Everything posted by a_bertrand
-
You don't need to run them manually, you can use remote-cron systems, proxies and much more. As soon as you find a way to upload some custom-made PHP file, you can basically do all you want. No need to be executed by cron or not.

Well, the image upload can be handled in different ways:
- If you don't allow code execution (PHP or any other) in the image upload directory, I hardly see how you could be vulnerable.
- If you load the image from another script and serve it only as content, as the image upload is not directly visible, then again I hardly see the vulnerability.

Overall, your cron statement is for me nonsense. If you can upload a script you are vulnerable. No need to be run by cron or not. And actually running by cron changes nothing.
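The second handling option in the post above (loading the image from another script and serving it only as content), sketched in PHP as an added example that is not part of the original post. The names `resolve_image()` and `serve_image()`, the allowed-type list and the sample files are assumptions made for illustration.

```php
<?php
// Added illustration, not the poster's code: uploads are stored outside the web
// root and only ever returned as image bytes. resolve_image(), serve_image()
// and the sample files are hypothetical.

const ALLOWED_MIME = ['image/png', 'image/jpeg', 'image/gif'];

function resolve_image(string $uploadDir, string $requested): ?array
{
    // basename() drops any directory part, so "../config.php" cannot escape.
    $path = $uploadDir . DIRECTORY_SEPARATOR . basename($requested);
    if (!is_file($path)) {
        return null;
    }
    // Judge the file by its content, not its extension or the client's type.
    $info = @getimagesize($path);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        return null;
    }
    return ['path' => $path, 'mime' => $info['mime']];
}

function serve_image(string $uploadDir, string $requested): void
{
    $img = resolve_image($uploadDir, $requested);
    if ($img === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $img['mime']);
    header('X-Content-Type-Options: nosniff'); // browser must not re-guess the type
    header('Content-Length: ' . filesize($img['path']));
    readfile($img['path']); // bytes are copied out; nothing is include()d or run
}

if (PHP_SAPI === 'cli') {
    // Constructed sample data: a real 1x1 PNG and a script renamed to .png.
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
    mkdir($dir);
    file_put_contents("$dir/avatar.png", base64_decode(
        'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
    ));
    file_put_contents("$dir/renamed.png", '<?php echo "not an image";');
    foreach (['avatar.png', 'renamed.png', '../renamed.png', 'missing.png'] as $name) {
        $hit = resolve_image($dir, $name);
        printf("%-16s %s\n", $name, $hit ? 'serve as ' . $hit['mime'] : 'reject (404)');
    }
    array_map('unlink', glob("$dir/*"));
    rmdir($dir);
}
```

The content check only decides what the script will hand out. What keeps an uploaded file from running is that it is read with `readfile()` from a directory the web server never executes from.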
-
Well if a player is able to upload a PHP file, you are anyhow f*@! as you could still use a remote cron system which would call this file periodically. So for me the security is not different. Sorry. The first thing to do is to patch any vulnerability which would allow a player to send custom code.
-
Why shouldn't you do that HD?
-
HTTPS is not a proxy, Raven. HTTPS means HTTP+SSL, which is the secure layer on top of HTTP.
-
You can do all you want with C++. From an OS to a 3D FPS or even a web application. Actually you have more freedom with C++ or any other true compiled language than with the modern ones like Java, C#, Python, PHP or whatever. The drawback is that coding in C++ takes a lot more time than with the modern languages and is harder to code with. Besides those drawbacks, which pushed new solutions, C & C++ are still the most used languages out there.
-
What makes a good programmer?
a_bertrand replied to Spudinski's topic in Programming Tools, Software and much more
Fully agree with you here Spud. I know some "programmers" who always want to try new things or things they are reading about, even without really thinking if that method is applicable or not for a given problem or without fully understanding the end goal.

I would say a programmer should understand what needs to be done, and if you are doing software for a given company you should be able to do all the steps MANUALLY before thinking about coding them. Why? Because if you are not even able to do them by hand, how do you believe you will be able to write code to do it for you?

Programmers are not just people mixing some lines here and there to make something barely work, they should actually use the tools to create what they want. Transform a need / problem into a concept and then create a solution for it. As Spud says, true programmers are actually quite rare... and valuable ;)
-
Is Object-Oriented PHP (OOP) A Effective Code & Will It Improve My Coding?
a_bertrand replied to Razor42's topic in PHP
It depends pretty much on what you do, and the language / API you work with. In PHP honestly, you can do most (even re-usable code) without yet using much OO. Sometimes OO is also nearly a requirement for PHP, but overall the implementation of OO in PHP is not what I like most. In C# on the other side, I code only in OO, not only because the framework is all OO, but because it indeed makes my life much simpler and allows me to make things in a smarter way. Yet think that what you can do in OO can be done without OO, maybe it will be more clumsy but it can be done.
-
Daemons are basically console applications which are started in the init.d (some sort of... special Linux service which starts software on boot). Now, making daemons in PHP can be useful, and I did some myself too. All depends on what you actually need.
-
that doesn't work, it's easy to parse the HTML and do the right action.
-
Well usually it's called bots and not macros... Anyhow bots usually simply reproduce always the same sequence of "gets" or "posts", one after the other. So for example, get a page, extract some hidden fields or whatever and then post back with those values. So simply moving things around with an X-Y is not the way to prevent it. Either use captchas (which are annoying for users), or limit the number of page loads per sec, or yet smarter, look if the frequency of the actions is too perfect or too fast and detect therefore the bot. You may even mix such solutions, for example the first time your thing doesn't have a captcha, but if you load too quickly it shows a captcha.
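The two signals named in the post above (too many page loads per second, and action timing that is too perfect), combined into one check, as an added example that is not part of the original post. `classify_requests()`, both thresholds and the sample timelines are assumptions chosen for the demonstration.

```php
<?php
// Added illustration, not the poster's code. classify_requests() and both
// thresholds are hypothetical; tune them against real traffic.

function classify_requests(array $times, float $maxPerSec = 3.0, float $minJitter = 0.05): string
{
    $n = count($times);
    if ($n < 5) {
        return 'ok';                        // not enough actions to judge
    }
    sort($times);
    $span = $times[$n - 1] - $times[0];
    // Rate check: actions per second over the observed window.
    if ($span <= 0 || ($n - 1) / $span > $maxPerSec) {
        return 'captcha';                   // too fast: challenge before continuing
    }
    // Regularity check: coefficient of variation of the gaps between actions.
    $gaps = [];
    for ($i = 1; $i < $n; $i++) {
        $gaps[] = $times[$i] - $times[$i - 1];
    }
    $mean = array_sum($gaps) / count($gaps);
    $var = 0.0;
    foreach ($gaps as $g) {
        $var += ($g - $mean) ** 2;
    }
    $cv = sqrt($var / count($gaps)) / $mean;
    return $cv < $minJitter ? 'captcha' : 'ok';   // gaps almost identical: "too perfect"
}

// Constructed timelines (seconds since the session started), not real traffic.
$samples = [
    'human'        => [0.0, 4.2, 9.8, 11.1, 19.5, 27.0, 30.3],
    'fast script'  => [0.0, 0.1, 0.2, 0.3, 0.4, 0.5, 0.6],
    'timed script' => [0.0, 2.0, 4.0, 6.01, 8.0, 10.0, 12.0],
];
foreach ($samples as $label => $times) {
    printf("%-12s -> %s\n", $label, classify_requests($times));
}
```

Returning `captcha` instead of blocking follows the mix suggested in the post: no challenge at first, a challenge once the timing looks automated.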
-
Big O Notation in my understanding is when a curve function does a "turn" and goes toward some number like 0 or infinity. Nothing to do with a profiler here IMO.
-
I didn't take it as if you said it was bad, but I had the opinion you were wondering what a profiler had to do with the engine. So I thought it would make sense to explain to all what profiling is and what it can bring (roughly, as if you go into details... well you could write books on it ;) )

Totally true Spud, without some knowledge of what you are doing, you will not do much. Same on the large dataset, otherwise you will not be able to really test MySQL queries.

I must admit I don't use many tools for PHP (also because I don't develop all that much in PHP anymore), however I do use JetBrains .NET profilers when I need some help on the .NET side of my work. So if you have tools / hints for PHP and MySQL profiling please share with us!
-
I thought it could be interesting to continue a discussion with Spudinski about how useful a profiler is, but instead of just having a "yes / no" discussion I thought I would first try to explain what a profiler is, what it could deliver and how you could, with the help of a bit more code, do some profiling without any external tools.

A code profiler is a tool which checks the execution of code. It could check the time the code / functions take, or it could check the memory usage (called a memory profiler). Both are usually hard-to-use 3rd party tools, especially if you fire them up the first time. You may find quite some tools to profile PHP code or MySQL queries. As an example I could point you to: http://xdebug.org/docs/profiler

So what does a speed profiler (not a memory profiler) do exactly? Well basically it will help you to detect what piece of your code takes most of the time, for example if your code is like:

```php
<?php
// FunctionA/B/C stand for any three functions of your own code
$valA=FunctionA();
$valB=FunctionB();
$valC=FunctionC();
echo "$valA $valB $valC";
```

You may want to know which of the 3 functions is the slowest, and maybe inside each function you would want to know which block takes more time etc. Now it's not only important for a function you call 1 time, but think you may have a quick function you call millions of times, then suddenly this function actually is more important for the optimization than a slower function you call only once. Ideally you would want to know, down to the line of code, which one is the slowest, but usually profilers end at function calls, so if your script is one big flat thing without functions, then... no luck.

Now without the need of setting up some odd tools, you can directly do some primitive profiling just with PHP and the function microtime. To do so, simply store the microtime before the piece of code you want to monitor, and then the microtime after, and by taking the difference of the 2 you know how much time you spent on that piece of code:

```php
<?php
$start=microtime(true); // true to get the time as a float, in seconds
for($i=0;$i < 1000000;$i++)
    $a="Line $i";
$diff=(microtime(true)-$start)*1000; // seconds -> milliseconds
echo "Millisec to complete: $diff<br>";
```

The same technique can be applied basically everywhere, and for example I monitor how much time my queries need to complete. You could save this data inside the session or in a special log file, it's up to you. As an example, inside NWE I use the same technique for the included profiler.

So how does it help you? The faster a page loads, the more pages you can serve with the same server, which means the more players you can handle. By discovering which piece of software is slow you are able to try to optimize the right piece of software. Also, you could discover that some query or code is suddenly really slow and it's not just a network connection issue, and could try to investigate what is going on.
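The microtime() technique from the post above, wrapped so that time and call counts are added up per label, which is what makes a quick function called many times comparable with a slow one called once. This is an added example, not part of the original post and not NWE's profiler; the `Profiler` class and the sample workload are assumptions.

```php
<?php
// Added illustration, not NWE's profiler: the Profiler class and the workload
// below are hypothetical.

final class Profiler
{
    private static array $rows = [];

    // Runs $fn, returns its result, and books the elapsed time under $label.
    public static function measure(string $label, callable $fn)
    {
        $start = microtime(true);
        try {
            return $fn();
        } finally {
            // finally also runs when $fn throws, so slow failures are counted
            $ms = (microtime(true) - $start) * 1000;
            self::$rows[$label]['calls'] = (self::$rows[$label]['calls'] ?? 0) + 1;
            self::$rows[$label]['ms']    = (self::$rows[$label]['ms'] ?? 0.0) + $ms;
        }
    }

    // Labels sorted by total time spent, largest first.
    public static function report(): array
    {
        $rows = self::$rows;
        uasort($rows, fn($a, $b) => $b['ms'] <=> $a['ms']);
        return $rows;
    }
}

// Constructed workload: one slow call made once, one quick call made many times.
Profiler::measure('slow_once', function () { usleep(20000); });
for ($i = 0; $i < 5000; $i++) {
    Profiler::measure('quick_many', fn() => md5("Line $i"));
}
foreach (Profiler::report() as $label => $r) {
    printf("%-10s calls=%5d total=%8.2f ms avg=%.4f ms\n",
        $label, $r['calls'], $r['ms'], $r['ms'] / $r['calls']);
}
```

Wrapping each database query in `Profiler::measure()` with the query name as label gives the per-query timing the post mentions; the report can then be written to the session or a log file.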
-
Yes each user should have their own HTTPS / SSL key. The issue is not only on the database level, where you store the password encrypted, which is mostly a security measure if somebody steals your table somehow, but I believe here the issue is the transfer from the web page to the web server, which sends at least once (if you don't store the password in the cookie for example) the password in plain text over the internet.
-
Secure authentication, maybe he means that the password will never travel in plain text, so some sort of hash sent from the browser page to the server or something similar. Yet the only truly secure one I know is HTTPS or... at least it's more secure than some JS code you could come up with yourself. Maybe security expert Octarine could find a better and safer way, but for me HTTPS is really the easiest / most secure you could get. BTW SSL keys are not so expensive, starting at like 8$ a year for a Comodo SSL key... I mean, come on, if you can't afford that...
-
Anyhow if you want to go through with your idea, you can either use strpos and see if it returns a position or not, or you could create regular expressions and check on each row of your array if it matches or not, and only for those matched it would work.
-
Doable but could be dangerous. What if I create a URL like mynastysite.com/google.com/ ? Would that work as well? If yes then your security check is as good as useless.
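Why the URL from the post above passes a substring test, next to a check on the parsed host, as an added example that is not part of the original post. The function names, the allow-list and the sample URLs other than the one quoted in the post are assumptions.

```php
<?php
// Added illustration, not the poster's code. Function names and the allow-list
// are hypothetical; the URLs are constructed samples.

function naive_is_allowed(string $url): bool
{
    // True whenever "google.com" appears anywhere in the string,
    // including the path of some other site.
    return strpos($url, 'google.com') !== false;
}

function host_is_allowed(string $url, array $allowedHosts): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // relative or malformed URL
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                       // no credentials part in front of the host
    }
    $host = rtrim(strtolower($parts['host']), '.');
    foreach ($allowedHosts as $allowed) {
        $suffix = '.' . $allowed;           // leading dot: real subdomains only
        if ($host === $allowed || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

$urls = [
    'https://google.com/search?q=php',
    'https://maps.google.com/',
    'http://mynastysite.com/google.com/',   // the URL from the post
    'http://mynastysite.com/?next=google.com',
    'http://notgoogle.com/',
];
foreach ($urls as $u) {
    printf("%-42s naive=%-3s host=%s\n", $u,
        naive_is_allowed($u) ? 'yes' : 'no',
        host_is_allowed($u, ['google.com']) ? 'yes' : 'no');
}
```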
-
Well security is not fun to test, and actually takes time and effort to test correctly, so you should pay somebody to do it if you want something serious.
-
Game Engines available via/supported by; this community comparison.
a_bertrand replied to Djkanna's topic in General
Sure you can have a template for each language, the trick is a bit more than that. Imagine that on version 1 of a module you have about 5 links or texts. Now the owner of the game changes them, to match more his/her own game theme. On version 2 of the module 2 more texts have been added. If you had to edit a template, you would basically need to merge the templates by hand to make sure the changes of V2 still work. With my approach nothing needs to be done besides simply changing the 2 new texts.

That's just for the texts directly edited. You then have functions like for buttons, which can either simply use the CSS to change the look or actually generate different HTML per template. If the modules are well done and use the standard API, then changing the template will change the actual HTML of all the modules. Sure you could have a template just for the button, but that would make things a bit clumsy IMO.

Again I'm not saying a template system is bad, I just thought my approach makes things a bit easier for the game owner.

For the multiple versions of ez... Not sure we should make a column for each different version, it would just make things more messy IMO. If you want to point out some info about the fork, then please share.

On the feature list unique to all engines, I do agree, it would be great to have the list of features which make each engine unique. So those who know what to add should state it in this thread and the list will be updated. Indeed McCodes will be a better choice out of the box for a Mafia game, or if you want on the other side to rely purely on open source then NWE is not the good choice etc... That's why we have different cars, as they all have small or big differences which may please one customer more than another.
-
MVC is not a library, it's a design pattern. Huge difference.

The model is a pure Object Oriented representation of the data. It DOES NOT have any code logic normally. It's like purely the result of the ORB. So you will usually need some DB abstraction layer which is able to load / save objects for it.

The controller is what manipulates the model, for example edit fields, add new values, or remove them. Checks for the passwords, email, or whatever are inside the controller. However it doesn't know anything about the forms as that's the job of the view.

The view is a little bit more than HTML and a simple template system. It could even use jQuery to have the dynamic feeling or more. The view is basically FULLY responsible for how some action / content is displayed and handled by the user.

Besides that I must admit I didn't really understand what you want to do but ok, fine. More engines == more choices and could actually improve the quality of the existing ones if a programmer picks some ideas ;)
-
Game Engines available via/supported by; this community comparison.
a_bertrand replied to Djkanna's topic in General
- Table has been updated thanks to Spud's comments. If there is more, post them ;)
- Lines of PHP may give an idea of how much mess you may need to check if you want to go through the whole stuff, it doesn't say that the biggest is the best or the smallest is the best. It's just an info.
- For the player stats: you are fully right, you should not have to change the DB to be able to change the number of stats / skills or whatever. However McCodes as you know is like that, where most info ends up in the user table.
- For the development status there are 2 things: stability of the API / LIB and the feature set. If you buy a product you hope to get new features every now and then, and see that the product is evolving. Dead products are usually a lot less interesting than emerging ones.
- If you run after stability you could use OS/2, which is totally dead as nobody develops it anymore. On the API side, of course as a developer you don't want to change your code at each release. Now if you pick NWE, show me what changes you had in the API since the beginning which forced you to change even a single line inside a module. None is the answer... yet the engine is frequently updated / improved.
- Having game live stats is a feature... Newcomers (which are anyhow the target of most game engines, right?) don't know much about the internet overall, and having the possibility to see inside the game how it's going is a plus.
- Game profiler helps you detect bottlenecks, slow code and slow queries, it shows even what kind of module is used for a single page. You may find it useless, I find it extremely useful.
- Bug tracker: again something useful. The game owner could create some code which breaks something, well it's a way to report the issue. Or the content may be broken somehow... again you want to know it. Could you live without? Sure... but it's more than a useful feature.
- Edit all texts: sorry but here it's not just a question of template. First of all it allows you to have your game in multi-language (with little effort), but it also helps the owner to customize the game without modifying the code / template or anything from any kind of module. That allows a module coder to release a new version, and you are sure the customization you had for your own game will be kept, even if the base template is changed. For me again this is something mandatory for a good engine which shall use 3rd party modules. If you do all yourself you don't need it.
- NWE uses PHP as template engine ;) no need of anything else. You should have a look at the free version and then comment once you have understood the concept. Smarty is not bad, don't take me wrong, yet it has a little different approach to the problem.
-
mmm... registration => same username and password => and you end up in a new page with a warning, you press the link => bam wrong URL. Nice!

Captcha is weak... but well... it's maybe better than none? After registration... you have to wait but it logs in... good!

Now... I'm inside the game and... sorry but I have no clue what the story is, no clue what the game is, so basically you must click randomly on links? Sorry that's stupid and sadly it's a common issue here on MWG.

Online with last action over 6 hours ago? Sorry, for me that doesn't mean online ;)

Overall I would strongly suggest to put a story, have some content which matches the story, not some generic McCode (or the like) site which, sorry to say, I have no interest in.
-
I'm not a big fan of the MVC pattern. I know lately (or not so lately) this is like a marketing word, but honestly I find it most of the time overkill and annoying. Why? Because you need 3 classes (the model, the controller and the view), you don't completely replace the use of a template engine, and it makes the code harder to debug. Overall the only benefit I could see of this design is in case you need multiple "views" of the same content, for example one mobile and one full, or for example a SOAP interface too. This design would then let you keep the model and the controller intact while just changing the views. Besides such cases, I hardly see a benefit.

For your engine, you should think what kind of customer you are aiming at:
- The newbies who know nearly nothing about PHP and web games, for whom the easier the engine is (installation, upgrades, management and ideally the coding too) the better it is.
- The advanced developers, who usually need only a framework and may not even be interested in a game engine. This will be your harder audience as they may think they can do it better, and in any case doing all by themselves will let them have full control.

So if you are aiming at the first kind of customer, I would strongly suggest to keep the code as simple as possible and not go for some fancy design pattern.
-
If you are new, then 20 min is not bad.
-
Game Engines available via/supported by; this community comparison.
a_bertrand replied to Djkanna's topic in General
Well then, maybe McCode should hurry up with their V3 and do something against it, don't you think? But I doubt that anyhow people will not buy anymore McCodes.