Security
Posted: Tue Jul 26, 2011 4:55 am
by Kesl
I'm not sure if anyone has mentioned this before or if I am posting in the wrong area.
Over the past weeks or months there has been news about hacking into websites. As a member of this game and forum I would like to know if our account details are safe even if someone decides to hack for money (paying support states), to bring this site down or to change the contents of the site.
If the security side of this game hasn't changed for a while, maybe we should think about it.
Let's say you will have three attempts to log on; if you fail after the third attempt, the account will be locked for a period of time.
Have a system where you enter your location (town, country) and if someone tries to log in to your account outside of that location, the game will inform the user and ask him/her if the person in question is you. If that person is not you, the game will kick that person out of your account and lock it until the right owner informs the admin.
Re: Security
Posted: Tue Jul 26, 2011 3:16 pm
by stuff of legends
Interesting idea, but security can be easily increased by converting passwords to SHA-1 digests (if admin is storing as plaintext, or md5), and using a decent password. It's mostly up to the user how secure they want to be.
And news reports of hacking have been going on for ages, it's nothing new.
I would think it's somewhat secure anyway, considering this game is a part of a company.
Re: Security
Posted: Wed Jul 27, 2011 1:45 am
by Kesl
Look at Playstation, their network had to be closed down due to a hack. They are a big company in the game industry. I think it is important just to remind people (once in a while) about keeping their account safe.
Re: Security
Posted: Wed Jul 27, 2011 1:55 am
by stuff of legends
Kesl wrote: Look at Playstation, their network had to be closed down due to a hack. They are a big company in the game industry. I think it is important just to remind people (once in a while) about keeping their account safe.
Lol, Playstation was hacked because the retards stored ALL the info as plaintext, only fledgling programmers do idiotic things like that, and above all they infiltrated using an SQL injection, which is practically the first thing in a hacker's toolbox.
So the whole Playstation scene programmers, web designers, and their whole online team look like an utter joke now.
I would hope at the very least admin doesn't store the passwords as plain text and uses his own one-way cryptography, or MD-5 hash digests. As I said above, SHA-1 would do nicely. If someone did happen to gain entry to the database, users' login info would be the last of admin's worries.
Again, this all relies on the user creating a good password, not some crap like 123456 or abcd.
And yes, I would like to know what admin stores the passwords as.
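Added example, not part of any post in this thread: a sketch of the two ideas raised so far, a lock after three failed logins and one-way password storage. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library in place of a bare SHA-1 or MD5 digest; the lock period, iteration count and the `Accounts` class are assumptions, not anything the game is known to use.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 3          # from the first post: three tries
LOCK_SECONDS = 15 * 60    # assumed lock period; the thread names none
ITERATIONS = 200_000      # assumed PBKDF2 work factor


def hash_password(password, salt=None):
    """Return (salt, digest); only these two values are stored."""
    salt = salt or os.urandom(16)   # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class Accounts:
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so the lock can be tested
        self.users = {}      # name -> salt, digest, fails, locked_until

    def register(self, name, password):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest,
                            "fails": 0, "locked_until": 0.0}

    def login(self, name, password):
        """Return 'ok', 'bad' or 'locked'."""
        user = self.users.get(name)
        if user is None:
            return "bad"
        if self.clock() < user["locked_until"]:
            return "locked"          # refused before the password is checked
        _, candidate = hash_password(password, user["salt"])
        if hmac.compare_digest(candidate, user["digest"]):
            user["fails"] = 0
            return "ok"
        user["fails"] += 1
        if user["fails"] >= MAX_ATTEMPTS:
            # Third consecutive failure: start the lock, reset the counter.
            user["locked_until"] = self.clock() + LOCK_SECONDS
            user["fails"] = 0
        return "bad"
```

Because each account gets its own salt, two users with the same password end up with different stored digests.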
Re: Security
Posted: Wed Jul 27, 2011 3:05 am
by Juliette
Plaintext since day 1.
SQL-injection is prevented by the nice little tidbits within the code known as 'escape'.
Or something. I wouldn't know. I don't know jack about what `SQL` and all that jazz is.. all secrets and technicalities to me.
Re: Security
Posted: Wed Jul 27, 2011 3:24 am
by stuff of legends
Juliette wrote: SQL-injection is prevented by the nice little tidbits within the code known as 'escape'.
o.0 I guess you could call it that in a way, but it sounds weird, escaping is an act on a piece of code, not a piece of code.
It's easier just using regular expressions. Instead of removing certain characters, remove everything that is not in a certain list of characters, like ^[0-9] if you only wanted numbered input, so anything that is not a digit from 0-9 will be removed. They can get messy though, like validating an email address can look something along the lines of....
^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$
But anyway, admin uses some anti-SQL injection barriers, you can see this when you broker people or name things, and it's why sending messages to people have backslashes after the speech mark character " (appears like: chicken\'s are yummy to eat). When you broker someone try using a '@' character as well.
Re: Security
Posted: Wed Jul 27, 2011 3:27 am
by Juliette

Thanks. That's the thing I meant. All I know, hope you find someone with more knowledge.

Wait. What you just posted was an alternative, right, not the actual escape thing?

Re: Security
Posted: Wed Jul 27, 2011 3:42 am
by stuff of legends
Juliette wrote: ;) Thanks. That's the thing I meant. All I know, hope you find someone with more knowledge.

Wait. What you just posted was an alternative, right, not the actual escape thing?

*edits post*
When you 'escape' something you essentially kill off its ability, but it gets harder because you have to escape escapes to prevent SQL injections etc. To generally escape characters you use the backslash. So take this example: when you want to output something you generally use " " as well as invoking a method, but what if you want to use the " in the thing you want to output? Hence escaping was born, so essentially escaping kills whatever function the thing does. Take for instance this:
"hello world says me!"
But if I wanted to actually use speech marks in there, I would have to then do this for the code to actually output the wanted words, and in some cases compile correctly:
"\"hello world\" says me!"
OK, so what if you wanted to print out the backslash? Well, you would have to do something like..
"backslash is \\"
PHP provides many functions to help with this anyway; when I code I just find it easier to use regex patterns.
I gave an alternative to stave off SQL injection attacks, and was just pointing out your sentence about escaping didn't really make much sense xD
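Added example, not part of any post in this thread: the allowlist patterns from the posts above applied as whole-input checks, next to bound query parameters, which keep user text out of the SQL string so nothing needs backslash escaping. It uses Python's `sqlite3` with an in-memory database; the `messages` table and all function names are assumptions, not the game's schema or code.

```python
import re
import sqlite3

# Patterns taken from the thread: digits only, and the posted e-mail pattern.
DIGITS = re.compile(r"[0-9]+")
EMAIL = re.compile(
    r"^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$")


def valid_amount(text):
    """Allowlist check: reject unless the whole input is digits."""
    return DIGITS.fullmatch(text) is not None


def valid_email(text):
    # fullmatch also rejects a trailing newline, which "$" alone lets through.
    return EMAIL.fullmatch(text) is not None


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE messages (sender TEXT, body TEXT)")
    return db


def send_message(db, sender, body):
    # Bound parameters: values travel separately from the SQL text, so a
    # quote in the body is plain data and is stored without backslashes.
    db.execute("INSERT INTO messages (sender, body) VALUES (?, ?)",
               (sender, body))


def bodies_from(db, sender):
    rows = db.execute(
        "SELECT body FROM messages WHERE sender = ? ORDER BY rowid", (sender,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = open_db()
    # Constructed sample input, using the message quoted in the thread.
    send_message(db, "kesl", "chicken's are yummy to eat")
    send_message(db, "kesl", 'he said "hello world" and \\ too')
    print(bodies_from(db, "kesl"))
    # A sender name containing quotes matches nothing: it is only a value.
    print(bodies_from(db, "kesl' OR '1'='1"))
    print(valid_amount("250"), valid_amount("25;0"), valid_email("a@b.org"))
```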
Re: Security
Posted: Wed Jul 27, 2011 4:07 am
by Juliette
lol.. I know.

Re: Security
Posted: Wed Jul 27, 2011 4:50 am
by Kesl
Juliette wrote: Plaintext since day 1.
SQL-injection is prevented by the nice little tidbits within the code known as 'escape'.
Or something. I wouldn't know. I don't know jack about what `SQL` and all that jazz is.. all secrets and technicalities to me.
You joking, Juliette? I think the admin should look at this post and make sure the passwords are not in plain text. I also agree with you, it is the user's responsibility to make sure their password is strong.
P.S. Juliette, are you supposed to be working and not playing? You bad woman lol
Re: Security
Posted: Wed Jul 27, 2011 4:53 am
by Juliette
Kesl wrote: Juliette wrote: Plaintext since day 1.
SQL-injection is prevented by the nice little tidbits within the code known as 'escape'.
Or something. I wouldn't know. I don't know jack about what `SQL` and all that jazz is.. all secrets and technicalities to me.
You joking, Juliette? I think the admin should look at this post and make sure the passwords are not in plain text. I also agree with you, it is the user's responsibility to make sure their password is strong.
P.S. Juliette, are you supposed to be working and not playing? You bad woman lol

Waiting for some people who are supposed to fix my house. Apparently they are late.
Anyway. Admin already knows. He's done something about it back in '08, but I have no clue what.
Re: Security
Posted: Wed Jul 27, 2011 4:58 am
by Kesl
Re: Security
Posted: Wed Jul 27, 2011 6:13 pm
by stuff of legends
Re: Security
Posted: Wed Jul 27, 2011 10:52 pm
by Adonex
Do we have any measures to prevent against packet editing?
Re: Security
Posted: Thu Jul 28, 2011 2:38 am
by Dubby_CompGamerGeek2
I think we can tell from at least the last Server War, titled "Game Over",
that inputting more data than the game is willing to accept will crash the server...
which seems very much like the results of a denial-of-service attack...
although I am not aware of any threats beyond a crashed server...
i.e. I don't think you can further harm the computer or its contents
because the computer has totally stopped responding,
or has shut down...
