if that clicker had been made when there were only 100 players playing... Then nobody else would have signed up because all the other players could wipe them out without thinking.
Posted: Fri Apr 28, 2006 7:42 pm
by a94060
What game are you making? I read gold etc., sounds a little like RuneScape? Is it up yet?
Sorry for going off topic.