Persistent Browser-Based Games Blog

MyMiniCity

Want to create your own city? MyMiniCity allows you to do just that!

MyMiniCity is a simple ‘game’ where you can pick a country, name your city and start getting people to click on your link. Every time somebody clicks on your link, your city will increase in population, and so your city grows. As your city becomes bigger, you get more links to manage unemployment, transport, crime and pollution, so just getting citizens isn’t enough!

Your city is ranked against other cities in the same country, and the largest cities have huge skyscrapers and buildings, while you start off with a simple house in the middle of nowhere. As your city grows, so will its land, and more buildings will be added, and older buildings will become bigger.

There isn’t really any skill involved in the game, except a skill of getting people to click your links. You can check in from time to time to see how your city is doing.

To see a demo of what MyMiniCity is like, I registered a city called PBBG Blog. You can view it here: http://pbbg.myminicity.com/

Posted in PBBG General, PBBG Websites | Related Content | No Comments »

Defeating SQL Injection

Your code is the walls which protect your intellectual ideas. The best attack your enemy has is SQL injection. Are your walls providing a suitable defense? (*groan* That was a horrible intro but it was the best I could do)

A few comments on this blog were made on SQL Injection, so I thought I’d post some thoughts. There are many articles about how to prevent SQL injection, I am going to cover just a few techniques.

The Problem
If you don’t know what SQL Injection is Google it, but quite simply it is a way for external forces to execute SQL statements on your database. Statements like:

delete from user (scary)
update user set life = 100000000 (hacker)

Most of these types of hacks happen when a user types specific things into a text box or address bar. This being the case you want to “clean” all incoming input. Rule of Thumb: Very rarely trust and always verify. (Trust but verify?)

The reason this hack works is because when you use a variable in a sql statement it can contain malicious code. For example the following piece of codes is suspect to SQL Injection:

$sql = “Select * from user where username = ‘$username’ and password = ‘$password’;”
mysql_execute_query($sql);

If the user uses the following as their username ‘;delete from user; it will delete all users from your tables.

The Solution
Clean all your variables. I run all variables, regardless of how I use them through a clean function. The clean function is responsible for removing quotes and cleaning up odd characters.

This takes a variable, cleans it and returns it. If you use this code, please add your own steps to ensure protection of your data, this is a simplistic clean function. Below is some of the function:

function clean($value)
{
$value = trim($value);

$value = strip_tags($value);

$value = mysql_real_escape_string($value);

if (!get_magic_quotes_gpc())
{
$value = addslashes($value);
}

$value = rtrim($value);

return $value;
}

I use this function like so:

$sql = “Select * from user where username = ‘” . clean($username) . “‘ and password = ‘” . clean($password) . “‘;”
mysql_execute_query($sql);

Another Solution
The other step I take is that I have overwritten the mysql_query function so that it replaces my table names. I want to make it difficult for people to guess my table names, so I have the following function:

function executeQuery($sql)
{
$sql = str_replace(”s_”, “game_”, $sql);
$q = mysql_query($sql) or die(”SQL Error on $PHP_SELF: ” . $sql);

return $q;
}

This replaces any s_ with game_, I might name my table “game_user” however my sql would be select * from s_user.

Hopefully this helps those who have questions about SQL Injection. And again, this certainly does not fully cover the topic.

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

Posted in PBBG Coding, PBBG General | Related Content | 3 Comments »

SQL Select Statements Kept Simple

This is a quick article on writing simple and complex select SQL statements. This primer can be used for mySQL and many other database systems. Please keep in mind this is a primer, please research and read other materials to enhance your knowledge.

For those of you who are wondering, mySQL is used in browser based game design quite often.

Select Statement

The select statement is used to get information from the database. It consists of 3 parts. The Fields the tables and the where clause.

SELECT [TABLE].[FIELDS]
FROM [TABLE]
WHERE [TABLE].[FIELD] = [VALUE]

select user.email
from user
where user.username = ‘mobeamer’

• Fields - Can contain a list of fields that you want to select.
• Table - will contain one, possibly more tables that hold the fields
• Where - This will allow you to restrict the information you receive.

Notice that I surrounded mobeamer with quotes, this is needed for strings and is good practice for other data types. A good rule of thumb is when in doubt add quotes.

Notice that I fully qualified the fields by putting the table name in front of the field name. This is not needed when writing a simple select but it is considered good form AND it will come in handy when you decide to “upgrade” your SQL statement (see joins).

Inner Join

An inner join will allow you to pull information from multiple tables with one query. The syntax for an inner join is as follows:

SELECT [TABLE].[FIELDS]
FROM [TABLE]
INNER JOIN [TABLE] ON [TABLE].[FIELD] = [TABLE].[FIELD]
WHERE [TABLE].[FIELD] = [VALUE]

Let’s say you have a user table which contains all the player’s information. You also have a units table that contains all the units that a player can have. You need a select statement which will get the player’s name and the unit’s name. In this instance my unit table has a column called ownerID which holds the userID of the owner.

select user.username, unit.unitname
from user
inner join unit on unit.ownerID = user.userID
where user.username=’mobeamer’

Another example:

select user.username, unit.unitname
from user
inner join unit on unit.ownerID = user.userID
where unit.class = ‘Warrior’

In most cases your joining field will be named the same in both tables, but I wanted to show how this was not necessary.

Notice, that you must fully qualify fields that exists in both tables. You should be aware when using an inner join, as in the first example, if the user does NOT have any units they will NOT appear in the result set.

Be very careful with inner joins as they ALWAYS restrict the result set. (See outer joins)

Outer Join

An outer join works in the same fashion as an inner join with one exception. The join will NOT restrict the returned set For example, in the example above, a player may not have a unit. In this case, an inner join would not pick up that player’s name. An outer join on the other hand would pickup this player.

select user.username, unit.unitname
from user
outer join unit on unit.ownerID = user.userID
where user.username=’mobeamer’

This will get all user, regardless of how many units they have.

Notice, the first table in the select statment begins the result set. Every outer join from there on can only add rows or columns to the recordset.

A good rule of thumb is to always use an outer join as you will never lose data with an outer join.

How I do It

This is how I write a complicated sql statement, this may not be best practices but I think it may add some context.

I wanted to create a page, which displays a player’s profile. I knew I needed a number of fields from the player’s table, unit’s table and item’s table. (Items are things that the unit holds)

I knew I wanted to display all players that had registered, so I started there.

Select user.username, user.numKills
from user
where user.isRegistered = ‘Y’

I then wanted to display the unit’s name, class and life

Select user.username
, user.numKills
, unit.unitName
, unit.class
, unit.life
from user
left outer join unit on unit.ownerID = user.userID
where user.isRegistered = ‘Y’

I then wanted to display all the items that the unit held, and the item’s description

Select user.username
, user.numKills
, unit.unitName
, unit.class
, unit.life
, item.itemName
, item.itemDescription
from user
left outer join unit on unit.ownerID = user.userID
left outer join item on item.unitID = unit.unitID
where user.isRegistered = ‘Y’

This was the sql that I ended with.

Further Articles
Good ideas to follow this up with:

• Updates, Inserts and Deletes
• Restricting an inner or outer join
• Links and Resources

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

Posted in PBBG Coding, Theory | Related Content | 2 Comments »

Tip of the Week

Do you use the header() function to redirect users?

<?php
header("Location: http://www.example.com");
?>

Here’s a little tip: use the exit statement right after you redirect.

Why? Imagine this: You have some code that runs after the redirect (the user was redirected because he did not have the correct permissions to view the page), and that code updates the user table to change some sensitive data. Obviously, you wouldn’t want that code to run after the player is redirected, but it could happen.

By using exit immediately after the redirect, you can stop any other code from executing, and make sure that nothing goes wrong!

Posted in PBBG Coding | Related Content | 5 Comments »

A Good Place to Start

A lot of people ask how they can start/learn to develop browser based game, hopefully this article will help get them started. This article may be helpful to developers who are struggling to make changes / develop games without disturbing the production version.

The development environment comes into play for both these circumstances. There are a number of ways to setup your development environment. The solution is both short and sweet.

Please keep in mind this is only good for development teams of 1 or 2 individuals, you will need to do much more if your team consists of 3+ developers/coders.

I tend to use Uniform Server (http://www.uniformserver.com) as my environment. It’s a simple download you unzip and click a “start” executable. Yes, this is a Windows solution however, there are a number of alternative solutions, just search for LAMP on google.

It runs Apache, mySQL and PHP with a number of utilities. The great part is it’s less then 2GB so it fits on a flash drive, this means you can work on any windows, anywhere.

I use that to develop on my local machine. Once I am ready, I ftp my changed files to the site. (After making the database changes)

Every so often I will download the entire site from production and over write my development file. This helps keep my local version from getting to far from the production version.

mobeamer

www.BattleForcesOnline.com
blogspot.mobeamer.com
I am no author but I do have somethings to share.

Posted in PBBG Coding, Theory | Related Content | 3 Comments »