22 Jun 2008, 13:07, post #21
Phil^
Insomniac
Join Date: May 2003
Posts: 3,583
Re: Denial HCs Round 27

Quote:
Originally Posted by Mzyxptlk
Agreed. The previous eta never bug was also caused by a complete lack of server-side checking.
It sounds like a nasty pattern. I wonder what else isn't checked server-side.

Hint to whoever coded it.
When you receive a POST form for production orders (or indeed anything), you don't trust anything that is submitted.
You find out *yourself* from the database anything that is needed, such as the number of factories that the person has.
You check *yourself* from the database that there are enough resources to build the requested ships.
You check *yourself* to see if there are enough production slots.
You never ever ever accept verbatim anything that is sent from the client, and absolutely never ever ever ever ever assemble an SQL string directly from submitted data without doing checks on it, or you open yourself up to SQL injection attacks if not using prepared statements, which I doubt you are.
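The pattern Phil^ describes, worked through as an added example (this is not the game's code, and nothing is known about its real schema). It assumes Python with the standard sqlite3 module, a constructed `planets` / `ship_types` / `orders` schema with made-up sample rows, and a made-up rule of one production slot per factory. The handler takes the planet id from the session and the raw POST form as a dict of strings: the quantity is parsed strictly, the ship type is looked up, and factories, resources and free slots are read from the database rather than from the client. Any client-supplied "factories" or "cost" fields are simply ignored. `ship_cost_vulnerable` shows the string-assembled query the post warns about beside its parameterised replacement; the final UPDATE repeats the checks in its WHERE clause so that two orders racing on the same planet cannot both pass.

```python
import sqlite3

# Assumed game rule for this example: each factory provides one production slot.
SLOTS_PER_FACTORY = 1


def make_db():
    """Build an in-memory database with constructed sample data (not real game data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE planets (id INTEGER PRIMARY KEY, factories INTEGER,
                              metal INTEGER, slots_used INTEGER);
        CREATE TABLE ship_types (name TEXT PRIMARY KEY, metal_cost INTEGER);
        CREATE TABLE orders (planet_id INTEGER, ship TEXT, qty INTEGER);
    """)
    conn.executemany("INSERT INTO planets VALUES (?, ?, ?, ?)",
                     [(1, 5, 10000, 3), (2, 2, 500, 2)])
    conn.executemany("INSERT INTO ship_types VALUES (?, ?)",
                     [("fighter", 100), ("cruiser", 1500)])
    conn.commit()
    return conn


def ship_cost_vulnerable(conn, ship):
    """The anti-pattern: SQL assembled directly from the raw form value."""
    row = conn.execute(
        "SELECT metal_cost FROM ship_types WHERE name = '%s'" % ship).fetchone()
    return None if row is None else row[0]


def ship_cost_safe(conn, ship):
    """Parameterised query: the form value is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT metal_cost FROM ship_types WHERE name = ?", (ship,)).fetchone()
    return None if row is None else row[0]


def place_order(conn, planet_id, form):
    """
    Validate and record a production order.

    `planet_id` comes from the authenticated session; `form` is the raw POST
    body (a dict of strings) and nothing in it is trusted.
    Returns (True, total_cost) on success or (False, reason) on rejection.
    """
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return False, "quantity is not an integer"
    if qty <= 0:
        return False, "quantity must be positive"

    ship = form.get("ship", "")
    unit_cost = ship_cost_safe(conn, ship)
    if unit_cost is None:
        return False, "unknown ship type"
    total_cost = unit_cost * qty

    # Client-supplied 'factories', 'metal' or 'cost' fields are ignored;
    # the authoritative values come from the planets row.
    row = conn.execute(
        "SELECT factories, metal, slots_used FROM planets WHERE id = ?",
        (planet_id,)).fetchone()
    if row is None:
        return False, "unknown planet"
    factories, metal, slots_used = row
    slot_cap = factories * SLOTS_PER_FACTORY
    if total_cost > metal:
        return False, "not enough metal"
    if slots_used >= slot_cap:
        return False, "no free production slot"

    # Debit and record in one transaction. The WHERE clause repeats the
    # checks so that two concurrent orders cannot both pass on stale state;
    # a rowcount of 0 means nothing was changed and the order is refused.
    with conn:
        cur = conn.execute(
            "UPDATE planets SET metal = metal - ?, slots_used = slots_used + 1 "
            "WHERE id = ? AND metal >= ? AND slots_used < ?",
            (total_cost, planet_id, total_cost, slot_cap))
        if cur.rowcount != 1:
            return False, "state changed, retry"
        conn.execute("INSERT INTO orders VALUES (?, ?, ?)",
                     (planet_id, ship, qty))
    return True, total_cost
```

With the constructed data, a form carrying `factories=999` and `cost=0` still pays the database price for 3 fighters (300 metal) because those fields are never read, a negative or non-numeric quantity is refused before any query runs, and the ship name `x' OR '1'='1` returns a row from the string-assembled query but nothing from the parameterised one.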