
[SOLVED] Help me Secure this script.


Gayner


I have a poker PHP script, and right before u play a hand u bet 1,2,3,5,6 amount of Gold you have.

But people can simply use the Tamper Data plugin for Firefox and just edit the amount bet and win all that 632463246346 Gold. Is there a way to stop this?

Thanks.

 

 

Thanks....


You're saying they can edit the data sent to your php server? the POST data? if so... use http://www.php.net/pcre to make sure their input is what you want... for tutorials there is a GREAT one which is the one that taught me... right on the phpfreaks tutorials page

Not sure what you're asking

LIKE do i have to use mysql_real_escape_string around each thing that gets updated so people can't edit the POST data form... ?? if so can u show me.

well first of all you always wanna mysql_real_escape_string, and second you can't really protect what's sent.. you can only check what is received to see if they messed with it.. i can explain more if that's what you want to learn how to do


If I use mysql_real_escape_string and they try to edit data, will it still be sent?

ok... if you're gonna insert data into a database use mysql_real_escape_string cuz it puts \ in front of anything that can allow them to edit your query..

in your case.. you can't stop them from editing what they send.. but you can check what they sent...

for example.. they enter their e-mail in a form and submit it... then you will check to make sure it's an e-mail..

if(preg_match("/^[a-z0-9_\-]+@[a-z0-9_\-]+(\.[a-z0-9_\-]+)+[a-z]{2,4}$/i", $e_mail)){

in your case.. you can make sure it's 1-6

if(preg_match("/^[1-6]$/i", $test)){


Yeah I know, I just want them to not be able to have more than 10 in the bet field, possible to make it so

If they input a higher number than 10, it just says something else?

 

Also, why use "'" .mysql_real_escape_string($values) . "'" this?

 

I thought "'" .mysql_real_escape_string($values) . "'" would make it so they can't edit values??

only mysql_real_escape_string a variable if it's gonna be inserted into a mysql table....

for your case bro do...

if(preg_match("/^[1-10]$/i", $GOLDAMOUNT)){
//They didn't hack
}else{
//They edited their gold so give error message or IP ban them
}

 

the code above will make sure that $GOLDAMOUNT = 1-10

 

.. let me know if this solved the problem...

Well that firefox extension looks like an add-on that should be banned lol

 

Just installed it and it makes it way too easy to alter... glad I always validate what is being POSTED before I do anything with it  :examine:

 

same here bro, i always validate my input data before letting it be used... lol most of the time I'm lazy and do a whole site then go back through and safeguard it all...


Isn't there a way I can validate everything, so they cannot edit post data? Only data from php? I don't feel like going through 4k lines of this code to validate all the pieces of inserts to mysql, lmao through POST.

I would assume using SSL would help this further... but at a cost (both $dollars and speed).

 

But yes, anything that is being retrieved from one page by another.. should be examined before using

(I'd never pay child support without proof of purchase  8))

if(preg_match("/^[1-10]$/i", $betd)){
echo "Good Boy $betd";
}else{
echo "Why u hacking? $betd";
}

 

My input is 3, and it's showing Why U hacking?

 

 

This script not working right u gave me, lol

 

oh ya that's wrong lol my bad.. it would be 1-9 but then it still doesn't help you... try using if statements: if($betd >= 1 && $betd <= 10)
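
An added example (not code from the thread) of the server-side check the replies are working toward: the bet is validated as an integer in range and against the player's stored balance, and the constructed inputs also show what the `[1-10]` pattern from the thread actually matches. `validate_bet()`, the balance of 8 and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: validate_bet() and all sample values are hypothetical.

/**
 * Return the bet as an int when it is a whole number from 1 to $maxBet that
 * the player can afford, or null when the request must be rejected.
 * $rawBet is the untrusted value from $_POST; $balance must be read from
 * server-side state (database or session), never from the request.
 */
function validate_bet($rawBet, int $balance, int $maxBet = 10): ?int
{
    if (!is_string($rawBet)) {
        return null;                      // missing field or bet[]=... array
    }
    $bet = filter_var($rawBet, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $maxBet],
    ]);
    if ($bet === false || $bet > $balance) {
        return null;                      // not an int in range, or unaffordable
    }
    return $bet;
}

// Constructed inputs, as a tampered POST body could deliver them.
$samples = ['3', '10', '0', '11', '632463246346', '-5', '3.5', '1 OR 1=1'];
$balance = 8;                             // constructed server-side gold balance

foreach ($samples as $raw) {
    // The thread's pattern: [1-10] is a character class matching only "0" or "1".
    $threadRegex = preg_match('/^[1-10]$/', $raw) === 1;
    $bet = validate_bet($raw, $balance);
    printf(
        "%-14s regex [1-10]: %-6s validate_bet: %s\n",
        var_export($raw, true),
        $threadRegex ? 'pass' : 'reject',
        $bet === null ? 'reject' : "accept $bet"
    );
}
```

Because the function returns an int, the value can be bound to a prepared statement as an integer instead of being escaped into the query string.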
