60 replies to this topic

[Caseyweederman]

Sweet. Oh, I think MySQL has a thing that checks as you're entering it?
That was something I put off when I was feeling extra creative and didn't want to slow down and pay attention to boring things like validation.
I guess I could easily write a function and run everything through that with little trouble.
But yeah, I'd intended on getting to it by now, but then I didn't.
Other than that, Mrs. Lincoln, how was the show?

[Drackir]

You may be thinking of magic quotes. Don't rely on that. One server may have it on, another may not. I cannot stress enough how important it is to validate the things you're concatenating into SQL queries.

The function you want to use is this: mysql_real_escape_string This will replace the appropriate characters taking into account the current character set of the connection. Note that you have to call it after mysql_connect and also if magic quotes are on, you need to strip slashes first.

So something like this...

$action = $_POST['combat_action'];
if(get_magic_quotes_gpc()) {
    stripslashes($action);
}
$action = mysql_real_escape_string($action);
//Do stuff with $action

...is what you should be doing.

[Caseyweederman]

That's the one! I guess that's PHP side, not MySQL.
I'll do that. Soon. I promise. >.>

[Drackir]

Well, I mean, as long as you back up the database after every query, it would be Ok. Well, except that it would also back up the bad SQL injected code changes. Hmm. I guess the only way to get around it then, is to validate the input. Don't worry, I'll be the first person to hax your database!

[Caseyweederman]

I hope so. White hat hackers are alright in my books.
Now I just need to worry about dropping the database myself and repeating the White Wednesday ordeal.

[Drackir]

You lost me on the Wednesday thing.

[Caseyweederman]

Heh. White Wednesday is when Jick hit the Delete ALL the things button by accident and then found out that the data wasn't being backed up properly.
He turned it into a world event where everybody got cool stuff to try to make up for it.

I'm rewriting everything!
And this time, I'm validating.

[Drackir]

That's neat.

Also, yay for validation!

[Caseyweederman]

Hm. New question.
What's the simplest way to have an input from one account affect the display on another? Do I just have a script check a state every three seconds to see if there's new information, and reload if there is?
How does in-line chat work? I could use that to deliver information. Each battle is its own 'channel' and battle results are 'spoken'. It would also be nice for, you know, chatting.
But even in the chat pane, is it possible to trigger an event that reloads parts of the page based on un-mimic-able text in chat? Also that sounds confusing and lame.
Maybe I should go back and read through that link about application variables.


How it's set up now: If one player is combat ready but any other player has not yet made a decision, the first player sees 'Somebody else isn't ready yet. Click here to reload this page to see if everybody is ready.'
That reloads the page and displays a readout of whatever took place in between.

It would be nice if the page reloaded on its own once the last person has made a decision.

[Drackir]

You should read the other links I added to that post (long-polling, comet, etc.). You have a couple options:
1) You can make JavaScript make a request every few seconds and then update the page with whatever it gets back. No refreshing here, us JS to update the page.
2) Long-polling which basically means you leave a connection open to the server for a long time which allows the server to keep sending you data occaisionally. This has the benefit of not having to go through the whole HTTP GET request stuff for each piece of data, however, some servers may terminate connections and it can be a waste of resources.

I really recommend using jQuery and JSON. PHP has a json_encode function that will convert your PHP arrays/objects into JSON form for sending to JavaScript. It then comes out as objects in JavaScript which makes your code more robust and readable.

And always remember: leave no logic to JS, it should only update the presentation of data on the page. The server should handle all calculations and validations. Though you may want to validate the JavaScript first to prevent unnecessary (i.e. invalid) requests sent to the server.

[Caseyweederman]

Whoah, prepared statements are awesome.
Quick question, I think I'm being led to believe that PDO prevents SQL injection. Does this mean that I don't need to use mysqli_escape_string any more?
If I do, how?

[Drackir]

Whoah, prepared statements are awesome.
Quick question, I think I'm being led to believe that PDO prevents SQL injection. Does this mean that I don't need to use mysqli_escape_string any more?
If I do, how?

Well, it does as long as you use the parameters. That's what's so great about them.

In fact, it's a really bad idea to escape the parameters since what actually happens is you're double escaping it and it won't go into the database properly.

I've seen this on websites where I enter a search term with a quote in it and when the new page loads, it the single quote was replaced by two single quotes. In some cases, subsequent page views (i.e. Page 2 of 7) even re-escaped those values (so now there were 4 quotes!).

[Caseyweederman]

Yep okay I need to cut down on that whole double-escape thing. And allowing apostrophes in usernames.

Next question, because my thirst for knowledge is UNQUENCHABLE, is as follows.

A script includes another script which refers to itself ($_SERVER['PHP_SELF']) which points to the first script. How do I solve this?
Options I see:
Stop using PHP_SELF and just commit to never reusing functions in that script,
or google it myself and find the following line:
echo '<META HTTP-EQUIV="Refresh" Content="0; URL=file.php">';

Sweet. Thanks!

[Drackir]

What are you trying to do using PHP_SELF? Is there a reason why you would want it to output the included file's name instead of the includer file?
Also, what does a meta refresh have to do with this?

If you want something to keep checking the db for new data, do it through JS using AJAX.

Other than that, I imagine you could solve your problem by refactoring your code so that the dependency on the file name falls on a separate file altogether. Then, the first two files can reference it directly.

[Caseyweederman]

The mail code allows the player to join a battle from a special battle invitation message. Clicking 'join' dumps you into that combat. Thus: dump from mail script to battle script.
Meta refresh with the URL attribute set to the other script lets the mail script finish and then push the player into the joined combat.

[Drackir]

Well, I don't see why you can't hard-code the script name in the refresh tag. Also, you'll want to make sure that there is a link to the page because people can disable meta redirection.

Also also, you can use php's header() function to change the location header if you haven't output anything to the buffer yet. Just call

header("Location: mypage.php")

and it should move the user over. However, the same thing applies regarding the link since, I believe, header redirection can also be disabled.

Is it not possible to simply combine the join from mail logic into the battle script since they're both related?

[Caseyweederman]

That's a question of flow that I'll have to think about.

My new task: Make chat.

I've succeeded in writing a javascript function that hits a php script on the server which returns lines pulled out from a table named Chat. The javascript then updates the page without reloading the whole thing. Also there will be tabs for the different channels.
I guess what happens next is to make that javascript function repeat every 1-3 seconds. Is that responsible? What happens if a hypothetically large number of people are all logged in, hitting the database once per second?
Would it be better to store this in a text file on the server? If only the server is reading and writing to this, there shouldn't be any problems with it being accessed more than once at the same time, right? Though that would still be hit so many times and so frequently.

I've looked around at some examples, and these seem to be the way this is generally done.
Is this the right way? Is there something I'm missing? Is there a threshold I should be aware of?

Also: Updating things on the page with document.getElementById is so cool.

Also also: Please take away the default value of the Stay Logged In box... Users who want it on would only need to click it once, but I need to click it every time I log in. Pweeease?

[Drackir]

How's this going?

Basically, yeah, you poll the server every so often using AJAX to see if there are new messages. You may also want to, when it sends a message to the server, have the server respond with any new messages and add them before you add it to the chat box (so everything is in order).



Why don't you just stay logged in?

[Caseyweederman]

I can't stay logged in or I'll die.

It's going well! Chat updates that way, poking away a bunch of times. I'm tying other things into the same timer, so combat will update as often as chat does. Handy if everybody is making a decision every couple seconds, then everyone can progress apace.
I miiiight make it so that mail messages only update every three times that the others update though... That's not really something that needs so much constant attention.

Oh, here's a question. Check out my site in Chrome, and then check it out in Firefox. The contentContainer div and the chatContainer div are both set to height:100%;overflow-y:auto;, but in firefox it ignores this and just expands the height until all contents are displayed and I am dismayed. I don't want the whole page to scroll, just those divs. Halp? :3

[Drackir]

The overflow-x and overflow-y properties are new in CSS3. They're probably getting ignored in FF.

...and that is probably because you're not using a proper doctype and your code is malformed.
First of all, the first line of your code should be this: <!DOCTYPE html>
The second line should be <html>.
Your script and style tags should be in the head tag following the title.

If you want the browsers to act the same you have to tell them how to act. That doctype will tell them to treat it as HTML5, which means smart browsers will be standards compliant, which means your code will most likely be displayed the same across the browsers.