ID:146730
 
Code:
world.Export("http://score.h3ath.com/score.php?act=set&pre=blaz3&code=code_taken_out&key=[src.key]&score=[src.score]")


Problem description:

I don't think the whole url is being sent. Is there a certain length that is sent or a certain amount of parameters that can be sent?

I think the main problem is that src.key may not be a URL-friendly value. To include it in a URL, use url_encode(key) instead.

Lummox JR
In response to Lummox JR
That isn't working either. The way my script works is that if the security code in the url isn't right then it counts it as a hacking attempt and logs it. When I try to update a score from Byond, I get a log saying I was trying to hack.
In response to Blaz3
Blaz3 wrote:
That isn't working either. The way my script works is that if the security code in the url isn't right then it counts it as a hacking attempt and logs it. When I try to update a score from Byond, I get a log saying I was trying to hack.

You should record the actual security code received, then, and compare it to the one you're trying to match it against. Look for any obvious errors there. And again, url_encode() might not be bad there either.

Of course one reason I didn't notice you were doing the security code thing is that you put in "code_taken_out", but there are no brackets for a var as with src.key, leading me to believe you've hard-coded the security code. That's really not a good idea, since theoretically that URL could be intercepted, and then your security code is blown. Instead I'd recommend hashing an internal security code along with the name and score, using something like md5(). The nice thing about that approach is that if your remote server has access to an MD5 hashing function, it can verify the key and score by recreating that same hash.

Lummox JR
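
Added example (not part of the thread and not code from either poster): the hash-and-verify scheme described in the post above, sketched in Python with both the sending side and the checking side. The secret, the host and the `sig` parameter name are placeholders; MD5 is used because the post names it, and a keyed HMAC with SHA-256 is the sturdier construction where the server offers one.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions: placeholder secret and host, not values from the thread.
SHARED_SECRET = "example-secret-not-from-the-page"
BASE_URL = "http://score.example/score.php"


def sign(key: str, score: int, secret: str = SHARED_SECRET) -> str:
    """MD5 over secret, key and score. The '|' separators keep the field
    boundaries fixed, so ("ab", 12) and ("ab1", 2) hash differently."""
    material = "|".join([secret, key, str(score)])
    return hashlib.md5(material.encode("utf-8")).hexdigest()


def build_url(key: str, score: int) -> str:
    """Game side: URL-encode every value and send the hash, never the secret."""
    query = urlencode(
        {"act": "set", "key": key, "score": score, "sig": sign(key, score)}
    )
    return f"{BASE_URL}?{query}"


def verify(url: str) -> bool:
    """Server side: recompute the hash from the received fields and compare."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        key = params["key"][0]
        score = int(params["score"][0])
        received = params["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed field: reject
    expected = sign(key, score)
    # Constant-time comparison on bytes, so odd input cannot raise.
    return hmac.compare_digest(expected.encode(), received.encode("utf-8"))


if __name__ == "__main__":
    url = build_url("Blaz3 & Co", 1000)  # constructed sample key with unsafe chars
    print(url)
    print("genuine :", verify(url))
    print("tampered:", verify(url.replace("score=1000", "score=9999")))
```

The hash only detects changes to the key or score; a captured URL can still be resent unchanged, so the server should also decide how to treat repeated submissions.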
In response to Lummox JR
I like that idea and my server does support md5. I'll get the code and all the other parameters that are being sent.

edit:

The info:
sec code: taken out| account: blaz3 | key: Blaz3 | score: 1000
A hack attempt has been done from 68.116.212.140 on Mon Mar 7 17:54:59 CST 2005. Key: Blaz3, Score: 1000

The sec codes are the same and everything seems right. I'll look through my code, use the md5 hashing and all and just look over my coding. Thanks anyways.