Help needed for dropcalc testing.

Post by **msknight** » Tue Sep 05, 2006 11:44 am

law wrote:hm i dont know if this nesting stuff afflects the result.
I try this this evening

Apparently I've used the count(*) code in a good number of places. dbutils, delete, givegm, statistics and checkdb. Looks like I've got a busy night ahead of me.

law · Post by **law** » Tue Sep 05, 2006 11:49 am

msknight you can change the php.ini values for the local session if php is not in save mode

Post by **msknight** » Tue Sep 05, 2006 12:05 pm

law wrote:msknight you can change the php.ini values for the local session if php is not in save mode

Ah. That could be handy ... in the long run I will still need to change the code, though, as it looks like they will stop supporting that method, probably with PHP 6. How do I change that value for the local session?

In the mean time, I have corrected the code in all but, "dbutils," and I will do that tonight and upload the fully corrected version, (except the telnet fix) when I get home from work.

If you spot anything else, please let me know.

law · Post by **law** » Tue Sep 05, 2006 12:41 pm

Here is a short tutorial for you.

Thereâ€™s only one function for setting an option and it is ini_set() it is also aliased as ini_alter(). There is also a function that restores the original value and it is ini_restore().

How to use these:

Code: Select all

ini_set('display_errors', false);
ini_set('arg_separator.input', ';');
...
ini_restore('display_errors');

Note: in the first call to ini_set() you can also use any type of variable it will be converted to boolean before setting the option.

Paul_Atrides · Post by **Paul_Atrides** » Tue Sep 05, 2006 1:11 pm

thx its work.

The small request to make so that the name of an account, and position on a map was not visible at a level of access 0.

Post by **msknight** » Tue Sep 05, 2006 1:37 pm

Paul_Atrides wrote:thx its work.

The small request to make so that the name of an account, and position on a map was not visible at a level of access 0.

Cool. Many thanks Law. I'll build that in when I get back. I presume that should go in the common, presumably at the start of the wrap_main ? Or does it need to be at the very start of every script that uses telnet?

Paul, I am having trouble understanding your request. Would you be kind enough to re-word it for me please.

law · Post by **law** » Tue Sep 05, 2006 1:40 pm

This needs to be done at the start of a each file in which you want to use a function that needs altered php settings.

Maybe you try to catch if php is in safe_mode cause when its in safe mod you will get an error which causes that the script dies.

Paul_Atrides · Post by **Paul_Atrides** » Tue Sep 05, 2006 2:11 pm

This uzers not GM and Admins, and this users should not see info or Accaunt name and position characters on maps.

Post by **msknight** » Tue Sep 05, 2006 2:39 pm

Paul_Atrides wrote: This uzers not GM and Admins, and this users should not see info or Accaunt name and position characters on maps.

This was originally done so that players could identify trouble players more easily. That way, players can fend for themselves when there are no GM's around.

Eg. player A uses character 1 and causes trouble. Everyone knows character 1 is bad. Player A then re-logs as character 2 - no one knows it is the same person, unless they can see the account information.

eg. Player A creates character 1. They cause trouble, then delete character 1 and create character 2. If people can only complain against the character, then how can the GM track the person who is causing the trouble? The character info is gone!

With the account showing, people can complain about an account - much quicker than complaining about a character which could have been deleted.

You are the second person to ask, however, so I will think how to do it, as it does make the "account search" quite difficult. Also, "Welcome <account>" is the users own account. Why should this be hidden?

Why do you say that normal players should not see which characters belong to which account? Why is this important to you?

Paul_Atrides · Post by **Paul_Atrides** » Tue Sep 05, 2006 2:58 pm

Yes but so can and steal accounts because knowing the name accounts it already 80 % of success.

law · Post by **law** » Tue Sep 05, 2006 3:15 pm

edit: please stop using google translator ^^

how you can steal the account when you only know the account name ?

If someone is so stupid to use a password which is the same as there login name its the users fault.

Also on my system i build a gameserver - website bridge. That means that the login info (acc name and pass) for the gameserver and the website is the same.

I dont think that this is a problem, and if you dont want that normal users can see thoose infos then just customize the dropcalc in that way.

If you are not able to do this , ask msknight and maybe she / he Â¿? does it for money ^^

Post by **msknight** » Tue Sep 05, 2006 3:30 pm

Paul_Atrides wrote:Yes but so can and steal accounts because knowing the name accounts it already 80 % of success.

I would argue the 80% rating, but I take your point.

I think the real place for account security is with the logon server - lock an account after (x) failed logons, or freeze it for (x) minutes and flag the failure in the logon error file. If it concerns you that much, I would suggest opening a ticket on the server board. Regular watching of the errors should show hacking taking place.

The drop calc does allow users to change their account passwords, so players can be encouraged to change their password regularly.

I will make an option to hide the account names ... but it will take a few days as I will be on holiday soon.

Post by **msknight** » Tue Sep 05, 2006 3:39 pm

law wrote: how you can steal the account when you only know the account name ?

I understand what Pauls concerns are. When I was young (15+ years ago) I used to be a hacker. Once an account name is known, then an automated process can try repeated passwords.

It is up to the logon server to place restrictions on wrong attempts. A five minute lockout after five wrong attempts does put a significant spoke in the wheels of an automated hacking system; long enough for an admin to see the logs ... but even then ... what action can be taken? Only firewall the IP of the hacker, who is usually using a forged/hijacked IP anyway.

There isn't really too much that can be done against someone wanting to hack an L2J game account. Knowing an account name is a good start, but it is only the begining.

Yes, I will code what he asks for ... it will restrict the drop calc quite a lot, but it is then up to those who want to use it.

Paul_Atrides · Post by **Paul_Atrides** » Tue Sep 05, 2006 3:47 pm

Thanks

Post by **msknight** » Tue Sep 05, 2006 3:55 pm

Paul_Atrides wrote:Thanks

You're welcome.

I have to admit, however, difficulty in believing that a L2J gameserver is a valid hacker target. I have found the actual hosting server itself to be more commonly the target of attack.

Have you expreience of serious hacking, and if so, what damage have they done? I would be very interested to learn.

Michelle.