He posted a new file in the post just before yours. :rollseyes: :D

Basically, in older versions of tetris.php people could add a "get" string in the header of the page.

i.e. tetris.php?action=reg&points=10000000&userid=1

In the new file, a piece of code refuses to accept any point values in the header.

And the zip has also been updated - did any get the update email? The hack updater is playing up...

Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.

First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:

It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.

Secondly, the comment system here is very open to abuse. For example, as your comment, try:

And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 charaters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.

Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.

I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).

If you could update the existing tetris.php and email it to me, we'd all be grateful.

Actually, it's possible to do it without knowing the userid (by setting s=something in the querystring). I don't have time to fix it tonight, but I'll see what I can do for you tomorrow... in the mean time, I updated my little example so it doesn't need the userid.

Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s

Yeah, sometimes the session hash isn't present in the querystring, sometimes it is (never bothered to find out exactly why)... but that doesn't solve our problem anyway... I'll hopefully get back to you tomorrow with an updated version of the script.

You could use sessions for that.

When they are going to the play action (tetris?action=play) then you can set a session name for example:

Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:

Quite right, but as far as I can see, the cheat0r could just start a game, and then while it's playing, submit the form. The session still exists, but it wasn't submitted by the script... the leaderboard would be none the wiser. $_SERVER["HTTP_REFERRER"] could always be checked to see if the user is indeed coming from the playfield, but there's no reason that can't be poisoned either....