Difference between revisions of "Talk:LlGetMyAccountBalance"

From Second Life Wiki
Jump to: navigation, search
(Security issues from scripts within vendor machines etc.)
 
Line 10: Line 10:
  
 
:Perhaps the functionality of such a script command could be limited to the balance of the person owning the script? That way, creators of scripted objects could use the functionality in products, but when testing they could only see their own balance, and when they sold copies of the product, the new owners would only be able to see their own balance in whatever the script was doing. This then does allow a vendor object to verify that a purchaser has paid the correct amount of money by comparing the vendor owner's balance before and after a transaction, while still preventing the owner of a script from accessing information about anyone else's balance. --[[User:Reynard_Baroque|<span style="background:red;">&nbsp;&nbsp;</span><span style="color:red"> <b>&yen;</b> </span><span style="background:red;">&nbsp;&nbsp;</span><span style="color:gold;background:navy;">&nbsp;<b>Reynard</b>&nbsp;</span>]] 21:17, 8 April 2011 (PDT)
 
:Perhaps the functionality of such a script command could be limited to the balance of the person owning the script? That way, creators of scripted objects could use the functionality in products, but when testing they could only see their own balance, and when they sold copies of the product, the new owners would only be able to see their own balance in whatever the script was doing. This then does allow a vendor object to verify that a purchaser has paid the correct amount of money by comparing the vendor owner's balance before and after a transaction, while still preventing the owner of a script from accessing information about anyone else's balance. --[[User:Reynard_Baroque|<span style="background:red;">&nbsp;&nbsp;</span><span style="color:red"> <b>&yen;</b> </span><span style="background:red;">&nbsp;&nbsp;</span><span style="color:gold;background:navy;">&nbsp;<b>Reynard</b>&nbsp;</span>]] 21:17, 8 April 2011 (PDT)
 +
::But there's nothing to stop an unscrupulous creator of vendor software from having the script check the balance of the script's new owner and then IM the creator, who has hard-coded his uuid in the script, with this information, though. 
 +
::I don't really see why comparing my balance before and after someone buys something from my vendor is a more reliable way of verifying I've been paid the right amount than is checking if (amount == price) in the money event.  And, while I can see how the script knows to call llGetMyAccountBalance when someone pays the vendor and the money event fires, I'm not sure how it knows to check my balance just before I'm paid, which it would have to do if I am to compare the two amounts. [[User:Innula Zenovka|Innula Zenovka]] 18:20, 9 April 2011 (PDT)

Latest revision as of 18:20, 9 April 2011

Name of Function

Maybe, to match the current nomenclature of LSL, this should be called "llGetOwnerAccountBalance" or "llGetOwnerMoney"
Cron Stardust 14:25, 21 March 2007 (PDT)

Possible security issues

I just noted that with this function it would be possible to detect when the owner paid money to another person/object or received funds by recording the current amount of money, then testing again after a period of time and comparing the values. This would allow a malicious script to siphon money away from the owner to another player slowly and at each transaction so as to hide traces of it's activity.
Cron Stardust 14:25, 21 March 2007 (PDT)

Security issues from scripts within vendor machines etc.

Such functionality will bring new security issues. Vendor software, which is often not editable by customers using them, might contain spyware functionality to spray account balance information around in SL and into the internet. This is a seriuos issue related to privacy!

Perhaps the functionality of such a script command could be limited to the balance of the person owning the script? That way, creators of scripted objects could use the functionality in products, but when testing they could only see their own balance, and when they sold copies of the product, the new owners would only be able to see their own balance in whatever the script was doing. This then does allow a vendor object to verify that a purchaser has paid the correct amount of money by comparing the vendor owner's balance before and after a transaction, while still preventing the owner of a script from accessing information about anyone else's balance. --   ¥    Reynard  21:17, 8 April 2011 (PDT)
But there's nothing to stop an unscrupulous creator of vendor software from having the script check the balance of the script's new owner and then IM the creator, who has hard-coded his uuid in the script, with this information, though.
I don't really see why comparing my balance before and after someone buys something from my vendor is a more reliable way of verifying I've been paid the right amount than is checking if (amount == price) in the money event. And, while I can see how the script knows to call llGetMyAccountBalance when someone pays the vendor and the money event fires, I'm not sure how it knows to check my balance just before I'm paid, which it would have to do if I am to compare the two amounts. Innula Zenovka 18:20, 9 April 2011 (PDT)