Hi there,

three friends of mine have lately released a great indie game called Jaques Roque. While the name of this puzzle game is a little hard to spell, the game has a very nice appeal with 100 handmade compelling levels of pure fun.

Stockpile your …

Continue reading »]]>

Hi there,

three friends of mine have lately released a great indie game called Jaques Roque.
While the name of this puzzle game is a little hard to spell, the game has a very nice appeal with 100 handmade compelling levels of pure fun.

Stockpile your treasure while experiencing tombs of the great pharaos and the mystic islands of Atlantis. Try the demo at the official website! (and please buy the game if you like it )

Share/Bookmark

The Rough Sea Games team wishes you a Happy Halloween 2009!

When I am surfing, I often see websites that have big security leaks in the communication between Server and Client. I know to avoid this, and will describe it here.

The most common way for a web server and client to communication is through HTTP Variables. This …

Continue reading »]]>

When I am surfing, I often see websites that have big security leaks in the communication between Server and Client. I know to avoid this, and will describe it here.

The most common way for a web server and client to communication is through HTTP Variables. This means that values are stored in the URL (GET) or in the header of the request (POST).
I will give an example for a GET parameter: news.php?id=4. The GET variable “id” has the value 4. This is not a random example; I deliberately used one with the keyword ID.
Databases usually identify records through a number. If a new data record is added, the number is incremented.
If you change the value of the variable “id” to 3 or 2, the website will display the contents of the article with the id 3 or 2. Many websites are built in this way. This is a small security leak and not really dangerous. But think about a message system or a community where somebody can read the messages of another. This would be a really delicate issue. Luckily, it can be avoided in several ways.

Modifying the GET or POST data of an http request can also cause a issue called SQL injection. Hackers can concatenate your variable with an SQL query, executing the query when the request is sent. For example, they could change the GET parameter to “site.php?id=3; DROP DATABASE mydatabase”. Boing! Data is gone.

Here are some tips to avoid this problems:

1. Newer database systems support GUIDs (global unique identifiers). These are 128 bit keys, and hence “more unique” as an id. They can be generated simply by counting, beginning with 000000-000000-00000… . But the big size of the data type will increase the size of your database.
2. Create a user which only has read privileges. Web pages often only need to output data, not to modify it.
3. Have your code validate http vars before using them. Checking string or enum values will increase the source code size, so use a checksum for this. A lot of server side application languages support some kind of checksum function, like a MD5 hash. This works as follows: create a keyword, like “MM3banana13″. Now take your variables id, id2 and id3 and concatenate them with the keyword as prefix or suffix (note that the order is important). Use this string to generate the md5. The destination site receives the GET variables “id”,”id2″,”id3″ and “check” which includes the generated hash. The destination site now also concatenates the id’ s and the keyword in the same way. After that the destination site compares the generated and the received hash. If the data was modified the generated hash will differ. You can improve security by changing the keyword every day. This is a established method for communication with an e-payment service.
4. Use SSL connections for sensitive data. This will keep your data private and inaccessible to third parties.

I think these four things will help to keep a website secure (on the software side).

The basic idea is to expect data that you don’t expect.

Share/Bookmark

Hello! I am a programmer from Augsburg (Germany). I have worked in the software industry since 1998. My knowledge includes several programming language like C#, C++, Visual Basic, and Delphi. I have a lot of experience in PHP, ASP, JS, CSS, HTML and several other web technologies. I …

Continue reading »]]>

Hello! I am a programmer from Augsburg (Germany). I have worked in the software industry since 1998. My knowledge includes several programming language like C#, C++, Visual Basic, and Delphi. I have a lot of experience in PHP, ASP, JS, CSS, HTML and several other web technologies. I also have experience in creating company websites, e-commerce/e-payment systems, Web security, handling huge data masses and optimizing databases.

Beside my job as C#/database programmer in a financial management company, I am very interested in computer games. Most of my free time was, is and will be invested in playing and creating computer games. I worked for one year in a game studio in Darmstadt, and learned a lot about game programming. I learned how to create well-though-out, consistent, reusable, secure and efficient code. Currently, I am developing a commercial casual game in my free time with a small team. We want to release it this year.

Share/Bookmark