Monkuar

Everything posted by Monkuar

  1. Well yeah, you're supposed to know all that stuff / etc. Then just ask them about a design, work with them, talk to them about SEO, etc. I have a feeling you already know how to do this. I would handle them the same, be nice and respectful regardless of their knowledge level.
  2. Templates or frameworks like Smarty/Laravel are horrible. No need to learn a subset framework, get knowledgeable in PHP first and you will be set free. Welcome to PHPFreaks!
  3. Thanks, but I usually just install Debian, and run a full web stack via PuTTY/console. I usually do these on cheap VPSs. But, are you saying a dedicated is needed to run a websocket server for sure? If that is the case, I might need to raise my budget. I will check out OVH, and others, thanks. Yeah, 4 gigs of RAM+ is probably what I would want just to be safe. I could always upgrade. RAM is dirt cheap nowadays as well. There is no way I can afford those Xeon servers though. I don't even think if my game went viral, I would make enough money off microtransactions to even pay that off per month.. lol
  4. For example, take a look at this: https://code.google.com/p/phpwebsocket/ When I run the server, it works fine and I am using the server for my inventory system on my game. When users drag and drop items in their inventory to change position, it sends the data to the HTML5 websocket server, and updates the positions accordingly/etc. And I will use it for a bunch of other stuff later. My question is: What kind of VPS would I be looking for in terms of RAM/CPU power to keep a websocket server like this up 24/7? Is it more memory intensive than socket.io/nodejs? Or what? How can I test these things? Looking at cmd.exe or php.exe in my task manager when having it run on my local Windows machine isn't really a good way to test performance, or to estimate how much RAM or VPS/CPU power of a server I'll need before launch. I can get an idea, but I don't think it's going to be close to reality. That's why I'm asking you guys here if you would know. Thanks
  5. Read 448191's response though. Why? Forum software has been done to death. Come up with something new already. For example, Websocket Forum Software, Flash based Forum Software, a Forum software written in C++ or be used as an application with notifications/etc.. Those are the inventive ideas, not this simple, silly, "ASP/PHP" forum crap. It must be unique and intuitive for it to be successful.
  6. Not necessarily, look at d2jsp. I know for a fact Paul Taulborg never spent a dime on advertising, and doesn't even use AdSense. His site is displayed just like Twitter and other crazy and popular sites. I think once the popularity reaches a certain threshold of site activity, that is when the layout becomes like that. But I do believe people have an option to pay as well.
  7. I think Google just does it automatically based upon the site's popularity/hits?
  8. That only depends on what they're doing or working on though. For example, someone who is working on a PHP RPG game should learn JavaScript/CSS/socket.io/PHP. Python / Ruby are irrelevant.
  9. Seems like a good lightweight, intuitive idea. Here is an example of a character on my game choosing between a sword and armor/shield. The problem is when you say 'Looks like he is slashing', that is very hard to manipulate because it's just a 2D image. I could however, do what you said and take off the sword and arm, and then change the positions of it and use it as a separate PNG? Then upon clicking, I can move those positions. It would look funny, but at least some type of combat, right? Not sure yet. I would really love Treasure Arena's combat though, especially for attacking mobs and basic moveability. I have EVERYTHING down, inventory management, items, HP bars, statistics, all server side and stored in MySQL. But, then if I were to use Treasure Arena's combat (if I could get their source code and implement it), the character would definitely look different than what mine is... I'm at a dilemma for sure. Hmm. What I tried in the past is to change my mouse cursor to a sword, and then append a swing-like effect to it. So it looks like the cursor is slashing at mobs. (This way, I don't need to touch the character portrait, and just have them attack and 'slash' at mobs). But with no luck, any idea how to do that? I tried with CSS3 transitioning with transform rotate, but the sword cursor rotates 100%, not a slash type effect, was my problem when I tried... hm
  10. Does anyone know a simple HTML 5 game engine (Heck, it doesn't even have to be an engine, just some type of movement) similar to: http://treasurearena.clay.io/ ? Been trying to find one forever. Thanks in advance! My game is pretty much almost finished. Character designer with a .png model, inventory management, stash tabs, stat points, everything all server side, etc. I'm just trying to get a combat system where a div element (my character model) can move around and swing an object and has simple collision. So it at least looks like a character is 'slashing' something... just anything besides basic point and click
  11. Yeah, I already added the headers and will be using HTML Purifier as another added layer of protection. For the BBCode package, not sure. I feel like just grabbing phpBB's or something as I know they have spent a lot of time on theirs. And they know what they're doing. I'll try to find a well respected and secure one and not use my own. In any event, the thing that got me from what you said was Which really hit the nail on the head. Working on this RPG game for the past several months and then not even caring about security is pretty childish and doesn't show true dedication. I do honor honest criticism every once in a while, so don't be afraid to give me more of it! It will only help me, trust me!
  12. So, I guess I'm going your route as you've been more than patient enough with me. Is HTML Purifier the only library that's worth using? (in your opinion). I do actually agree with what you're saying now, no one really has been this blunt towards me as my ego is insanely high. I'm looking at this from an objective standpoint too, and I think your path is the right path. Regardless of my issues with bloat from HTML Purifier, or the XSS semantic issue of patching each time a user finds a loophole. But, a good question remains.. Even with using HTML Purifier... The risk is still there, right? But it's for sure a lower chance than what I'm using, correct?
  13. Yeah I get your prerogative okay. I am not trying to be entertaining, I apologize if I came off that way. The regex for building my URL is as follows:

      $text = preg_replace( "#\[url\](\S+?)\[/url\]#ise", "regex_build_url(array('html' => '\\1', 'show' => '\\1'))", $text );

      Function for regex_build_url:

      function regex_build_url($url=array())
      {
          $skip_it = 0;

          // Make sure the last character isn't punctuation.. if it is, remove it and add it to the
          // end array
          if ( (strlen($url['show']) < 2 )){
              return $url['html'];
          }

          if ( preg_match( "/([\.,\?]|!)$/", $url['html'], $match) ) {
              $url['end'] .= $match[1];
              $url['html'] = preg_replace( "/([\.,\?]|!)$/", "", $url['html'] );
              $url['show'] = preg_replace( "/([\.,\?]|!)$/", "", $url['show'] );
          }

          // Make sure it's not being used in a closing code/quote/html or sql block
          if (preg_match( "/\[\/(html|quote|code|sql)/i", $url['html']) ) {
              return $url['html'];
          }

          // clean up the ampersands
          $url['html'] = preg_replace( "/&/" , "&" , $url['html'] );

          // Make sure we don't have a JS link
          $url['html'] = preg_replace( "/javascript:/i", "java script: ", $url['html'] );

          // Do we have http:// at the front?
          if ( ! preg_match("#^(http|news|https|ftp|aim)://#", $url['html'] ) ) {
              $url['html'] = 'http://'.$url['html'];
          }

          //-------------------------
          // Tidy up the viewable URL
          //-------------------------
          if ( (strlen($url['show']) -58 ) < 3 ) $skip_it = 1;

          // Make sure it's a "proper" url
          if (!preg_match( "/^(http|ftp|https|news):\/\//i", $url['show'] )) $skip_it = 1;

          $show = $url['show'];

          if ($skip_it != 1) {
              $stripped = preg_replace( "#^(http|ftp|https|news)://(\S+)$#i", "\\2", $url['show'] );
              $uri_type = preg_replace( "#^(http|ftp|https|news)://(\S+)$#i", "\\1", $url['show'] );
              //$show = $uri_type.'://'.substr( $stripped , 0, 35 ).'...'.substr( $stripped , -15 );
          }

          return $url['st'] . "<a href='".$url['html']."' target='_blank'>".$show."</a>" . $url['end'];
      }

      You're right, it did just blindly accept my http://, but that stopped your specific attack. Now, since you gave me your XSS attack, I improved the code and added this:

      if (filter_var($url['html'], FILTER_VALIDATE_URL) === FALSE) {
          return $url['html'];
      }

      Which will just return the text because data-based dynamic expressions are not valid URLs now. So, step by step I am improving this. It seems like the url tags are very well protected at the moment, can you spot any other red flags? I am not saying my code is 100% secure. I believe code cannot be 100% secure and there is always, ALWAYS room for someone to craft up an exploit if given enough resources and time. That's why I posted here! And I do appreciate your help thus far. I would have never added filter_var without seeing your XSS.... So, believe it or NOT, you are making a difference to me. And I do appreciate it.
  14. Thanks Jac. I ran those codes through my parser, but not sure why it's still not being XSS injected. I'm returning:

      <a href='http://data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTIDInKTwvc2NyaXB0Pg==' target='_blank'>data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTIDInKTwvc2NyaXB0Pg==</a><br /><br />[URL]javascript:alert("XSS 1")[/URL]

      Upon clicking the link, nothing happens. I can try HTML Purifier, but I don't know how bloated it is, and not sure if I even need it at this point. I guess once you or I find an injectable code, I might do it, but as of right now.... meh. Also, I've tried all of these as well: http://jeffchannell.com/Other/bbcode-xss-howto.html None work. I'm vigorously trying to find why.
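The two posts above (13 and 14) probe the [url] tag with a blacklist: rewrite the text "javascript:", prepend "http://", then add filter_var. The defender's alternative is an allow-list on the parsed scheme, so that anything other than the schemes the posted regex already accepts (http, https, ftp, news) is shown as plain escaped text rather than turned into a link. The block below is an added example, not Monkuar's code: the function names safe_link_target and render_url_tags, the constant ALLOWED_SCHEMES and the sample inputs are constructed for it. It uses preg_replace_callback instead of the /e modifier used in the posted regex, because /e evaluates the replacement as PHP and was removed in PHP 7.

```php
<?php
declare(strict_types=1);

// Schemes taken from the posted regex "^(http|ftp|https|news)://".
const ALLOWED_SCHEMES = ['http', 'https', 'ftp', 'news'];

// Return the href to render for $raw, or null when the input must not
// become a link at all (unknown scheme, no host, not a valid URL).
function safe_link_target(string $raw): ?string
{
    $raw = trim($raw);

    // Like the original, prepend http:// to a bare "example.com/page",
    // but only when there is no scheme-looking prefix at all. A bare
    // "host:port" therefore falls through to parse_url and is rejected
    // rather than guessed at.
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $raw)) {
        $raw = 'http://' . $raw;
    }

    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // javascript:, data:, mailto: etc. carry no host
    }
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;   // allow-list, not a blacklist of known-bad prefixes
    }
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;   // e.g. the "http://data:text/html;..." case: non-numeric port
    }
    return $raw;
}

// Replace [url]...[/url] with an anchor only for permitted targets.
// Both the attribute and the link text are escaped with ENT_QUOTES, so a
// quote inside the input cannot close the href attribute.
function render_url_tags(string $text): string
{
    return preg_replace_callback(
        '#\[url\](.+?)\[/url\]#is',
        static function (array $m): string {
            $target = safe_link_target($m[1]);
            if ($target === null) {
                return htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8');
            }
            $attr = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $attr . '" target="_blank" rel="noopener noreferrer">'
                 . $attr . '</a>';
        },
        $text
    );
}

// Constructed sample inputs; the two payload shapes are the ones quoted
// in post 14 above, the rest are ordinary links.
$samples = [
    'example.com/page',
    'https://example.com/?a=1&b=2',
    'javascript:alert("XSS 1")',
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTIDInKTwvc2NyaXB0Pg==',
    "https://example.com/'onmouseover='x",
];
foreach ($samples as $s) {
    printf("%-72s -> %s\n", $s, render_url_tags('[url]' . $s . '[/url]'));
}
```

The design point is that rejected input is still displayed, just not as a link, so a user who pastes an unusual URL sees their text rather than a silently altered "java script:" string, and the parser never has to enumerate bad schemes.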
  15. htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

      Using this code with UTF-8. I need someone to help craft up some small XSS injections with this. I heard htmlspecialchars doesn't stop all XSS attacks, so I'm wondering what's the most XSS attack you can craft to load a simple cookie loader. (Basically, just simple JavaScript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good). Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server) Thanks! $str = user input. Oh, and here is the BBCode regex that the code passes through before this function is returned on the text.

      $text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text );
      $text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text );
      $text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text );
      $text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text );
      //Spoiler
      $text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text );
      //Beautiful Colors
      $text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );
      $text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );

      If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure.
  16. I assume for minimal XSS protection, in case someone crafts up an exploit in one of the BBCode functions, correct? I should just run the htmlspecialchars at the end then. Then, I don't have to use the HTML entities in my smileys array to check via regex as well, and I would have never even had this problem, right? Lol, I'm a Debbie Downer sometimes, I apologize...
  17. LOL!!! Yep. I was calling htmlspecialchars before. I should have inspected the freaking source code before making this topic, my apologies. Thank you! Oh, yeah. Nice find. Thanks guys!
  18. Here are my smileys:

      // Here you can add additional smilies if you like (please note that you must escape single quote and backslash)
      $smilies = array(
          ':)'        => 'smile.gif',
          ';)'        => 'wink.gif',
          ':('        => 'sad.gif',
          ':mellow:'  => 'mellow.gif',
          ':('        => 'sad.gif',
          ':angry:'   => 'mad.gif',
          ':cry:'     => 'cry.gif',
          ':banana:'  => 'banana.gif',
          ':locked:'  => 'dancinglock.gif',
          ':hug:'     => 'hug.gif',
          ':bonk:'    => 'bangin.gif',
          ':love:'    => 'heart2.gif',
          '<3'        => 'heart.gif',
          ':blush:'   => 'blush.gif',
          ':p'        => 'tongue.png',
          ':lol:'     => 'lol.png',
          ':mad:'     => 'mad.png',
          ':rolleyes:' => 'roll.png',
          ':cool:'    => 'cool.png'
      );

      And here is the function to convert them to images using preg_replace:

      function do_smilies($text)
      {
          global $smilies;
          $text = ' '.$text.' ';
          foreach ($smilies as $smiley_text => $smiley_img) {
              if (strpos($text, $smiley_text) !== false)
                  $text = preg_replace('%(?<=[>\s])'.preg_quote($smiley_text, '%').'(?=[^\p{L}\p{N}])%um', '<img src="/img/emoticons/'.$smiley_img.'" alt="'.$smiley_text.'">', $text);
          }
          return substr($text, 1, -1);
      }

      All of them are being replaced except for '<3', why? I tried: \<3 AND <\3 to see if I needed to escape the left carrot (<), but still no luck.
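Posts 15 to 18 above turn on the order of htmlspecialchars relative to the BBCode and smiley passes: the '<3' key is never found because, as post 17 resolves, the text was already escaped to '&lt;3' when do_smilies ran. Moving htmlspecialchars to the end (the idea in post 16) would instead escape the <img> and <span> tags the parser itself produces. The ordering that works is to escape the raw post once, then run every replacement against the escaped text, with each smiley key escaped the same way so that '<3' still matches. The block below is an added example, not Monkuar's code: escape_post, do_bbcode, do_smilies_escaped, render_post, the two-entry smiley table and the sample post are constructed for it; the smiley regex and image path follow the posted do_smilies.

```php
<?php
declare(strict_types=1);

// Constructed two-entry smiley table; the full one is in the post above.
const SMILIES = [
    ':)' => 'smile.gif',
    '<3' => 'heart.gif',
];

// Step 1: neutralise the raw post exactly once, before any markup exists.
function escape_post(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Step 2: BBCode on the escaped text. The tags use [ and ], which
// htmlspecialchars leaves untouched, so the patterns still match, while
// any < > " ' from the user is already entity-encoded inside the tag body.
function do_bbcode(string $text): string
{
    $text = preg_replace('#\[b\](.+?)\[/b\]#is', '<span class="b">$1</span>', $text);
    $text = preg_replace('#\[i\](.+?)\[/i\]#is', '<i>$1</i>', $text);
    return $text;
}

// Step 3: smileys on the escaped text. Each key is escaped the same way
// the post was, so '<3' is searched for as '&lt;3' instead of never matching.
function do_smilies_escaped(string $text, array $smilies = SMILIES): string
{
    $text = ' ' . $text . ' ';
    foreach ($smilies as $smiley_text => $smiley_img) {
        $needle = htmlspecialchars($smiley_text, ENT_QUOTES, 'UTF-8');
        if (strpos($text, $needle) === false) {
            continue;
        }
        // Same boundary rule as the posted function: preceded by '>' or
        // whitespace, followed by something that is not a letter or digit.
        $text = preg_replace(
            '%(?<=[>\s])' . preg_quote($needle, '%') . '(?=[^\p{L}\p{N}])%um',
            '<img src="/img/emoticons/' . $smiley_img . '" alt="' . $needle . '">',
            $text
        );
    }
    return substr($text, 1, -1);
}

// Escape first, then generate markup from the escaped text.
function render_post(string $raw): string
{
    return do_smilies_escaped(do_bbcode(escape_post($raw)));
}

// Constructed sample: a smiley, a BBCode tag and a script tag in one post.
// The script tag survives only as text; both smileys become images.
$sample = 'I <3 [b]this game[/b] <script>alert(1)</script> :)';
echo render_post($sample), PHP_EOL;

// The symptom from the post above: searching the escaped text for the raw
// key '<3' finds nothing, because the text now holds '&lt;3'.
var_dump(strpos(escape_post($sample), '<3'));
var_dump(strpos(escape_post($sample), htmlspecialchars('<3', ENT_QUOTES, 'UTF-8')));
```

The alt attribute is written from the escaped key, so it reads '&lt;3' in the markup and renders as '<3' in the browser; keeping every user-derived string on the escaped side of the pipeline is what makes the later preg_replace calls safe to run.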
  19. Yeah, I started with Jquery's UI, it's nice. I eventually moved to http://interactjs.io though, this thing is an absolute monster. Very lightweight as well, and doesn't even depend on jquery. Add http://darsa.in/tooltips/ to your movable objects as well, and it becomes simply beautiful.
  20. 'This project is now being re-written for Socket.IO and NODE.js support' LOL.. Good luck trying to make something better than this: https://nodebb.org/ Stop trying to re-invent the wheel, enhance it and become a part of a community and help development. You can start by creating a new skin for nodebb's shitty default style..
  21. Are you inserting that code at the exact same place? Sometimes the JS needs to be rendered before the ID. Is your clock.js in the same directory? Is it being called? If you're on Chrome go to dev tools and refresh and see if it's getting called. Edit: Oh I see, it's because you're using PHP for inline variables. You need to pass them through a parameter function instead if you want to use that JS externally.
  22. Yeah, I currently disabled it as well. I am just worried because it's not set as default and future users WILL have a problem with the editor. They will type out a whole paragraph explaining their code and what the problem is, then all of a sudden see it's all gone. That would diminish the customer and user retention for this site. And if that user doesn't have an ad blocker, it will in essence generate less revenue. I think it's a prevalent issue and it should be top priority. I don't know what else to say.
  23. Got it. Thank you very much for the explanation. Didn't actually know you could pass variables through a parameter without using global. I was wondering where the hell it was getting its value from!
  24. The font is looking weird and not smooth as compared to Firefox: Chrome screenshot: Firefox: This is my CSS:

      @font-face {
          font-family: 'Aldrich';
          font-style: normal;
          font-weight: 400;
          src: local('Aldrich'), url(../font.woff) format('woff');
      }
      body, input {
          font-family: 'Aldrich', sans-serif;
          font-size: 12px;
      }

      Any idea? Why is the font not smoothed out on Chrome (for font-weight:bold properties)?