MakeWebGames

Everything posted by KyleMassacre

  1. Hmm, it's strange cause I'm not seeing how it wouldn't insert correctly. This is an exact copy and paste from my site in which I started several accounts and it worked fine. But I'll keep thinking cause now it's bothering me haha. Has anyone else tried this and gotten the same issue(s)? Thank you
  2. By validate you mean like an email validation where they click a link that you email them to validate their actual email?
  3. What do you mean by small? If you're talking playerbase, a lot of it may come back to funding. If you have a small player base some gamers may lose interest themselves and go and find a more active game. Sure, you may get some donations to keep the game afloat for a period of time, but if I can donate $20 and become the strongest/richest player in a game, where's the challenge? Also I feel a lot of games fail because some of them are not unique enough. I have never played Torn but look at some of the posts here in these forums offering to sell a Torn clone mod of some sort. If I join a game and see a cloned mod from another game I may as well go back to the game that was copied. Bottom line: be unique, invest some time and some money. There is nothing wrong with having a feature like on another game but spice it up a bit for crying out loud. Is there too much uniqueness? Quite possibly. I had a game I felt was real unique but I think it caused a lot of confusion with players cause it wasn't a "crime game" and it was a game where in order to be at the top you needed to work together to a certain extent. How many games must you work together with people you are competing against? None that I have seen. There is my two cents
  4. Far from it but thank you. And what kind of tips are you looking for, anything particular? Just like Ian said just be creative and you would be surprised at what you come up with
  5. Please do, to end the headache haha. A few of the guys: Ian, Dom, Nick, and DjKanna were going through a meltdown earlier lol
  6. This reminds me, because with NWE if I don't use isset() on a get or post I get an error, so I wonder if array_key_exists() will also work for certain things
  7. I think with isset() it still works if it is blank so you may wanna check and make sure there is something in there. I'm not too sure about array_key_exists though
  8. I decided to go with a blacklist because IMO it's a bit easier. Let's say for example I change around what I want to be used to my success rate, now I would have to go and add more whitelist options on top of my $ec/$sucrate in docrime. This way it's just a bit easier for myself to alter a little bit but keep my db safe from a bad guy. But yes, eval shouldn't be used and I think this is a little bit easier for the novice or beginner people to do who have a basic understanding of how this works. A quick fix isn't always the best and this is just a band-aid just to buy some time
  9. True, mysql_() will be dropped or has been dropped depending on your version >= 5.5 but that is still quite some time away for most people. Using mysqli() is better anyway so that should already be done by most people, but I would look up another class that binds the queries for you so you don't have to. But from what I see all those functions should still work as long as they are used correctly and it's not like it's a whole lot that needs to be fixed
  10. eval($ec);

      From what I understand, eval is NEVER the best option for anything, especially for manually entered input. So if you want to keep it, just please be aware. My OP, from what I have seen, will take out any nasty SQL commands that shouldn't be in there
  11. Basically you need to do the math yourself instead of relying on eval. Take this line for example:

      $ec = "\$sucrate=" . str_replace(
          array("LEVEL", "CRIMEXP", "EXP", "WILL", "IQ"),
          array($ir['level'], $ir['crimexp'], $ir['exp'], $ir['will'], $ir['IQ']),
          $r['crimePERCFORM']) . ";";

      and by default your new crime page is like this:

      ((WILL*0.8)/2.5)+(LEVEL/4)

      Now I haven't tested it but I'm assuming you can just change it to something like this:

      $sucrate = str_replace(
          array("LEVEL", "CRIMEXP", "EXP", "WILL", "IQ"),
          array($ir['level'], $ir['crimexp'], $ir['exp'], $ir['will'], $ir['IQ']),
          $r['crimePERCFORM']);

      which will print out like:

      $sucrate = (($ir['will']*0.8)/2.5)+($ir['level']/4);

      Then you should just be able to get rid of eval($ec); Maybe mess around with it and see if it works or if you come up with something better
  12. I agree, eval() probably shouldn't be used anywhere in a file, especially in a web game where there are a lot of people whose whole goal is to try and exploit to show their friends they are real cool, but at least this way they have a little bit of time to try and find another method if they are worried about anything
  13. Well I'm not very good at this but I was looking at the files you posted and I see stuff for a div class bar_a and bar_b but I don't see any of those in your css unless I'm blind
  14. For a little while now I have been trying to figure out how to kind of secure the staff crimes page. Now, I'm nowhere near decent at regex but thanks to DJK in one of his posts he recommended RegExr and it's a pretty nifty little tool if you can understand regex, unlike myself. So basically I wanted to see if some of the gurus out there can take a look at this and tell me what they think. I tested this and for in my eyes "badwords" it worked pretty dern good. So basically what you do is open up staff_crimes.php and find the $_POST['percform'] and replace it with this:

      $_POST['percform'] = preg_replace("(TRUNCATE|MYSQL(I){0,1}|ALTER|CREATE|DELETE|DROP|EXEC(UTE){0,1}|INSERT( +INTO){0,1}|MERGE|SELECT|UPDATE|UNION( +ALL){0,1})i", "", $_POST['percform'], -1);

      Now what this does is takes a few words that are bad in the wrong hands and gets rid of them. The only drawback I see with this is that when the crime gets executed the player may be shown an error, so maybe someone has a better idea, but it can just be the cost of security.

      ***EDIT*** I should have maybe thought of just using preg_match() ;)

      // preg_match() takes the pattern first, then the string to test
      $percform = preg_match("(TRUNCATE|MYSQL(I){0,1}|ALTER|CREATE|DELETE|DROP|EXEC(UTE){0,1}|INSERT( +INTO){0,1}|MERGE|SELECT|UPDATE|UNION( +ALL){0,1})i", $_POST['percform']);
      if ($percform) {
          echo "Your input is invalid";
          $h->endpage();
          exit; // stop here so the rejected formula is not processed any further
      }

      Would that be better?
  15. For a lot of things, just remember not everything filter_var() and filter_input() can be a really great friend of yours. It has quite a bit of nice features like defaults if the input returns false or even other settings like what you want to allow or not.
  16. Also if you're using V2.0.5 you don't have to include or require global_func.php, and here, I'll expand a little bit for ya:

      item_add($i, itemidhere, qtyhere);
      $message = "Just for joining ".$set["game_name"]." you were given /*place item qty/name here*/ to start you off, enjoy and play nice";
      event_add($i, $message);
      // or (string values have to be quoted inside the SQL)
      $mail = $db->query("insert into mail (mail_to, mail_from, mail_time, subject, text) values ($i, '1', ".time().", 'Welcome', '{$message}')");

      You can do a little something like that
  17. That's a real good idea and it may save $45 haha
  18. Here is a list straight from the source for the lazies:
  19. Take all this

      //thx to http://www.phpit.net/code/valid-email/ for valid_email
      function valid_email($email) {
          // First, we check that there's one @ symbol, and that the lengths are right
          if (!preg_match("/^[^@]{1,64}@[^@]{1,255}$/", $email)) {
              // Email invalid because wrong number of characters in one section, or wrong number of @ symbols.
              return false;
          }
          // Split it into sections to make life easier
          $email_array = explode("@", $email);
          $local_array = explode(".", $email_array[0]);
          for ($i = 0; $i < sizeof($local_array); $i++) {
              if (!preg_match("/^(([A-Za-z0-9!#$%&'*+/=?^_`{|}~-][A-Za-z0-9!#$%&'*+/=?^_`{|}~\.-]{0,63})|(\"[^(\\|\")]{0,62}\"))$/", $local_array[$i])) {
                  return false;
              }
          }
          if (!preg_match("/^\[?[0-9\.]+\]?$/", $email_array[1])) {
              // Check if domain is IP. If not, it should be valid domain name
              $domain_array = explode(".", $email_array[1]);
              if (sizeof($domain_array) < 2) {
                  return false; // Not enough parts to domain
              }
              for ($i = 0; $i < sizeof($domain_array); $i++) {
                  if (!preg_match("/^(([A-Za-z0-9][A-Za-z0-9-]{0,61}[A-Za-z0-9])|([A-Za-z0-9]+))$/", $domain_array[$i])) {
                      return false;
                  }
              }
          }
          return true;
      }

      and do this:

      function valid_email($email) {
          if (!filter_var($email, FILTER_VALIDATE_EMAIL))
              return false;
          return true;
      }
  20. I came up with something just like this a long time ago and I'm going to tell you what people told me since it's a better idea :p. Do this on register and here's why:

        • No additions to the users table
        • A player can only register once
        • Less file edits

      On the register page where they get inserted in the database you just do something like this:

      include_once "global_func.php";
      item_add($i, itemidhere, qtyhere); // note: I don't remember the var for the userid getting added but it's nearby so just take a gander ;)

      Then you can send a message or an event to the player, whichever you choose. All done.

      **EDIT** Also you have like 3 different queries to update one table. How about one query only, for example, if you want to keep it the same way as OP:

      $update = mysql_query("update users set money = money + 500, crystals = crystals + 500, donatordays = donatordays + 10, bonus = 2 where userid = $userid");

      Other than that it's not bad and will get the job done, granted it clutters the header even more ;) Thanks for the contribution though
  21. I have a couple recommendations myself depending on what you need, and both do really great work since I myself have used them: Dave Mac - Pretty brilliant guy to say the least, he has designed me a layout, coded it with the css, html, and the php for the header. W3Theory Peter - Another great designer, I am just not too sure if he does the php portion of it cause I never asked or received that from him, but he does do the rest like design, html/css. Both parties I believe charged me a very reasonable price for what I asked for and got, and I have no complaints about either of them. But if you're looking for the server side stuff maybe go with Dave, especially if it's heavily modified like you claim.
  22. thank you *too short*
  23. So it's saying that a Boolean has been given, which means true/false. What you can maybe try is:

      if (! $q->EOF ) {
          print "<hr width='50%'>Please read the declined message.<hr width='50%'><h3>! DECLINED</h3>Sorry, you cannot be promoted at this time. <hr width='50%'><a href='job.php'>> Go Back</a><hr width='50%'>";
      } else {
          //$r=mysql_num_rows($q); no clue why that's in there
          mysql_query("UPDATE users SET jobrank={$r['jrID']} WHERE userid=$userid");
          print "<hr width='50%'>Please read the successful message.<hr width='50%'><h3>! SUCCESSFUL</h3>Congrats, you have been promoted to {$r['jrNAME']}. <hr width='50%'><a href='job.php'>> Go Back</a><hr width='50%'>";
      }
      }

      If it still errors, post back and I'll try to help, but fair warning I'm mobile right now so just fiddle around with it, and if it does the opposite of what you want remove the "!", sometimes I get confused :o
  24. Most free hosts I have seen hate the minute cron and sometimes they only allow X amount of crons run per day. I believe somewhere around is a crontab-less cron system that runs off a timestamp or something
  25. Care to explain how it damaged your game? Maybe it's the mod, maybe it's the install?
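
Posts 8, 10, 11, 12 and 14 above all circle the same problem: the staff-entered crime formula is run through eval(), and a keyword blacklist only narrows what can reach it. As an added example (not code from these posts or from the game engine they discuss), the sketch below checks the formula against an allowlist grammar and computes it directly; the function names and the upper-case keys of $stats are assumptions.

```php
<?php
// Added example (PHP 7.4+); cf_* names and upper-case $stats keys are assumptions.
function cf_expr(array $t, int &$i, array $s): float {          // handles + and -
    $v = cf_term($t, $i, $s);
    while (in_array($t[$i] ?? '', ['+', '-'], true)) {
        $op = $t[$i++];
        $r = cf_term($t, $i, $s);
        $v = $op === '+' ? $v + $r : $v - $r;
    }
    return $v;
}
function cf_term(array $t, int &$i, array $s): float {          // handles * and /
    $v = cf_atom($t, $i, $s);
    while (in_array($t[$i] ?? '', ['*', '/'], true)) {
        $op = $t[$i++];
        $r = cf_atom($t, $i, $s);
        if ($op === '/' && $r == 0.0) throw new InvalidArgumentException('division by zero');
        $v = $op === '*' ? $v * $r : $v / $r;
    }
    return $v;
}
function cf_atom(array $t, int &$i, array $s): float {          // number, stat, (expr), -x
    $tok = $t[$i++] ?? '';
    if ($tok === '(') {
        $v = cf_expr($t, $i, $s);
        if (($t[$i++] ?? '') !== ')') throw new InvalidArgumentException('missing )');
        return $v;
    }
    if ($tok === '-') return -cf_atom($t, $i, $s);
    if (is_numeric($tok)) return (float) $tok;
    if (array_key_exists($tok, $s)) return (float) $s[$tok];
    throw new InvalidArgumentException('unexpected token');
}
function crime_success_rate(string $formula, array $stats): float {
    // Allowlist tokenizer: if the tokens do not rebuild the input exactly,
    // something outside the grammar was present and the formula is rejected.
    preg_match_all('/\s+|\d+(?:\.\d+)?|CRIMEXP|LEVEL|EXP|WILL|IQ|[-+*\/()]/', $formula, $m);
    if (implode('', $m[0]) !== $formula) throw new InvalidArgumentException('disallowed input');
    $t = array_values(array_filter($m[0], fn($x) => trim($x) !== ''));
    $i = 0;
    $v = cf_expr($t, $i, $stats);
    if ($i !== count($t)) throw new InvalidArgumentException('trailing tokens');
    return $v;
}
// Constructed sample stats; the formula is the default one quoted in post 11.
$stats = ['LEVEL' => 4, 'CRIMEXP' => 0, 'EXP' => 0, 'WILL' => 100, 'IQ' => 10];
var_dump(crime_success_rate('((WILL*0.8)/2.5)+(LEVEL/4)', $stats));
try { crime_success_rate('WILL*2; DROP TABLE users', $stats); }
catch (InvalidArgumentException $e) { echo 'rejected: ', $e->getMessage(), "\n"; }
```

Running the same check when staff save the formula, not only when a crime is committed, keeps a bad formula from ever being stored.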