
Xiona KO - PK/Very light farm * Lvl 83 *

This is a discussion on Xiona KO - PK/Very light farm * Lvl 83 * within the Private Servers forums, part of the Knight Online (ko4life.com) category.

  1. #556
    Banned Senior Member
    Join Date
    Jan 2010
    Posts
    704

    Quote Originally Posted by Jonny View Post
    My point is that Warmonger's point was completely valid. You want to dispute and fight it, and act like it doesn't apply to you, because you have excuses. Sorry man, they're just excuses and pretty bad ones at that.

    Instead of sulking and trying to deflect, why don't you sit down and learn something? Knowledge is power and will enable you to contribute far more as time progresses and your experience grows.
    Ight, will do.

  2. #557
    Member
    Join Date
    Jan 2013
    Location
    Seattle, WA
    Posts
    15

    Quote Originally Posted by coolboyp2 View Post
    All of the current private servers "devs" are leechers and nothing more, they just know how to edit the database which is just changing numbers to be honest.
    This is the truth, these "devs" edit tbls, edit database tables, apply patches twostars has made for them.

    They leech a website (panel) written by somebody else (probably twostars') and configure it...

    There really is no reason for them to be called developers, at most they could be called operators? And even that is quite a stretch because whenever there's a problem they ask somebody else to fix it...

  3. #558
    Banned Senior Member
    Join Date
    Mar 2006
    Location
    Israel
    Posts
    2,943

    Jonny, re-launch LSKO please! those were some of the best days in the private servers scene

  4. #559
    Member
    Join Date
    Jan 2013
    Location
    Seattle, WA
    Posts
    15

    Quote Originally Posted by coolboyp2 View Post
    Jonny, re-launch LSKO please! those were some of the best days in the private servers scene
    Haha, thanks man, that means a lot to me. Once you've been around KO for as long as I was, there's a lot of pressure as an administrator. Always people complaining, and it gets super annoying.

    If I were to get involved again, things would be a little different :P.

  5. #560
    Banned Senior Member
    Join Date
    Dec 2009
    Location
    ::1
    Posts
    51

    Quote Originally Posted by twostars View Post
    Your responses are getting pretty hilarious now. If you knew anything about writing networking code (which, you don't -- as 'your' server is a cut down version of a popular open-source MUD server, tweaked to use the KO protocol), you'd realise how ludicrous you sound.

    Point #1: Winsock is just that, Windows sockets; obviously it's tied down to the Windows platform, without a serious rewrite.
    Point #2: "WSA functions" or no, the I/O completion port model is only used by Windows (or well, nothing exactly like it's found anywhere else -- [s]Solaris[/s] Slowaris (edit: pretend there's strikethrough, d'oh forums) is about as close as it gets). Other operating systems prefer alternate models, such as epoll (*nix) & kqueue (fbsd). (NOTE: I differentiated *BSD from regular old *nix!).
    Point #3: You just realised it was heavily tied to Windows? By Winsock? What about MFC!? That's extreme Windows.

    Regardless, although I only update that project infrequently, several major changes are in motion (some not yet pushed) to rework/stabilise their code. Removal of MFC is a priority, networking code rewrite also, but porting it to other operating systems -- highly doubtful (I can imagine it would only end badly for most users).

    In addition: why the strong love for PDO? Saw someone else pressing its use? PDO isn't a must. It's great and all, but it's not a must - probably its strongest argument for use is its emphasis on parameterization, but other drivers can handle that fine (even ODBC, in a limited form [i.e. no named parameters], which is still perfectly acceptable for use). The second strongest argument would be its use of exceptions, however exceptions are slow. For typical panel use, there's absolutely nothing wrong with raw odbc_*(), or mssql_*() functions. For larger applications sure, PDO is advisable.

    Not that any of that matters to you, or this thread. I just wish you'd try to at least start reading up on things before you start spouting nonsense... it may sound like magical flying unicorns to the typical poster here, but to the seasoned programmer all you're saying is BS. Troll elsewhere!
    Actually my source is written from scratch, I don't wish to base my source off someone else's. And I am using async BSD sockets for my project as they are cross platform capable (I explain in depth more below).

    Point #1: Winsock is windows sockets, not sure how I couldn't collaborate more on that point (Winsock).
    Point #2: WSA and the I/O completion port model is only used by Windows, if you use WSAsocket() instead of socket(), or WSAAsyncSelect() instead of select(), or WSASend() instead of send() and so on. On *nix we use a completely different model (my KO emu uses Berkeley sockets). This way I only have to tell the compiler to use "close(socket)" instead of "closesocket(socket)" if the OS is Windows, and vice versa for the rest of the functions for cross platform capability.

    select function (Windows)
    select(2) - Linux manual page

    Point #3: I just realized? No I knew it was tied down to Windows, as soon as I opened the source and looked at both the Send() and Recv() functions. It would take a huge effort for someone to rewrite the network base for the source for it to compile cross platform. Which isn't a big deal as Windows is a fine server OS, tho *nix is so much better (and much cheaper!).

    I like using PDO as it's superior to the standard PHP library, when writing any secure website in PHP. With PDO input can be sanitized way before it even hits the SQL server. Most of your popular sites such as Facebook and others are written in PDO. It's just a superior library and something worth learning and using (even death ported his public KO panel to PDO for this reason).

    PHP Code:
    //Snippet By Warmonger
    //Register The Account
    $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:user, :pass);");
    $dbh->bindParam(':user', $user, PDO::PARAM_STR, 12);
    $dbh->bindParam(':pass', $pass, PDO::PARAM_STR, 12);
    $dbh->execute();
    What I don't get is, you respond in a sense of trying to prove me wrong (and at the end of your argument told me I was wrong). Yet you only collaborated on top of what I already stated. I'm not wrong, and I don't need someone trying to tell me I'm wrong. I think the whole purpose of your post is to make out that I am wrong, but nowhere in it have you proven it. I am acceptable to input and opinions, but I don't understand the "you're right, and wrong at the same time" criticism.
    Last edited by Warmonger; 01-14-2013 at 05:33 AM.

  6. #561
    Senior Member
    Join Date
    Dec 2009
    Posts
    1,805

    Quote Originally Posted by Warmonger View Post
    What I don't get is, you respond in a sense of trying to prove me wrong (and at the end of your argument told me I was wrong). Yet you only collaborated on top of what I already stated. I'm not wrong, and I don't need someone trying to tell me I'm wrong. I think the whole purpose of your post is to make out that I am wrong, but nowhere in it have you proven it. I am acceptable to input and opinions, but I don't understand the "you're right, and wrong at the same time" criticism.
    You may need to brush up on your terminology and try to use it properly, as again, quite a bit of that post sounded quite ludicrous (see the top). This is all I'm trying to say: not that you're completely wrong, but not that you're completely right either (does that make more sense?).

    As for PDO, there is no silver bullet to secure your website, but knowledge, and more importantly, data validation help a lot. Yes: PDO is great for parameterization (as stated above), but its use alone still doesn't force application developers to write good, secure code (i.e. code which doesn't trust input at all). Yes, it allows the data to be passed directly to the server (as does your typical ODBC driver, and MSSQL, FYI), but despite that, application devs could still:
    - not make use of this feature (and have their query broken anyway) or
    - (as you haven't equally stressed upon) not validate input, causing unwanted and potentially abusable data in the database (leaving room for say, an XSS attack, or indirect SQL injection).

    I like PDO! I think it's neat, but implying it's a magical library that one can do no wrong with isn't the way to go to stress good programming habits, IMO. Also, as above, you can produce equally secure code using your typical drivers - so it's really not that huge a deal.

  7. #562
    Banned Senior Member
    Join Date
    Dec 2009
    Location
    ::1
    Posts
    51

    Quote Originally Posted by twostars View Post
    You may need to brush up on your terminology and try to use it properly, as again, quite a bit of that post sounded quite ludicrous (see the top). This is all I'm trying to say: not that you're completely wrong, but not that you're completely right either (does that make more sense?).

    As for PDO, there is no silver bullet to secure your website, but knowledge, and more importantly, data validation help a lot. Yes: PDO is great for parameterization (as stated above), but its use alone still doesn't force application developers to write good, secure code (i.e. code which doesn't trust input at all). Yes, it allows the data to be passed directly to the server (as does your typical ODBC driver, and MSSQL, FYI), but despite that, application devs could still:
    - not make use of this feature (and have their query broken anyway) or
    - (as you haven't equally stressed upon) not validate input, causing unwanted and potentially abusable data in the database (leaving room for say, an XSS attack, or indirect SQL injection).

    I like PDO! I think it's neat, but implying it's a magical library that one can do no wrong with isn't the way to go to stress good programming habits, IMO. Also, as above, you can produce equally secure code using your typical drivers - so it's really not that huge a deal.
    Of course it does rely heavily on the person writing the webpage, to know how to write it properly while minimizing attacks. Tho that's common sense with any type of language there is. All of us for that matter are just recipe writers, the compiler/interpreter is the real chef. Something like exampled below shouldn't be injectable (as you can parameterize your queries with PDO, removing the need to escape any included variables).

    PHP Code:
    //Post Variables
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    //Register The Account
    $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:user, :pass);");
    $dbh->bindParam(':user', $user, PDO::PARAM_STR, 12);
    $dbh->bindParam(':pass', $pass, PDO::PARAM_STR, 12);
    $dbh->execute();
    $return = $dbh->rowCount();

    //Code Snippet By Warmonger 
    Tho if you are like me and want to double make sure. You could always just add a function to sanitize your input like so (no way, shape, or form can this be injected).

    PHP Code:
    //Sanitize Input
    function anti_inject($input)
    {
        $input = preg_replace("/[^a-zA-Z0-9]/", "", $input);
        return $input;
    }

    //Post Variables
    $user = anti_inject($_POST['user']);
    $pass = anti_inject($_POST['pass']);

    //Register The Account
    $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:user, :pass);");
    $dbh->bindParam(':user', $user, PDO::PARAM_STR, 12);
    $dbh->bindParam(':pass', $pass, PDO::PARAM_STR, 12);
    $dbh->execute();
    $return = $dbh->rowCount();

    //Code Snippet By Warmonger 
    I highly recommend using PDO over PHP's standard library. Not only is it safer (if used properly) but it's also faster (plus porting the same code to another SQL server is easy). There is no "silver bullet" for web security, tho there are things like PDO there to help! Plus the code syntax is much more enjoyable on the eyes.
    Last edited by Warmonger; 01-13-2013 at 04:55 AM.

  8. #563
    Member
    Join Date
    Jan 2013
    Location
    Seattle, WA
    Posts
    15

    Quote Originally Posted by Warmonger View Post
    Of course it does rely heavily on the person writing the webpage, to know how to write it properly while minimizing attacks. Tho that's common sense with any type of language there is. All of us for that matter are just recipe writers, the compiler/interpreter is the real chef. Something like exampled below shouldn't be injectable (as PDO escapes on the fly).

    PHP Code:
    //Post Variables
    $user = $_POST['user'];
    $pass = $_POST['pass'];

    //Register The Account
    $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:user, :pass);");
    $dbh->execute(array(':user' => $user, ':pass' => $pass));
    $return = $dbh->rowCount();


    //Code Snippet By Warmonger 
    Tho if you are like me and want to double make sure. You could always just add a function to sanitize your input like so (no way, shape, or form can this be injected).

    PHP Code:
    //Sanitize Input
    function anti_inject($input)
    {
        $input = preg_replace("/[^a-zA-Z0-9]/", "", $input);
        return $input;
    }

    //Post Variables
    $user = anti_inject($_POST['user']);
    $pass = anti_inject($_POST['pass']);

    //Register The Account
    $dbh = $db->prepare("INSERT INTO bg_user (user_id,passwd) VALUES(:user, :pass);");
    $dbh->execute(array(':user' => $user, ':pass' => $pass));
    $return = $dbh->rowCount();

    //Code Snippet By Warmonger 
    I highly recommend using PDO over PHP's standard library. Not only is it safer (if used properly) but it's also faster (plus porting the same code to another SQL server is easy). There is no "silver bullet" for web security, tho there are things like PDO there to help! Plus the code syntax is much more enjoyable on the eyes.
    PDO most definitely does not escape input on the fly, that's outrageous. It uses parameterization to send parameter data separate from the query avoiding the possibility of an sql injection. Concatenating a string together using user input will still allow the query to be manipulated...
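
The distinction drawn in posts #561 and #563, as an added example that is not part of any post in this thread: binding sends values apart from the statement text and stores them unchanged, concatenation on the same PDO handle still breaks the query, and validation and output encoding remain separate steps. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for the panel's database, the `bg_user` columns and the length of 12 come from the snippets above, and the input values and `valid_user_id()` are constructed for illustration.

```php
<?php
// Added example. In-memory SQLite stands in for the panel's database;
// the inputs below are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bg_user (user_id TEXT, passwd TEXT)');

$user = "o'brien<b>";   // constructed: contains a quote and markup
$pass = "pw') --";      // constructed: contains SQL metacharacters

// 1. Parameterized insert: the values are bound, never spliced into the SQL text.
$stmt = $db->prepare('INSERT INTO bg_user (user_id, passwd) VALUES (:user, :pass)');
$stmt->execute([':user' => $user, ':pass' => $pass]);

// The stored row equals the input byte for byte: nothing was escaped or stripped.
$row = $db->query('SELECT user_id, passwd FROM bg_user')->fetch(PDO::FETCH_ASSOC);
var_dump($row['user_id'] === $user && $row['passwd'] === $pass);

// 2. Same PDO handle, statement built by concatenation: the quote in the
// input closes the string literal early and the statement fails to parse.
try {
    $db->exec("INSERT INTO bg_user (user_id, passwd) VALUES ('$user', '$pass')");
    echo "concatenated insert ran\n";
} catch (PDOException $e) {
    echo "concatenated insert failed: ", $e->getMessage(), "\n";
}

// 3. Validation is a separate step. Reject instead of silently rewriting,
// so the account is never created under a name the user did not type.
function valid_user_id(string $s): bool
{
    return preg_match('/\A[a-zA-Z0-9]{1,12}\z/', $s) === 1;
}
var_dump(valid_user_id($user), valid_user_id('Warrior01'));

// 4. Stored data is still untrusted when it is rendered: encode at output.
echo htmlspecialchars($row['user_id'], ENT_QUOTES, 'UTF-8'), "\n";
```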

  9. #564
    Banned Senior Member
    Join Date
    Dec 2009
    Location
    ::1
    Posts
    51

    Quote Originally Posted by Jonny View Post
    PDO most definitely does not escape input on the fly, that's outrageous. It uses parameterization to send parameter data separate from the query avoiding the possibility of an sql injection. Concatenating a string together using user input will still allow the query to be manipulated...
    My bad, fixed.

  10. #565
    slowthai Senior Member Decerto's Avatar
    Join Date
    Oct 2009
    Location
    Lunar Valley
    Posts
    2,180

    This Sunday, watch "Coding wars" on XionaKO. :P
    Rocket likes this.

  11. #566
    O_o Senior Member
    Join Date
    Oct 2011
    Posts
    1,579

    I wish I could understand something.... :X

  12. #567
    Banned Senior Member
    Join Date
    Jan 2010
    Posts
    704

    Free bumps is all it is...nothing to understand

  13. #568
    ℒℰℊℯиÐ Senior Member Oscar's Avatar
    Join Date
    Mar 2007
    Location
    Canada
    Posts
    603


  14. #569
    Banned Senior Member
    Join Date
    Aug 2012
    Posts
    1,090

    Why pick an argument with someone who clearly is more knowledgeable..

    XIONIS <3
    4YouNoHealStupiD likes this.

  15. #570
    slowthai Senior Member Decerto's Avatar
    Join Date
    Oct 2009
    Location
    Lunar Valley
    Posts
    2,180

    twostars and jonny might as well speak alien...like 10 posts and I couldn't understand shit.

