Everything posted by a_bertrand
-
I saw somebody worried about a security issue while working with a file upload. For those of you who are a bit... lost with such kind of issues, I thought it may help to explain the issue a bit:

As soon as you allow file uploads you may end up with security holes if you don't manage the upload correctly and simply store the uploaded file in some browsable directory.

Let's take an example: I have a simple "upload file" (whatever it is) page, which once the file is uploaded stores it in the images sub directory. Now some "hacker" uploads some script instead of an image and calls the script directly like "http://mysite.com/images/myuploaded_script.php". Of course this could be an issue as it allows everyone to run code on your server.

To avoid such a situation you may:

1) Check what kind of file is uploaded. For example, try to open the file with imagecreatefrompng or whatever function, and check the width / height of it.

2) Make the image upload directory not browsable (via .htaccess) and go through a PHP script to view it like:

    <?php
    header("Content-type: image/png");
    readfile("images/thefile.png");

This will ensure you only give back the data as stored on the server, however then this script could potentially serve any file (not in this case as I hard coded the path), so you will have to check what to display here and not allow to browse outside of the given path.

3) Instead of storing on the file system, store it in a database. The advantage is that if you run the web server on a cluster or make just a backup of the DB you will as well backup such document. The drawback is the speed of the database which will quite certainly be slower than a simple file access. You will need of course again some script to serve back the image.

Keep in mind you should use readfile, or file_get_contents, NOT INCLUDE as it will then execute the code!

There are other kinds of more creative ways (both for hacking and for protecting), but I think I gave some hints.

BTW Spudinski this is not against your script, I didn't check it, so I can't judge it nor was it my intention to do so. If you guys want to share more info, or have questions, please do so.
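The following is an added example, not part of the original post and not code from any script discussed in the thread. It combines points 1 and 2 above: the upload is accepted only if it parses as an image, it is stored under a server-chosen name, and it is served back with readfile from a fixed directory. The names UPLOAD_DIR, ALLOWED, store_upload and serve_image, the 4096 pixel limit and the location of the storage directory outside the document root are assumptions.

```php
<?php
// Added example; UPLOAD_DIR, ALLOWED, store_upload() and serve_image() are hypothetical names.
declare(strict_types=1);

// Assumption: storage directory lives outside the web server's document root.
const UPLOAD_DIR = __DIR__ . '/../private_uploads';
const ALLOWED = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];

/** Validate one entry of $_FILES and store it under a server-chosen name. */
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Point 1: the file must parse as an image of an accepted type and sane size.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED[$info[2]])
        || $info[0] < 1 || $info[1] < 1 || $info[0] > 4096 || $info[1] > 4096) {
        throw new RuntimeException('not an accepted image');
    }
    // Never reuse the client-supplied name or extension (no "something.php" on disk).
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    return $name;
}

/** Point 2: send a stored image back as data, refusing paths outside UPLOAD_DIR. */
function serve_image(string $requested): void
{
    $base = realpath(UPLOAD_DIR);
    // basename() drops any directory part; realpath() resolves symlinks and "..".
    $path = realpath(UPLOAD_DIR . '/' . basename($requested));
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }
    // Re-check the type at serving time instead of trusting the extension.
    $info = @getimagesize($path);
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path); // readfile() only copies bytes; include would execute them
}
```

A valid image header does not guarantee the rest of the file is harmless, which is why the stored file is never placed where the web server would execute it and never passed to include.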
-
New Worlds Engine Developer version available!
a_bertrand replied to a_bertrand's topic in New Worlds Engine
Then let's say I do really compressed code ;) But again, does that really matter? Is it better to have millions of lines of code which you cannot understand or a couple of well written ones? Or in another case you could have 2 lines totally unreadable (think about complex regexp) or 100 which all make sense. Sorry but just comparing lines of code means... little. Also Spudinski, I don't need to rephrase, your mod does basically all the functions of a gallery script, with even an admin side of it as far as I can see from the feature list. So it's more a gallery script than simply a mod. It doesn't surprise me it has 1527 lines of code. On the other side, a "work" mod or train mod which does 2000 lines with tons of copy / paste HTML for 10 different ifs, that would hurt my eyes more. And... remember we should not talk about V3
New Worlds Engine Developer version available!
a_bertrand replied to a_bertrand's topic in New Worlds Engine
2000 lines for a mod? Then maybe it's a lot of copy / paste ;) Sure it's not HUGE, it's simply enough and not that small for an engine. Don't mix engine and game Arson! It's an engine not a game. BTW If it's too small for your taste check at least what it can do, and then let's discuss the size. It was just to give an idea of the work behind, but as you stated and demonstrated it may mean a lot or nothing.
Happy coding Sporto!
-
So basically about 5 days after cron issues, and stating you are new to the coding / game owner business, you sell the game? What's wrong? Decided to stop? Maybe before we could try to help you. Also, if you don't own a license of McCode you don't have the right to sell it, if you own one on the other side your game should be worth the price of the license. (Of course it means you cannot continue to use McCode unless you purchase another license). Overall you must give more details, and maybe don't give up so quickly. Unless of course you have other issues or decided to take another road.
-
Danny: Sorry but license transfer can require fees and is a legal practice: For example ZBrush requires around 50$ to transfer a license: http://www.pixologic.com/docs/index.php/Installation,_Updating_and_Licensing_FAQ#Selling_Your_License
-
The main difference when you work with ZBrush is that you feel free. I mean, it's really like working with clay and not in 3D. Sure it's on the screen, sure it's behind a computer and your fingers are not feeling the clay nor are they dirty at the end (if you don't put your hand in odd places while you are at your computer). It's totally different from the "precise" 3D thinking you must have with other softs and with ZBrush. Yet, if you are after designing a helicopter or a tank, or a bridge, or a house or whatever else which is... more structured than monsters, people, faces. Well you will have trouble. As said, for me it's an excellent additional tool, or more like another world. Yet a very interesting one. BTW They are hiring coders and web designers: http://www.pixologic.com/jobs/
-
Most of you should know now my passion for 3D art, even if I'm by no means a pro in the field I invest quite some time into it, and play a lot with the tools I have. Since a couple of years the best sculpting and texturing friend of most 3D artists has been ZBrush. I must admit I tested it a LONG time ago (more than 12 years now) as I have been invited to beta test one of the first versions, and I was not all that interested because at that time it was like a 2.5 painter (their own terms) and you weren't able to work in 3D. Yet, since V4 of their product you can effectively work fully on 3D models, sculpt them, paint them and work on them.

Now is ZBrush the ultimate tool? No, for most normal 3D activity, like animation, hard surfaces (hard edge, mechanical parts and more), ZBrush is not really ideal. Also the materials are cool, but don't offer yet the flexibility of traditional 3D rendering tools even if you see in the examples made by ZBrush artists incredible creations. But I would say it's normal with nearly all software.

After quite some thinking I decided to spend the money for it (yes it's not cheap), and try to use it as well. I must say that the user interface is... odd at best if not hardly usable. However the features it has for my needs seem simply incredible. It's smooth, it allows to work on extremely complex objects and supports Wacom tablets without issues. Also it integrates with my 3D without much pain, which is what I was needing.

So if you are into monsters, people, or other soft bodies yourself, and or you want to paint or sculpt in 3D, I would say it's the soft to have.

Site: http://www.pixologic.com/
Gallery: http://www.pixologic.com/zbrush/gallery/2012/
-
Cronus: here on MWG ;)
-
Official make a wish thread: Request an official mod
a_bertrand replied to Sporto's topic in New Worlds Engine
Potions: Ok not difficult to make really, but I will do so as you kindly asked (and actually it's not the first time).
To answer about the ajax, I didn't check Meteor, so I can't answer for that, but I strongly suggest you open Google Docs (same document) across two browsers, and use Firebug to check the ajax activity. Basically: your browser makes an ajax call to the Google server, but instead of being a quick answer, the answer hangs for like... nearly a min or so. During the minute, if there is an update to do, Google sends back data through the open connection. After the min, the connection is closed from the server, and the client then opens again a new connection.

Why does it work like that? Well, first of all, TCP sockets or web sockets are pretty new and would not work with older browsers, plus you have all the risks to be blocked by firewalls (for example where I work it would not go through). So relying on some older technology makes more sense. Yet keeping the connection up (it's like giving very slowly data) the server can use that connection to send updates as soon as it gets them. Of course you still lack the "action" from the user in this picture. Well in Google's solution, every time you type (or nearly) a new ajax call is made to send this update.

For the stream of hot copies, well it's cool but not amazing. I suggest you check things like Erlang which are odd languages which allow the full code to be updated live without stopping it. Now of course they don't do that, here they basically have a "state" which is stored on the browser side, maybe cookie or whatever, and when there is a new version they simply load the new page and restore the state. Nothing all that fancy for me. Yet it does work. Again I wonder how useful all this is. For my own applications => not useful. If I change a soft, well basically the change will be valid on the next reload, not the end of the world in my opinion.
BTW, I coded something VERY similar with wsirc (a couple of years ago), where in case I change the js code on the server, the browser does reload the page, but keeps all the state as it is (connections and history). So certainly not magic. But hey, this is the only application I ever made which may have a benefit from such feature. For the "latency compensation" for me this is pure marketing. Sorry, but if a user does some action, simply the action is made directly on the page, and then the ajax sends the thing back to the server at the possible speed. Nothing magic nor new. Again I do have the same on wsirc... and it's really not all that hard.
-
Official make a wish thread: Request an official mod
a_bertrand replied to Sporto's topic in New Worlds Engine
Official make a wish thread: Request an official mod

As I said to many of you, I'm willing to take into consideration any module development which will then be delivered in the official package. Which means, if I develop a mod it will be available to all of you. For this, the mod needs to be somewhat neutral to the game theme like "clans" would be accepted where "pirate bar" will not.

The more precise you will be with the description the more likely the module will be developed. I mean, "do me a one click game" will not cut it, where a complete description of the problem, rules and possible customization would certainly improve my interest in developing it.

That being said, not all requests (even valid ones) will be implemented. And don't even bother to ask for a custom paid mod, I will simply not do it. However I do know a couple of people who may do it for you or yet better ask openly in the forums if there is any developer wishing to develop something custom for your own game.

So let the requests flood!
Well, it's not only a quick way but allows in future to patch a modified game. Think that you added new modules or touched some of the official ones, well, with the patch you will know what files we modified and hopefully in most cases will not touch your work. Anyhow thanks for the support guys, and thanks to rulerofzu for having tested it before release as we had a couple of issues with the patch system. Next to come is either the addition of new modules like clans or trade house, or improvement of the current ones like the forums or the messaging system. Let me know what you would prefer.
-
Hi,

As promised, you may now download from the license page your fresh new 1.0.3 release. You may either download the whole package, or just the "patch" zip file. The patch zip file contains only the changes from 1.0.0 to 1.0.3. If you take this road, simply download the zip, un-compress it in the main directory where you installed NWE and open your browser with the right URL, you will then see the game installer, then simply say you want to upgrade, and after a couple of refreshes your game should be up and running with the new code.

What does the 1.0.3 bring:
- Fixes in the installer
- A bit more content
- An HTML / XSS filter
- A quest (or missions as you want to call it) system which can be linear or not, single action or multiple.
- A wizard for logic and code entry in a lot of tables.
- Cleaned up the art_medieval template (left over some useless code).

Of course this upgrade is free to all full owners. We will release certainly a new version of the DEV later on.
-
Does look cool indeed, and thanks for sharing Spudinski. However a couple of things which came to my mind:

- JS is still JS, really not the nicest language out there. Too bad we are somewhat stuck to this.
- Security? It's not SQL injection here in the example, it's full DB access. So unless you can control what can be done and what not (and no clue how), this is totally useless. So don't come to say it's done in 1 h, it is actually 1 h for nothing as you can't use it.
- Server usage, for all those kind of ajax instant web pages, like Google does, where basically if a user modifies you get instantaneously the update on other web pages, you have basically a connection which is left open for a given amount of time, like let's say... 1-2 min, then the server closes it and the browser opens a new one. During the time the connection is open, the server can push the data through it. Now it's all good as it's really the fastest you can currently have via ajax, however this has a major drawback, it requires that for each connection the server keeps all in the memory, and keeps a TCP socket open. We do know there is a hard limit on the number of TCP sockets a single server can handle, so I wonder how this scales up and what the overall server usage is.

In my day to day work I really don't see much benefit of such platform. I don't need live updates, I don't use much Ajax either. Code and presentation is already separated due to the fact I use ASP.NET, and I do prefer C# over JS. I do see however some cool stuff here, and I do see how and where it could be handy, but it needs to be really thought of, tested and see if it really makes sense. I'm still by far not such a fan of having JS on the server, even if that would mean unifying the development.
-
The quest system shall be ready, and the wizard has been incorporated in the table editor. That means all the logic will be editable directly from the table editor without actually requiring you to write any PHP. The PHP will be created for you by the tool. The wizard is able to create condition logic as well as action logic. The same wizard can be then used on any other tables requiring such PHP code (like the usage_code column of the objects) simply by defining a little tag in the config.xml file. Of course the wizard can be disabled via the admin panel and you would then be able to write down whatever code you want. We are now testing all those modifications and hope to deliver the new version tomorrow or the day after.
-
mage outpost mage academy lost my mage wizi wizard world of wizard lizard the wizard mage vs wizard no more wizard magic rules law of wizard wizard of unlucky lucky mage beat my spell look at my spell lost spell of the wizard yet another wizard spell with mages and much more join as it's free and fun The last name being the best in my opinion as you may short it to yawswmammjaifaf which is easy to spell and remember and I doubt you will find anybody using this domain
-
The deal seems now way too good to be true ;) Also, do you really know how to manage a Linux system? Apply patches and enable the basic Linux firewall rules? Do you know how to make backups? At least for the DBs? If not, stay away from a dedi or a VPS until you have a good knowledge of system administration. I would anyhow start with a shared hosting like for example http://www.w3theory.com/Hosting/ and migrate from the shared hosting to something else only if you cannot continue on the shared host. You will save money in case your game is not as successful as planned, and it allows you to start without worrying about all the system administration.
-
With your deal? Not really no. You will be able to start a game (like with any shared host) but not much more. With 512 Mb of ram, will be a bit better but still on the low side. At the end of the day for a successful game you will need a dedicated server quite certainly or a good cloud hosting.
-
Managing multiple codes at the same time seems a bit impracticable. At least if there is only one developer group. Maybe CB and Dabs could somehow sell or give away the right of V2 to somebody such that this person or group of people can continue to work on it and in the mean time they work on their new version in parallel. With such solution you would have the best of both worlds. For V3, I would suggest to stop calling it V3 as if there is no compatibility nor really a sharing design between the 2, it would maybe make people unhappy if they purchase V3 thinking that they would keep all modules and yet would not be able to. At the end, the community is more interested in a new version it seems, therefore I would suggest CB and Dabs to continue with their work. So we don't need to wait yet too long before we get our hands dirty with something fun to play with.
-
Yes, as mysql will tend to cache (if you allow so) the index keys, apache will use anyhow some memory by itself (how much depends how you configure it), and of course your PHP scripts will use some too. Would a normal script work on that config of yours? Yes I guess so. However you may not reach very good performances that's it. If your hosting allows it, you may start with the configuration they propose and then check how to upgrade if you need more.
-
Ok the price starts to be reasonable. However the ram is too low to be really usable if you want a web server with mysql running on it. You will basically have VERY POOR performances in the best case.
-
100$ for a year? for a month? 192Mb of ram is really low even if they promise 256 Burst...

7 Euro per month can get you:
- 512Mb of ram
- 40 Gb of diskspace
- 500 Gb of traffic per month

http://www.leaseweb.com/en/cloud-hosting/express-cloud

Which would mean around 109$ a year. So look around, your offer for me is really not all that good.
-
Also you can always make a screen capture and then copy the image you want, without even saying everybody can as well disable javascript and be able again to right click. Sorry but there is no way to protect you here.
-
Illusions already started to offer mods in the market place. Yes it's open to everyone, provided the mod is secure, and uses the appropriate engine functions (in any case I will review and report to the author any kind of issues, as well help in case it's needed). Mods can be free or not, it's up to the author. You may also if you wish post your mod outside of the market place, as pure sources or as package which has the advantage of being easier to install. For the conversion of a McCodes mod to NWE (New Worlds Engine) mod, I would say it's generally not all that difficult. If you need a hand I can help you out. BTW I did say it, but the quest mod will be free for all full engine owners.