a_bertrand

Well my own web IRC is starting to work well so for sure the mod will be just an IFRAME pointing to it. However you will still be able to use it for your own game Zero ;)

As I said to Zero via chat, I will not accept anymore free bashing. Indeed this went too far, but I'm sure Zero understood it and will cool down.

To demonstrate how the engine fully works, and to be able to offer for free a complete game (to those which don't have the time or the skills to build it themselves), I will start the work on the following game: A ancient roman gladiator game The game will be pure text (beside some art for the template / skin itself). It will allow you to progress inside the hierarchy of the gladiators, combats beasts and other gladiators (NPC and Players), and be the strongest and well pride one. To do that I will implement: - An inventory system to equip / dis-equip gear - Objects - NPC combats - NPC editor - Level - Top score and more. People interested to join shall answer here, and either share ideas, or propose to code some of those modules (or additional one). Time to complete: for the complete system I'm guessing middle Jan 2010 to be ready for a working version.

I don't make 2K$ a month, but yet I could invest 600$, but as Vali posted out, I will not invest 600$ just for the shake to see if it works or not. No way at all. Call me conservative, but those things for me do not work well, as you could fake all of those. Already the pay per click are a bit on the edge, but that is really way to far for my own taste.

I don't see how it could be cracked... as the ip act already as salt if you think well. But fine, can be done. Not a big deal at all.

Initial documentation may be found here: http://zapengine.com/documentation.php This should already explain why there is so many directories, and what's their purpose, as well as how to create a first module for the engine.

Fixed the issue. Sorry for it.

Yes that would work, but as I said, it doesn't increase the security as you already sent the thing WITHOUT any salt once due to the login. Of course it could be done, but I don't see how that will increase even a bit the security and actually it will slow down the server as it has yet another MD5 to do.

And what do we do with this: md5(md5(md5(password)+ip)+salt) ? As that cannot be stored in the database as it contains the IP, and if we send it back to the browser, fine, but as you run at least once without salt it is useless. So I don't understand what you want to do.

No the salt doesn't work like that at least in our case. Currently we do the following: 1) PHP generates a page containing an hidden field with the player IP 2) The browser make a MD5 of the MD5 of the password + the IP inside the hidden field and send that as password=> MD5(MD5(PASSWORD)+IP) 3) The server checks if it match with the same opertion MD5(DBPASS+IP) where DB pass is already a MD5 That way we NEVER send the password plain text over the network. At the same time, it prevent us to check on the server side the password with some SALT as the 2 strings must match (the one from the browser and the one on the server side)

If I store within the MD5 a time stamp, like I store the IP, as soon as the time change the MD5 is not anymore valid. No way I can just check if it was like 1 min ago or 1 day ago. To test how much time elapsed in that way, I would need to test each time stamp for the time we accept the cookie must stay valid. Which is impracticable. That's why I would say if we need something like that, then let's use a token which is stored on the server side, sent to the client, placed in the MD5 and checked. Therefore when the token dies, the MD5 will be invalid. the cookie would be something like: userid+"/"+md5(md5(password)+IP+token) For the salt, as the password if never sent plain text over the network, and instead sent as MD5, I would not be able to check the password against the DB if I cannot make a match. Therefore if I have on one side a MD5(password) and on the other MD5(password+salt) it will never match. To be able to use the salt, I would need to transmit the salt to the browser (like hidden field or other) such that the browser can use it to produce its MD5. If you send the salt to the browser then everyone knows it, and it doesn't improve the security. But here maybe I didn't understood your idea, if so please explain it.

Then simply try to run it, it should install itself, and you will be able to check how it works ;)

Sure, just start by download it, and check how things works. Be sure to re-download it from time to time (should be announced on this forums) as it's still a work in progress.

Sure we can embed some sort of time. The problem is that if we include a "day of the year+year" inside, and you logon just before midnight you will have to re-login. I have no way to extract something from an hash function. Other option would be encrypt a "token" and accept that token only for a given time. For the salt, yes it could improve a bit the security and is not hard to make. However if you transmit it then it's again not safe. A rainbow table as you say would make it in principle possible to hack passwords, now I give you a MD5 and try with some of those MD5 hacking sites to decrypt it: 652d59bdc9544f681a42029e66b8f521 I mean, it's a game, it's not a bank script, having already that kind of security embedded is good, of course things could be improved, then we should use SSL, and you are covered.

Private messaging implemented (with auto installer): - You can see the message you received - You can send messages - You can delete a message - When you have a new message it's displayed in bold and the menu title shows how many new messages you have.

I know you want to get it... However I wonder if I will not simply include a small mod for a web IRC chat and link it to Ipocalypse.

Thanks, we are trying hard to make this engine as clean, clear and usable as possible. So any comments, any suggestions are welcome. For example I got yet other complains by the name and the hierarchy of directories. Seems that this huge number of directories scare some of you, therefore I'm willing to discuss about it, even changing the names etc. I was also wondering if we should already start to setup a wiki help for it.

Good to hear that the first game developement starts. Let me know if you need anything from the engine itself as I may try to help there. For what is planned to be placed into the engine still: - An Ajax chat - A messaging system like in game email - More admin tools.

For fonts: http://www.1001freefonts.com/ For brushes: http://www.brusheezy.com/ But you may find A LOT more with google... so why not use it?

Posted a new version: - Rewrote the admin panel for the works, templar (nickson) posted a version which allows editing, and I make it compacter as well as adding the edit icon to it. - Changed the players table to add the template information: [mysql] ALTER TABLE PLAYERS ADD TEMPLATE VARCHAR(40) [/mysql] - Created an initial preference panel such that people can choose the wished template - Changed the default template to use a very small CSS - Created a new template called "blue" with guess what? A blue scheme. The menu appears on the right side, just to show that you can do whatever you want with the placement of the things. - Changed the world.php to load the chosen template or the default template as specified in the config.php - Changed the tags with <SPAN> and some class such that you customize how those feedback messages look like. - Changed the install and the config to contain the default template. - Reworked the site http://www.zapengine.com/ now it has a look, and more than a single page, even if it's still quiet empty.

Not at all.

I will work on the engine to support multiple templates then, you will need simply to create a new directory for your template, inside the templates directory and put your files there. The two mandatory files are main.php and skin_functions.php, beside those you can have as many files as you want there (like images or whatever else). On my side, I will modify the engine such that you will be able to define the default template to use (by choosing the name in the config file), and also letting the player choose his/her template (so player will be able to customize their environment).

I don't worry, actually I'm happy if somebody can comment out the code and point issues which haven't yet been raised as this means a better engine quality at the end.

I hope you will enjoy it, and be assured to keep it up to date as we are updating really quickly so far.

As I stated in my last status update, you need to create the table for the events: [mysql] DROP TABLE IF EXISTS PLAYER_EVENTS; CREATE TABLE PLAYER_EVENTS( EVENTNAME VARCHAR(10) NOT NULL, USERID INTEGER NOT NULL, LASTEXEC INTEGER UNSIGNED, PRIMARY KEY(EVENTNAME,USERID)); [/mysql] The MWG engine was the name before we (or I) actually choose the name zap engine. MWG => Make Web Game so the engine of this community. For the serialization of the language, I still believe it's quicker to do the serialization at least as a code point of view than having a PHP file generated and then included. We could do some performance test if there is some impact, however I don't believe there will be a lot of difference. For the editing, sure editing by hand will be more complex if it's a serialized file but not of you want to make your own soft.