MakeWebGames

Zeggy

Members · Posts: 401 · Days Won: 1

Everything posted by Zeggy

  1. Short can also be used to describe height, i.e. a short person :)   Not really... 10 years ago we already had text games. Today most web games are still text based, with some pictures thrown in. In 25 years there will just be more pictures :P
  2. Nice find :D I like coding challenge websites, I'll be giving this one a go soon :)
  3. You're right, but you are talking about the mysqli_ library of functions in PHP. I was talking about mysql as a language. If you open mysql in a terminal, can you use bound parameters? Nope.
  4. The first two lines with $IP have nothing to do with the rest of the script and wouldn't actually do anything even if they did. The rest of the lines are an exact copy of what lazyt posted, except you added a bunch of random line breaks, and instead of session unset/destroy, you have session_write_close. I don't really see how what you posted is any different :P
  5. I would recommend Python or Java. Even though I don't have much experience with Perl, I feel sick looking at code written in it :P I like Python code because it's easy to read, pretty easy to manipulate data structures and it's just fun to code in. Python's also got many GUI libraries available, including GTK+, and many database libraries. Personally I think Java is too verbose, but it's still okay to work with. It's got some pretty good IDEs to use, and it's also got the Swing package for GUIs. I haven't used Java with MySQL before but I imagine you'll need many lines of code to do even simple stuff :P I've recently started using C# but I don't know enough to answer (it's pretty nice though). I heard LINQ is pretty amazing for data, maybe ask a_bertrand about that :) I don't think C/C++ is worth the headache if you are trying to make it multi-platform. There's really not much reason to use C/C++ anymore unless your application is performance-critical.
  6. Why do you think it might be unsafe?
  7. A mining module. Features: buy a mining license, buy mines, sell minerals, mine for minerals. A nice way to let your users invest their money in something and earn it back. Mining costs energy and a mining license. Lots of opportunity for new features and ideas with this module!
  8. You mean a database connection? You don't really need to specify it in MySQL queries unless you're connecting to more than one database at a time. Otherwise it just uses an existing connection you made on the page.
  9. Added a Job module for the player to work for money. Different types of jobs will earn the player different amounts of money depending on their stats. For example, a job that requires lots of physical work will earn more if the player has higher strength. Edit the variables in the modules/Job/index.php file if you want to rename the jobs. No installation needed, just upload and you're good to go.
  10. Like I said in my reply, this was not a MySQL error. MySQL doesn't have parameter binding in the language. Parameter binding in MySQL is usually implemented through libraries. As far as I know, mcc doesn't use parameter binding and jesterc was asking about ezrpg earlier, so I assumed he was talking about ezrpg. I could be wrong but I doubt it. And yes, I wrote the database class and the method that handles the parameter binding, but other database libraries use the same format. Anyways, the problem was fixed, topic should be closed if there's nothing left to comment :P
  11. Wow, that was quick :) Can't wait to check it out!
  12. Not sure if this was what you fixed, but when querying tables, the table name should have the prefix <ezrpg>. So for this query you need to select from the table `<ezrpg>players`. :) Oh by the way, this query syntax isn't a MySQL error, it's a database class error. Parameter binding isn't used in the PHP mysql_* functions.
  13. Modules Guide
     Sorry, hooks aren't available in template files. To use $msg to display messages to the user, you can either redirect to the same URL with &msg=text, or manually set the template variable GET_MSG. Header redirects are used throughout ezrpg, mostly for security, to stop repeat refreshes and accidental refreshes.   Yes, you can use JavaScript in template files.   The fetch function uses mysql_fetch_object by default. Is there any reason why you want an array result set instead? I could add it to the class in the next release if you want.
  14. A battle system would be quite popular I think :)
  15. Modules Guide
     Awesome! :) Have you checked out the wiki yet? It's got some more info that you might find useful: http://code.google.com/p/ezrpg/wiki/GettingStarted If you've got any questions, just ask!
  16. $text = preg_replace_callback("/\[img=(.+?)\]/", function ($m) { return imagefix($m[1]); }, $text);
     function imagefix($s) {
         // Keep the URL only if it starts with 'http://' and is not hosted on your own site.
         if (stripos($s, 'http://') === 0 && stripos($s, 'yoursite.com') === false)
             return $s;
         else
             return '';
     }
     This makes sure every image URL begins with 'http://'. I believe this is the only actual solution to the problem after reading this thread for a while now... Any other solutions (checking extension, checking image size) can all be circumvented since the images are hosted off-site. You cannot control how those files are served or how those files will change over time. Checking that the image is hosted externally, not on your website, will make sure they can't just include logout.php (as in crimgame's example). The best solution would just be to only allow external images from accepted image hosts.   Note: This implementation is really bad, I just wrote it up in like 10 seconds. Obviously this particular implementation means they won't be able to link to images hosted on your site, if you're hosting images or stuff. If anybody wants to improve it then feel free, the concept is more important.
  17. All that does is disallow images with 'php' in the name. What about php.gif? What about exploit.phtml? A solution would be to compare the extension of the linked images against a whitelist of allowed image file types.
  18. Any external php files linked will be executed on the external server anyways. It's not like they can use your database connection or read your files :)
  19. You can't really restrict that if the images are hosted off-site. Unless you want to scan through every image linked then figure out if they are above or below the restrictions :) But if you do that with getimagesize then your server has downloaded the image already. Think of it this way - if you use getimagesize, your server needs to download the image, then the client needs to download the image to the browser as well - possibly doubling the user's load time or worse.   But my point (that I forgot to make :P) was that you can get image size in other ways without using getimagesize and without downloading the entire image - just the first few bytes of image data.
  20. I think checking the extension should be good enough. As long as the URLs have an image extension then nothing too bad should happen to your site. Make sure file.gif will pass the check, but not file.php?bla=.gif If the external server is serving PHP files with the .gif extension then any PHP code is executed on their server. It shouldn't have any effect on yours. (But this means they can track your users) You could use getimagesize to make sure the format is an image, but getimagesize downloads the entire image, and if you are running this on every single image tag on every page load, if the images are very large your page can slow down a lot! But the best way is as zed said, only trust popular image host URLs, don't just allow any image URL.
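     The image-URL checks discussed in posts 16 and 20 combined into one stricter filter. This is an added example, not Zeggy's code or ezrpg's: it allows only http(s) URLs on an allowlist of image hosts, requires an image extension on the path itself, and rejects query strings so "file.php?bla=.gif" cannot pass as "file.gif". The host names and the sample input are constructed placeholders.

```php
<?php
// Added example (not from the original thread). Allowlisted image hosts and
// extensions; the host names are placeholders, not a recommendation.
$allowedHosts = array('i.imgur.com', 'img.example-host.invalid');
$allowedExts  = array('gif', 'jpg', 'jpeg', 'png');

// Return the URL unchanged if it is acceptable, otherwise an empty string.
function safe_image_url($url, array $hosts, array $exts) {
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host']) || empty($p['path'])) {
        return '';
    }
    // Only plain http/https: no javascript:, data:, or other schemes.
    if (!in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return '';
    }
    // No query string, fragment or userinfo: the extension must end the real path.
    if (isset($p['query']) || isset($p['fragment']) || isset($p['user'])) {
        return '';
    }
    // Host must be one of the accepted image hosts (so logout.php on your own site fails).
    if (!in_array(strtolower($p['host']), $hosts, true)) {
        return '';
    }
    $ext = strtolower(pathinfo($p['path'], PATHINFO_EXTENSION));
    if (!in_array($ext, $exts, true)) {
        return '';
    }
    return $url;
}

// Turn each [img=...] tag into an <img> only when the URL passes; drop the tag otherwise.
function render_img_tags($text, array $hosts, array $exts) {
    return preg_replace_callback('/\[img=(.+?)\]/', function ($m) use ($hosts, $exts) {
        $url = safe_image_url($m[1], $hosts, $exts);
        if ($url === '') {
            return '';
        }
        return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
    }, $text);
}

// Constructed sample input: one acceptable tag and three that must be removed.
$sample = '[img=http://i.imgur.com/abc.gif] [img=http://i.imgur.com/x.php?f=.gif] '
        . '[img=http://yoursite.com/logout.php] [img=javascript:alert(1)]';
echo render_img_tags($sample, $allowedHosts, $allowedExts), "\n";
```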
  21. @Drizzah: That post only showed me two things - you don't know regular expressions and you don't test your code :P Have you tried using the regular expression that you put in the code? I don't think you have because you'd have seen quite a HUGE difference before/after the function. It strips out every character you listed in there. For example, you listed 'UNION' as one of the character sets to replace... That means your regular expression will remove all u, n, i, and o characters. With the rest of the characters you put in there, MOST of any text going through will be removed. Sure, it will keep your request variables 'safe', but it also completely mangles regular text. To everybody else: Do NOT use that code, or (as you will find out) all your request variables will be abused :P
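     A constructed illustration of the mistake described in post 21, added here and not Drizzah's actual code: a keyword "blacklist" written as one bracket expression strips individual letters rather than words, and the dependable alternative is to pass user input as a bound parameter. The `players` table and `find_player` function are assumptions for the example.

```php
<?php
// Added example (constructed, not the code from the thread). Inside [...] a
// regular expression matches single characters, so [UNION|SELECT] means
// "any one of U, N, I, O, |, S, E, L, C, T", not the words UNION or SELECT.
function strip_keywords_wrong($s) {
    // Looks like it removes SQL keywords; it actually removes those letters everywhere.
    return preg_replace('/[UNION|SELECT]/i', '', $s);
}

// What the author probably meant: match whole words. Still not a defence on its
// own (comments, encodings and other keywords are not covered), shown only for contrast.
function strip_keywords_as_words($s) {
    return preg_replace('/\b(UNION|SELECT)\b/i', '', $s);
}

// The real fix is not a better blacklist: bind the value so it is never parsed as SQL.
// Table and column names are assumptions for the example.
function find_player(mysqli $db, $username) {
    $stmt = $db->prepare('SELECT id, username FROM players WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Constructed sample: ordinary forum text run through the broken filter.
echo strip_keywords_wrong('Hello from the forum'), "\n";
echo strip_keywords_as_words('Hello from the forum'), "\n";
```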
  22. You need to think things through more carefully... How is your game going to integrate with Facebook? Do the users have to go through the register process again, or will your game use their Facebook account details? If you decide to use FB details, how are you going to store two different kinds of info in your database and display them in your game? Facebook doesn't have usernames. Is your Facebook app going to be a mini-game clone of your full game, or will it be exactly the same? Integrating your game with Facebook has a lot of problems that you need to think about... Also, if your game becomes popular on Facebook (viral) then will your host be able to handle sudden increases in server load? The answers to these questions also affect how deeply you can integrate your game with Facebook. It may be that in the end you won't be able to take advantage of any of Facebook's features like friend invitations, notifications, wall posts, etc.
  23. Hopefully this will be the last release candidate. Made a few changes to ezRPG in this release... I cleaned up the init file, and added a hooks system. The hooks system will allow modules to add code that will be run at a certain time (such as on the header of every page). You can use the hooks system to modify certain variables before they're used by other modules (such as the player variable). Hopefully, this way module installations won't require editing any 'header' code. Instead, you simply upload the hook file and it will be automatically run whenever needed. You can get the latest download here: http://code.google.com/p/ezrpg/downloads/list The documentation has also been updated for the hooks code.   If you are updating from release candidate 2, just replace all the old files with the new ones. If you've edited any core code (top-level files like init.php, index.php) then you might want to diff them.
  24. lol I think only one reply so far has been on topic. I agree with silver - it's pretty easy for people to just keep this in mind when posting for help. Of course, it should be up to the mod writers to provide support if the mod is paid. Nobody can help if we can't see the source.
  25. return number_format(abs(floatval($var)));