DragonPrime - LoGD Resource Community
Welcome Guest
  • Good morning, Guest.
    Please log in, or register.
  • July 23, 2019, 05:00:36 AM
Home Forums News Downloads Login Register Advanced Search
* *
DragonPrime Menu
Login
 
 
Resource Pages
Search

  Show Posts
Pages: [1] 2 3 ... 15
1  Core Code Development Discussions / Core Development Discussion / Re: Compressing the SQL traffic on: July 13, 2019, 10:14:18 AM
I see your point(s) ^^ they are valid.

With the current installations, I think bottlenecks are generally different.
Some have slow mysql hosting, great web server speed. Others quite the opposite.

Normally any webhosting platform can run lotgd and not break a sweat, page gen times <1s.

The complexity you introduce needs to be balanced towards a potential gain.
2  Core Code Development Discussions / Core Development Discussion / Re: Compressing the SQL traffic on: June 23, 2019, 11:18:43 AM
"Servers can handle a lot" ... you need to know that scaling from 1-30 users hitting a site every second is not really an issue with this sentence.
If you go to 100, or 200... or you have users who hyper through sites...

I give you 40kb.
Say you have 100 ppl hitting it per second. 40*100 = 4000, that's 4MB/sec to save in your DB.
Just the page hits. Nothing else. No useful data. That is just *if the user has a badnav* or *logs in again after timeout/logout*

So, let's say you have that all day. 24*60*60.
I'll let you do the math. =)

It's fine if you have low traffic, but this stuff there saved me tons of needless data transfers. =)
3  LotGD Around the World - Language and Translation Support / Board fr allgemeine Spieldiskussionen (Support in German) / Re: Translation Wizard on: June 23, 2019, 11:14:23 AM
Kurze Checkliste:

- hast Du Deine Sprache auf Deutsch gestellt?
- war der Pull lt. Wizard erfolgreich? (falls ja, hast Du die Daten in der Datenbank)
- hast Du danach auch "Insert missing translations" gemacht? (ein Pull holt erstmal alles in eine Zwischentabelle)

Er spielt Dir das alles nicht live ein. Das wirds vermutlich auch sein, also der letzte Punkt.
4  Game Administration, Installation and Configuration / Installation and Configuration Assistance / Re: Translation Wizard on: June 23, 2019, 11:11:43 AM
Some things said were great, other were not Smiley I'll sum up:

- You *can* translate anything that is translateable in the game (+modules) with it.
(that comes from the game translation functionalty).
- Modules may be poorly writting and break that function, needs to be fixed in that module
- existing translation are sadly outdated, so many modules you may have are not pre-translated if you "pull" them in.

o/

(side note: I switched hosts today so you may have to wait a few hours to pull)
5  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / Re: SQL injection bug in motd.php on: April 28, 2019, 02:22:44 PM
Yeah, sure, that's shorter and better =)
6  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / Re: SQL injection bug in motd.php on: April 27, 2019, 11:13:00 AM
It's pretty much the same, you'd need to rewrite the queries afterwards then or you have to concat the month+year together again.
Or you check if both are originally integer values, which would be more lines of code.

Pretty much the same I think, regex might be a bit quicker.

Any fix is good as long as it is fixed.
motd.php is accessible from outside the game, making it worse.
7  Core Code Development Discussions / RAID! (Core Code Bug Reports and Patches) / SQL injection bug in motd.php on: April 26, 2019, 10:10:10 AM
I got a rather interesting sql injection attack on my server, which is (as I just downloaded the bugfixed 2017 version) also present in lotgd core.

motd.php has the following code:

Code:
$m = httpget("month");
if ($m > ""){
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$m}-01' AND motddate <= '{$m}-31' ORDER BY motddate DESC";
$result = db_query_cached($sql,"motd-$m");
}else{
$sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor ORDER BY motddate DESC limit $newcount,".($newcount+$count);
if ($newcount=0) //cache only the last x items
$result = db_query_cached($sql,"motd");
else
$result = db_query($sql);
}

As you can see, $m is entered by httpget() and patched without escape right into the query.

Which leads to somebody actively trying to get the db connection (and therefore access to user data) producing this error:

Code:
fopen(/var/datacache/datacache_motd-cast2828SELECT20dblink-connect28chr28104297C7Cchr28111297C7Cchr28115297C7Cchr28116297C7Cchr2861297C7Cchr2854297C7Cchr28121297C7Cchr28112297C7Cchr28116297C7Cchr28115297C7Cchr2851297C7Cchr28107297C7Cchr28100297C7Cchr28115297C7Cchr28110297C7Cchr28110297C7Cchr2849297C7Cchr28108297C7Cchr28106297C7Cchr28100297C7Cchr28114297C7Cchr2899297C7Cchr28120297C7Cchr28120297C7Cchr28107297C7Cchr2899297C7Cchr28115297C7Cchr28117297C7Cchr28106297C7Cchr28101297C7Cchr2897297C7Cchr28103297C7Cchr28105297C7Cchr2898297C7Cchr28102297C7Cchr2897297C7Cchr28111297C7Cchr2853297C7Cchr28118297C7Cchr28102297C7Cchr2851297C7Cchr28109297C7Cchr28114297C7Cchr28107297C7Cchr28101297C7Cchr28106297C7Cchr2856297C7Cchr28107297C7Cchr2846297C7Cchr28114297C7Cchr2856297C7Cchr2855297C7Cchr2846297C7Cchr28109297C7Cchr28101297C7Cchr2832297C7Cchr28117297C7Cchr28115297C7Cchr28101297C7Cchr28114297C7Cchr2861297C7Cchr2897297C7Cchr2832297C7Cchr28112297C7Cchr2897297C7Cchr28115297C7Cchr2 8115297C7Cchr28119297C7Cchr28111297C7Cchr28114297C7Cchr28100297C7Cchr2861297C7Cchr2897297C7Cchr2832297C7Cchr2899297C7Cchr28111297C7Cchr28110297C7Cchr28110297C7Cchr28101297C7Cchr2899297C7Cchr28116297C7Cchr2895297C7Cchr28116297C7Cchr28105297C7Cchr28109297C7Cchr28101297C7Cchr28111297C7Cchr28117297C7Cchr28116297C7Cchr2861297C7Cchr285029292920as20numeric29): failed to open stream: File name too long in /var/www/html/naruto/lib/datacache.php (62)
Call Stack:
2: fopen("/var/datacache/...", "w") called from /var/lib/datacache.php on line 62
3: updatedatacache("motd-cast((SELECT dblink_...", Array()) called from /var/lib/dbwrapper_mysqli_proc.php on line 65
4: db_query_cached("SELECT motd.*,name AS mot...", "motd-cast((SELECT dblink_...") called from /var/motd.php on line 64

I used (I think this should work on your systems too) following git patch:

Code:
diff --git a/motd.php b/motd.php
index 48b2b6d..a034a2a 100644
--- a/motd.php
+++ b/motd.php
@@ -58,10 +58,16 @@ if ($op=="") {
        /*
        motditem("Beta!","Please see the beta message below.","","", "");
        */
-       $m = httpget("month");
-       if ($m > ""){
-               $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$m}-01' AND motddate <= '{$m}-31' ORDER BY motddate DESC";
-               $result = db_query_cached($sql,"motd-$m");
+       $month_post = httpget("month");
+       //SQL Injection attack possible -> kill it off after 7 letters as format is i.e. "2000-05"
+       $month_post = substr($month_post,0,7);
+       if (preg_match("/[0-9][0-9][0-9][0-9]-[0-9][0-9]/",$month_post)!==1) {
+               //hack attack
+               $month_post="";
+       }
+       if ($month_post > ""){
+               $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor WHERE motddate >= '{$month_post}-01' AND motddate <= '{$month_post}-31' ORDER BY motddate DESC";
+               $result = db_query_cached($sql,"motd-$month_post");
        }else{
                $sql = "SELECT " . db_prefix("motd") . ".*,name AS motdauthorname FROM " . db_prefix("motd") . " LEFT JOIN " . db_prefix("accounts") . " ON " . db_prefix("accounts") . ".acctid = " . db_prefix("motd") . ".motdauthor ORDER BY motddate DESC limit $newcount,".($newcount+$count);
                if ($newcount=0) //cache only the last x items
@@ -97,7 +103,7 @@ if ($op=="") {
        while ($row = db_fetch_assoc($result)){
                $time = strtotime("{$row['d']}-01");
                $m = translate_inline(date("M",$time));
-               rawoutput ("<option value='{$row['d']}'".(httpget("month")==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
+               rawoutput ("<option value='{$row['d']}'".($month_post==$row['d']?" selected":"").">$m".date(", Y",$time)." ({$row['c']})</option>");
        }
        rawoutput("</select>".tlbutton_clear());
        $showmore=translate_inline("Show more");

8  Coding Support / Coding Support Desk / Re: How To Reset The Prefs Of ALL Players on: January 13, 2019, 12:30:36 PM
I highly suggest copying your database + testing such things there =) if you don't have a test server.

On another note: Yes, your query looks sound, but you could drop "AND setting", if you want to reset ALL prefs. Else you just reset the setting "blah_blah_blah".
9  Modules, Themes and other customizations for your game / Completed Modules for version 1.x.x / Re: reCAPTCHA anti-spam for petition.php on: December 25, 2018, 12:55:52 PM
Never pass away a captcha (that can also do audio only and more).

here is my implementation, just enter your site key in the settings.
(PHP CURL is needed, though)
10  Game Administration, Installation and Configuration / The Idea Place / Re: Switch Accounts on: August 13, 2018, 02:30:06 PM
If you would do that right, you'd replace the entire login process with that, and attach characters to it. Would solve the multi-char-problem, and other numerous things.
But, you would have the replace the entire login process and so on...
11  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 06, 2018, 01:46:13 PM
You're welcome =)

As said, what must be deleted is in my gdpr mod I added Tongue

It does hook into the creationaddon and create a link there - so you can set up a perma-delete there.

The lotgd delete function (IF you either disable the charrestorer-savefile OR hash/delete the email address+ip+id) will do just fine if somebody wants to be deleted.
As said, it's not necessary to remove any footprint he/she left, just the personal stuff that can be tied to a natural person.
12  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 06, 2018, 11:15:18 AM
CreationAddon: http://www.orpgs.com/downloads
But it seems that's offline =/
I added my copy, but it's modified, I commented some stuff out I didn't need.

@removal of data / deletion
you *only* need to delete personal data. any items, achievements... no worries.
but email, name, cookie id, ip ... that's personal and can be requested to be deleted.

You can keep dwellings etc too...
13  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: June 03, 2018, 01:46:05 PM
Just a few things in the posts I picked up and wanted to give my 2 cents:

 -> the cookie in lotgd (the lgi) stores i.e. the unique cookie ID which identifies PCs (last accessed) --> that *needs* to be in your data privacy statement, it is a tracker
     it also has the template i.e.the user selected stored, but that's rather uninteresting (no personal data)
 -> as soon as you store personal data, you need either a deletion date or a consent for the being-stored. If somebody deletes himself and can choose what he wants (also a statement how he can later request deletion) that is fine. But what about expired chars? There is no consent really... which is the major problem that forced me to hash the emails.
  -> The "creationaddon" is a really nice thing to put up. You should use it. (maybe expand to make all users agree as I did)

From what I have seen currently, not much is enforced - so it's a bit of a breather.

@the argument "I'm outside the EU, why should it apply" --> "do you deny EU citizens your service? if not, you have to protect their data according to GDPR"
it's that simple. A EU citizen could go to court if you don't. "could" being the word.

14  Game Administration, Installation and Configuration / Game Administration Chat / Re: GDPR Privacy in the EU (and those who accept EU players) - Issues with Lotgd on: May 20, 2018, 09:38:25 AM
Well, busy on the last couple of days.

I used the "creationaddon" to show my privacy policy statements, but it has one drawback: it *only* confirms them on creation(hence the name), and it has no way to do so afterwards. I had to expand that function, and also add a date as to when the privacy was accepted.
If somebody needs it, I will attach it.

here is the last version of the gdpr extension (=manages only the data export for the user and the 100% safe deletion and no restoral - if you push the mysql functions in you have to execute after you pushed the data in, but that can be set automatically if you need to).

Due to the fact that it's not install-and-done, but needs mysql adaptions, I apologize.
The mysql stuff has to be done in the db, which is something not being able to easily put into a module (no synctable for functions).

EDIT: Just as a summary, you need(!) a privacy statement accessible like an imprint on any page, it has to declare a lot of things. That's mandatory. Mine: https://shinobilegends.com/gdpr/SL%20Data%20Privacy%20Agreement%20and%20Transparency%20Report.pdf
15  Modules, Themes and other customizations for your game / Completed Modules for version 1.x.x / Re: reCAPTCHA anti-spam for petition.php on: April 03, 2018, 01:35:30 PM
You should really check before you make any statement. Source: https://support.google.com/recaptcha/answer/6175971?hl=en

"ReCAPTCHA works with major screen readers such as ChromeVox, JAWS, NVDA and VoiceOver. ReCAPTCHA will alert screen readers of status changes, such as when the reCAPTCHA verification challenge is complete. The status can also be found by looking for the heading titled recaptcha status in the recaptcha widget section of the page."
Pages: [1] 2 3 ... 15

*
DragonPrime Notices
Welcome to DragonPrime - The LoGD Resource Community!

Support Us
No funds raised yet this year
Your help is greatly appreciated!
Recent Topics
DragonPrime LoGD
Who's Online
100 Guests, 0 Users
Home Forums News Downloads Login Register Advanced Search