Dabomstew

The v2.0.4 cron_minute file has a small bug in it causing this issue. It will be fixed in a future patch but here's the immediate fix: Open the file, and replace every time it has GREATER (there should be 2) with GREATEST. Save and it should work.

That has the same shortfalls as caching it any other way in V2 since we load settings either way. But it is interesting for other purposes.

Do elaborate if you wish here or in a PM; i see a way to make it 1 query per pageload for the both but no more efficient than that without *some* form of cache, or updating a count every time someone enters/leaves one of the two.

Every v2 release has had the crons update hospital/jail count since otherwise it wasted 2 queries every page. Making sure they're on will solve any such problem

Eh, I think you made a typo in the method name (__destruct?)... Otherwise, good stuff. The original code was not written with PHP 5 in mind, though, hence why something like this isn't already there.

I understand that the mods that you linked to would have been absolutely fine to include in the patch. However, the process by which I compiled the patch did not include looking for topics on the forum containing mods that could improve the base engine. I was simply aiming to discover the bugs and security flaws in the script and correct them, whilst doing some other minor touchups such as standardizing the code style. I decided that the best way to patch the issues I found was simply to correct the code, as most of them were not complex problems. Whether you agree or not with this approach regarding this patch doesn't really matter as it has already been released, and does the job it is intended to (to our knowledge, at least). Again, we may release another patch in the future that *does* go down the route you suggest. Copyright and licensing are two different issues, really. As far as copyright goes, where MCCodes is created (the country I live in), there is *no* copyright registration process whatsoever. Additionally, the codes are still protected under copyright from the date of their creation according to the copyright laws of a large amount of countries. Whether it would be prudent to register our copyright in certain other prominent countries where such registration is possible & helpful is another matter. As far as licensing goes? If you were to release some code under a GPL license, and I was to include it in a product I was selling without asking you to relicense it, you could take action against me regardless of the copyright status or license of my for sale product. That is where licensing issues could arise.

Thanks for the feedback, but this *was* primarily a bugfix release and so the focus was on fixing what was there to do what was intended, not improve it. There were some improvements made, as you can see in the changelog, but they were mostly either very important things or byproducts of the bugfixing process. We will consider stuff like "improved" mods being integrated if there is another patch release, but there are also licensing issues associated with that even if the mods are released as "free". To the best of our knowledge we have fixed the bugs found in v2.03.

Manually upgrading a 2.0.3 game to include EVERYTHING in 2.0.4 would be a very long-winded, almost impossible process as the actual code changes number in the hundreds, if not over a thousand. However, we will update the security document within the next few days to include specific fixes for the specific problems listed.

Ok, fair enough. To clarify: Pretty much every php file released by MCCodes until the release of 2.0.4 has had a trailing ?> at the end of every file. Unfortunately, they were also littered with inconsistent code style, different opening tags (<?php vs <?) and a fair amount of trailing whitespace after ?>s. The new standard, which will be followed from the release of 2.0.4 onwards and for each patch/version following it, will be that there will be no ending ?> where it is unnecessary. This, along with a set of other coding standards to be followed consistently are part of our efforts to improve the understandability of the MCC scripts. It is true that whether MCCodes scripts should have ?> or not is a valid talking point, but the war of whether it is "better" to have them or not from a standpoint of best practice appears to not have a clear winner. It is this part which is getting offtopic, not how it applies to MCCodes.

This discussion on ending tags has drifted away from the point of this topic, so I'll say this: The fact that there is no trailing ?> in the files is controlled by one line of code in our release builder. If you really want a copy of MCCodes v2 with a matching ?> for every <?php, contact us and we'll be happy to provide if you're a customer. Otherwise, it's rather irrelevant.

Read above. The security notice has been moved to our customer area. If you have a license, it's just a few clicks away still.

We feel that we have to inform customers of the two engines which do not yet have a patch of the potential issues in their games. This is mainly why the security advisory was released. v2 users should download the new files and work from there. The code does address a bit more than the security advisory does, I believe - though it was prepared with the changelog of the patch in mind. If there are further security issues which neither the patch nor the advisory cover at all, we would very much like to hear them so follow-ups can be made. EDIT: Also, contacting our entire customer base and waiting for a reply from every single customer would have seriously extended the time taken to release the patch. We therefore felt that this was not a practical option. EDIT2: We have reconsidered slightly, and moved the security document to only be accessible to paying customers. The changelog is still public.

After a bit of a delay in programming & testing, MCCodes have finally released the v2.0.4 security & bugfix patch for MCCodes v2 users. Also released is a security document, which allows users to fix the security problems which were fixed in 2.0.4 in their own games if they are heavily modified or not v2. The changelog is attached to this post. The security advisory is available to ALL paying customers in their customer area, underneath the engine license section. Please report bugs through our bug tracker, or here if you prefer (though reporting them to our official bug tracker is much better for us) If you want to just place the 2.0.4 files over your (UNMODIFIED) 2.0.3 ones you can do so and have it function correctly by executing the following SQL queries:   INSERT INTO `settings` (`conf_name`, `conf_value`) VALUES('jquery_location', 'js/jquery-1.7.1.min.js'); ALTER TABLE `userstats` ADD PRIMARY KEY ( `userid` ) ; ALTER TABLE `forum_posts` CHANGE `fp_text` `fp_text` TEXT CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL DEFAULT ''; ALTER TABLE `fedjail` ADD UNIQUE (`fed_userid`); ALTER TABLE `users` ADD `pass_salt` VARCHAR( 8 ) CHARACTER SET latin1 COLLATE latin1_swedish_ci NOT NULL ;   This is highly unrecommended for all but those who are just starting out on their game, since you will lose all your mods. changelog_204.txt

BUMP for release info. The release of the 2.0.4 patch is near. We should get this out in the client centre next week, early on unless internal testing finds significant problems. At the same time, we will also release a public announcement document containing details of the security issues patched in 2.0.4. This will allow v1/Redux owners to make sure their game is patched against them before our official patches, if they wish. It will also allow v2 owners who have modified their sources heavily to make sure these exploits are not still open. Following this release the patches for v1 and Redux will be developed.

A note on the content of these patches: The primary purpose of this particular batch of MCCodes patches (2.0.4, 1.1.1 and Redux 2.5.6) is to provide essential security & bug fixes. That is to say, the patches focus on the following: A) Security issues affecting any code in the main MCCodes product B) Functionality in the MCCodes product which does not work (such as admin pages which don't do anything, submission pages where strings were getting double escaped etc) Changes to other aspects, such as the code style, and conformance to "best practices" and the like come second to the above in this set of patches. There are certainly improvements to the other aspects of the engine as a byproduct of fixing the two key issues above, such as consistent code indenting. However, we believe that the immediate need is to make sure the engines work and are secure to the best of our ability. That said, these patches are certainly not the "be all and end all" of patches to these products. It is definitely possible that future patches will address other issues such as code style more thoroughly.

Getting into this for a while was quite fun and produced quite a long list of issues - which I'm sure isn't close to the "full" answers. Though I did start to question myself after a while on what was actually relevant...

For people that have bought a license since the new system came out or already had their previously bought licenses linked to a customer account on our site, absolutely free out of our client download page. For people that haven't been bothered yet linking their pre-April 2010 licenses to a new account, a trip to our contact page to send us the details of the license you bought and the account you wish it to be linked to. Then same as above, once your request is processed. For people who don't have a legal license, ...

MCCodes v2 has required php5 since 2.0.3, and Redux since its release AFAIK. We haven't had many, if any complaints on this matter, so it will be staying as is.

Addressing some points here quickly: * The thing that duplicates the effects of magic_quotes_gpc on servers without it is still there. Simple reason? Mod compatibility. It would be simple enough to recode the base engine to not use it at all (and in fact do the opposite) but a patch such as this is not intended to break years worth of mods. * I have heard one or two inklings here of issues with filter_var - will look into it before releasing this patch. * Location of jQuery can be specified in settings - by default it's in a "js" directory but you can e.g. use the Google APIs server copy instead. The usage of jQuery should be simple enough to not require any specific version, though I will check to see which (if any) version it breaks on and make sure users are told to use at least the one above. * No, MCCodes v2/Redux do not use any of the actual improvements in MySQLi, but a broken class is a broken class. Again, changing v2/Redux to use MySQLi in the way it is intended would be outside the scope of a patch (would break support for servers without it, most likely) Also, I have updated the main post with an updated changelog, reflecting further progress on the 2.0.4 patch. The same conditions as before apply. A release by the end of this week is possible, with the other 2 patches to follow not long afterwards.

We can provide a separate script that adds stock gang organised crimes to a v2 game if that's wanted by anyone - but it isn't really part of a patch persay, especially for people who have already SQLed in their own.

Thought I'd take this discussion out of the "bug tracker" topic as the patching process is well under way. MCCodes is releasing patches that contain security & other bug fixes for all 3 currently sold MCCodes versions - v1, v2 and Redux. This process is currently underway with the development of a patch for v2. The current changelog for the v2 patch is below, to show progress & allow you to fix these bugs yourself manually if you so wish (excluding security-related fixes to stop people trying to exploit them before the patch comes out): [critical bugfix] mysqli class was missing escape function [bugfix] lots of texts were getting double escaped [bugfix] register script fixed to not accept weird genders, etc [bugfix] fix gender in installer [bugfix] fix Crystals in Hall of Fame http://makewebgames.io/showthread.php/39954-Problem-with-Hall-of-Fame-in-version-2-03 [bugfix] fix other weird hall of fame behaviour [bugfix] fix gang record viewer http://makewebgames.io/showthread.php/39623-Another-v2-03-error [bugfix] fix gang credit crystals http://makewebgames.io/showthread.php/39623-Another-v2-03-error [bugfix] fix editing items losing their effects [bugfix] fix a users staffnotes being wiped when you use "edit user" [bugfix] fix stafflist [bugfix] gang record now records in stafflog properly [bugfix] some staff pages now close properly [bugfix] ending polls now works [bugfix] raw references to mysql_query,mysql_num_rows etc replaced with $db usage [bugfix] prevent users doing invalid crimes [oddity] generic references to "Mono Country", "Dabomstew" etc removed from game rules & help tutorial [oddity] mysqli classwas missing affected rows, added back (but not critical bug as never used before) [compat] validate_email uses filter_var in all circumstances now [imprv] All uses of AJAX changed to use jQuery library [imprv] PHP notices reduced [imprv] Staff logs page cleaned up (e.g. message for "no attacks yet" etc) [imprv] Some uses of "num_rows" changed to fetch_single on COUNT to improve execution times I'll repeat: this changelog does not contain security fixes. There are security fixes, which will be disclosed in more detail when the fixes are actually released. Nor is it finalised, we are still looking for more bugs by checking the code, forums & bug tracker. The v1 and Redux patches will be along similar lines. As far as an ETA goes? Barring the discovery of really bad exploits and/or bugs in the engines, we're aiming to push through all three patches by early February at the latest.

We do indeed intend to release a patch for all 3 current MCCodes versions in the near future, starting with v2 base. It seems silly that we'd ask for bug reports otherwise... To try and properly address forum posts: We've been rather inactive on these forums for years. So being able to go back and read every single topic regarding MCCodes on the forums that we haven't seen yet in a short space of time isn't exactly possible. We do intend to read over the forums as part of the process of patching the current versions and releasing v3, but doing stuff like replying to 2-year-old support enquiries here would be silly. As ColdBlooded said, we do have a support channel that is replied to at a decent rate, and if problems are urgent we suggest that our paying customers take things there, as we'll always prioritise that level of support over queries on the forum. Our plan for the immediate future is to get these patches out in a way that balances speediness and fixing everything possible, whilst working on other upcoming things also. As far as being too late? We realise that we've already lost the faith of a decent number of the members here, but we still intend to push on with things for the benefit of those that do still use the engine and would appreciate official updates, support and the like. If our efforts manage to change the minds of a few of you, then even better.

Regardless of forum posts (and we do intend to address those at a later stage, to some extent...) we feel this was a needed step for future progression. It certainly doesn't fix our mistakes of the past, but it's a start.

With some MCCodes v3 work going on behind the scenes and bugs in the older versions still being found at a rather disturbing (to us at least) pace, we have decided we need to attempt to centralise bug reports into a formal system where users can submit bugs, and get feedback directly from developers. We have setup our bug tracker at http://bugs.mccodes.com/ for this reason. A registration is required but is free (naturally) and once your account is made you will be able to report bugs. Please report any security issues / exploits as "private" to start with so we can attempt to fix the problem without leeches being able to go on and abuse these bugs on other peoples' games. We are intending this to be the first step towards opening up more to the public regarding our development processes for current and future MCCodes versions. Dabomstew MCCodes Developer

We are aware this is out of the blue, but after the shift to vBulletin we have been monitoring load and have decided to move MWG back to a different server. As I posted in the IRC channel, we attempted to time this to occur during the downtime between the peak periods of activity of our two main user demographics - the US and the UK/EU. We do apologise for the lack of warning though, and we hope this downtime causes you minimal disruption. If there are issues with the forum again we will reconsider our options but things should be fine by our reckoning. Dabomstew, on behalf of MWG owners