Xanthia

Sorry, where are they checking? I see an assumption about data-type, and a coercion, there is no checking.  Sure? MySQL does not need a space their. PHP will generate a warning of course however as the associated keys amount and price should really be quotation marks. Placing a new-line following the ". will split the line into a more manageable block which is possible what the original author had in mind.  Mad, no, however when you visually scan large quantities of source, I tend to find that missing multiple > and < (and/or => <= etc) becomes confusing. Extra braces would help, however there is nothing wrong with splitting the if statement across multiple lines; For example:if (($_POST['amount'] >= 1)) && ($_POST['amount'] <= $user_class->points) && ($_POST['price'] >= 1) ) {   I will correct my point re. character classes however. It appears the the hyphen character can be at the start of a character class; my mistake. I would ask why something simpler like ctype_digit() or the more expensive preg_match("`^\d+$`,...) is not used instead.   Doesn't really make much sense to access the $user_class variable *above* where it is (re)created with new User(...). Since it is presumably created in the header include, I see no reason to duplicate it at this stage.  Really, just really?

Password recovery link ?

$_POST['amount'] = abs((int) $_POST['amount']); Check the type first, don't assume it is a string   $_POST['amount'] = abs((int) $_POST['amount']); Why are you doing this again?   if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['amount'])){ I imagine that you really only want digits. BTW `-` if used in a character class should be at the end   if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['price'])){ Again, why are you permitting characters?   if($_POST['amount'] >= 1 && $_POST['amount'] <= $user_class->points && $_POST['price'] >= 1){ Use braces, or split into multiple lines for legability   $result= mysql_query("INSERT INTO `pointsmarket` (owner, amount, price )"."VALUES ('$user_class->id', '$_POST[amount]', '$_POST[price]')"); Check the result, don't ignore it   $result = mysql_query("UPDATE `grpgusers` SET `points` = '".$newpoints."' WHERE `id`='".$user_class->id."'"); Again, check the result   $user_class = new User($_SESSION['id']); Say what now?   $result = mysql_query("SELECT * FROM `pointsmarket` WHERE `id`='".$_POST['points_id']."'"); Zing, injection point   I gave up after this. More holes than a Glaswegian slapper's stockings after a hard Saturday night on the town.

Assuming you mean MySQL: @daily mysqldump -uusername -ppassword database > /home/user/database-`date +%Y%m%d`.sql For example: @daily mysqldump -uxan -pnotmypass xandb1 > /home/xan/xandb1-`date +%Y%m%d`.sql would produce the file xandb1-20110727.sql assuming I ran it when I posted this reply - but every day would produce a new .sql dumpfile with a different date-stamp. Far from perfect, but it provides a limited backup capabaility. Look at the options to mysqldump to fine tune it. @daily btw is equivalent to 0 0 * * *

This is actually a surprisingly nice little game with, as pointed out, features that are not readily apparent. Sure there is some room for improvement, but the same can be said for many products both commercial and privately run. Too many games appear to follow the same rather tired genre, however the author here has taken the time to drop the player into the realms of fantasy which has long been a favorite of mine. Based on the mmcodes platform makes it simple to pick up; at the expense of being a little limiting in places, however with a little work graphically, and some minor bug-fixes this could easily become a solid platform to build from. The current "mods" are all fairly basic I admit, however again each has been tailored to suit the environment, and there have been a few surprises. All this game really needs is a decent player base to give the author the confidence to develop it further and to play-test ideas with a decent group of people. So give it a try -- Realm of Legends