Tibia Auction Market [BETA] - Looking for testers

**Furpan** · 10-16-2014, 03:01 AM

Originally Posted by DarkstaR

Regardless, it is bad. You are storing world names as a string field in inventory item, which is inefficient. There should be a table of world names with an integer primary key that is used to reference them from the inventory table.

Also, the BETA panel may just be BETA, but if there is a way for users to select what world their item is on, the flaw will always exist (given your current database structure).

True, fixed that

**DarkstaR** · 10-16-2014, 05:17 PM

Originally Posted by Furpan

True, fixed that

Why can I still use the world name "Balls", then?

My original proposal meant the worlds table should be read-only. The values in your drop-down should be like 1-n, where 1 is AMERA and n is the last world in the list. Your worlds table should look something like this:

Code:

id PRIMARY KEY | name
1              | Amera
2              | Antica
...            | ...
n              | Zanera

The query should look something like this

Code:

SELECT * FROM auctions LEFT JOIN worlds ON auctions.worldId = worlds.id WHERE worlds.name NOT NULL and (whatever other criteria here)

There are 2 major reason to do this:

It reduces your possible attack surface by reducing the amount of data users are allowed to place raw inside your database.
It makes the database more space-efficient, as there will not be duplicate strings for world names all over the place.

**DarkstaR** · 10-16-2014, 05:26 PM

9. I'm worried about the in-browser pagination. What happens when finished auctions becomes 10k+ auctions? Storing 1000 pages in the browser will be essentially DoSing the end-user's browser.

**DarkstaR** · 10-16-2014, 05:34 PM

10. I'm not sure what your database structure is, but you should, first and foremost, be hashing and salting passwords that are stored. I've done some timing attacks that show you're _probably_ not doing this. The reason you want to do this is that, in case your database every does get compromised, the hackers wont have direct access to the plain-text passwords of your users. Instead, they'll have to brute-force the hashes.

https://crackstation.net/hashing-security.htm
http://php.net/manual/en/faq.passwords.php
http://www.sitepoint.com/hashing-pas...d-hashing-api/

**Kociii** · 10-16-2014, 05:43 PM

@DarkstaR, you got alot of fun dont you?

**DarkstaR** · 10-16-2014, 05:45 PM

Originally Posted by Kociii

@DarkstaR, you got alot of fun dont you?

i like to break things geeezz

**Kociii** · 10-16-2014, 05:50 PM

Originally Posted by DarkstaR

i like to break things geeezz

Haha xD

**DarkstaR** · 10-16-2014, 06:17 PM

Originally Posted by DarkstaR

9. I'm worried about the in-browser pagination. What happens when finished auctions becomes 10k+ auctions? Storing 1000 pages in the browser will be essentially DoSing the end-user's browser.

Case and point: http://www.tibiatracker.com/deletions

This site uses the same table library as you and the same pagination. It take ~21 seconds to load just because it needs to pull that shitload of data down and fill the DOM before displaying anything.

**~~Pinnicle~~** · 10-17-2014, 05:00 PM

I was going to try to break something but I think Nick has it covered.

**Furpan** · 10-17-2014, 06:17 PM

Originally Posted by Pinnicle

I was going to try to break something but I think Nick has it covered.

I really appreciate that he broke the site, it helps me fix the flaws :] Keep on trying if you have the time
I'll try some versions of pagination so it might throw off some errors from time to time

User Tag List

Thread: Tibia Auction Market [BETA] - Looking for testers

Thread Tools

Display

Posting Permissions