Php Abuse

Okay, I do not claim to be a PHP or MySQL expert, but what stops somebody from using scripts to change character stats, querying passwords, or other such behaviours? I know there are those of us with some experience, albeit not much in my case, that will be testing these limitations.

What kind of security precautions are there going to be protecting MD?

[quote]<!-- IMPORTANT WARNING: Any attempt of cheating, exploitation, abuse, hacking or any kind
of unauthorised intervention with the game functionality detected by our security systems
will result in immediately and unwarned ACCOUNT BANNING and closure. -->[/quote]

Does this answer your question?

Side effects of MD do not include loss of sleep when not playing. See your doctor.

Seriously though, if something real real bad happens, don't you think Mur would do all he could to undo that? You can't prevent everything, but you can try to fix it when it happens.

[quote name='Fenrir Greycloth' date='30 October 2009 - 06:07 AM' timestamp='1256882872' post='46113']
I would like to see a way to limit what we can do (won't hear that often) so that I (and others) can sleep soundly at night...[/quote]

That's already in place. It's not PHP, it's MDScript. It's run through a parser that checks the functions, and it will only allow the ones MDScript has been programmed to understand. The language is PHP, but there is a big chunk of it missing.

You can't access variables from MD since you can only use pre-allowed ones, so no session vars or anything, and only certain functions have been allowed, so no database operations for us.

It's 99% foolproof, and I make this point: anyone who can access it will not want to drop the entire whatever table. They are smart enough not to do that.

Magicduel has survived SQL injections and the users responsible were not banned because they then helped Mur to fix them. There has only been one incident in the entire history of MD where something was done maliciously and that was to the previous forum.

I think there is no reason to worry about the MDScript.
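Added example, not part of any post in this thread and not MDScript's actual parser: a default-deny validator for a PHP subset of the kind described above, which accepts only known token types, allowlisted functions and allowlisted variables, and also rejects dynamic call targets that a plain function-name check would miss. The allowlists, the function name `validate_script` and the sample scripts are hypothetical.

```php
<?php
// Added illustration, not MDScript's real parser. All allowlists below are hypothetical.
const ALLOWED_FUNCTIONS = ['strlen', 'strtoupper', 'rand', 'count'];
const ALLOWED_VARIABLES = ['$input', '$result', '$i'];
const ALLOWED_LITERALS  = ['true', 'false', 'null'];
const ALLOWED_SYMBOLS   = [';', '(', ')', '{', '}', '=', '+', '-', '*', '/', '.', ',', '<', '>', '!'];
// Token types the subset understands; every other token type is rejected.
const ALLOWED_TOKENS = [T_VARIABLE, T_STRING, T_LNUMBER, T_DNUMBER, T_CONSTANT_ENCAPSED_STRING,
                        T_IF, T_ELSE, T_ECHO, T_IS_EQUAL, T_IS_NOT_EQUAL, T_BOOLEAN_AND, T_BOOLEAN_OR];
const SKIPPED_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
// Token types that must never sit directly before "(": calling through them is dynamic.
const DYNAMIC_TARGETS = [T_VARIABLE, T_CONSTANT_ENCAPSED_STRING];

function validate_script(string $code): array
{
    // Tokenize as PHP, drop the synthetic open tag, then drop whitespace and
    // comments so that "name (" is seen as two adjacent tokens.
    $tokens = array_slice(token_get_all('<?php ' . $code), 1);
    $tokens = array_values(array_filter($tokens, function ($t) {
        return !is_array($t) || !in_array($t[0], SKIPPED_TOKENS, true);
    }));
    $errors = [];
    foreach ($tokens as $i => $tok) {
        $calls = ($tokens[$i + 1] ?? null) === '(';   // token is directly followed by "("
        if (!is_array($tok)) {                        // single-character token
            if (!in_array($tok, ALLOWED_SYMBOLS, true)) { $errors[] = "symbol '$tok' is not allowed"; }
            elseif ($tok === ')' && $calls) { $errors[] = 'calling the result of an expression is not allowed'; }
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = strtolower($text);                    // PHP function names are case-insensitive
        if (!in_array($id, ALLOWED_TOKENS, true)) {
            $errors[] = "line $line: " . token_name($id) . " '$text' is not allowed";
        } elseif ($calls && in_array($id, DYNAMIC_TARGETS, true)) {
            $errors[] = "line $line: dynamic call through $text is not allowed";
        } elseif ($id === T_VARIABLE && !in_array($text, ALLOWED_VARIABLES, true)) {
            $errors[] = "line $line: variable $text is not allowed";
        } elseif ($id === T_STRING && $calls && !in_array($name, ALLOWED_FUNCTIONS, true)) {
            $errors[] = "line $line: function $text() is not allowed";
        } elseif ($id === T_STRING && !$calls && !in_array($name, ALLOWED_LITERALS, true)) {
            $errors[] = "line $line: bare name $text is not allowed";
        }
    }
    return $errors;
}

// Constructed sample scripts: the first stays inside the subset, the others do not.
foreach (['$result = strtoupper($input);', 'echo $_SESSION;', "('mysql_query')('x');"] as $script) {
    echo $script, ' => ', json_encode(validate_script($script)), PHP_EOL;
}
```

A script would only be handed to the interpreter when the returned error list is empty; anything the validator does not recognise is refused rather than passed through.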

Regardless how much I try to secure things, there will always be something to abuse or exploit. That's why, as I said in the editor window, I am placing a bounty for your findings. When you find something you could abuse, put in balance that plus sure banning of all your accounts and IPs for a short period of exploited, godmoded account, with a reward that could be significant if you use your discovery to help me fix it for the future.

In general, whoever is clever enough to crack/hack the site is also clever enough not to be a complete imbecile and just do damage, unless his main target was that from the start.

I want to mention I will not restore backups and move MD back in time unless the damage involves a higher percentage of MD population and not just a few individuals. If you manage to erase your character somehow, reset it or whatever other permanent damage, you won't get a backup restore of entire MD.

We managed to survive so many years without such incidents. We never had one, the forum issue was about the forum not the game. This is not because MD is secure, because IT'S NOT, but because people in it understand to do more with their skills than destroying for fun.

[quote]Regardless how much I try to secure things, there will always be something to abuse or exploit[/quote]

This is true not just in MD but all games. There is always a way to find an exploit, or coincidentally run into a bug. The vets of the game have accidentally run into bugs in the past. I'm not much of a bug finder, but, like for instance there was the dead bird bug. I knew something was off when dst attacked me so I looked at it again and figured it out. I asked dst if it was reported at the time and she said yes. Couple days later I found out it wasn't. Another instance ummm heads contest. Shoeps (back in the day when points were first implemented) found that if you didn't have any living creatures then you couldn't lose heads. That was reported but a lot of people didn't know it was at the time. That's just 2 examples of bugs in the past. Both problems were handled in different ways. The ruling used to be "If you find a bug you have to report it right away, THEN afterwards you could use that bug until it is fixed". But for this that ruling shouldn't be the same. Scripting is delicate (as I'm finding out). Honestly, if I were to find a bug in scripting I would report it, not on here, directly to Mur's PM, so others can't use it, and then DELETE it. My topic would be Script Bug, so Mur knows it's about scripting. I would suggest if anyone finds themselves in that situation they would take that action. I hate making long posts.

Sorry to disappoint you Smarty but back then I reported all bugs. Not to mention that I was the one saying it's a bug (aloud). You never asked me anything. You were too good to talk to a new person like me. And one question: how did you check that I did not report it? So try not to throw accusations before checking the truth.

[quote name='smartalekrj' date='31 October 2009 - 05:22 AM' timestamp='1256959364' post='46159']
No, actually they don't... they get pushed past the limit and I have to delete them to get to older ones... it's a pain[/quote]
Off topic:
Let's make it short RJ and to solve the problem between you and dst:
The "Romanian Mafia" works differently (you know: phone calls, secret meetings, emails).
In other words: we told Mur a lot of stuff, but he tends to forget about them if you don't push him a bit (see the alliance takeover last year).
Also ... as I remember ... there were very few bugs reported (and ... I don't remember any from you). Most of them we found just by checking the forum and recognizing the pattern.

As for who was abusing, back then, there were some ways to check. Please don't tell anyone that you reported all that you found. It is pointless to lie like that (not that you didn't do that before or that anyone cares).

On topic:
Anyway, abuses and bugs will be for as long as MD will exist. The main point, as Mur said, is to use them within limits. If you want to do it ... fine, do it ... but take the responsibility for your actions.

