DragonPrime - LoGD Resource Community
  Show Posts
1  Core Code Development Discussions / Core Development Discussion / Re: LOTGD improved (IDMarinas) on: July 03, 2019, 05:55:30 AM
@Zelgadiss

Nightborn's version can be checked over here: https://github.com/NB-Core/lotgd
2  Core Code Development Discussions / Core Development Discussion / Re: LOTGD improved (IDMarinas) on: July 03, 2019, 05:51:12 AM
This version is extremely similar to nightborn's version ...

Hey, ChesireCat, my antivirus is reporting malware from the image that you have in your footer. It claims to be infected with URL:Blacklist, so you might want to know.
3  Core Code Development Discussions / Core Development Discussion / Re: Compressing the SQL traffic on: June 24, 2019, 03:20:42 AM
I still stand by that sentence. Your point is of course correct; I myself ran into those issues at least one time, and the solution was mostly to cache stuff, use other DB engines etc.

But we are talking about lotgd here.

- servers can indeed handle much more, we all know that. It's lotgd that cannot scale up that easily due to the way it works.
- most people have their code and the MySQL server on the same machine, so we are adding CPU overhead for no big gain.
- rarely is there a lotgd site these days that has more than 20 users online at the same time, so traffic will stay low
- and besides, I don't think 4 Mb/s is that much. If you run a lotgd site with that many users, you should know what you are doing and therefore have a better infrastructure in place rather than the normal hoster
- if performance is a thing, why not go with MariaDB's page compression, session caching with Redis etc.? It all would speed things up immediately, but I am not sure if lotgd would benefit from it due to the codebase state.

That was my point.
There are other ways to get an increase in performance rather than introducing more complexity to the code.

I might be wrong on some points, but it's what I would do if I had to optimize the lotgd experience for more users.
But given the general user numbers on an average lotgd server, all this would probably be over-engineering and micro-optimization.

I have not much experience in lotgd hosting, so maybe someone can correct me. I would appreciate it even.

:-D
4  Core Code Development Discussions / Core Development Discussion / Re: Compressing the SQL traffic on: May 20, 2019, 06:08:49 AM
No problem :-) It's not about being right or wrong (I might be wrong as well), just to save you some time.
Of course, as a learning experience it's more than OK. After all, that's the way we learn what works best and what does not.
5  Core Code Development Discussions / Core Development Discussion / Re: Compressing the SQL traffic on: May 19, 2019, 07:40:57 AM
Why do this at all? I mean, nowadays servers can handle a lot more, broadband internet is more widespread, and lotgd is not that demanding anymore in comparison with other apps. Why complicate the whole thing more?
6  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 05:38:25 PM
Maybe you have to post a minimum number of messages until you can do that. I remember having that issue too; it was common in forums years ago. Maybe it applies here too.
7  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 03:29:00 PM
Totally agree with Aeolus here.
8  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 08:42:53 AM
Well, right now I am sort of diving a bit into the old lotgd codebase. I am not really used to it as of now, but intend to be in the future. Maybe I could take a look at it; it will give me some practice. Mind to chat once?
9  Coding Support / Coding Support Desk / Re: Looking for Light Coding Help on: February 27, 2019, 07:30:52 AM
What kind of bugs? Hosting related?
10  Coding Support / Coding Support Desk / Re: Seeking a coder on: February 25, 2019, 02:37:12 PM
Hey RaynDarren, I sent you an email :-D
I would be interested in helping out a bit (from time to time) if you would be interested.

:-)
11  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 24, 2019, 01:36:05 PM
You see, the thing with the hashing (of the username and the comparison to the DB in my earlier post) was the fastest approach given the state of the lotgd login functions, and it prevents an open SQL injection method.
Someone maintaining the LOTGD codebase should close that gap.

I totally agree with you on the prepared statements and escaping (although escaping is not that trivial) and that, well, lotgd is not safe against it.

As far as hashing of passwords goes, salt and pepper are obsolete with the password_hash() function. PHP 5.5+ handles this natively and, to be fair, it's probably much safer too.

12  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 23, 2019, 07:02:37 PM
I don't think that httppost does anything to secure what is passed by the user. (This is from the 1.1.2 version.)
Sure, there are some stripslashes() here and there in the login code, but that is not security.

The change from md5 to a better algorithm is a good thing, of course, but pretty useless if the rest stays as it is (no prepared statements in the DB queries, no https://, no real protection against SQL injection...).
That small change is not a golden bullet.

https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
https://phptherightway.com/


Code:

function httppost($var) {
    global $HTTP_POST_VARS;

    // read the POST field as-is; nothing is validated or escaped here
    $res = isset($_POST[$var]) ? $_POST[$var] : false;
    if ($res === false) {
        // fall back to the legacy (pre-superglobal) array name
        $res = isset($HTTP_POST_VARS[$var]) ? $HTTP_POST_VARS[$var] : false;
    }
    return $res;
}

13  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 20, 2019, 04:46:26 PM
From the top of my head, this could be a safer login approach (assuming you added a username hash and encrypted the password at user creation).

Code:

// get the name and password
$name = httppost("name");
$password = httppost("password");

// hash the passed username, effectively neutralizing any potential fabricated unescaped content
// (of course, you should always escape it first, one never knows)
$hashedName = hash('sha256', $name);

// now look explicitly for it in the DB (and for the locked flag), nothing else
$sql = "SELECT * FROM " . db_prefix("accounts") . " WHERE hashedName = '$hashedName' AND locked=0";

// process result
$result = db_query($sql);
$SomeNameVariable = db_fetch_assoc($result);

// check content
if (!empty($SomeNameVariable)) {
    // the passed username exists and we found a hashed version of it -> let's check if the password matches ...
    if (!password_verify($password, $SomeNameVariable['password'])) {
        // password does not match, revoke user here
        $session['user'] = FALSE;
    } else {
        // password did match
        $session['user'] = $SomeNameVariable;
    }
} else {
    // nothing found
    $session['user'] = FALSE;
}

14  Coding Support / Coding Support Desk / Re: Going from md5 to password_hash function on: February 20, 2019, 04:21:14 PM
The bigger issue here is the fact that [ login = '$name' AND password='$password' ] is a recipe for disaster. I don't have the whole escaping code in that section in front of me, but it is a quite inviting attack vector right there, since you are querying the DB using what is passed by the user and not having any control over the format of what to expect, thus opening yourself to all sorts of attacks. I don't see anything in that code that is going to protect the DB against SQL injection.

Now, since you must alter the login / user creation process in order to achieve better hashing / encryption anyway (you have to save the password at creation in the new desired encrypted format), why not add a couple of lines more and have it a bit more secure?

My advice :

- when creating the user, encrypt the password with password_hash()
- create another hash using the username (you can use whatever hash algorithm you want, but of course if possible skip md5() and sha1()) and save it to that user's row
- now, every time a user logs in, hash their username first, and then look for the same value in the DB (if evil code has been passed, it is now harmless since it has been hashed and the query is "safe")
- since the hash should be unique (you really should not have 2 users with the same username), you load all the needed data from the found row
- at this stage, you can compare the real username and the password within the array, without querying the DB (since you did that already)
- if all matches, go ahead and validate the user; if not (or if malicious code was passed as the username, nothing will really happen, maybe a warning), just ignore the user and revoke access

This is not a thorough explanation or a fail-safe golden sword that will solve all your problems, but since you are willing to touch that code section, it adds reasonable security.

Oh, and for God's sake, while you are at it, if you need to compare hashes at any point (that is not a password), use hash_equals() -> http://php.net/manual/de/function.hash-equals.php
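An added example (not code from this thread or from lotgd itself) that shows the account creation and login the posts above describe, but with a mysqli prepared statement instead of the hashed-username lookup, so the username is bound as data and never becomes part of the SQL; it uses password_hash()/password_verify() for the password and hash_equals() for the exact username check. It assumes a hypothetical `accounts` table with `acctid`, `login`, `password`, `locked` columns, a mysqli connection `$db`, and the mysqlnd driver (for `get_result()`).

```php
<?php
// Added example, not lotgd's own code. Assumes a mysqli connection $db and a
// table accounts(acctid INT PK, login VARCHAR, password VARCHAR(255), locked TINYINT).

// At account creation: store only the password_hash() output (PHP adds the salt itself).
function create_account(mysqli $db, string $login, string $password): bool
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO accounts (login, password, locked) VALUES (?, ?, 0)');
    $stmt->bind_param('ss', $login, $hash);
    return $stmt->execute();
}

// At login: the username is a bound parameter, so any quotes or SQL in it stay data.
// Returns the account row on success, or false on any failure.
function login(mysqli $db, string $login, string $password)
{
    $stmt = $db->prepare('SELECT acctid, login, password, locked FROM accounts WHERE login = ? LIMIT 1');
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // Always run password_verify(), against a constructed dummy bcrypt string when no row
    // exists, so response time does not reveal whether the username is taken.
    $stored = $row['password'] ?? '$2y$10$' . str_repeat('x', 53);
    $ok = password_verify($password, $stored);

    // MySQL's default collation compares login case-insensitively; hash_equals() enforces an
    // exact, constant-time match of the stored name, as the post above recommends for hashes.
    if ($row === null || !$ok || (int) $row['locked'] !== 0 || !hash_equals($row['login'], $login)) {
        return false;
    }

    // Transparently upgrade old hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $db->prepare('UPDATE accounts SET password = ? WHERE acctid = ?');
        $upd->bind_param('si', $new, $row['acctid']);
        $upd->execute();
    }
    return $row;
}
```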
15  Modules, Themes and other customizations for your game / Themes / Re: Template: Hypertext - A basic foundation for building more modern templates on: February 08, 2019, 05:25:00 AM
I miss the graphics there (I know that there are of course accessibility concerns with graphics, but I still miss them though)... looks a bit too dark. Do you have any others?