New Member | Join Date: May 2008 | Posts: 14 | Credits: 1

Some of you may know about the ability for people to abuse such things as using two computers in concert to manipulate "checks" in PHP scripts. Something as simple as:

Code:
if ($if['money'] < $_REQUEST['amount']) {
    die('You do not have enough money to send this amount.');
}
How does one prevent this? There are complex and difficult ways to do this such as instituting a databased session which prevents someone from being logged in to the same account from two separate computers or two separate browsers for that matter at the same time. But suppose someone used a scripting program to submit two simultaneous page requests to the server using an AJAX script? Well, then you're dealing with someone that has a good level of knowledge and will be able to defeat your databased session security feature. What then? There is a way to craft your MySQL queries (or whatever db type you use) so that these things are rendered useless or perhaps you could even make it work to the player's detriment should they try it! Consider the query required to send money from one player to another, and I'll just put the query string, not the entire line of code.

Code:
update users set money = money - {$_REQUEST['amount']} where userid = $userid
update users set money = money + {$_REQUEST['amount']} where userid = {$_REQUEST['userid']}
The problem is in the second person's money being added in twice... Here's what you do:

Code:
// read the recipient's current balance
$q_cash = mysql_query("select money from users where userid = {$_REQUEST['userid']}", $c);
list($them_money) = mysql_fetch_array($q_cash);
// add the amount in PHP rather than in the SQL statement
$them_money += $_REQUEST['amount'];
// debit the sender, then write the recipient's new balance as an absolute value
mysql_query("update users set money = money - {$_REQUEST['amount']} where userid = $userid", $c);
mysql_query("update users set money = $them_money where userid = {$_REQUEST['userid']}", $c);
It's a small difference, but doing this will effectively negate the possibility of players being able to manipulate things like banks, and sending money.

It's a different question entirely when you're dealing with an item market and one player removes the item they listed, and another player buys it at the same time. What then? Your best bet at being able to prevent this, is to not even prevent it at all (this is about the best I can do without getting super complex and using buffers and crap like that to add in a delay time with cross checking the buffer for other requests and yadda yadda yadda, and all that jazz). What you want to do, is add in a field to your item market for "bought" or call it whatever. You could call it "count". Then, whenever an item is bought, or removed from the item market, don't delete the row!!! Just increment that column. Start it out at 0, and then when it's removed, it's set to 1, and if someone buys it at the same time, it's incremented to 2. This is the principle they use to bypass your checks for sending money, or pulling more money out of a bank than they have. You have to increment that counter in a mysql statement, NOT IN THE SCRIPT ITSELF.

If it's found that an item has a "count" column of more than 1, you know that item has been duplicated. Your item market buy log should note when people remove items and the primary key of the item in question. Then you can cross reference the primary key of the item market item with the two logs (since you'll have a log for each time the "count" column is incremented) in the market buy/remove log.

Enjoy
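As an added illustration from the editor (not code from the post above), the following Python/SQLite script replays the two-request race the post describes: the "check in the script, then write" pattern is run beside a version that moves the balance check into the UPDATE's own WHERE clause and reads the affected-row count. The `users` table, the single account with 100 credits and the two requests for 80 are constructed test data; a barrier forces both requests past the check before either one writes.

```python
import os
import sqlite3
import tempfile
import threading

START_BALANCE, AMOUNT = 100, 80  # constructed: 100 credits; two requests each try to send 80

def make_db():
    """Throwaway SQLite file holding the single constructed users row."""
    path = os.path.join(tempfile.mkdtemp(), "game.db")
    with sqlite3.connect(path) as c:
        c.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER NOT NULL)")
        c.execute("INSERT INTO users VALUES (1, ?)", (START_BALANCE,))
    return path

def transfer_check_in_script(path, gate):
    """The post's pattern: SELECT, compare in the script, then UPDATE. The check
    and the write are separate statements, so a second request fits between them."""
    c = sqlite3.connect(path, isolation_level=None)  # autocommit, like mysql_query()
    (money,) = c.execute("SELECT money FROM users WHERE userid = 1").fetchone()
    if money < AMOUNT:
        return False  # "You do not have enough money"
    gate.wait()  # both requests have passed the check before either one writes
    c.execute("UPDATE users SET money = money - ? WHERE userid = 1", (AMOUNT,))
    return True

def transfer_check_in_sql(path, gate):
    """Hardened form: the balance test is part of the UPDATE's WHERE clause, so the
    database applies check and debit atomically; rowcount says whether it happened."""
    c = sqlite3.connect(path, isolation_level=None)
    gate.wait()
    cur = c.execute("UPDATE users SET money = money - ? WHERE userid = 1 AND money >= ?",
                    (AMOUNT, AMOUNT))
    return cur.rowcount == 1  # 0 rows touched means the debit was refused

def race(transfer):
    """Run two requests concurrently; return (final balance, accepted transfers)."""
    path, gate, results = make_db(), threading.Barrier(2, timeout=10), []
    threads = [threading.Thread(target=lambda: results.append(transfer(path, gate)))
               for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with sqlite3.connect(path) as c:
        (final,) = c.execute("SELECT money FROM users WHERE userid = 1").fetchone()
    return final, sum(results)

if __name__ == "__main__":
    print(race(transfer_check_in_script), race(transfer_check_in_sql))  # (-60, 2) (20, 1)
```

The first pair shows the double spend (balance driven to -60 with both transfers accepted); the second shows the conditional UPDATE letting exactly one through, which is the same idea as the post's advice to increment the market "count" column inside the SQL statement rather than in the script.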