Index's Forum Posts

  • MySQL statements.

  • Two hours seems a bit much but alright. Also, remember to escape the variables before they go into the database. It's also a good idea to configure firewall settings to avoid user access to ports outside of the ones they are supposed to access.

    Good Luck!

  • I'm not too educated in this matter but I spent several days trying to figure out a solution to something I learned. I wanted to make a tutorial at some point but I didn't want to mislead if there was something I missed. Therefore, feel free to look deeper into the things I mention, if you have concerns. I won't be sharing code at this moment. I also won't be writing those tutorial pages (yet anyway). I'm just going to give you way more than you asked for in one post. It will perhaps come in handy for you or anyone who searches this in the future, and so here we go.

    I'll start off by saying this. If you're doing operations on the client-side a person who wants to attack knows exactly what you're doing. Never depend on the client-side. Never trust the client-side. It can be manipulated. So the best way is to always design away from a client dependency.

    Now. I don't recommend sending passwords in plain text on the basis that it's the most frowned upon thing. A single encryption on the client-side should be fine. Do not mix encryption unnecessarily. It will weaken your encryption when you're not careful.

    You're going to want to get an SSL Certificate. These can be moderately difficult to understand at first. I'd go way more in-depth but this post would be giant. You can get a cheap SSL for around $10 a year. RapidSSL, Comodo, TrustSSL(GeoTrust), DigiSign, Verisign. You'd primarily want one of these, and for this- preferably the cheapest.

    It will latch onto ONE domain (example.com) and the immediate subdirectories (example.com/*). It will not latch onto, (*.example.com) or any of those subdirectories (*.example.com/*).

    Wildcard SSL exists and covers the domain, subdomains and all subdirectories (*.exampledomain.com/*) but they're a lot more expensive ($100+). I don't think you'll need Wildcard or an EV SSL, so don't be too concerned with those.

    SSL is great. It helps give an extra layer of confidence to your members. The most important part here is that it will encrypt information that transfers over the line. It will also help indicate if something seems tampered. Although this is a huge plus, it comes with some drawbacks. Things that come from non-SSL connections will sometimes get blocked by your browser. You can also encounter things such as Cross-Domain and Cross-Origin more frequently. However, it's all part of the development process and it feels good once it's done.

    Note: exampledomain.com IS NOT secure. You have to use https:// and you can use exampledomain.com as the port is not what is important.

    So, with all this you should be able to get the data from the client to the server. The important part now is storage. SHA and MD5 are very fast encryption methods. This sounds good on paper but is horrid against crackers.

    There is a fancy way of offloading a particular cracking to a graphics card. SHA/MD5 being run through multiple machines' graphics cards can hit up to millions of attempts every second. A lunch break could become disastrous for many people.

    Now, this would most likely only be the most determined of people out there. You'd have to paint a huge target on your back to piss them off. Maybe you could *shrugs*. There is a possible protection from this.

    There is a method called PBKDF2 which will run a SHA512 (or 256, not sure which) over and over to the extent that you specify. The more times the better. It connects something called a Unique SALT value to the password and re-runs the encryption thousands, tens of thousands and hundreds of thousands of times, making it require more resources to hack.

    Another newer method is called SCRYPT. This hasn't been tested too much so it's not openly recommended. However, this method takes an increased amount of resources. This would essentially mean it is very difficult to crack these values. This of course depends on the settings you specify.

    You can find PHP libraries of PBKDF2 and SCRYPT. You can find NODEJS libraries that can help do this in Javascript alongside Socket.IO.

    Now I told you it would be easy to understand. Well- at the core of it- it is. The true issue is that PBKDF2 and SCRYPT can skyrocket the CPU usage and RAM usage very easily depending on the settings you choose. Keeping them lower, you might be fine. However, if a lot of logins have to be processed at one time- things get very complicated.

    I'd recommend trying them on low settings and going with that. I won't be sharing my code any time soon (as I'm still using and developing it) but this is some idea of security. It's tough. I just hope I could clear something up for you.

    I won't go into details but also look into something called Cloudflare.

    Note: Make sure to understand what they do with SSL because if you buy a certificate it won't work with their Free nor the $20 plan.

  • Google is working on something for faster UDP usage. I think it was leaked information though so there's not too much about it just yet.

    Also~ I'll be keeping watch on this thread. Keep it updated with your progress. :]

  • Glad to hear you're still fiddling with this. I haven't run into the need to use it yet, but once Johnny's falls too far behind I'll probably switch over.

    I looked at the official websocket one. I just don't understand how to edit the url to use Https (Wss) since the plugin layout is strange to me.

    About the video. If you're looking into doing multiplayer stuff- I don't know too much about it. I wish I knew where I originally heard this from.

    Basically, you should allow the client to predict with periodic updates. That means sending the direction, speed, and so on only when there's a difference. The client then emulates that. The server will also send a hard update of coordinates every ~2 seconds (depending on need) making sure the client isn't too detached from the original. This cuts the amount of messaging by a ton.

  • You still working on things here, Ace?

  • Could also make a light blank plugin object. Separate every new one off into subdirectories. Use the instance variables for data. Create as many as you need.

    When you need to save, offload that organization into web storage.

    I've also been messing around with node recently and there's a lot of buzz around MongoDB. I have no experience with it though.

  • These avatars of the people replying to this thread.... xD


    Anyway, if I was browsing the arcade and some posts on the forums I probably wouldn't be too convinced. There are many other HTML5 engines that are appearing and if they're offering frees, you're hurting yourself. If it had a reputation like Unity does, but it doesn't. Therefore, I see no reason to jump to a gamble.

    Now a monthly access fee could be something else but, *shrugs*

  • Here

    Note: Read the thread to see what he decided at the time.

  • I must have missed the submit button when I made a post (in this thread) about the issue. Anyway, ya- I think it's an old bug from when I broke a plugin and never wanted to search for which one it was. (AKA, I just have a folder filled with old plugins)

    Thanks for the help though. The guy above me posted how to reproduce his issue.

    Cheers.

    EDIT: Posted in a thread that was closed and there's no way to delete my post. >.<

  • I'm getting this same error oddly enough. I haven't tried re-installing yet. I was just coming to see if there was a solution already :C.


  • megatronx

    I use it for passwords. A simple example would be~

    User inputs their password -> It is hashed to something unknown -> Unknown string is sent over SSL -> Server hashes it again and stores or checks it.

    Note: I don't recommend using that exact setup. Also, never store sensitive data information on the client's computer or send it back to the client.

  • I have not tried this yet but if the features are true this sounds great. Keep up the good work and I'll tell you what happens when I get around to checking this out.

  • I hope everyone gets to read your post. Truly something there.

    You are a developer that makes me proud to say, I utilize and support that software.

    Ashley - Keep it up.

  • My dream computer game is one I hope Scirra (Construct 2) can help me achieve one day. It will, on the surface, be a community-oriented website/app. This means that the users have the tools to contribute content from assets like art and music to tutorials, servers and even completed games. From there small systems for other games, events and tournaments continue to grow the community.

    Then with a key combination any user can seamlessly drop into a persistent Online RPG World. This RPG World co-existing with the website/app. This means that you're never switching programs. Never becoming someone or something different. And you're always part of the community.

    Construct 2. <3

    (That may be too long and a lot is missing. However, if any one of you C2 brains is feeling curious and willing to assist, I could possibly elaborate if you want to offer your assistance one day. The second part (RPG) is ultimately delayed until news of "Online Game" functions breach the lips of an Admin's mouth.)