Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.
First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:
Code:
<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
enter your score!
<input type="text" name="punteggio"><br>
and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
<input type="submit" value="What's tetris again?">
</form>
It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.
Secondly, the comment system here is very open to abuse. For example, as your comment, try:
Code:
<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 charaters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.
Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.
Originally posted by Stuwee Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.
First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:
Code:
<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
enter your score!
<input type="text" name="punteggio"><br>
and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
<input type="submit" value="What's tetris again?">
</form>
It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.
Secondly, the comment system here is very open to abuse. For example, as your comment, try:
Code:
<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 charaters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.
Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.
I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).
If you could update the existing tetris.php and email it to me, we'd all be grateful.
I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).
If you could update the existing tetris.php and email it to me, we'd all be grateful.
Actually, it's possible to do it without knowing the userid (by setting s=something in the querystring). I don't have time to fix it tonight, but I'll see what I can do for you tomorrow... in the mean time, I updated my little example so it doesn't need the userid.
Originally posted by john.eovie Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s
Yeah, sometimes the session hash isn't present in the querystring, sometimes it is (never bothered to find out exactly why)... but that doesn't solve our problem anyway... I'll hopefully get back to you tomorrow with an updated version of the script.
Originally posted by Lesane You could use sessions for that.
When they are going to the play action (tetris?action=play) then you can set a session name for example:
PHP Code:
session_start();
session_register("test");
Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:
PHP Code:
if (session_is_registered("test")) {
echo "User has a session named test so he came from the play action";
} else {
echo "ooops, cheatterr";
}
Quite right, but as far as I can see, the cheat0r could just start a game, and then while it's playing, submit the form. The session still exists, but it wasn't submitted by the script... the leaderboard would be none the wiser. $_SERVER["HTTP_REFERRER"] could always be checked to see if the user is indeed coming from the playfield, but there's no reason that can't be poisoned either....