MakeWebGames

Upcoming patches for MCCodes released versions


Dabomstew


Thought I'd take this discussion out of the "bug tracker" topic as the patching process is well under way.

MCCodes is releasing patches that contain security & other bug fixes for all 3 currently sold MCCodes versions - v1, v2 and Redux. This process is currently underway with the development of a patch for v2.

The current changelog for the v2 patch is below, to show progress & allow you to fix these bugs yourself manually if you so wish (excluding security-related fixes to stop people trying to exploit them before the patch comes out):

[critical bugfix] mysqli class was missing escape function

[bugfix] lots of texts were getting double escaped

[bugfix] register script fixed to not accept weird genders, etc

[bugfix] fix gender in installer

[bugfix] fix Crystals in Hall of Fame http://makewebgames.io/showthread.php/39954-Problem-with-Hall-of-Fame-in-version-2-03

[bugfix] fix other weird hall of fame behaviour

[bugfix] fix gang record viewer http://makewebgames.io/showthread.php/39623-Another-v2-03-error

[bugfix] fix gang credit crystals http://makewebgames.io/showthread.php/39623-Another-v2-03-error

[bugfix] fix editing items losing their effects

[bugfix] fix a user's staffnotes being wiped when you use "edit user"

[bugfix] fix stafflist

[bugfix] gang record now records in stafflog properly

[bugfix] some staff pages now close properly

[bugfix] ending polls now works

[bugfix] raw references to mysql_query, mysql_num_rows etc replaced with $db usage

[bugfix] prevent users doing invalid crimes

[oddity] generic references to "Mono Country", "Dabomstew" etc removed from game rules & help tutorial

[oddity] mysqli class was missing affected rows, added back (but not critical bug as never used before)

[compat] validate_email uses filter_var in all circumstances now

[imprv] All uses of AJAX changed to use jQuery library

[imprv] PHP notices reduced

[imprv] Staff logs page cleaned up (e.g. message for "no attacks yet" etc)

[imprv] Some uses of "num_rows" changed to fetch_single on COUNT to improve execution times

I'll repeat: this changelog does not contain security fixes. There are security fixes, which will be disclosed in more detail when the fixes are actually released.

Nor is it finalised, we are still looking for more bugs by checking the code, forums & bug tracker. The v1 and Redux patches will be along similar lines.

As far as an ETA goes? Barring the discovery of really bad exploits and/or bugs in the engines, we're aiming to push through all three patches by early February at the latest.

Link to comment
Share on other sites

All very well but I can see where this is leading to already.

All the bugs and exploits pre redux and 2.0.3 you can find on the forum anyway fixed by the community as you wouldn't provide or support your engine.

Then you came back released 2.0.3 quickly followed by the launch of redux for a fee.

Now after another long stint away you're back. Fixing it up some more and also working on releasing another version.

Let's face it, you're only attempting to fix the previous engines in an attempt to restore the faith in mccodes for the launch of the next version. If it wasn't for you working on v3 I highly doubt you would be here at all.

Link to comment
Share on other sites

How black and white of you ruler...

Yes, many bugs have been reported by the community for them. But I haven't found out a topic for all bugs and issues I have discovered so far.

Yes, this is a marketing move by them so everyone has a little bit more faith in the next engine, but they are here due to our "lobbying" as well. We've asked them many times, sometimes a bit more friendly than otherwise, but we also explained some things and it seems that we finally got through to them.

I'm already happy that they are fixing and packaging things up and spread a release with fixes via the official channel.

 

However, one issue that a lot of people seem to forget, simply don't know because they don't read everything or they just ignore it completely is this: http://makewebgames.io/showthread.php/39796-Makewebgames-Mccodes-Relation

Read that post properly but I'll say it again and keep saying it.

Official MCC support is NOT given on MWG, MWG can only provide community support. If you want a response by an official member of MCC, use their contact links. Does this mean I'm happy with the current situation? No of course not, I'd like to see them more involved of course, as it only helps both mcc and mwg itself. But if mcc decides not to, it's their right.

Now everyone that will make a post .. stay on topic please :)

If there are any questions, feel free to contact me.

Link to comment
Share on other sites

I wonder what McCodes will try and sell us now. Every time they have done something regarding their engine it's always been the same. Give us more money for this rubbish that doesn't do what we just said it will do.

Oh boy, I've just found this;

[critical bugfix] mysqli class was missing escape function

Honestly I've never seen an mccodes game that uses MySQLi. That and the fact the class has nothing to do with the MySQLi functions that actually make it improved, so nothing really comes from the MySQLi class.

Edited by Danny696
Link to comment
Share on other sites

Okay, the classes are indeed overrated and not what they could have been, but that counts for the whole package. However, the classes were provided in the first place. If it's missing a critical function for their software package, they should fix it, no? I think they should. The fact that mysql_real_escape_string() can only be used when a connection to the db has been established, makes it somewhat fair that the function is placed there as well. Many or "none that I know of" use it, is not a good parameter to base yourself upon when making a decision...

Now that they are fixing bugs, show them encouragement. Stop being so negative about every move they make when it's an improvement, especially you danny ;) And IIRC mcc is what made you what you are today.

Link to comment
Share on other sites

First off it’s nice to see you posting, and active again for bug fixes.

[bugfix] lots of texts were getting double escaped

I’m going to hope that means you removed the foreach() that tried escaping everything (well… addslashes() anyway). Still at the top of files such as authenticate.php.

[compat] validate_email uses filter_var in all circumstances now

I don’t remember the exact version, however I know it’s still common for shared hosting. This function (filter_validate_email of filter_var anyway) had a bug. You may want to check it.

[imprv] All uses of AJAX changed to use jQuery library

I would suggest creating Javascript, css, directories in order to separate them. It has its benefits e.g. easier to debug.

 

You surprise me; 99% of the projects I work with use the new MySQLI class

(though not the provided one)

The Mysqli class mccodes provides would not give any added benefits to the user. This is what Danny is talking about not Mysqli in general.

Link to comment
Share on other sites

Addressing some points here quickly:

* The thing that duplicates the effects of magic_quotes_gpc on servers without it is still there. Simple reason? Mod compatibility. It would be simple enough to recode the base engine to not use it at all (and in fact do the opposite) but a patch such as this is not intended to break years worth of mods.

* I have heard one or two inklings here of issues with filter_var - will look into it before releasing this patch.

* Location of jQuery can be specified in settings - by default it's in a "js" directory but you can e.g. use the Google APIs server copy instead. The usage of jQuery should be simple enough to not require any specific version, though I will check to see which (if any) version it breaks on and make sure users are told to use at least the one above.

* No, MCCodes v2/Redux do not use any of the actual improvements in MySQLi, but a broken class is a broken class. Again, changing v2/Redux to use MySQLi in the way it is intended would be outside the scope of a patch (would break support for servers without it, most likely)

Also, I have updated the main post with an updated changelog, reflecting further progress on the 2.0.4 patch. The same conditions as before apply. A release by the end of this week is possible, with the other 2 patches to follow not long afterwards.

Link to comment
Share on other sites
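An added example, not part of the thread and not MCCodes code: it shows how a magic_quotes_gpc emulation layer followed by a second escape produces the "double escaped" text from the changelog, and one way to escape exactly once while leaving the layer in place. All function names are hypothetical, and db_escape() is a stand-in that escapes the same characters as mysql_real_escape_string() so the code runs without a database connection.

```php
<?php
// Added illustration; function names are hypothetical, not MCCodes source.

// Emulates magic_quotes_gpc on a server where it is off: every request
// value passes through addslashes() before any page script sees it.
function emulate_magic_quotes(array $input): array {
    foreach ($input as $key => $value) {
        $input[$key] = is_array($value)
            ? emulate_magic_quotes($value)
            : addslashes($value);
    }
    return $input;
}

// Stand-in for the database class's escape method (an assumption: the real
// one wraps mysql_real_escape_string() and needs an open connection).
// It escapes the same characters so this runs without a database.
function db_escape(string $s): string {
    return strtr($s, [
        "\\" => "\\\\", "\0" => "\\0", "\n" => "\\n", "\r" => "\\r",
        "'"  => "\\'",  '"'  => '\\"', "\x1a" => "\\Z",
    ]);
}

// What ends up in the column: the SQL parser removes one escaping layer
// from the string literal. stripslashes() models that for this sample.
function as_stored(string $literal): string {
    return stripslashes($literal);
}

// Broken path: the emulation layer already added slashes, so escaping
// again also escapes those slashes and they survive into the database.
function save_double_escaped(string $gpcValue): string {
    return as_stored(db_escape($gpcValue));
}

// Repaired path: undo the emulation layer exactly once, then escape once
// at the query boundary. Mods that expect slashed input keep working.
function save_escaped_once(string $gpcValue): string {
    return as_stored(db_escape(stripslashes($gpcValue)));
}

$post = emulate_magic_quotes(['name' => "O'Brien"]); // constructed sample input
echo "double escaped: ", save_double_escaped($post['name']), PHP_EOL;
echo "escaped once:   ", save_escaped_once($post['name']), PHP_EOL;
```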

* The thing that duplicates the effects of magic_quotes_gpc on servers without it is still there. Simple reason? Mod compatibility. It would be simple enough to recode the base engine to not use it at all (and in fact do the opposite) but a patch such as this is not intended to break years worth of mods.

Magic quotes are simply flawed. There is no reason to keep such compatibility. I don’t see what mods it would break.

* I have heard one or two inklings here of issues with filter_var - will look into it before releasing this patch.

One more question on this. Using a PHP5 function would stop mcc working correctly on php4… are you dropping support, and working entirely with 5 for future patches?

* No, MCCodes v2/Redux do not use any of the actual improvements in MySQLi, but a broken class is a broken class. Again, changing v2/Redux to use MySQLi in the way it is intended would be outside the scope of a patch (would break support for servers without it, most likely)

It would be easy enough to keep the current structure, but add more potential for those who want to use it. Saying that however, you’re right in saying it may be a step too far for now. Patch up what’s there. :)

Link to comment
Share on other sites

Does anyone still use PHP 4? However filter_var seems a PHP 5.2 or later not 5.1 which is the default of Cent OS 5 for example.

I don't know how many people still use php4, but I would hope it's a very small number if any. I was asking mainly out of curiosity over if they are dropping support. In the past mcc has always kept itself backward compatible.

Link to comment
Share on other sites

For people that have bought a license since the new system came out or already had their previously bought licenses linked to a customer account on our site, absolutely free out of our client download page.

For people that haven't been bothered yet linking their pre-April 2010 licenses to a new account, a trip to our contact page to send us the details of the license you bought and the account you wish it to be linked to. Then same as above, once your request is processed.

For people who don't have a legal license, ...

Link to comment
Share on other sites

Legal license is a license for an engine which was purchased from MCCodes.com.

Give us either your full name, game domain name which the v2 engine was run on, suspected PayPal names/email address or/and roughly around when you purchased the engine. We have it all stored in records and just need some sort of identity to bring up the transaction. mccodes.com => contact form; we can sort out something there.

Link to comment
Share on other sites

A note on the content of these patches:

The primary purpose of this particular batch of MCCodes patches (2.0.4, 1.1.1 and Redux 2.5.6) is to provide essential security & bug fixes. That is to say, the patches focus on the following:

A) Security issues affecting any code in the main MCCodes product

B) Functionality in the MCCodes product which does not work (such as admin pages which don't do anything, submission pages where strings were getting double escaped etc)

Changes to other aspects, such as the code style, and conformance to "best practices" and the like come second to the above in this set of patches. There are certainly improvements to the other aspects of the engine as a byproduct of fixing the two key issues above, such as consistent code indenting. However, we believe that the immediate need is to make sure the engines work and are secure to the best of our ability.

That said, these patches are certainly not the "be all and end all" of patches to these products. It is definitely possible that future patches will address other issues such as code style more thoroughly.

Link to comment
Share on other sites

BUMP for release info.

The release of the 2.0.4 patch is near. We should get this out in the client centre next week, early on unless internal testing finds significant problems.

At the same time, we will also release a public announcement document containing details of the security issues patched in 2.0.4. This will allow v1/Redux owners to make sure their game is patched against them before our official patches, if they wish. It will also allow v2 owners who have modified their sources heavily to make sure these exploits are not still open.

Following this release the patches for v1 and Redux will be developed.

Link to comment
Share on other sites
