Web-based RPG (23)

1 Name: 2k7!z5coofV3Hw : 2007-04-25 09:58 ID:ucsKrWcM

Hi everyone, I'm making a web-based RPG (using PHP and MySQL) and I was wondering if you could all help me out in testing the security and give general comments/suggestions on the actual game.
It's at an early stage so there's no captcha for registration but I'd appreciate it if 4-ch would help me out ;)
Register an account and test the security, try changing forms, SQL injection, whatever you want, see if I've missed anything.
If you do find any bugs, I'd appreciate it if you posted here with where it happened, description, that sorta stuff.

The link to the game is in my name.

Thanks for all your help guys.

2 Name: #!/usr/bin/anonymous : 2007-04-25 16:20 ID:EiVVoyFx

If you want us to test its security, post the whole code.
I'm too lazy to do some blind exploitation.

3 Name: #!/usr/bin/anonymous : 2007-04-25 16:21 ID:EiVVoyFx

Sorry for the double post. Add that you need to prove to us it's your server.
Upload a file named /4-ch.txt somewhere in the server, or do something similar.

4 Name: #!/usr/bin/anonymous : 2007-04-25 17:48 ID:AdXpZ9zv

Give a username and a password and I'll check things out.
Also, program the login application in a way that if you use an invalid username ("no such username in the database"), it will tell you so, and if the password is wrong it will tell you so.
It's really simple to do in any language and might prevent headaches to some people (Like me).

5 Name: #!/usr/bin/anonymous : 2007-04-26 01:29 ID:Heaven

>>4
Never. This lets on to someone trying to brute-force the admin login that they at least got the name right.

Just say "invalid login" or similar if the name or the password is incorrect. If someone is really trying to log in they should be able to look at the name they typed and say "oh, whoops, I mistyped my name."

6 Name: 2k7!z5coofV3Hw : 2007-04-26 10:14 ID:ucsKrWcM

I've added the "4-ch.txt" file in the root directory.
Fixed various bugs as well, see if you can catch ones I haven't found.

Also, if you can't be bothered registering an account, feel free to use -

Username: 4-ch
Password: 4-ch

and test it out.

7 Name: dmpk2k!hinhT6kz2E : 2007-04-28 01:57 ID:Heaven

It seems to work. o.o-b

May I suggest either adding a map and/or a more elaborate attack scheme?

8 Name: 2k7!z5coofV3Hw : 2007-04-28 21:25 ID:Heaven

Yeah, I'm planning to add things like that later, after more monsters are added/admin panel is completed/etc.

Although, what exactly do you mean by "more elaborate attack scheme"? Could you give me an example as to what it would be like?

9 Name: dmpk2k!hinhT6kz2E : 2007-04-29 20:16 ID:Heaven

Sure. Take a look at http://www.carnageblender.com/ or http://www.urbandead.com/

I like how Carnage Blender lets you adjust skills. It's surprising how far a game can go simply by letting players tweak builds and try different strategies. Urban Dead is the opposite: turn-based with a variety of weapons, but no tweaking.

A hybrid would be nice. The only issue is that the obvious solution, turn-based with skill tweaking, can be dreadfully dull. It's slow and uncertain.

10 Name: dmpk2k!hinhT6kz2E : 2007-04-29 20:23 ID:Heaven

One other suggestion: get rid of the current set of enemies.

Lamp? Why would I fight that?

Slime? Worm? Cliche.

Magic Bottle? I suppose that's passable. How about "magic coke bottle"?

11 Name: 2k7!z5coofV3Hw : 2007-04-30 03:41 ID:Heaven

Thanks for the links, I'll check them out.
With the monsters, I'll probably do that sometime, I couldn't think of too many names so I just went off the top of my head.

12 Name: dmpk2k!hinhT6kz2E : 2007-04-30 05:27 ID:Heaven

Fair enough.

I realise you probably don't want to hear this, but since your project is young, consider using another language. There are a number of alternatives you'd be better served with.

If your game ever becomes popular, as I'm sure you hope it will, you're setting yourself up for some headaches.

13 Name: 2k7!z5coofV3Hw : 2007-04-30 10:04 ID:Heaven

Would you mind suggesting some alternative languages?

The reason I'm using PHP is because it's the only web programming language I know at the moment, and it hasn't exploded on me yet ;)

I'm also curious as to what you mean when you say "you're setting yourself up for some headaches", could you possibly elaborate on that?

Thanks for all the suggestions and comments as well, I appreciate it.

14 Name: dmpk2k!hinhT6kz2E : 2007-04-30 17:05 ID:Heaven

The three big headaches I can see, in decreasing order of importance, are: security, load, and maintenance.

The security issue has been beaten to death on this board and elsewhere (http://4-ch.net/code/kareha.pl/1120533289/9 and the rest of that thread). Your current worries about SQL injection attacks are an example of this. Suffice to say that while PHP is better than C, it could do a lot better.

It may come as a surprise that PHP is about the same speed as Ruby. We've all heard how horribly slow Ruby is. Same applies to PHP. If you start getting more players your load will shoot through the roof and you'll need new hardware sooner. Can you afford that? Online games always seem to have problems with load. Also, make sure to use FastCGI.

Maintenance has to do with the language features. Apparently PHP still lacks namespaces and lexical scoping, and the function names and argument orders in the (very large number of) standard functions are inconsistent. That's bad news if your project gets bigger.

The three most popular alternatives are Perl, Python, and Ruby. You'll probably want to stick to these three because of support issues; there are other great languages, but where do you turn if something goes wrong?

Ruby is wonderful, but it's a lot slower than the other two and lacks support for Unicode, so I'm leery of recommending it. Perl is the most powerful, but it has all kinds of little rules and exceptions, making it the hardest to learn. Python is fairly consistent, fast, and easy to learn. Its main problem is that the library-based regexes are sinfully ugly, and regex is common when writing code for the web.

Of the three, I'd recommend Python to you. I don't much like it myself, but it's decently fast, is adequately powerful, and you'll have fewer security worries with it. Just remember to use templates when writing your game, because mixing HTML with code will get ugly very quickly.

15 Name: 2k7!z5coofV3Hw : 2007-05-01 20:13 ID:Heaven

Thanks for the explanation, at this moment I think I will stick to PHP but if problems arise I'll take a look at Python and some of the other ones you suggested.

Thanks for your help.

16 Name: #!/usr/bin/anonymous : 2007-05-05 20:13 ID:ZQJdt+lF

wth? PHP and SQL are really convenient for this kind of game, and PHP is nowhere near better than C, though it's stupid to compare the 2 as there is not much in common xP

btw, PHP is used by a LARGE majority of websites, blogs, and games, it is not slow and there is no better equivalent atm for this use.

17 Name: #!/usr/bin/anonymous : 2007-05-05 21:32 ID:kJmEvxTb

> PHP is nowhere near better than C

So you're arguing that PHP code is even less secure than C code? That was dmpk2k's point.

> PHP is used a LARGE majority of websites, blogs, and games

Because it's easy, not because it's good.

> there is no better equivalent atm for this use.

Sure there are. dmpk2k listed three of them. Is there some specific opposition you have to his suggested languages? We've hashed out our opposition to PHP in many previous threads, but have yet to hear solid reasons why Perl, Python and Ruby are inferior for web development.

18 Name: #!/usr/bin/anonymous : 2007-05-06 15:46 ID:2s/R09G1

>>17
It's easier to make programs that work while having completely unforeseen security problems in PHP. Meaning that while an expert could surely produce secure programs in both C and PHP, the amateur is able to make a more or less feature complete program with oodles of security holes in PHP whereas he'd just crash and burn using C.

I'll admit straight away that C is likely nowhere near the appropriate implementation language for a web service. Without a utility library (and I'm not saying anyone should do without one), string handling is rather labour-intensive. SQL database access depends on the database used. You'll need to write your own transaction harnesses, though this applies to Java, Perl and PHP just the same. Buffer overflows are the least of your problems, especially if you know what you're doing.

Regardless, I'd recommend against using PHP for anything that is expected to interface with the big mean nasty hostile intarbutts, for the simple reason that SQL injection attack bugs are both so trivially easy to produce and actually encouraged by 99% of all "how do I did MySQL in PHP???" web tutorials.

19 Name: #!/usr/bin/anonymous : 2007-05-07 11:25 ID:bAa3YbeP

>>18

Perl has a standardized interface for databases, so it's theoretically not tied to a single database. Of course, no two databases interpret even fairly basic SQL code in the same way, so you're still stuck in incompatibility land, but at least it's not because of the API.

20 Name: #!/usr/bin/anonymous : 2007-05-07 11:41 ID:2s/R09G1

>>19
That's what I meant. At least with Perl, people are taught by example to use ?-parameters in their SQL...
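
Putting >>5 and >>20 together in the OP's own language, as an added example (not the OP's game code): a PHP/mysqli login that binds the username with a ?-placeholder and reports one uniform failure. The table layout, connection details and the `login()` helper are assumptions, not taken from the thread.

```php
<?php
// Added example (not the OP's game code): PHP/mysqli login that binds the
// username with a ?-placeholder (>>20) and reports one uniform failure (>>5).
// Assumed, hypothetical schema: users(id INT, username VARCHAR, pass_hash VARCHAR)
// where pass_hash was produced by password_hash(). Needs PHP >= 7.1.
declare(strict_types=1);

// Returns the user's id on success, null on any failure. The caller never
// learns which of the two checks failed.
function login(mysqli $db, string $username, string $password): ?int
{
    // Vulnerable pattern the thread warns about (never do this):
    //   $db->query("SELECT id FROM users WHERE username = '$username'");
    // Prepared statement: the value is bound as data, not spliced into SQL.
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return null;                       // treat a DB error as a failed login
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch() === true;
    $stmt->close();

    // Compute a dummy hash once and verify against it when the user is
    // unknown, so "no such user" and "wrong password" take about the same
    // time; otherwise response timing leaks what the message hides.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $ok = password_verify($password, $found ? $hash : $dummyHash);
    return ($ok && $found) ? (int) $id : null;
}

// Caller. Connection details are placeholders, not the OP's.
session_start();
$db = new mysqli('localhost', 'rpg_user', 'CHANGE_ME', 'rpg');
$userId = login($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($userId === null) {
    echo 'Invalid login.';                 // same text for both failure cases
} else {
    session_regenerate_id(true);           // new session id after authentication
    $_SESSION['user_id'] = $userId;
}
```

The same ?-binding applies to every other query that takes player input (registration, shoutbox, "remember me" tokens), not just the login.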

21 Name: #!/usr/bin/anonymous : 2007-05-07 15:06 ID:bAa3YbeP

Also, the fun thing here is that PHP's mysql API is pretty much exactly the same as the C API! You might as well be programming in C sometimes when you use PHP.

22 Name: 2k7!z5coofV3Hw : 2007-06-10 04:35 ID:wEBS88Dj

I've updated this a little bit, added join dates, a shoutbox, favicon, a remember me option in the login screen, and a few other bug fixes and whatnot.

Feel free to try and break the RPG with SQL injections or whatever, I've tried to prevent most SQL injections/etc from happening but I mightn't have gotten everything.

Also, if you have any suggestions, feel free to post ;)
(Especially little things that make someone's experience better).

23 Name: #!/usr/bin/anonymous : 2007-06-10 05:09 ID:Heaven

wait, is this /code/ or /plz2findmybugswithoutlookingatthecode/?

This thread has been closed. You cannot post in this thread any longer.