Everything posted by Spudinski
-
Very strange. Would you mind entering your registration details on the page, and before you submit the form, just executing this script within your browser console: $('input[name=verify]').val();
-
Well, technically you are. Do you have JavaScript enabled? If so, do any errors appear?
-
An online demo of ezRPG Rework is available at: http://ezrpg.nand.co.za Username: test Password: test Or you can just create an account. :)
-
I'm currently busy thinking of ways to amend an access control system to the engine. But, I'm at a crossroads as to which approach will be best. The thing is, there's no need to make it over-complicated - but on the same point, it does need to be scalable. I was thinking of a Role-based Access Control system; NIST has a pretty good standardization for it here. From that article, I really like the Flat RBAC as it's simple, yet it can be improved on demand. I've drawn up a simple diagram of how it would work: The database isn't mapped here, but that should be the "simple" part of it all. Does anyone have any suggestions or comments on this?
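The flat RBAC model sketched in the post, as an added example (this is not ezRPG code and not Spudinski's diagram turned into code): users hold roles, roles hold permissions, and a check is the union over the user's roles with no role hierarchy. The class, role and permission names are constructed for illustration; the database mapping the post mentions is left out.

```php
<?php
// Added example: a minimal flat RBAC check (NIST "Flat RBAC" level).
// Users -> roles -> permissions; access is default-deny.

final class FlatRbac
{
    /** @var array<string, array<string, bool>> permissions keyed by role */
    private array $rolePermissions = [];
    /** @var array<string, array<string, bool>> roles keyed by user id */
    private array $userRoles = [];

    public function grant(string $role, string ...$permissions): void
    {
        foreach ($permissions as $perm) {
            $this->rolePermissions[$role][$perm] = true;
        }
    }

    public function assign(string $userId, string $role): void
    {
        $this->userRoles[$userId][$role] = true;
    }

    public function revoke(string $userId, string $role): void
    {
        unset($this->userRoles[$userId][$role]);
    }

    /** Effective permissions: the union over all of the user's roles (flat, no hierarchy). */
    public function permissionsOf(string $userId): array
    {
        $perms = [];
        foreach (array_keys($this->userRoles[$userId] ?? []) as $role) {
            $perms += $this->rolePermissions[$role] ?? [];
        }
        return array_keys($perms);
    }

    /** Default deny: an unknown user, role or permission yields false. */
    public function can(string $userId, string $permission): bool
    {
        foreach (array_keys($this->userRoles[$userId] ?? []) as $role) {
            if (isset($this->rolePermissions[$role][$permission])) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample data (role and permission names are made up for the demo).
$rbac = new FlatRbac();
$rbac->grant('player', 'game.play', 'profile.edit');
$rbac->grant('moderator', 'forum.moderate');
$rbac->grant('admin', 'admin.panel', 'forum.moderate');

$rbac->assign('u42', 'player');
$rbac->assign('u42', 'moderator');
$rbac->assign('u7', 'player');

var_dump($rbac->can('u42', 'forum.moderate'));   // u42 holds moderator via its second role
var_dump($rbac->can('u7', 'forum.moderate'));    // u7 was never assigned moderator or admin
print_r($rbac->permissionsOf('u42'));

$rbac->revoke('u42', 'moderator');
var_dump($rbac->can('u42', 'forum.moderate'));   // revoking the role removes the permission
```

Because permissions are only ever reached through a role, adding a new role (or a new permission to an existing role) never requires touching user records, which is the "improve on demand" property the post is after; a role hierarchy could be layered on top of `permissionsOf()` later without changing callers of `can()`.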
-
What is ezRPG rework?
ezRPG was originally created by Zeggy in late 2007. Since then, not much has been done to improve the engine. So, in mid 2012 Spudinski and Aventoro set out to improve upon all that is ezRPG. The main goals are to provide better security and to make it more "complete".

What are the differences between ezRPG original and ezRPG rework?
Security: There are three unique authentication adapters: PBKDF2, bcrypt and Oldschool (being ezRPG original). Request signatures have changed, for the better. The GET_MSG approach is obsolete within the rework.
Libraries: The main database abstraction has been changed; this was to allow for multiple adapters. The rework currently has two adapters, mysql (legacy) and mysqli, an improved (preferred) version of ext/mysql. HTMLPurifier is no longer used.

Why should I use the rework?
Because it has everything ezRPG has, but reworked for the better. It's also actively being developed, with code pushes happening at least once a week.

Status of ezRPG rework?
We are currently in a mid beta stage of development on our first release. Version is 0.1b.

Where can I get it?
We use GitHub as our deployment avenue. You can find our repository at https://github.com/nands/ezrpg. If you want updates about the project, please star it.

How can I join in?
It's very simple - simply fork us on GitHub.
-
Updates again...

GET_MSG
This method of sending messages between requests has been removed. It contained a very serious XSS vulnerability: something like "index.php?msg=<script>alert(document.cookie);</script>" would have been valid. A method has been added to the Base_Module class just for setting messages: setMessage(string message, string level). There are three levels to make use of: info, warn, fail and good. These are all merged to the template automatically if they exist. They can be found with MSG_[LEVEL]. Additional styles have also been added. All modules have been updated to use this new/better method.

$.run
First time I'm doing something JavaScript-wise with this engine. This feature is basically an interface to jQuery's .ready and .load methods. The main reason I've done it this way is for cleanliness. There's no sense in executing scripts if they're not needed. Much like require.js, this will load the method required and execute it when you need it to. There are two key parts in this design: a library, and the call. Currently, there's a sec(urity) lib, which contains an object with the spamCheck utility. On the template, there's one line: $.run('security.spamCheck', 'ready'); security.spamCheck is referenced into the jQuery.ready function. There are some pretty brutal hacks within the plugin, but there's no other way to have done it as I see it. Hope developers find this useful.

Spam checking
Nothing new or special here, it's just an "alternative" to the CAPTCHA that used to be on the registration page. All it does is:
- Count username and email
- Populate a hidden input box
- Validate server-side
This depends on the bot not being able to execute JavaScript, but it's a pretty good measure for today's common bots.

I'm also attaching a complete change log this time..

Backwards Compatibility: Although attempted, there is currently no guarantee of backwards compatibility with original ezRPG versions.
For a complete list of all changes since last release, please see https://github.com/nands/ezrpg/commits/master.

Version 0.1b (TBA)
- Fixed a few bugs in administrator panel where hooks aren't correctly executed.
- Added a better system to send messages between scripts, GET_MSG is now obsolete.
- Modified template to show avatar as a favicon as well.
- Added anti-bot validation to the registration page.
- Added a jQuery library to add specific callbacks at runtime.
- Updated installer to accommodate new default style.
- Improved UTF-8 support, set as PHP default and transfer encoding.
- Added ToS and Privacy pages (templates), improves SEO.
- Created modal dialog utility for use in JavaScripts.
- Added jQuery 1.8.1 include to template, and copied a CDN into local.
- Added session expiration (validation of same user access) functionality to the engine.
- Created a naming convention used for hooks so files are executed in a specific order.
- Modified config file to use associative array, will be useful when scaled.
- Added avatar functionality.
- Created a scripts directory in /static.
- Implemented a new style for the default template.
- Changed naming hierarchy for templates, and created hidden directories used by Smarty.
- Modified ModuleFactory to reveal config variables to modules (except DB).
- Removed HTML purifier, too much dead weight to drag around.
- Mixed PHP notices generated by template on registration page.
- Fixed a few issues with MSG across a few template files.
- Improved layout, now uses an overall wrapper for nav and body divs.
- Improved signature functionality, uses simple algorithm to compute.
- Added option to select password hashing algo' on installation.

Version 0.1a (06/2012)
- Changed image bars to use only CSS
- Added MySQL Improved adapter
- Changed the way in which database adapters are initialized
- Improved email validation in validate library
- Implemented PBKDF2 hashing algorithm
- Implemented bcrypt hashing algorithm
- Added passwords hashing performance test module
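An added example (not ezRPG's Base_Module code) illustrating two points from the post above: why the removed GET_MSG pattern was an XSS hole and what a session-backed setMessage()/MSG_[LEVEL] flow looks like, plus the server-side half of the "count username and email" spam check. The class and function names, the session-key layout and the exact count (PHP `strlen` of both fields) are assumptions; the engine's real JavaScript and template wiring are not reproduced.

```php
<?php
// Added example, not code from the ezRPG repository.

// BEFORE (the removed GET_MSG pattern): the message travels in the URL and is
// echoed straight into the page, so index.php?msg=<script>... executes in the
// visitor's browser. Kept only to show what setMessage() replaces.
function renderMessageLegacy(array $get): string
{
    return isset($get['msg']) ? '<p class="msg">' . $get['msg'] . '</p>' : '';
}

// AFTER: messages live server-side in the session, the level is restricted to a
// fixed set, and the text is HTML-escaped when it is handed to the template.
final class Messages
{
    public const LEVELS = ['info', 'warn', 'fail', 'good'];
    private $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;   // normally $_SESSION; injected here so the demo runs offline
    }

    public function setMessage(string $message, string $level): void
    {
        if (!in_array($level, self::LEVELS, true)) {
            throw new InvalidArgumentException("unknown message level: $level");
        }
        $this->session['MSG_' . strtoupper($level)] = $message;
    }

    /** Returns template variables MSG_INFO, MSG_WARN, ... (escaped) and clears them. */
    public function flush(): array
    {
        $out = [];
        foreach (self::LEVELS as $level) {
            $key = 'MSG_' . strtoupper($level);
            if (isset($this->session[$key])) {
                $out[$key] = htmlspecialchars($this->session[$key], ENT_QUOTES | ENT_HTML5, 'UTF-8');
                unset($this->session[$key]);
            }
        }
        return $out;
    }
}

// Server-side half of the spam check: the page's JavaScript is expected to write
// username length + email length into the hidden "verify" field. A client that
// never ran the script submits nothing (or a wrong number) and is rejected.
function spamCheckPassed(array $post): bool
{
    if (!isset($post['username'], $post['email'], $post['verify'])) {
        return false;
    }
    $expected = strlen($post['username']) + strlen($post['email']);
    return ctype_digit((string) $post['verify']) && (int) $post['verify'] === $expected;
}

// Constructed sample requests.
$session = [];
$msgs = new Messages($session);
$msgs->setMessage('<script>alert(document.cookie);</script>', 'fail');
print_r($msgs->flush());   // MSG_FAIL holds escaped text, not live markup

var_dump(spamCheckPassed(['username' => 'test', 'email' => 'test@example.com', 'verify' => '20']));
var_dump(spamCheckPassed(['username' => 'test', 'email' => 'test@example.com']));   // field missing
```

One caveat a reviewer would raise on the count-based check: JavaScript's `.length` counts UTF-16 code units while PHP's `strlen` counts bytes, so a username containing non-ASCII characters will fail the comparison for a legitimate browser; computing the expected value with `mb_strlen` on the PHP side (or counting only ASCII fields) avoids that mismatch.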
-
I wish my bank used unsigned integers. :P Anyway, I'd suggest you change `amount` to SIGNED. You may want negative values there, as it's an absolute. And again, I'd suggest the usage of actual fix-length integers. Because, it's like using the capacity of a T1 link to do the work of a cross-over LAN cable.
-
That tells me there's an invalid cert somewhere, probably the built-in root ones (Verisign, etc.). I'd try checking the date. With Skype, I know it opens up the HTTP port on a computer (only Windows though, how strange?). There might be another process already using the ports MSN requires for authentication as well, though, last time I checked it uses random user-range ports.
-
I like their infosec blog(naked security), but their AV seems a little bit too corporate for desktop use. @Everyone: this is an old thread, please refrain from posting in it. Though, as update: using ESET again.
-
This is downright fucked up. I must have read it miss somewhere, but most devs(including me) thought the GPL was a "free" license, not a fucking "freeware". Edit: I think you guys are looking at the wrong place... http://programmers.stackexchange.com/questions/79726/gpl-confusion-can-i-sell-a-product-with-gpl-covered-components-without-making-t
-
No, you can not. Any changes based upon ezRPG have to be released under GPL. Edit: if this weren't the case, I would have long since released my changes/additions to ezRPG under the BSD 3-clause license. The basic philosophy of the GNU GPL is that once something's GPL, it's always GPL. You may however, ask permission from the copyright holder to release "some" changes under a different license. There is a vague clause though, that states that if you extend upon it, you are the copyright holder of "that" content. It's a little complicated, but I think that if your "changes"/additions do not use anything from ezRPG, you are entirely entitled to license it under whatever you want to. You are just not permitted to "use" any part of the application within the product that you sell.
-
Thanks. :) All modules that work on ezRPG original will work on ezRPG rework.
-
Update, you can view all of these wonderful changes on: http://ezrpg.nand.co.za Username: test Password: test Just don't go around changing the password, as it is virtually impossible to recover at this stage.
-
Problem #1: You're using ext/mysql, get rid of it. I think your problem lies within in initial query, assign the return value to a variable and validate it. Better yet, use *_affected_rows() to validate that something has indeed been updated - and then remove the SELECT query(seems unneeded?).
-
Well, there might still be people that have a special need for it. sha1 + salt isn't totally insecure, as said, it's just not "the best possible security available for dealing with password authentication". It has been disabled within the new installer. @a_b & @Aventro: Thanks. :)
-
Thanks for the Q's.

Session expiration: There are two things that will play part in this - PHP's session timeout settings, and the engine's. PHP's is 24 minutes, or 14400 seconds - this can easily be modified though. There should be a way of changing the session expiration timeout, I didn't really follow the schematics there - it's currently 5 minutes. Edit: Ok, seems like a useful feature - added. See #d0cbbe5. Thanks rulerofzu.

gzip compression: Stylesheets and others are automatically gzip'd when it's enabled (on apache/php conf). And no, it would cause problems when the script handles the output buffering - it's just setting values already available. That's why I chose UTF-8, and why I said we'd need to rewrite string operations with mb_*. But yes, I know, dealing with character encodings is an art! (not really, you just have to know the principles, and have an ASCII table ready).

Guest signatures: Well, kind of. The functionality is available, but not in use. Signatures are only implemented for authenticated players.
-
A few changes were made, I'm just going to explain the most major ones here.

Password hashing algorithms: bcrypt, PBKDF2 and Oldschool
We have implemented a security lib just for this, under lib/func.security.php. There's also a configuration flag within the configuration file that is used system wide. So, why spend all this time on something like this? I personally feel that one has to be "creepily obsessed" with security, but not in a way that an application is Fort Knox with no windows. These changes will improve security not only per user, but also per engine (exception bcrypt, which doesn't support multiple hashes). Each user's password has three key parts as the engine sees it: the actual plain-text password, the player specific salt and the global salt as defined within the configuration file. PBKDF2 and bcrypt are also somewhat more secure than legacy sha1+salt methods, as each calculation of a hash takes time. This means that users will see a short delay when hashes are calculated (about 0.2 - 1.5s) which isn't anything really, but for brute-force attackers this is a big problem. Even if they have any part of the hash (password, user salt or global salt), it will still take plenty of time to crack the actual password. The biggest flaw here is the webmaster: if they're not using SSL, passwords are still sent in plain-text. So which one should you use? It's for you to decide, but here are the facts.. NIST recommends PBKDF2. Most people prefer bcrypt. Don't use Oldschool unless you need compatibility with older versions.

Improved signatures
A signature is much like a "key". The user carries one, and sends it to the server on every request (done with SESSIONs in ezRPG). Every time a user makes a subsequent request, the server calculates a signature of that request - if it matches the one the user carries, authorization is granted to the system. ezRPG rework improved this a little bit. A signature tool set was added to lib.security, and uses four unique data sets: userid (guest if not logged in), IP address, browser details and engine key/salt. Using the IP address is a harsh decision, but it's one of the data sets that is the most static and individually identifiable.

Added session expiration
You might have seen this on quite a few sites - if you're inactive on the website for a few minutes, it prompts for your password again to be able to continue. Why is this needed? There are many ways in which sessions can be stolen, XSS being most predominant. This is a tough one to secure against, but with the signature and this feature, it is handled well. Even if it's a less malicious attack, like you leaving the tab open and someone comes in to attempt to do something. If the timeout is hit, the user must enter a password to continue - or alternatively, they can log out.

"Proper" UTF-8 support
Normal ezRPG used HTMLPurifier to attempt to encode any random output PHP produces into UTF-8. This doesn't really make sense, since the original character set is rather unknown. We've implemented something simple: setting PHP encoding and output encoding. This works, but some string operations with database content will have to be rewritten to support multi-byte character sequences (and we'd need to drop ext/mysql in all). A later feature might be to include gzip compression as well.

So that's the most major things that changed, any comments welcomed.
-
@thatgame: I don't think it's based on ezRPG. I also can't recall any other games based off ezRPG. Feedback, such as? As for security... There's currently a major flaw in its design: it has to do with the way in which modules transmit status messages. Currently, it's a URL passable string of HTML. IIRC, original ezRPG used HTMLPurifier to solve this issue, but at the same time, not really. Me and someone else also have an independent version of ezRPG, called ezRPG rework (see my signature). We are addressing quite a few issues and modifying the engine to be more secure and complete. Some of the things we have done with regards to security (copying from changelog):
Version 0.1b (TBA)
- Added session expiration (validation of same user access) functionality to the engine.
- Removed HTML purifier, too much dead weight to drag around.
- Improved signature functionality, uses simple algorithm to compute.
Version 0.1a (06/2012)
- Added MySQL Improved adapter (more: now default)
- Changed the way in which database adapters are initialized
- Improved email validation in validate library
- Implemented PBKDF2 hashing algorithm
- Implemented bcrypt hashing algorithm
Other than that, ezRPG is quite secure by today's standards.
-
One more reason for people to begin to program with Python. I prefer K&R in whichever language I decide to use, it's a well formatted style created by one of the pioneers of programming(refer:C K&R).
-
Can be used for scripting as well. I've seen some really, really old pages use it. I haven't done VB in a few years, so not quite sure. I think it's somewhat like Turbo Pascal (backend of Delphi?). Anyway, I know I'm wrong. http://en.wikipedia.org/wiki/VBScript
-
As I see it, traits are another way of copying objects, nothing too new there; in JavaScript it's quite common grounds. I set myself onto learning traits when PHP 5.4 first came out, but I haven't used them at all since. On the other hand, I do use interfaces. As a side note, the link a_b posted doesn't really give a decent explanation of traits. I'll simplify it. Scenario: You have two main classes, database and player. You need to provide error logging capabilities to both of them (traits). Meanwhile, the database class has different adapters (interfaces). See zip: nand.co.za/downloads/oop_dev.zip
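The scenario in the post, written out as an added example (this is not the contents of the linked oop_dev.zip): one trait supplies error logging to both a Database and a Player class, while the Database selects its adapter through an interface. The class, method and adapter names are constructed for the demo, and the adapters only check a DSN prefix rather than open a real connection, so it runs offline.

```php
<?php
// Added example: a trait for behaviour shared by unrelated classes, an
// interface for swappable implementations. Requires PHP 7.4+ (typed properties).

trait ErrorLogging
{
    /** @var string[] */
    private array $errors = [];

    // Every class that uses the trait gets its own copy of this method and of
    // $errors (the "copying" the post refers to); nothing is shared between them.
    public function logError(string $message): void
    {
        $this->errors[] = sprintf('[%s] %s', static::class, $message);
    }

    /** @return string[] */
    public function errors(): array
    {
        return $this->errors;
    }
}

// The interface states what any adapter must provide and carries no code of its own.
interface DatabaseAdapter
{
    public function connect(string $dsn): bool;
}

final class MysqliAdapter implements DatabaseAdapter
{
    public function connect(string $dsn): bool
    {
        return strpos($dsn, 'mysqli:') === 0;   // stand-in for a real mysqli connect
    }
}

final class LegacyMysqlAdapter implements DatabaseAdapter
{
    public function connect(string $dsn): bool
    {
        return strpos($dsn, 'mysql:') === 0;    // stand-in for the legacy ext/mysql path
    }
}

final class Database
{
    use ErrorLogging;

    private DatabaseAdapter $adapter;

    // Depends on the interface, not on a concrete adapter, so either one can be injected.
    public function __construct(DatabaseAdapter $adapter)
    {
        $this->adapter = $adapter;
    }

    public function open(string $dsn): bool
    {
        if (!$this->adapter->connect($dsn)) {
            $this->logError("could not connect with DSN '$dsn'");
            return false;
        }
        return true;
    }
}

final class Player
{
    use ErrorLogging;

    public function rename(string $name): bool
    {
        if ($name === '' || strlen($name) > 32) {
            $this->logError('rejected player name');
            return false;
        }
        return true;
    }
}

// Constructed usage: the mysqli adapter is handed a legacy-style DSN and refuses it.
$db = new Database(new MysqliAdapter());
$db->open('mysql:legacy-dsn');
$player = new Player();
$player->rename('');

print_r($db->errors());       // one entry, tagged with the Database class name
print_r($player->errors());   // a separate log: the trait's state is per class, not shared
```

The split mirrors the post's rule of thumb: a trait is for behaviour you want duplicated into otherwise unrelated classes (logging), whereas an interface is for a contract that several interchangeable implementations must honour (database adapters), and a class can use both at once.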
-
We've got Win8 Consumer Preview on a flower pot at work. Can't really speak for performance, as we're being quite brutal with the machine we gave it. But I like the improved task manager, a big thumbs up from me there. What I don't like is the whole metro thing, it's inconvenient to say the least. Being used to Win7, I can't find anything - something as simple as finding Word is complicated for someone who's been using Windows for the past fourteen years.