
Everything posted by Floydian
-
Re: [V2] Staff Items

Lemme explain this a bit more thoroughly. When you use the itemtype_dropdown() function, there are three arguments you can pass to it. The function is defined like this:

function itemtype_dropdown($connection,$ddname="item_type",$selected=-1)

$connection being the database connection. You have that one in fine.

$ddname is the "drop down name" which is akin to doing <select name="itmid">. So, if you pass "itmid" in the second argument, that will be the name of your drop down.

$selected determines which item is selected. Since this function uses the itmid from the items database table, you'd have to pass a valid item id in order to have an item selected by default.

$ddname and $selected both have defaults, which means they do not need to be passed as arguments, however for the sake of readability, I do suggest that you pass at least the second argument which names your select form element because if you didn't do that, you'd need to know what the default name is.

Now, if you pass "itmid" as the $ddname, the second argument in the function, you will be naming that select field "itmid". Later on, when you've submitted that as a post, you will need to use this variable {$_POST['itmid']} in order to access the value that was submitted by the select field named "itmid".

With that ground work laid, let's examine your code again.

itemtype_dropdown($c,'itmtype')

<<< this is your function that creates a select form field and names it "itmtype".

$d=$db->query("SELECT * FROM itemtypes WHERE itmtypeid={$_POST['itmtypeid']}");

<<<<<< This is your query that uses the variable: $_POST['itmtypeid'] which has not been defined in your script. Your select form field name is "itmtype" not "itmtypeid".

Therefore, I suspect you are still getting the same mysql error, with the same query showing up. You did not post your error, or even say what the error was this time, which could have been helpful in debugging this for you.

Anyways, I hope I've been thorough enough :-)
-
Re: [V2] Staff Items

There's a couple things that are off here.

Item Type: ".itemtype_dropdown($c,'itmtype',$itemi['itmtype'])."

$itemi['itmtype'] << which would be the "selected" field, that determines what item type is selected by default in the drop down. However, that variable appears to be undefined. That should be an optional deal, I suggest you leave it out as such --

Item Type: ".itemtype_dropdown($c,'itmtype')."

And then, you are naming the variable itmtype, but your variable in the sub portion, and in the select is named: $_POST['itemtype'] and in the delete it's named: $_POST['itmtypeid']

Both do not match what you named it earlier. So, you're submitting an empty field in your query. If you had echoed your query, you would have seen this:

SELECT * FROM itemtypes WHERE itmtypeid=

[edit = I realize now that the query was echoed out for you lol. I forget that mc vs2 does that for you.]

with no number after the = which is EXACTLY why your query failed. The delete query will fail as well, if the script were to make it past the select query.
-
Re: Crons what I've done is use curl to run crons curl http://your_doman.com/cronfile.php?code ... flajdlfjad
-
Re: heredoc, heredoc what?

I took a look, and the heredoc is in the header, but only in the part that defines the html head. I doubt that's getting edited a lot. lol 99.9999% of it is print.... so your point?

By the way, hopefully you saw the post where I was pointing out the problems in your superstreets mods. Apparently, half of the entire thing could not contain anything in the coordinates lol. I'm sure that was a simple oversight.... But yeah, I fixed it and it works properly now :p
-
I thought for a long time that defining a query string that I could store in a variable, that would later be used in a mysql_query() function was a waste of time. It's like, you still have all that ungodly concatenation to do, and escaping and all that. So what's the point? But then I discovered sprintf()!

What does sprintf() do? It stores a formatted string. Sounds pretty simple doesn't it? It is!

Okay, so why should I use this function? Well, to be honest, when I came across this one I thought the same thing as well. Hopefully, I can show you quickly what is so good about it.

Let's examine a sample query without the use of sprintf, and then with it. The first thing you should notice is how much more readable the code becomes with the inclusion of sprintf.

mysql_query("INSERT INTO staffnotelogs VALUES ('', $userid, {$_POST['ID']}, unix_timestamp(), '$old', '{$_POST['staffnotes']}')", $c);

###################

// the empty '' inside a single-quoted format string has to be escaped
$q_staff_notes = sprintf('INSERT INTO staffnotelogs VALUES (\'\', %d, %d, unix_timestamp(), %d, "%s")', $userid, $_POST['ID'], $old, clean($_POST['staffnotes']));
query($q_staff_notes);

Let's take a look at what I did here. The first thing you may notice is the use of the clean() function and the query() function.

clean() is a database escaping function I use that removes slashes if magic quotes is on, trims whitespace from the string, applies htmlentities() function, and applies mysql_real_escape_string() function.

query() is a function I use simply because it's shorter than mysql_query, and because I pass $c to the mysql_query function inside the query function. Sure, it's a bit slower, but if you have a million queries in your script, you're probably doing something wrong eh?

Now that I've covered some of the things I throw in my code that you wouldn't know unless you know me, let's get back to the sprintf() function.

%d is a place holder for integers, %s is a place holder for strings, %f is a place holder for floats.
One of the big benefits of doing this is automatic type casting! Have you had people try to inject code into your db using a field that is supposed to be an integer? Any userid should be an integer, so if you have a search for user by userid script, it should be typecasting that variable as an integer. This is all the db escaping you need to prevent mysql injection from the userid variable! The same thing applies to floats.

Strings however still need a robust db escaping technique applied to them so you'll want to use something a little better than magic quotes (if your site even has it turned on, which I hope ya'll know it's better to code your scripts to not rely on magic quotes!). Using sprintf allows you to apply the mysql_real_escape_string() function without any concatenation!

It takes a little while to get a feel for how much cleaner this method of coding is, but once you do, you'll never go back!

One last thing that applies anytime you store a query string in a variable before you do your query, is that should there be a problem with the query, all you have to do is echo that query string variable. This makes debugging them a snap.

Let's put it all together, and the benefits of sprintf() are:

variable type casting
no concatenation
easy debugging
clean/easy to read code

Just remember, if you have a bigint column, and you use %d for your variable place holder, the largest number you can store is about 2.1 billion. So you'll need to type cast those money columns as %.0f

.0 being the number of decimal places you need. Stats columns typically get a %.4f so that you end up with 00000000.0000

When inserting or updating strings in a database field, you still need quotes around them, so you'll have to do something like

sprintf('select userid from users where username = "%s"', $name);

If you had a column name that was a variable, you wouldn't need the quotes.
// four place holders need four arguments; $amount is the increase that fills the %d after the +
sprintf('update userstats set %s = %s + %d where stats_userid = %d', 'strength', 'strength', $amount, $userid);

Hope ya'll like that! It's like they say, once you've gone black, you never go back! And it's the same with sprintf.

=================================

Here's the clean and query functions for ya.

<?php
// database escape and htmlentities
function clean($string) {
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    $string = mysql_real_escape_string(htmlentities(trim($string)));
    return $string;
}

// mysql query function
function query($query){
    $_SESSION['last_query'] = $query;
    $result = mysql_query($query);
    return $result;
}
// This function is used because it's easier to write query than mysql_query lol, and I do some other things with it that don't necessarily apply in this context.
?>
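
The casting and quoting behaviour described in the post above, as an added example that is not part of the original post: it uses PDO with an in-memory SQLite database (assumes the pdo_sqlite extension) so it runs on current PHP, where the mysql_* functions no longer exist, and the tables, rows and hostile inputs are constructed. It goes one step beyond the post by showing a bound parameter for string values and an allow-list for the column-name case, where neither casting nor escaping applies.

```php
<?php
// Added example: tables, rows and hostile inputs are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT)");
$db->exec("CREATE TABLE userstats (stats_userid INTEGER, strength REAL, agility REAL)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO userstats VALUES (1, 10, 5), (2, 20, 7)");

// 1. %d: sprintf() casts the argument to an integer, so the text after
//    the leading digits never reaches the SQL string.
$hostile_id = '2 OR 1=1';
$by_id = sprintf('SELECT username FROM users WHERE userid = %d', $hostile_id);
echo $by_id, "\n";
echo count($db->query($by_id)->fetchAll()), " row(s) matched by id\n";

// 2. %s: no cast and no escaping. Unescaped, the quote in the input closes
//    the string literal and the rest is parsed as SQL.
$hostile_name = "nobody' OR '1'='1";
$unsafe = sprintf("SELECT userid FROM users WHERE username = '%s'", $hostile_name);
$leaked = count($db->query($unsafe)->fetchAll());

//    Bound parameter: the value travels separately from the SQL text,
//    so there is nothing to escape and nothing to forget.
$stmt = $db->prepare('SELECT userid FROM users WHERE username = ?');
$stmt->execute([$hostile_name]);
$bound = count($stmt->fetchAll());
printf("unescaped %%s matched %d row(s), bound parameter matched %d\n", $leaked, $bound);

// 3. %s as a column name: string escaping does not protect identifiers,
//    so the name is checked against a fixed allow-list before formatting.
function stat_update_sql(string $column, float $amount, int $userid): string {
    if (!in_array($column, ['strength', 'agility'], true)) {
        throw new InvalidArgumentException('unknown stat column');
    }
    // %F is the locale-independent form of %f, so the decimal point stays a dot.
    return sprintf('UPDATE userstats SET %s = %s + %.4F WHERE stats_userid = %d',
                   $column, $column, $amount, $userid);
}

$db->exec(stat_update_sql('strength', 1.5, 1));
echo $db->query('SELECT strength FROM userstats WHERE stats_userid = 1')->fetchColumn(), "\n";

try {
    // A "column name" that carries extra SQL is refused before any query is built.
    stat_update_sql('strength = 9999, agility', 0, 1);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```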
-
Re: heredoc, heredoc what?

I've seen just about all the code on coveofpirates, I've seen quite a bit of mccodes vs1 code, a little bit of mccodes vs2, I've read hundreds of tutorials online, and never came across heredoc quotes. But alas, this isn't a debate, just a lil something that perhaps someone reading it will not have known, and will appreciate the cleanliness afforded by heredoc.

And mccodes code is horribly written my friend. Just about every rule of good clean code was broken. Not the least of which is defining functions before you call them. Just look at the admin file, there's what, 40 or so functions in a switch at the top, with the functions defined after it. That switch should be after the function definitions.

Anyways, I posted this lil snippet because I know I've seen some folks around this board that are beginner coders and they might like to see some words of wisdom (not that they are, just couldn't come up with a better name... lol) I'll post some more at some point. Prolly when I'm bored.
-
Re: Developing locally on your own local PHP/MySQL/Apache server Perhaps you should try your hand at making some mods first? Or even better, just make up some scripts on your own. My suggestion for your first script, since you seem to wanna jump right in, is a login, logout script. If you can make that work, then do an account creation script, and move on from there. If you can't do that, you'll want to seriously think about coding your own game and have someone do it for you.
-
Re: Need help

The thing that gets me is the wording - make an embedded - The use of the word make leads me to think josh is actually making it, while the use of embedded adds in ambiguity.

If you are attempting to embed an already made forum, you're going to need to delve into the account creation script for that forum and the login script. Perhaps that forum has a help forum where you can get more specific advice on how to alter their source code. It seems to me the account creation and the login for the forum are the only big problems, and as hamster suggested, once you've done that, you can easily make a frame page that has some header content from your game so they have links to go back easily, and the forum in a separate frame. Let us know how it comes out :-)

Going with a well made forum that has been tried and tested would bypass the security problems of making your own, especially if you make a separate database just for the forum, and make a separate database user for the forum. Then you're pretty isolated from any db attacks that could happen through the forum.
-
Re: Tabbed Browsing That'd be great for allowing staff to do their thing. The only thing that remains is the compromise: is it worth hampering your players from playing in a way that is comfortable with them (realizing of course not everyone surfs this way, but some do) and at the same time reducing server load, or is accepting more server load, and making the game more comfortable to those that do surf that way (within reason) the way to go? Personally, I put those kinds of restrictions only on the training page. But someone that likes to surf the forums by opening multiple forum topics in tabs isn't really creating a strain on the server, right?
-
Re: Need help

I'm not sure what kind of help you're looking for. It took me a week to code a forum mod of some complexity. If you're looking for like, a paragraph worth of advice, I doubt that's gonna help. Perhaps if you had a specific problem you are having trouble overcoming that might help. My forum mod is over 1600 lines of code, so as you can see, you're too vague for me to even begin to help you out.

I can offer some general advice though: MySQL knowledge is essential, and I'm not talking about just knowing how to do select and joins. I'm talking about a more in depth knowledge than that.

Make sure you are pretty good at securing your code!!! I learned while making my forum that there were things that come up that most other scripts don't have to worry about. One thing I could do with my forums was force people to merge their items or logout. And I'm talking about being able to do that just by posting a post, and then when people viewed it, those things would happen. I'm sure I could have found even more sinister things if I had spent more time manipulating that bug. I was told that particular bug could allow someone to get a user's password. Lost One tells me this, and I take his word for it.

So, I guess my main advice is if you're not sure you're up to the task, by all means, code a forum and play around with it, but make damned sure it's ready for use before you put it out there.
-
Re: heredoc, heredoc what?

What you missed in that deal Lost, is the use of both ' and " which means one of them would have to be escaped without the use of heredoc. The inner quotes in javascript are supposed to be ' and the outer ones, the ones that belong to the href html part, are supposed to be "

echo "<a href=\"javascript:self.a_js_function('blah', 'blah2')\">Click here to execute js function.</a>";

that would be the equivalent of

echo <<<EOT
<a href="javascript:self.a_js_function('blah', 'blah2')">Click here to execute js function.</a>
EOT;

It's a personal preference, but html that doesn't have any escaping, and isn't concatenated at all, is much easier to read, and therefore much easier to fine tune, than html that is escaped and concatenated.
-
Re: Forum Sigs Problem Right on, so long as it's working :D
-
Re: Tabbed Browsing

Although I understand the desire to prevent tabbed browsing, speaking just from a player's point of view, if I were playing a game that all of a sudden prevented me from doing that, I would be sorely disappointed. I can think of numerous instances where I use multiple tabs, especially as staff. Doing investigations into multies could be hampered. Perhaps at least excluding staff from any restrictions should be considered.
-
Re: Forum Sigs Problem

Sweet, but I did notice a small syntactical HTML error.

<div style='overflow:auto; width:500px; height:250px'>
{$memb['forums_signature']}</td>
</div>

The </td> should come after the </div> instead of just before. Lemme know how that works for ya.
-
Re: heredoc, heredoc what? Using start and end tags works out just fine. However, if you have a lot of them, your script will execute slower than otherwise. Personally, I found that adding in lots of those tags makes the html harder to read. That's just my own personal opinion on it though.
-
This is just a little something I rarely ever see in any scripts. I've seen quite a few scripts from some of the coders floating around and many many more scripts on the net, and I don't think I've seen heredoc used once :?

Heredoc looks like this:

echo <<<EOT
The three < followed by three capital letters of your choice are a substitute for quotes.
EOT;

Some ground rules for using heredoc are as follows: on the first line, immediately following the <<<EOT, there can be NO spaces. You must start a new line afterwards. The ending EOT; must not have any spaces before it, or after it. It must be on a line all of its own. Don't tab it in! lol

Benefits of using heredoc:

Heredoc consistently is faster than using the double quote ( " ) but is slower than ( ' ). So when you need to put variables inside of quotes, heredoc is actually a faster syntax.

Heredoc is especially good for doing something like:

echo <<<EOT
<table width="100%">
<tr>
<td>
I like using contractions in my sentences because not using them doesn't seem to feel right somehow.
</td>
</tr>
</table>
EOT;

Note how the use of both kinds of quotes does not require any escaping. This is way more valuable for javascript code.

<a href="javascript:self.a_js_function('blah', 'blah2')">Click here to execute js function.</a>

Doing that without heredoc would require some nasty escaping....

Drawbacks:

You can not concatenate, so if you want to use functions on something that is getting echoed, do the function first, then store it in a variable you can later echo in the echo. I don't consider this a drawback though, as separating PHP code from HTML presentation is very good form and should be done by everyone.

There you go, the wonders of heredoc explained. Hope it helps ya.
-
Re: Tabbed Browsing

Why not just put in something that stores the time when the last page was loaded, and if the next page is loaded within say one second of the last, have the script die in the header?

if (!isset($_SESSION['time_of_last_page_load'])) {
    // first page of the session: just record the time
    $_SESSION['time_of_last_page_load'] = time();
} else {
    // same second as the previous page load: refuse the request
    if ($_SESSION['time_of_last_page_load'] == time()) {
        echo "Pages cannot be loaded faster than one page per second.";
        die;
    }
    $_SESSION['time_of_last_page_load'] = time();
}

It would be super easy to modify that to increase that to two seconds if you wanted.

Sure beats changing a bunch of stuff around in some complex way eh? :-)
-
Re: Forum Sigs Problem

Can't you do the width="blah" height="blah" in the img tag for the forum sig? If that's not an option, try this:

<div style="overflow:hidden; width:500px; height:125px">
Forum sig goes here
</div>

Doing that will put a div in for the forum sig that cannot stretch any bigger than the size you specify. It won't display any scroll bars either because you're doing overflow:hidden. If you did want scroll bars, use overflow:auto.

If you wanted the div to shrink down in size when people don't have sigs, you could put in a variable for the height, and if there is no sig, set the height to 1.
-
Re: Mass give mod

This should do it. It's a bit more comprehensive than mccodes code normally is. I find that for any code that exists on mccodes, I normally have to do at least twice as much code to make it work properly, and to keep the code readable. It's just lots of little things that would take way too much time to explain.

function mass_item_give() {
    global $ir,$c;
    // Line below this is where it was missing
    $item_dropdown = item_dropdown($c,'item');
    echo <<<EOT
<form action="admin.php?action=giveitemsub" method="post">
Give item to all users.
Item: $item_dropdown
Quantity: <input type='text' name='qty' value='1' />
<input type='submit' value='Mass Item Give' />
</form>
EOT;
}

function mass_item_submit() {
    global $ir,$c;
    // cast the posted values to integers before they reach the query or the page
    $item = (int) $_POST['item'];
    $qty = (int) $_POST['qty'];
    $q_users = mysql_query('select userid from users', $c);
    while (list($them_id) = mysql_fetch_array($q_users)) {
        // three columns, three values
        mysql_query(sprintf('INSERT INTO inventory (inv_itemid, inv_userid, inv_qty) VALUES (%d, %d, %d)', $item, $them_id, $qty), $c) or die(mysql_error());
    }
    print "You gave $qty of item ID $item to all users.";
}