MakeWebGames

DougK

Members
  • Posts

    27
  • Joined

  • Last visited

Everything posted by DougK

  1. I saw that Zend is based on the PDT platform for Eclipse. I haven't played around with it yet though. Crimson Editor has served me well for PHP. In fact, the question I posted had nothing to do with PHP or even programming really.....rather fixing a data file that had too many decimals for a program to handle.
  2. This is a site for sharing knowledge, though I will admit there are some that seem to lord what they know over those who are still learning. Everyone has to start somewhere. Semicolons can be killers. I don't feel ashamed admitting that I sometimes make the same mistake, whether by forgetting a semicolon or by using a directive that is used by the proprietary code of my company's software. FYI, by adding whitespace, that error became readily apparent. Glad to help.
  3. I REALLY don't like the idea of pushing every bit of input you get through a filter and thinking it is good enough. First of all, there may be some cases where you want to be able to use certain characters that would be escaped otherwise. Second, this wouldn't prevent some of the other exploits that are out there. Third, this doesn't in any way verify the input. It is MUCH better, IMO, to check each input as you get it and to sanitize it as needed on an individual basis.

     Consider the following... You are using this script to "secure" your site. You don't verify the inputs for preferences.php because you think this "magic script" handles all of that for you and your game is now secure. A malicious user changes their display pic to http://www.yoursite.com/logout.php. Now anyone looking at this user's profile is logged out of your game. This script wouldn't prevent that.

     Likewise, if you have a script that uses a posted variable that expects an integer, and you don't verify that the integer entered is valid, you can run into problems. Consider the following... attack.php sends the weapon you will use (using the item id) in a post variable. You have a super-weapon that is item id 99. A malicious user with no weapons intercepts the post data before it is sent to the server and changes this weapon variable to 99. You don't check the input because you assume this magic script is keeping everything safe. Now this user is attacking with a weapon they don't actually own.

     In the former case, I would at the very least make sure that the input matched a regular expression that ensured that the value was an acceptable image file, and not a script with a query string ending in what looks like an image filename. (http://www.imageshack.us/blahblah/blah.jpg would be OK, but http://www.imageshack.us/blahblahblah/maliciousscript.php?fakeval=blah.jpg would fail.) In the latter, I would verify that the user does have the item in question before continuing, and punish anyone that doesn't have the item.
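The two checks the post above describes, per-field validation of a display-picture URL and a server-side ownership check on the posted weapon id, as an added example that is not code from the original post. The function names, the inventory array standing in for the inventory table, and the sample inputs are assumptions made up for illustration.

```php
<?php
// Added example (not from the original post): validate each input on its own
// terms instead of relying on one global filter.  Function names and the
// $inventory array (a stand-in for the inventory table) are assumptions.

// Accept only http(s) URLs with no query string, no credentials, and a path
// that ends in an image extension, so "maliciousscript.php?fakeval=blah.jpg"
// is rejected while "http://www.imageshack.us/blahblah/blah.jpg" is accepted.
function is_valid_image_url(string $url): bool
{
    if (strlen($url) > 255 || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($url);
    if (!in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['query']) || isset($parts['fragment']) || isset($parts['user'])) {
        return false;
    }
    $path = $parts['path'] ?? '';
    // A script anywhere in the path (logout.php/fake.jpg) is rejected too, not
    // just one in the last segment.
    if (stripos($path, '.php') !== false) {
        return false;
    }
    // The extension check is on the path only, so a query string cannot fake it.
    return (bool) preg_match('/\.(jpe?g|png|gif)$/i', $path);
}

// The weapon id arrives as a POST string.  Require a positive integer, then
// confirm the user actually owns that item before it is used in the attack.
function resolve_weapon($posted, int $userid, array $inventory): ?int
{
    $itemid = filter_var($posted, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($itemid === false) {
        return null;                 // not an integer at all: reject, do not cast
    }
    $owned = $inventory[$userid] ?? [];
    return in_array($itemid, $owned, true) ? $itemid : null;
}

// Constructed sample data: user 7 owns items 3 and 12; user 8 owns the super-weapon 99.
$inventory = [7 => [3, 12], 8 => [99]];

var_dump(is_valid_image_url('http://www.imageshack.us/blahblah/blah.jpg'));                                   // a plain image URL
var_dump(is_valid_image_url('http://www.imageshack.us/blahblahblah/maliciousscript.php?fakeval=blah.jpg'));   // script disguised by a query string
var_dump(is_valid_image_url('http://www.yoursite.com/logout.php/fake.jpg'));                                  // script disguised by path info
var_dump(resolve_weapon('99', 7, $inventory));      // user 7 does not own 99
var_dump(resolve_weapon('12', 7, $inventory));      // user 7 owns 12
var_dump(resolve_weapon('12abc', 7, $inventory));   // "12abc" is not an integer
```

Checking the extension keeps scripts out of the image slot, but a remote host can still answer a `.jpg` path with a redirect; making logout.php require a POST with a per-session token rather than a GET closes that side regardless of what the profile filter accepts. The ownership check belongs in attack.php itself, on every request, because the client-side form is the one thing the player fully controls.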
  4. I wouldn't consider any thread where someone comes away saying they learned something a failure. What someone who is looking to start their own game would get from a thread like this is the knowledge that you can't rely on a single method to ensure a user has the proper permissions to perform privileged functions. Multiple-point authentication is one method. Cross-checking is another. Either way, ensuring that someone cannot get into an area of your game (or any web app) that they shouldn't is a good idea.
  5. YUCK! First of all, I would suggest making better use of whitespace. Cramming everything together does NOT make it run any faster. Here is a copy of your first snippet with additional whitespace:

         if ($odata['hp'] <= 0) {
             $odata['hp'] = 0;
             $_SESSION['attackwon'] = $_GET['ID'];
             $db->query("UPDATE users SET hp=0 WHERE userid={$_GET['ID']}");
             print "
                 [b]What do you want to do with {$odata['username']} now?[/b]
                 <form action='attackwon.php?ID={$_GET['ID']}' method='post'>
                     <input type='submit' STYLE='color: white; background-color: red;' value='Mug Them' />
                 </form>
                 <form action='attackbeat.php?ID={$_GET['ID']}' method='post'>
                     <input type='submit' STYLE='color: white; background-color: green;' value='Hospitalize Them' />
                 </form>
                 <form action='attacktake.php?ID={$_GET['ID']}' method='post'>
                     <input type='submit' STYLE='color: black; background-color: white;' value='Leave Them' />
                 </form>
                 NB: If you do not choose any of the options above you lose all your EXP points!
                 If you and the enemy beaten are on the same battle ladder, mug them to get points added to the ladder table!";

     See how much easier that is to read? Now, on to the actual problem. You have a semicolon after your second else:

         } else if ($odata['hp'] <= 0 and ($youdata['strength'] + $youdata['guard'] + $youdata['agility']) < ($youdata['level'] * 60000)); // <== Here is your problem

     Get that out of there. PHP does accept inline conditionals, so you could have

         if ($var == 1) print "$var is one.";

     or

         if ($var == 1) { print "$var is one."; }

     and both are valid.
  6. All the votes for Zend Studio... too bad it's a paid IDE. So far, the editors mentioned that I am aware of (Crimson and N++) use the Scintilla regex engine, which is a little more restricted than the full specs. Vim is a little more comprehensive, but they changed some of the notation. All 3 were able to do what I was after with just a little bit of digging. It's kind of frustrating when a regex you know is correct isn't quite right in a different program.
  7. vim does have regex search to a degree, but it is a limited set, or it requires special notation. (I'm still learning how to use it and I've been using it for 3 years now! :p) It could find a digit, followed by a decimal point, followed by a digit (/\d\.\d), or any literal combination of (/\d\d\.\d\d\d\d), but when I tried looking for 1 or more digits (/\d*) it always found the next character. It is entirely possible that I did something wrong and gvim could do what I was after. I do know it can replace with a backreference. The same is true of Crimson Editor and Notepad++: both could find the pattern I was after if I kept it literal, but when I added the bits to make it variable, the search failed. I am not sure if either of them allows a backreference replacement either. I will have to look into Zend IDE, considering 2 people have already mentioned it. PS... here's a fun vim command: g/^/m0 :p Anyone else have any other good text editors they use?
  8. Do you not have the paypal details from when you bought? You should be able to get whatever information you need to pursue legal action through them. You should also be able to go through the registrar, even if the domain was registered privately. (Which I see it is) Private registration is not intended to prevent legal action against the registrant, but to keep your name off of publicly searchable records. As for MCC posting information.....chances are they have been advised not to by their own legal counsel. There are a number of ways them posting any information can come back and bite them in the ass. I wouldn't expect MCC to post up anything until after their day in court is over, if at all. Keep in mind, they were able to track Ravan down, there is no reason you can't do the same.
  9. Cool, I will have to keep an eye open for when it comes back up.
  10. I'm curious as to what you all use for editing text. Currently, I use Crimson (Emerald) Editor, Notepad++ and GVim, depending on what I am working with. Crimson is the most common choice though. Has anyone come across a really good editor with full regex support? For example, I would like to search for (\d*\.\d{0,8})(\d*) and replace it with the first group (or \1). (For those of you unfamiliar with regex, this would truncate any numbers within the file to 8 decimals.) I was able to do what I was after with a couple of other tools, but a single tool would be preferable.
  11. Your demo isn't working. I'm certainly interested as jQuery is one of the frameworks I've got on my list to look into for building a from-the-scratch game....
  12. Here is what I would use... (Note, this is set up for V1, but it should be simple enough to convert.) First, a global function:

         function admincheck()
         {
             // Check to see if this admin user has authenticated themselves. (Change the string for increased security)
             if ($_SESSION['ADMIN_AUTH'] != md5("Verified")) {
                 $attemptedURL = get_url();                   // Get the URL of the page this function came from
                 $_SESSION['ContinueToURL'] = $attemptedURL;  // Save the attempted URL in a session variable
                 header("Location: adminauth.php");           // Redirect to secondary authentication page
                 exit;
             }
         }

         // A couple additional functions...
         function cheat_punish_msg_admin($jailmins, $feddays, $adminmessage, $connection)
         {
             // This function punishes a cheat attempt with a variable number of city or fed jail days
             // as well as sends a message to the admin.
             // Inputs: Regular Jail minutes, Federal Jail days, Message to the admin, and Connection string (Usually $c)
             // Outputs: None
             global $ir, $c, $userid;
             if ($feddays > 0) {
                 mysql_query("UPDATE users SET will=0, energy=0, brave=0, hp=0, jail=$jailmins, jailreason='Auto-Jailed by the System', fedjail=1 WHERE userid=$userid", $connection);
                 mysql_query("INSERT INTO fedjail (fed_userid, fed_days, fed_jailedby, fed_reason) VALUES ($userid, $feddays, 0, 'Auto-Jailed by the SYSTEM')", $connection);
             } else {
                 mysql_query("UPDATE users SET will=0, energy=0, brave=0, hp=0, jail=$jailmins, jailreason='Auto-Jailed by the System' WHERE userid=$userid", $connection);
             }
             // Notify every admin-level user
             $a = mysql_query("SELECT * FROM users WHERE user_level=2", $connection);
             while ($ad = mysql_fetch_array($a)) {
                 event_add($ad['userid'], $adminmessage, $connection);
             }
         }

         // This function gets the current full URL of the page it is called from
         function get_url()
         {
             //===============================================================
             // Get URL Function:
             // This function simply returns the full URL of the page it is
             // called from.
             // Inputs: None   Outputs: String containing URL
             // Usage: $var = get_url();
             // Note: HTTP_HOST and QUERY_STRING are supplied by the client,
             // so treat the result as untrusted when logging or displaying it.
             //===============================================================
             $url = 'http';
             if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
                 $url .= 's';
             }
             $url .= '://';
             if ($_SERVER['SERVER_PORT'] != '80') {
                 $url .= $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['SCRIPT_NAME'];
             } else {
                 $url .= $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];
             }
             if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != '') {
                 $url .= '?' . $_SERVER['QUERY_STRING'];
             }
             $_SERVER['FULL_URL'] = $url;
             return $url;
         }

     Now, make a new page called adminauth:

         <?php
         session_start();
         require "global_func.php";
         if ($_SESSION['loggedin'] == 0) {
             header("Location: login.php");
             exit;
         }
         $userid = $_SESSION['userid'];
         require "header.php";
         $h = new headers;
         $h->startheaders();
         include "mysql.php";
         global $c;
         $is = mysql_query("SELECT u.*,us.* FROM users u LEFT JOIN userstats us ON u.userid=us.userid WHERE u.userid=$userid", $c) or die(mysql_error());
         $ir = mysql_fetch_array($is);
         check_level();
         $fm = money_formatter($ir['money']);
         $cm = money_formatter($ir['crystals'], '');
         $lv = date('F j, Y, g:i a', $ir['laston']);
         $h->userdata($ir, $lv, $fm, $cm);
         $h->menuarea();
         if (isset($_POST['CurrPass']) && $_POST['CurrPass'] != '') {
             // Verify that the current password is correct, this user is an admin user,
             // and the shared security token matches
             if ((md5($_POST['CurrPass']) == $ir['userpass']) && ($ir['user_level'] > 1) && ($_POST['SecurityToken'] == "SomeSharedPassword")) {
                 // Admin access granted
                 $_SESSION['ADMIN_AUTH'] = md5("Verified"); // Must match the global function
                 print "<center><font color=green><h3>Access Granted</h3></font> [url='{$_SESSION['ContinueToURL']}']Continue[/url]</center>";
             } else {
                 // Access Denied. Send a message to admins.
                 $_SESSION['ADMIN_AUTH'] = "DENIED";
                 print "<center><font color=red><big><big><big><big><big>Access Denied!</big></big></big></big></big></font> Admins have been notified of this attempt.</center>";
                 $adminmsg = "[url='viewuser.php?u={$userid}']{$ir['username']}[{$userid}][/url] Attempted to authenticate themselves as staff with improper credentials.";
                 cheat_punish_msg_admin(10000, 0, $adminmsg, $c);
             }
         } else {
             print "Enter your password and Security Token to access admin functions: <font color=red>WARNING! Incorrect entry will result in automatic Fed Sentence!</font>
                 <form action='adminauth.php' method='POST'>
                 <input type='hidden' name='Security' value='Confirm' />
                 Password: <input type='password' name='CurrPass' />
                 Security Token: <input type='password' name='SecurityToken' />
                 <input type='submit' value='Continue' /></form>";
         }
         $h->endpage();
         ?>

     To use the function, simply add admincheck(); immediately after the line on the page that redirects to login:

         if ($_SESSION['loggedin'] == 0) { header("Location: login.php"); exit; }
         admincheck();

     For V2, this only has to be added to sglobals.php.

     Functionality: When a user tries to access an admin-only page, they are prompted for both the password associated with their userid and a shared password (I call it a security token) that is known amongst staff. If they don't have the proper credentials, they are automatically punished (this example just throws them in county jail/in-game jail for a long time and zeros all of their regenerative stats), and a message is sent to the admins to let them know someone tried to break in. The nice thing about this setup is that it doesn't require additional coding to add additional staff, unlike the header array method. This current version works for any staff, but I hope it is pretty straightforward should you want to implement it separately for different staff levels.
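A re-authentication gate along the same lines as the admincheck()/adminauth.php pair above, as an added example that is not the original post's code. It adds the checks a reviewer would ask for: bcrypt hashes instead of md5 for both the user password and the shared staff token, hash comparison that does not short-circuit on the first failing factor, a time limit on the second-factor flag, a tie between the flag and the user id that earned it, and a failure counter. The hashes, the 15-minute window, the three-failure lockout and the plain array standing in for $_SESSION are assumptions for illustration.

```php
<?php
// Added example (not the original post's code): a staff re-authentication gate.
// TTL, lockout threshold and the sample credentials are assumptions.

const ADMIN_REAUTH_TTL  = 900;   // seconds the second-factor check stays valid
const ADMIN_MAX_FAILURES = 3;    // failures before this session is locked out

// Constructed credentials.  In the game the user hash comes from `users`; the
// shared staff token is stored hashed as well, never as a literal in source.
function staff_credentials(): array
{
    return [
        'userpass_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
        'token_hash'    => password_hash('staff-token-2024', PASSWORD_DEFAULT),
    ];
}

// Has this session passed the second check recently?  The user id is part of
// the check so a flag earned by one account cannot be reused by another.
function admin_session_ok(array $session, int $userid, int $now): bool
{
    return isset($session['admin_auth_uid'], $session['admin_auth_at'])
        && $session['admin_auth_uid'] === $userid
        && ($now - $session['admin_auth_at']) < ADMIN_REAUTH_TTL;
}

// Verify password and shared token.  Marks the session on success; on failure
// counts the attempt and clears any earlier flag.  Returns 'granted', 'denied'
// or 'locked'.
function admin_reauth(array &$session, int $userid, int $user_level,
                      string $password, string $token, array $creds, int $now): string
{
    if (($session['admin_failures'] ?? 0) >= ADMIN_MAX_FAILURES) {
        return 'locked';
    }
    // Evaluate both factors before deciding so the response time does not
    // reveal which one was wrong.
    $pass_ok  = password_verify($password, $creds['userpass_hash']);
    $token_ok = password_verify($token, $creds['token_hash']);
    if ($user_level > 1 && $pass_ok && $token_ok) {
        $session['admin_auth_uid'] = $userid;
        $session['admin_auth_at']  = $now;
        $session['admin_failures'] = 0;
        return 'granted';
    }
    $session['admin_failures'] = ($session['admin_failures'] ?? 0) + 1;
    unset($session['admin_auth_uid'], $session['admin_auth_at']);
    return 'denied';
}

// Constructed walk-through with an array standing in for $_SESSION.
$session = [];
$creds   = staff_credentials();
$now     = time();
var_dump(admin_session_ok($session, 7, $now));                                              // fresh session
var_dump(admin_reauth($session, 7, 2, 'correct horse', 'wrong-token', $creds, $now));       // one factor wrong
var_dump(admin_reauth($session, 7, 1, 'correct horse', 'staff-token-2024', $creds, $now));  // not staff
var_dump(admin_reauth($session, 7, 2, 'correct horse', 'staff-token-2024', $creds, $now));  // level 2, both factors right
var_dump(admin_session_ok($session, 7, $now + 60));                                         // inside the window
var_dump(admin_session_ok($session, 8, $now + 60));                                         // another user id
var_dump(admin_session_ok($session, 7, $now + ADMIN_REAUTH_TTL));                           // window expired
```

On a real page, call session_regenerate_id(true) right after 'granted' so the elevated flag lives in a fresh session id, and put the per-account lockout counter in the database rather than the session, since a session cookie is something the attacker can simply discard.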
  13. Looks pretty cool. I haven't signed up yet to check out the game itself, but from what I can see going through the "Public side" looks pretty cool. Looks to be a rather unique idea as well. I did catch some grammar errors, but nothing too major.
  14. Watermarking your screenshots is not hard to do, especially if you keep it simple. Just download GIMP (it's free): http://www.gimp.org You can get one of the many available watermark scripts, or you can do it yourself by adding a new layer to your image, putting your watermark on that layer, and adjusting the opacity until you are happy with the way it looks.
  15. Personally, I do not think MCC is obligated to give anything to the people that were scammed by Ravan, either morally or legally. That being said, there is something to be said about working with those that fell victim to this scammer, instead of telling them "Tough Luck" In a certain sense, anyone that bought from this guy is a guilty party along with Ravan. MCC would be within their rights to expect some degree of compensation from anyone using their code, even if they got it through some illegal channel. I know some software out there does do this, by making the recipient of illegal copies pay for a legal license, sometimes at a cost greater than retail. If MCC offers some kind of discount for a legal license, then they are being generous. You can always pursue legal action against Ravan as well. Keep in mind that MCC is not to blame just because them pursuing their legal rights is harmful to you. The guilty party here is the guy who stole from MCC and all the people he ripped off.
  16. One really big thing that I see missing... NEVER take raw input (PHP $_GET, $_POST or $_REQUEST) and put it directly into a query. This is just asking for trouble, as it opens up a hole for SQL injections. Always sanitize any values that are going into the database queries, even if they are generated by a function. For example, if you have a dropdown box for selecting something, do NOT trust the value that you are getting just because it is not simple to change the values. There are plenty of tools out there that allow someone to intercept and modify data before it goes to the webserver.

     So, how do you sanitize your input? Check to make sure it is a value you expect. If you are looking for an integer, there should be no characters in it. is_int, is_double, is_string, and is_object are helpful for this. If you are expecting a URL (say for a picture), you should make sure that it is properly formatted. Regex checking comes in handy here. If it is something that you want to accept HTML in (forums, mail, signatures, etc.), I would suggest using strip_tags to remove any unwanted tags. Alternatively, you could block all HTML and only allow bbcodes or your own variation of them. The newest version of PHP has bbcode functionality already built in, I believe it started with PHP 5.2.0, but I am not entirely sure.

     While mysql_real_escape_string is a good start, you may want to use trim to remove extraneous whitespace from a string (newline, space, tab, carriage return, null-byte, etc.). A simple function for this would be:

         function make_safe($var, $allowablehtml = '<a> <img>')
         {
             $var = trim($var);                                          // remove leading and trailing whitespace
             $var = strip_tags($var, $allowablehtml);                    // remove unwanted HTML
             $var = str_replace(array("\r\n", "\r", "\n"), "", $var);    // remove any carriage returns or newlines in the string
             $var = mysql_real_escape_string($var);                      // escape special characters last, so the steps above cannot undo it
             return $var;
         }

     You can also add htmlentities to the function to convert any HTML special characters into their encoded equivalents; however, this will render any real HTML input invalid, because the resulting output when viewed in a browser will look like the actual HTML code. html_entity_decode will undo htmlentities if needed. You could add a simple function that is called with every page load that automatically puts any input from the user through the make_safe function, but I would not advise doing so, as there may be times when you want to be able to put in input that would be damaged by make_safe.

     That aside, if you are making your own game from scratch, do not use an easy-to-guess table structure. If you keep the tables hard to guess, it is just that much more unlikely that a malicious user will be able to do anything. Also, it is a good idea to keep data that your users can edit separate from data that only the game itself should change. For example, username, profile, signature, etc. should all be in one table; stats and player data should be in another. This will prevent a player from being able to credit themselves stats with an SQL injection, which shouldn't be a problem if you follow the above, but having an extra layer of security never hurts.

     Another thing you can do, if your webhost allows it, is to create different database users for different tasks. Have one user that only allows select, one that only allows update, one that allows delete, and one that allows create. This isn't a major issue, as PHP does not support multiple queries in a single mysql_query statement, so someone trying to do a '; DROP TABLE users; -- would not be able to do any harm. I'm not sure if ADODB has this same function; it looks like it does. Again, if you are checking anything and cleaning it up before putting it into a query, this wouldn't do much. I hope my rambling makes sense.
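The same per-query discipline the post above argues for, written with PDO prepared statements, as an added example that is not the post's own code. Binding the value keeps it out of the SQL text entirely, so there is no escaping step that a later transformation can undo, and HTML escaping moves to output time where the context is known. It uses an in-memory SQLite database (the pdo_sqlite extension) and constructed rows; the table, column and function names are assumptions. Note that every $_POST and $_GET value arrives as a string, so the integer check uses filter_var rather than is_int.

```php
<?php
// Added example (not from the original post): prepared statements plus
// shape-checking of input.  Table/column names and sample data are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, profile TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice', ''), (2, 'bob', '')");

// $_POST/$_GET values are always strings; require an integer of the right range.
function validate_userid($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Free text: trim, keep only the allowed tags, drop line breaks.  No SQL
// escaping here; the bound parameter takes care of the query.
function clean_profile(string $raw, string $allowed = '<a><img>'): string
{
    $text = strip_tags(trim($raw), $allowed);
    return str_replace(["\r", "\n"], '', $text);
}

function lookup_user(PDO $db, $raw_id): ?array
{
    $id = validate_userid($raw_id);
    if ($id === null) {
        return null;     // "1 OR 1=1" or "2; DROP TABLE users" never reaches SQL
    }
    $st = $db->prepare("SELECT userid, username, profile FROM users WHERE userid = :id");
    $st->execute([':id' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function update_profile(PDO $db, int $userid, string $raw_profile): void
{
    $st = $db->prepare("UPDATE users SET profile = :p WHERE userid = :id");
    $st->execute([':p' => clean_profile($raw_profile), ':id' => $userid]);
}

function user_count(PDO $db): int
{
    return (int) $db->query("SELECT COUNT(*) FROM users")->fetchColumn();
}

// Constructed attack inputs.
var_dump(lookup_user($db, "1 OR 1=1"));     // rejected by validate_userid
var_dump(lookup_user($db, "2"));            // a normal lookup

update_profile($db, 1, "  Hi <b>there</b>\r\n'; DROP TABLE users; --  ");
$row = lookup_user($db, "1");
var_dump($row['profile']);                  // the payload is stored as literal text
var_dump(user_count($db));                  // the table is still there

// Escape for HTML when rendering, not when storing, so the database holds the
// real text and each output context gets its own encoding.
echo htmlspecialchars($row['profile'], ENT_QUOTES, 'UTF-8'), "\n";
```

The allowed-tag list in clean_profile is still worth a second look before shipping: `<a>` and `<img>` carry href, src and event-handler attributes that strip_tags does not touch, so an allow-list on attributes (or bbcode, as the post suggests) is needed before that text is echoed to other players.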
  17. First things first, if the cron jobs never worked, try exercising them manually. If there is an error in your code, you may be able to figure out where based on any output from the script. If running them manually (browse to http://www.yoursite.com/path/to/cron/files/cron_file.php) does update stuff like you would expect, then it is possible that you do not have the crons set up properly on your host. Some hosts do not have curl (a command-line tool for transferring data using URL syntax) and require some other method for executing scripts when they aren't called by a remote browser, such as PHP CLI (command-line PHP). I personally prefer running the cron jobs this way, because then you can run them from a directory that is not world readable; in other words, you don't have to worry about someone figuring out where the crons are located and named, and running them several times. (I don't know if this is still an issue with v2, but I know it was with v1.)
  18. Re: More Cron Fun..lol I'm not familiar with them. I don't know of too many free hosts that offer shell access unfortunately.
  19. Re: More Cron Fun..lol Who is your host? If you have shell access, run

         crontab -e

     and put in all the commands, one per line, e.g.

         * * * * * /usr/bin/curl http://www.yoursite.com/cron.php >/dev/null 2>&1

     IIRC.
  20. Re: Coding Tutorials php.net planet-source-code.com google All very good sources of info
  21. Re: Useful little function: Get_url Nope, just put it at the very end of global_func (before the ?> ). For example, I use it for logging cheat attempts. I have a table that tracks the time, user, URL, and posted variables any time someone tries to cheat. I use this in addition to killing the page when a player tries to cheat, for example by changing the userid after losing an attack. This way I can see not just who tries to cheat, but how they try to cheat as well.
  22. Here is a handy little function that you can add to global_funcs.

         function get_url()
         {
             //===============================================================
             // Get URL Function:
             // This function simply returns the full URL of the page it is
             // called from.
             // Inputs: None   Outputs: String containing URL
             // Usage: $var = get_url();
             // Note: HTTP_HOST and QUERY_STRING are supplied by the client,
             // so treat the result as untrusted when logging or displaying it.
             //===============================================================
             $url = 'http';
             if (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') {
                 $url .= 's';
             }
             $url .= '://';
             if ($_SERVER['SERVER_PORT'] != '80') {
                 $url .= $_SERVER['HTTP_HOST'] . ':' . $_SERVER['SERVER_PORT'] . $_SERVER['SCRIPT_NAME'];
             } else {
                 $url .= $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'];
             }
             if (isset($_SERVER['QUERY_STRING']) && $_SERVER['QUERY_STRING'] != '') {
                 $url .= '?' . $_SERVER['QUERY_STRING'];
             }
             $_SERVER['FULL_URL'] = $url;
             return $url;
         }

     This returns the full URL, including the query string. For example, www.criminalexistence.com/index.php?act ... t&topic=11 returns exactly that. I use this for troubleshooting, logging, and advanced cheat detection in the game I am developing. I'm sure there are some here that could benefit from it as well.
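The cheat-attempt log described in post 21 (time, user, URL and posted variables) fed by a get_url-style function, as an added example that is not code from either post. Because HTTP_HOST, the query string and every posted field are chosen by the client, the example binds them with a prepared statement, caps their length, drops password fields before storing, and escapes when rendering the row on the admin page. It uses in-memory SQLite; the table name, column limits and the sample request are assumptions.

```php
<?php
// Added example (not from the original posts): logging cheat attempts safely.
// Table layout, length caps and the constructed request are assumptions.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE cheat_log (id INTEGER PRIMARY KEY AUTOINCREMENT, logged_at INTEGER,
           userid INTEGER, url TEXT, post_vars TEXT, remote_ip TEXT)");

// Same idea as get_url(), built from an explicit $server array so it can be
// exercised outside a web request.  The result is client-influenced data.
function request_url(array $server): string
{
    $scheme  = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $port    = (int) ($server['SERVER_PORT'] ?? 80);
    $default = ($scheme === 'https') ? 443 : 80;
    $host    = $server['HTTP_HOST'] ?? 'localhost';
    $url = $scheme . '://' . $host . ($port !== $default ? ':' . $port : '') . ($server['SCRIPT_NAME'] ?? '/');
    if (!empty($server['QUERY_STRING'])) {
        $url .= '?' . $server['QUERY_STRING'];
    }
    return $url;
}

// Record one attempt.  Credential fields are dropped from the POST copy and
// every column is length-capped so the log cannot be used to fill the disk.
function log_cheat_attempt(PDO $db, int $userid, array $server, array $post, int $now): int
{
    $copy = $post;
    foreach (['password', 'CurrPass', 'SecurityToken'] as $secret) {
        unset($copy[$secret]);
    }
    $json = json_encode($copy, JSON_UNESCAPED_SLASHES | JSON_PARTIAL_OUTPUT_ON_ERROR);
    $st = $db->prepare("INSERT INTO cheat_log (logged_at, userid, url, post_vars, remote_ip)
                        VALUES (:t, :u, :url, :post, :ip)");
    $st->execute([
        ':t'    => $now,
        ':u'    => $userid,
        ':url'  => substr(request_url($server), 0, 1024),
        ':post' => substr($json, 0, 4096),
        ':ip'   => substr($server['REMOTE_ADDR'] ?? '', 0, 45),
    ]);
    return (int) $db->lastInsertId();
}

function fetch_log_row(PDO $db, int $id): ?array
{
    $st = $db->prepare("SELECT * FROM cheat_log WHERE id = :id");
    $st->execute([':id' => $id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Render one row for the admin page; URL and POST data are attacker-chosen, so
// they are escaped here rather than trusted because they came from our own table.
function render_log_row(array $row): string
{
    $esc = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return sprintf("<tr><td>%s</td><td>%d</td><td>%s</td><td>%s</td></tr>",
        date('Y-m-d H:i:s', (int) $row['logged_at']), $row['userid'],
        $esc($row['url']), $esc($row['post_vars']));
}

// Constructed request: a player who lost an attack resubmits with another userid.
$server = ['HTTPS' => 'on', 'SERVER_PORT' => '443', 'HTTP_HOST' => 'www.yoursite.com',
           'SCRIPT_NAME' => '/attackwon.php', 'QUERY_STRING' => 'ID=42', 'REMOTE_ADDR' => '198.51.100.7'];
$post   = ['ID' => '42', 'CurrPass' => 'hunter2', 'note' => '<script>alert(1)</script>'];

$id  = log_cheat_attempt($db, 7, $server, $post, time());
$row = fetch_log_row($db, $id);
var_dump($row['post_vars']);      // CurrPass is absent, the rest is kept verbatim
echo render_log_row($row), "\n";  // the <script> in `note` is rendered as text
```

Logging the attempt and then killing the page, as post 21 describes, is the right order; what this adds is that the log viewer is itself a page other staff open, so a record a cheater shaped on purpose (a script tag in a field, an oversized body) has to be handled like any other user input when it is shown.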
  23. Re: thanksgiving treat Cool, I kind of like the idea of clicking a link for a holiday gift. I was going to simply update all users for Xmas and send them an event.....but I think I like this idea better--reward those that are active.
  24. adding a crime panel in admin panel Sean, go ahead. Any ideas on how to strip the quotes from the Textbox Value pulled from the DB? Also I am not sure how to go about making it so SQL doesn't treat information in the text areas as part of an SQL command.....
  25. adding a crime panel in admin panel Could you give me an example of how you would use either? inside the SQL command? etc