MArcomage

Free multiplayer on-line fantasy card game

dindon on 10:48, 5. Jan, 2011
You seem to be overly trusting of user input in the settings page, so someone can set their Gender/Country/Status to something not among the dropdown options, and mess stuff up. This should throw an error message.

(This is why I have next to my name in the players page a white box, or a bit of text saying "status flag", depending on which browser you use. P.S. Can I keep it?)
Mojko on 11:29, 5. Jan, 2011
Yes, it seems there is no check in select options. Fortunately everything is escaped, so no real damage can be done. I'll add this to my TODO list.
Mojko on 08:37, 8. Jan, 2011
dindon wrote:
(This is why I have next to my name in the players page a white box, or a bit of text saying "status flag", depending on which browser you use. P.S. Can I keep it?)

I would prefer if you corrected your status to normal.
dindon on 08:42, 8. Jan, 2011
I just wanted to be special! ;_;

Fiiine, fixed.
Mojko on 08:46, 8. Jan, 2011
Very good :)
Lord Ornlu on 17:00, 8. Jan, 2011
Cookie????? He needs a reward now :P
Mojko on 18:46, 8. Jan, 2011
Very well.

* gives cookie *

:P
dindon on 01:07, 9. Jan, 2011
Yay!

It's Username=dindon; expires=Sun, 16-Jan-2011 01:05:49 GMT SessionID=21362*****; expires=Sun, 16-Jan-2011 01:05:49 GMT flavoured!
DPsycho on 03:41, 9. Jan, 2011
I see what you did there.
Lord Ornlu on 06:21, 9. Jan, 2011
We should design awards for people finding flaws in the game :P

the COOKIE AWARD.

I'm hungry, I'll go get a cookie...

Clever, btw ;) kudos to dindon :D
dindon on 06:36, 9. Jan, 2011
Or you could be like Google and pay $500+ per bug found.

(Applied retroactively, of course.)
DPsycho on 15:18, 9. Jan, 2011
I feel the need to disclose that I am eating cookies RIGHT NOW.

If anything, dindon certainly deserves an award for the accomplishment of being banned the most times by the host while trying to investigate site weaknesses.
Lord Ornlu on 16:15, 9. Jan, 2011
We could pay 500 cookies!!!!!
theultramage on 21:05, 10. Jan, 2011
Nice one :)
Tell me, did you find that out with a TamperData-like plugin, or by actually reading the source code?
(no one but us seems to want to read the source code :(
EDIT: maybe I should go and clean it up sometime
dindon on 22:42, 10. Jan, 2011
Both (mostly the former).

By the way, I read the source code. It actually looks pretty nice to me. It's certainly made huge improvements since the days when card effects were all stored in a big switch statement :P

The only big thing I don't like about it is all the raw SQL queries. It would be so much easier to use an ORM.
Mojko on 08:27, 11. Jan, 2011
dimitris suggested using PDO, which is a good idea as well.
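A server-side whitelist check for the dropdown fields dindon reports, with the write done through a PDO prepared statement as dimitris suggests: this is an added example, not MArcomage's own code, and the field names, option lists and table layout are assumptions.

```php
<?php
// Added example (not MArcomage code). The only values accepted for each
// <select> are the ones the page itself offers; anything else is an error
// before it reaches the database. Option lists and names are assumptions.
const SETTINGS_OPTIONS = [
    'Gender'  => ['unknown', 'male', 'female'],
    'Country' => ['none', 'CZ', 'SK', 'US'],
    'Status'  => ['normal', 'away', 'busy'],
];

/**
 * Returns [validated values, error messages]. A value passes only if it is
 * a string that appears verbatim in the allowed list; strict in_array()
 * avoids loose-comparison surprises such as "0" matching a string entry.
 */
function validate_settings(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (SETTINGS_OPTIONS as $field => $allowed) {
        $value = $input[$field] ?? null;
        if (!is_string($value) || !in_array($value, $allowed, true)) {
            $errors[] = "Invalid value for {$field}.";
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Stores already-validated values; table and column names are assumed. */
function save_settings(PDO $db, string $username, array $clean): void
{
    $stmt = $db->prepare(
        'UPDATE players SET Gender = :gender, Country = :country, Status = :status
         WHERE Username = :username'
    );
    $stmt->execute([
        ':gender'   => $clean['Gender'],
        ':country'  => $clean['Country'],
        ':status'   => $clean['Status'],
        ':username' => $username,
    ]);
}

// Constructed request (would be $_POST in the real handler): Status is not
// one of the dropdown options, so the update must be refused with a message.
[$clean, $errors] = validate_settings(
    ['Gender' => 'male', 'Country' => 'CZ', 'Status' => 'status flag']
);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo $e, "\n";
    }
} else {
    // $db = new PDO('mysql:host=localhost;dbname=arcomage', $user, $pass);
    // save_settings($db, $username, $clean);
}
```

The same SETTINGS_OPTIONS array should also be used to render the dropdowns, so the form and the validator cannot drift apart.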