Everything posted by a_bertrand
-
If you want a really working captcha, I would use reCaptcha (http://recaptcha.net/). That said, if you don't give us a link to your game, we cannot even check what you have to tell you where the problem is.
-
Actually no, you don't need hosting. You simply need to install a web server on your PC. I personally use XAMPP, others use WAMP, or you may as well use IIS if you want to use ASP / ASP.NET. Also, I would suggest you start developing something fun on your side and only upload it when you really have something, as anyhow you will not attract players until you have a running game.
-
Gucci Mane: actually what you are trying to do is done by a function called stripslashes(). So replace line (187):
$_POST['newpic']=str_replace('\\\'',''', $_POST['newpic']);
With:
$_POST['newpic']=stripslashes($_POST['newpic']);
-
I can tell you that things like:
$ID = $_GET['ID'];
need to be banished! We talked enough about such issues to nearly make a book :D The first thing to think is that ANY input coming from the web (cookies, GET and POST) needs to be checked and filtered before doing anything with it, especially putting it into a query.
-
I started something like this a while back, and you may find it here: http://wiki.nowhere-else.org/wiki/Build_a_game However, there are tons of tutorials, existing scripts and much more on the internet.
-
Honestly I'm unsure about this. I didn't find any law preventing you from posting IP addresses, and I don't think it's YET considered private information. Especially if you don't give a link between a real name and an IP. So no, I don't think an isolated IP is sensitive information. Now, to block a "hacker", just an IP like that does nothing, as anybody with a little bit of knowledge could use ways to change his/her IP. For example, the first IP reported is certainly a proxy, as it ends up at a hosting provider and a server ;)
-
Please don't re-submit mods which are not OPEN SOURCE, as you may get in trouble with their owners ;-) Otherwise you are welcome. If you have more questions you know where to find me.
-
[MCCODES V2] File Creator and Editor ingame
a_bertrand replied to Uridium's topic in Free Modifications
First of all, nbase in NEaB doesn't just hide the URL but does a bit more; however, it's anyhow not really safe, as anyone with a little bit of knowledge knows how to see which URL a frame has.
-
Simple Line of code to stop Session Hijacking and Auto-Admin
a_bertrand replied to Joshua's topic in Tips and tutorials
Trying to read the image size as MD did is nice, also because you could reject images due to their size. Another approach is to check the file signature, which is at the beginning of the file: a GIF needs to start with "GIF89a" and a PNG starts with "‰PNG".
-
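The two checks described in the post above (file signature plus image size), as an added example that is not part of the original post. The function names, the 200x200 limit and the sample files are assumptions made for illustration; the "‰" the post shows is the byte 0x89 at the start of the PNG signature.

```php
<?php
// Added example: identify an uploaded image by its leading signature bytes,
// then apply a size limit with getimagesize(). Names and limits are assumptions.

const IMAGE_SIGNATURES = [
    'gif' => ["GIF87a", "GIF89a"],
    'png' => ["\x89PNG\r\n\x1a\n"],   // byte 0x89 displays as "‰" in Windows-1252
];

/** Return 'gif', 'png', or null when the header matches no known signature. */
function sniff_image_type(string $path): ?string
{
    $head = @file_get_contents($path, false, null, 0, 8);
    if ($head === false) {
        return null;
    }
    foreach (IMAGE_SIGNATURES as $type => $signatures) {
        foreach ($signatures as $sig) {
            if (strncmp($head, $sig, strlen($sig)) === 0) {
                return $type;
            }
        }
    }
    return null;
}

/** Accept only GIF/PNG files whose decoded dimensions fit the limits. */
function is_acceptable_avatar(string $path, int $maxW = 200, int $maxH = 200): bool
{
    if (sniff_image_type($path) === null) {
        return false;
    }
    $info = @getimagesize($path);   // false when the file cannot be read as an image
    return $info !== false && $info[0] <= $maxW && $info[1] <= $maxH;
}

// Constructed samples: a valid 1x1 GIF and a text file that is not an image.
$gif = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$fake = tempnam(sys_get_temp_dir(), 'img');
file_put_contents($fake, "this is plain text, not an image");

var_dump(is_acceptable_avatar($gif));
var_dump(is_acceptable_avatar($fake));
unlink($gif);
unlink($fake);
```

A matching signature only tells you what the first bytes claim; the file should still be stored under a server-chosen name and never in a location where the web server would execute it.
-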
For the cleanup of the parameters, yes it is. However, I have a few comments to give: once you clean up your data, don't put it back in GET and POST; use a variable name (so you are sure you first cleaned up the value and then use the clean value):
$itmid = abs($_GET['ID']+0);
$qty = $_POST['qty']+0;
Now for the second one I didn't use ABS. Why? Because you can now check if the quantity is <= 0. For your queries like:
$db->query(sprintf("UPDATE users SET money=money-$price WHERE userid=$userid"));
The use of sprintf is totally useless here, as sprintf would be useful if you have the %1, %2 place holders and then add the values at the end. In your case you can simply write:
$db->query("UPDATE users SET money=money-$price WHERE userid=$userid");
-
Regexps are not really efficient, but are fast anyhow. Now, where is your bottleneck: the server CPU, the server HDD, or the network? For me the server CPU is not the bottleneck; I have more trouble with the network (for far away players) and sometimes the HDD, so I don't even start thinking about optimizing such small things. Also, a regexp ensures you have a LOT more flexibility when you need it. I still use strpos or equivalents when I just search for a position inside a string, but regexps are really good at finding non-fixed things.
-
Line 91 needs to be changed to:
$db->query("UPDATE users SET username='{$_POST['newname']}', display_pic='{$_POST['newpic']}', forums_avatar='{$_POST['forums_avatar']}', forums_signature='{$_POST['forums_signature']}', email='{$_POST['newemail']}', login_name='{$_POST['newloginname']}', profsignature='{$_POST['newsignature']}' WHERE userid=$userid");
However, just as a reminder... all those queries are NOT safe, as nothing is done to prevent SQL injection...
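One way to close the gap noted in the post above, combined with the earlier post's advice to keep cleaned values in their own variables and reject a quantity <= 0. This is an added example, not part of the original posts or of MCCodes: PDO with an in-memory SQLite database stands in for the game's $db object, and positive_int(), buy() and rename_user() are hypothetical helpers.

```php
<?php
// Added example: validate input into typed variables, then bind values
// instead of interpolating $_POST into SQL. PDO with in-memory SQLite is an
// assumption standing in for the game's $db wrapper.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, money INTEGER)");
$pdo->exec("INSERT INTO users VALUES (1, 'alice', 500), (2, 'bob', 500)");

/** Return a positive integer parsed from $raw, or null if it is not one. */
function positive_int($raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/** Charge $userid for $qty items at $price each; false on bad input or low funds. */
function buy(PDO $pdo, int $userid, $rawQty, int $price): bool
{
    $qty = positive_int($rawQty);   // the clean value lives in its own variable
    if ($qty === null) {
        return false;               // rejects 0, negatives, non-numeric text, arrays
    }
    $cost = $qty * $price;
    $stmt = $pdo->prepare(
        "UPDATE users SET money = money - :cost WHERE userid = :id AND money >= :min"
    );
    $stmt->execute([':cost' => $cost, ':id' => $userid, ':min' => $cost]);
    return $stmt->rowCount() === 1;
}

/** Rename a user; an apostrophe in the name is bound as data, not parsed as SQL. */
function rename_user(PDO $pdo, int $userid, string $newName): void
{
    $stmt = $pdo->prepare("UPDATE users SET username = :name WHERE userid = :id");
    $stmt->execute([':name' => $newName, ':id' => $userid]);
}

// Constructed inputs standing in for $_POST values.
var_dump(buy($pdo, 1, '3', 100));
var_dump(buy($pdo, 1, '-3', 100));
var_dump(buy($pdo, 1, 'abc', 100));
rename_user($pdo, 1, "O'Brien");
print_r($pdo->query("SELECT * FROM users")->fetchAll(PDO::FETCH_ASSOC));
```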
-
For such a small thing, a regexp is just fine. And personally I would do the check while writing it to the DB as opposed to every time it's displayed, just to shave off a bit of server resources.
-
Hi, I developed for many years with Java (and still do occasionally). I stopped working with it for a few reasons:
- Java applets are really unstable. Which means: load an applet, switch to another page, come back to the first one and suddenly your browser crashes. This situation is not new, and doesn't seem to have any solution even after about 10 years.
- Java is "compile once and run everywhere"; unfortunately it doesn't really run like that, and many times your nice looking GUI on one platform doesn't run or doesn't look nice on the second one.
- Java is not compatible with... Java. As each version of Java introduces new features and removes old ways of doing things, your users will be required to upgrade their Virtual Machine in order to make things work. Unfortunately old Java software may not work anymore. And this is simply painful.
- Bad memory management: the garbage collector does have some bugs... and after long usage you may get the mighty out of memory exception, without any way to solve it. I know many companies which reboot their servers every night to avoid such a situation. Something I never had in PHP nor in C#.
The good parts of Java:
- Graphics speed is quite good (even if not like DirectX / OpenGL unless you use special libraries)
- Applets, when they run, can do nice things
- The possibility (with some effort) to make your application run on multiple platforms
- Good documentation and a lot of examples
- Some nice free developer environments (even if I prefer Visual Studio).
-
Vortex23: Your $uInfo['uColour'] implies you store the color as it is directly in the database. Fine as long as you double check what players set as color at the beginning. Otherwise it could open the door to XSS exploits. If you don't know what that means, I can make an example.
-
Well, besides the fact that making money seems really difficult (and don't talk about advertisement, as it will never cover the expenses unless you run your own network like Google), I would say the 2nd most difficult part is attracting users to your network (at least at the beginning). Which means you need to advertise it, or get somebody to advertise it for you, like some articles about your site. And here that will be really difficult.
-
Yes that's what I meant :D
-
Sorry, but who would use the same NAME and ID on 2 different objects? Never saw it, never had it... so that's why for me getElementById always worked :D Anyhow, thanks for pointing this issue out to me, as I was totally unaware of it. Even if maybe I will not need it now, you never know.
-
The line you gave us doesn't have any problems as far as I can see, besides an odd OUT; which doesn't mean much to me just like that. Maybe you should give us the complete code. Or comment it out line by line and check what causes it.
-
IE doesn't have ANY problem with getElementById, and I can assure you about it as I always use getElementById and my game fully works with both IE and FF.
-
Looks certainly different and this is really good. However I'm not sure I would personally use it. The chains for example don't blend well, and the background is a bit too strong for my taste. The headers also take really a bit too much height for me. Still, overall it's really cool to see that somebody started to code on this engine ;)
-
I would say that in most web games there are some ways or others to cheat. For example, even in my own game, there are some ways to transport yourself from one location to the other; now this can be prevented for most cases but not all. That has nothing to do with Javascript or not. Now Javascript does add some more problems, as with a simple Javascript debugger you could actually completely change your stats or always win. Against that I don't have a real solution, besides monitoring players and seeing who is gaining too much exp, money or whatever else. However, think that even in full blown games like WoW, you can cheat in the same way, with a debugger, and send some odd commands to the server. Now WoW does have a strong policy against those things, and does monitor which software is running in parallel with their game. But nothing is fully safe; for example, if you run WoW in a virtual machine, there is no way for the game to detect it, and yet report it to the admins.
-
I don't really see where the problem is with using JS (for everything). This makes the game fast, as you don't need to reload, and spares a lot of server resources. Now, is it persistent? No, I don't think so, but it's just because it hasn't been coded that way. As you could from time to time inform the server of how the thing is going.
-
So far, I haven't encountered any "modern" browsers which don't support the "getElementById" function. So your first function seems like a bit too much work for nothing. Also, why have it on the "onKeyDown" and "onKeyUp" events? Why not simply onKeyPress or onKeyUp alone?
-
Signature, my image is not showing up
a_bertrand replied to Floydian's topic in Feedback and Site Support
Could be due to the fact the image is part of a query string. Besides that I don't see why it should not work.