DragonPrime - LoGD Resource Community
March 23, 2019, 09:29:46 AM

Show Posts
1  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 05:38:25 PM
Maybe you have to post a minimum number of messages before you can do that. I remember having that issue too; it was common in forums years ago. Maybe it applies here too.
2  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 03:29:00 PM
Totally agree with Aeolus here.
3  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 08:42:53 AM
Well, right now I am sort of diving a bit into the old LotGD codebase. I am not really used to it as of now, but I intend to be in the future. Maybe I could take a look at it; it will give me some practice. Would you mind chatting sometime?
4  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 07:30:52 AM
What kind of bugs? Hosting related?
5  Coding Support / Coding Support Desk / Re: Seeking a coder on: February 25, 2019, 02:37:12 PM
Hey RaynDarren, I sent you an email :-D
I would be interested in helping out a bit (from time to time) if you would be interested.

:-)
6  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 24, 2019, 01:36:05 PM
You see, the thing with the hashing (of the username and the comparison to the DB in my earlier post) was the fastest approach given the state of the LotGD login functions, and it prevents an open SQL injection method.
Someone maintaining the LotGD codebase should close that gap.

I totally agree with you on the prepared statements and escaping (although escaping is not that trivial), and that, well, LotGD is not safe against it.

As far as hashing of passwords goes, salt and pepper are obsolete with the password_hash() function. PHP 5.5+ handles this natively, and to be fair it is probably much safer too.
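One way to do the md5 to password_hash() move this thread is about without locking out existing accounts, as an added example that is not from the original post or from LoGD: verify legacy md5 rows on login, rewrite them in password_hash() format on success, and use password_needs_rehash() to keep already migrated rows current when the default algorithm or cost changes. password_hash() generates and stores its own random salt, which is why no salt column is needed. The function names (looks_like_md5, check_and_migrate) and the constructed sample rows are assumptions; the caller is expected to run the UPDATE on the account row whenever a rehash value comes back.

```php
<?php
// Added example (not LoGD code): check a password against a stored value that may
// still be a legacy unsalted md5 (32 hex chars) or already a password_hash() string,
// and tell the caller when the row has to be rewritten. The md5 branch exists only so
// old accounts keep working until their next login; it must never be written again.

function looks_like_md5(string $stored): bool {
    // Legacy LoGD rows hold the raw md5() hex digest and nothing else.
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

/**
 * Returns ['ok' => bool, 'rehash' => ?string].
 * 'rehash' is non-null when the caller should UPDATE the account with that value.
 */
function check_and_migrate(string $password, string $stored): array {
    if (looks_like_md5($stored)) {
        // Legacy row: constant-time compare (hash_equals, as the thread suggests for
        // non-password hashes), then upgrade the stored value on success.
        if (!hash_equals($stored, md5($password))) {
            return ['ok' => false, 'rehash' => null];
        }
        return ['ok' => true, 'rehash' => password_hash($password, PASSWORD_DEFAULT)];
    }

    // Modern row: password_verify() reads algorithm, cost and salt from the string.
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    // Still modern, but maybe produced with an older default algorithm or a lower cost.
    $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed sample rows (assumed, not taken from any real database).
$legacy = md5('dragon123');                                            // old-style row
$modern = password_hash('dragon123', PASSWORD_DEFAULT);                // already migrated
$weak   = password_hash('dragon123', PASSWORD_BCRYPT, ['cost' => 4]);  // below default cost

foreach ([['legacy', $legacy], ['modern', $modern], ['low-cost', $weak]] as [$label, $stored]) {
    $good = check_and_migrate('dragon123', $stored);
    $bad  = check_and_migrate('wrong-password', $stored);
    printf("%-8s correct=%s rehash=%s wrong=%s\n",
        $label,
        $good['ok'] ? 'accepted' : 'rejected',
        $good['rehash'] !== null ? 'needed' : 'no',
        $bad['ok'] ? 'accepted' : 'rejected');
}
```

The legacy and low-cost rows come back with a rehash value after a correct login, the freshly generated row does not, and a wrong password is rejected in all three cases without any rehash being offered. Once every account has logged in once the md5 branch can be deleted; accounts that never log in again should be forced through a password reset rather than kept in md5 forever.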


7  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 23, 2019, 07:02:37 PM
I don't think that httppost() does anything to secure what is passed by the user. (This is from the 1.1.2 version.)
Sure, there are some stripslashes() calls here and there in the login code, but that is not security.

The change from md5 to a better algorithm is a good thing, of course, but pretty useless if the rest stays as it is (no prepared statements in the DB queries, no https://, no real protection against SQL injection...).
That small change is not a silver bullet.

- https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
- https://phptherightway.com/


Code:

function httppost($var){
    // Legacy (PHP 4-era) superglobal, kept only as a fallback; nothing is sanitized here.
    global $HTTP_POST_VARS;

    // Return the raw POST value exactly as the client sent it, or false if absent.
    $res = isset($_POST[$var]) ? $_POST[$var] : false;
    if ($res === false) {
        $res = isset($HTTP_POST_VARS[$var]) ? $HTTP_POST_VARS[$var] : false;
    }
    return $res;
}



8  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 20, 2019, 04:46:26 PM
Off the top of my head, this could be a safer login approach (assuming you added a username hash and encrypted the password at user creation):

Code:

//  get the name and password (raw POST values, see httppost() above)
    $name = httppost("name");
    $password = httppost("password");

//  hash the passed username, effectively neutralizing any potential fabricated unescaped content
//  (of course, you should always escape it first, one never knows)
    $hashedName = hash('sha256', $name);

//  now look explicitly for it in the DB (and for the locked flag), nothing else
//  (hash() returns lowercase hex, so $hashedName cannot carry quotes into the query)
    $sql = "SELECT * FROM " . db_prefix("accounts") . " WHERE hashedName = '$hashedName' AND locked=0";

//  process result ($session is LoGD's global session array)
    $result = db_query($sql);
    $SomeNameVariable = db_fetch_assoc($result);

//  check content
    if (!empty($SomeNameVariable)) {
    #   the passed username exists and we found a hashed version of it -> let's check if the password matches ...
        if (!password_verify($password, $SomeNameVariable['password'])) {
        #   password does not match, revoke user here
            $session['user'] = FALSE;
        } else {
        #   password did match
            $session['user'] = $SomeNameVariable;
        }
    } else {
    #   nothing found
        $session['user'] = FALSE;
    }

9  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 20, 2019, 04:21:14 PM
The bigger issue here is the fact that [ login = '$name' AND password='$password' ] is a recipe for disaster. I don't have the whole escaping code in that section in front of me, but it is a quite inviting attack vector right there, since you are querying the DB using what is passed by the user without having any control over the format of what to expect, thus opening yourself to all sorts of attacks. I don't see anything in that code that is going to protect the DB against SQL injection.

Now, since you must alter the login / user creation process in order to achieve better hashing / encryption anyway (you have to save the password at creation in the new desired encrypted format), why not add a couple more lines and make it a bit more secure?

My advice:

- When creating the user, encrypt the password with password_hash().
- Create another hash using the username (you can use whatever hash algorithm you want, but of course if possible skip md5() and sha1()) and save it to that user's row.
- Now, every time a user logs in, hash the username first, and then look for the same value in the DB (if evil code has been passed, it is now harmless since it has been hashed and the query is "safe").
- Since the hash should be unique (you really should not have two users with the same username), you load all the needed data from the found row.
- At this stage, you can compare the real username and the password within the array, without querying the DB (since you did that already).
- If all matches, go ahead and validate the user; if not (or if malicious code was passed as the username, nothing will really happen, maybe a warning), just ignore the user and revoke access.

This is not a thorough explanation or a fail-safe golden sword that will solve all your problems, but since you are willing to touch that code section, it adds reasonable security.

Oh, and for God's sake, while you are at it, if you need to compare hashes at any point (that is not a password), use hash_equals() -> http://php.net/manual/de/function.hash-equals.php
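The injectable [ login = '$name' AND password='$password' ] query this post starts from, beside a hardened version, as an added example that is not part of the original post or of LoGD itself. It uses PDO with an in-memory SQLite database so it runs stand-alone; the plain `accounts` table (instead of LoGD's db_prefix("accounts") and mysqli), its two constructed rows and the function names login_vulnerable() / login_safe() are all assumptions. The hardened version takes the prepared-statement route discussed earlier in the thread rather than the username-hash workaround: the login name is bound as a parameter, and the password never appears in the SQL at all because password_verify() checks it against the stored password_hash() value after the row is fetched.

```php
<?php
// Added example (not LoGD code): the concatenated login query from the thread next
// to a hardened one. PDO + in-memory SQLite so it runs offline; the accounts table
// and its rows are constructed here. LoGD's own db_* helpers are not used.

function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (acctid INTEGER PRIMARY KEY, login TEXT UNIQUE, '
            . 'password TEXT NOT NULL, locked INTEGER NOT NULL DEFAULT 0)');
    $ins = $db->prepare('INSERT INTO accounts (login, password, locked) VALUES (?, ?, ?)');
    $ins->execute(['admin',       password_hash('correct horse', PASSWORD_DEFAULT), 0]);
    $ins->execute(['locked_user', password_hash('pw',            PASSWORD_DEFAULT), 1]);
    return $db;
}

// The pattern criticised in the thread: user input concatenated straight into SQL.
// Whatever the client sends becomes part of the WHERE clause.
function login_vulnerable(PDO $db, string $name, string $password): ?array {
    $sql = "SELECT * FROM accounts WHERE login='$name' AND password='$password' AND locked=0";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: the SQL text is fixed, the name is a bound parameter, and the password
// is compared in PHP with password_verify() instead of being put into the query.
function login_safe(PDO $db, string $name, string $password): ?array {
    $stmt = $db->prepare('SELECT * FROM accounts WHERE login = ? AND locked = 0');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;          // unknown user, locked user, or wrong password: same answer
    }
    unset($row['password']);  // do not carry the hash around in $session['user']
    return $row;
}

$db = make_demo_db();

// Constructed attacker input: closes the string, makes the condition always true,
// and comments out the password and locked checks (SQLite and MySQL both use "-- ").
$payload = "' OR 1=1 -- ";

$r = login_vulnerable($db, $payload, 'anything');
echo 'vulnerable query, injected name: ' . ($r ? "logged in as {$r['login']}" : 'rejected') . PHP_EOL;

$r = login_safe($db, $payload, 'anything');
echo 'prepared statement, injected name: ' . ($r ? "logged in as {$r['login']}" : 'rejected') . PHP_EOL;

$r = login_safe($db, 'admin', 'correct horse');
echo 'prepared statement, real credentials: ' . ($r ? "logged in as {$r['login']}" : 'rejected') . PHP_EOL;

$r = login_safe($db, 'locked_user', 'pw');
echo 'prepared statement, locked account: ' . ($r ? "logged in as {$r['login']}" : 'rejected') . PHP_EOL;
```

With the payload the vulnerable query degenerates to `... WHERE login='' OR 1=1` and returns the first unlocked row (the admin account) with no password at all, while the prepared statement treats the same bytes as a literal username that does not exist. Note that the hardened function also drops the `password` column from the row before it would be stored in the session, and gives the same "rejected" answer for unknown, locked and wrong-password cases so the login form does not leak which usernames exist.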
10  Modules, Themes and other customizations for your game / Themes / Re: Template: Hypertext - A basic foundation for building more modern templates on: February 08, 2019, 05:25:00 AM
I miss the graphics there (I know that there are of course accessibility concerns with graphics, but I still miss them though)... looks a bit too dark. Do you have any others?
11  Village Square / General Discussion Area / Re: looking for ppl that have writing / storytelling skills on: October 06, 2018, 05:43:37 AM
Anyone besides Wolfsbanewillow and TGTarheel ?

12  Village Square / General Discussion Area / Re: looking for ppl that have writing / storytelling skills on: October 01, 2018, 11:00:38 AM
Ok, noted :-)
13  Village Square / General Discussion Area / Re: looking for ppl that have writing / storytelling skills on: September 29, 2018, 11:12:43 AM
Ok. Anyone else ?
14  Village Square / General Discussion Area / looking for ppl that have writing / storytelling skills on: September 28, 2018, 07:28:17 PM
Hello people,

I am looking for people who would like to collaborate with their storytelling skills on a project based on LOTGD that has been in the making for some time now.
There are some things that are of course different from LOTGD, but it would be great if it remained faithful to the LOTGD world.

It is not an official LOTGD sequel like Daenerys aims to be (or is).
It is a private project born out of love for LOTGD, and it does not have a "release date" around the corner; yet it has reached a point (60%) where it makes sense to start looking for content.

The type of writing I am looking for should be light-hearted, not heavy on the lore like, say, Lord of the Rings, and fit the mood of LOTGD. Some things are set in stone (in order for game mechanics to work), some are roughly defined (certain characters that are needed here and there), but there is still room for your own stuff.

So it's as simple as that...

If anyone has interest, time and patience, I would be glad to hear from you (one or more persons), and I will try to answer questions the best I can.

:-)


15  Village Square / General Discussion Area / Re: Sound in lotgd on: September 15, 2018, 05:10:25 PM
I occasionally ask these questions because I myself am working on a private project that is inspired by good old LOTGD. It has now reached the point where such things as music, audio in general and support for graphics matter. Of course the accessibility part must be in there somewhere, but as things are, this will boil down to some predefined keys that can be pressed to execute all actions in the game, since, well... it's a game and not a "webpage" per se.