The first thing I noticed: you're using one space to indent instead of two. I give you points for at least being consistent, but doing this just makes it a pain for others to work with your scripts. Everybody else on Graal uses two spaces.
The second thing I noticed: you're not doing any checks serverside, which means that a 'hacker' can easily give out EC or host their own events or warp themselves anywhere.
The key to writing secure scripts is to assume that everything you write on clientside can be edited by a player (because it can be, to an extent).
For example, you should store the event warper location on serverside (probably as a database NPC flag or a server. flag).
Then, instead of this:
PHP Code:
// Insecure: the level and position come straight from the client's trigger
if (params[0] == "WarpPlayer") {
  player.setLevel2(params[1], params[2][0], params[2][1]);
  player.guild = "";
}
do this:
PHP Code:
// The destination is read from serverside storage; client params are ignored
if (params[0] == "WarpPlayer") {
  player.setLevel2(EventDB.warpLevel, EventDB.warpPos[0], EventDB.warpPos[1]);
  player.guild = "";
}
Any kid with Cheat Engine could use the first block of code to warp to any level on your server since you're trusting that the client's input is what it should be.
Never trust user input.
The same goes for the leave trigger. Why accept the player's values when they're constants that you could have just defined on serverside?
On a related note, you should verify that the player is actually wearing the proper staff tag on serverside before allowing them to host or give EC.
PHP Code:
// Insecure: nothing here checks that the sender is allowed to give EC
if (params[0] == "GiveEC") {
  if (findPlayer(params[1]).account != NULL) {
    if (findPlayer(params[1]).account != player.account) {
      EC_Database.(@params[1]) += params[2];
    }
  }
}
With the above code, all I'd have to do is search with Cheat Engine for a command that I can easily trigger, such as "WarpPlayer", replace it with "GiveEC", replace the event level with a friend's account, optionally change the number of EC, and click to warp, which would actually send a "GiveEC" trigger.
The proper way to implement that feature would be to check that the player is, in fact, on the proper tag first and is allowed to give EC. It's only a couple extra lines of code to fix. This is also an issue with kicking, etc.
The "max EC" limit should also be implemented serverside, since I could use the same technique to avoid that.
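The serverside checks described in the post above, sketched as an added example that is not part of the original post or of the script under review. It assumes `EventDB.staffTag` and `EventDB.maxEC` are flags stored on the `EventDB` database NPC (hypothetical names), and that the "max EC" limit is a cap per trigger.

```gs2
// Added example. EventDB.staffTag and EventDB.maxEC are assumed
// serverside flags; EC_Database and EventDB.warp* are from the post.
function onActionServerSide() {
  if (params[0] == "WarpPlayer") {
    // Destination comes from the server, never from params.
    player.setLevel2(EventDB.warpLevel, EventDB.warpPos[0], EventDB.warpPos[1]);
    player.guild = "";
    return;
  }

  if (params[0] == "GiveEC") {
    // 1. Authorization: the sender must be wearing the staff tag.
    if (player.guild != EventDB.staffTag) {
      return;
    }
    // 2. The target must be online and must not be the sender.
    temp.target = findPlayer(params[1]);
    if (temp.target == NULL || temp.target.account == player.account) {
      return;
    }
    // 3. The amount is client input: force a whole number and bound it,
    //    so zero, negative and oversized values are all rejected.
    temp.amount = int(params[2]);
    if (temp.amount < 1 || temp.amount > EventDB.maxEC) {
      return;
    }
    // Key the write on the account the server resolved, not the raw param.
    temp.acct = temp.target.account;
    EC_Database.(@temp.acct) += temp.amount;
    return;
  }
  // Any other trigger name is ignored.
}
```

Because the tag check runs inside the "GiveEC" branch on the server, swapping the trigger name in client memory only reaches a branch the sender is not authorized for.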