Mechanical Turk - allow players to submit monster ideas

[kickme]

After you've retrieved them, it's fine to use stripslashes().

This is one reason why I'm happy the magic_quotes are being removed in PHP6

[CavemanJoe]

Hokay.  This returns values without slashes, and escapes them when they're being submitted.  Could I trouble you guys to give it one more quick check to make sure it's secure, and if not, provide some much-needed recommendations to this poor clueless PHP noob?  Ta.

Code:

<?php

function mechanicalturk_getmoduleinfo(){
$info = array(
"name"=>"Mechanical Turk",
"author"=>"Dan Hall",
"version"=>"2008-09-24",
"category"=>"Administrative",
"download"=>"",
"settings"=>array(
"Mechanical Turk Module Settings,title",
"addpoints"=>"How many Donator Points will be awarded when the player's monster is accepted?,int|50",
),
);

return $info;
}

function mechanicalturk_install(){
$mechanicalturk = array(
'creatureid'=>array('name'=>'creatureid', 'type'=>'int(11) unsigned', 'extra'=>'auto_increment'),
'creaturename'=>array('name'=>'creaturename', 'type'=>'text'),
'creatureweapon'=>array('name'=>'creatureweapon', 'type'=>'text'),
'creaturewin'=>array('name'=>'creaturewin', 'type'=>'text'),
'creaturelose'=>array('name'=>'creaturelose', 'type'=>'text'),
'creaturelevel'=>array('name'=>'creaturelevel', 'default'=>'0', 'type'=>'int(11) unsigned'),
'forest'=>array('name'=>'forest', 'default'=>'0', 'type'=>'int(11) unsigned'),
'graveyard'=>array('name'=>'graveyard', 'default'=>'0', 'type'=>'int(11) unsigned'),
'description'=>array('name'=>'description', 'type'=>'text'),
'submittedby'=>array('name'=>'submittedby', 'type'=>'text'),
'uid'=>array('name'=>'uid', 'type'=>'int(11) unsigned'),
'key-PRIMARY'=>array('name'=>'PRIMARY', 'type'=>'primary key', 'unique'=>'1', 'columns'=>'creatureid'),
);
require_once("lib/tabledescriptor.php");
synctable(db_prefix('mechanicalturk'), $mechanicalturk, true);
module_addhook("forest");
module_addhook("superuser");
return true;
}

function mechanicalturk_uninstall(){
$sql = 'DROP TABLE IF EXISTS '.db_prefix( 'mechanicalturk' );
db_query( $sql );
return true;
}

function mechanicalturk_dohook($hookname,$args){
global $session, $enemies;
switch($hookname){
case "forest":
addnav(array("`0`bOther Actions`b`0"),"");
addnav("Report a monster sighting","runmodule.php?module=mechanicalturk&creatureaction=report");
break;
case "superuser":
addnav("Show list of submitted monsters","runmodule.php?module=mechanicalturk&creatureaction=showsubmitted");
break;
}
return $args;
}

function mechanicalturk_run(){
global $session;
require_once("common.php");
require_once("lib/http.php");
page_header("Report a Monster Sighting");
$points = get_module_setting("addpoints");
switch (httpget("creatureaction")){
case "report":
require_once("lib/showform.php");
// $level = 1;
output("You head into a little hut on the outskirts of the Outpost, close to where the clearing turns to jungle.`n`nAn excitable-looking man sits behind a desk, a pair of binoculars slung around his neck.`n`n\"Hello!\" he calls to you, practically bouncing with geeky excitement.  \"Have you come to report a sighting of a new monster?  I do so enjoy writing them up!\"  He opens a little ledger and whips out a pen, ready for your report.`n`nYou've heard rumours about this guy.  Billing himself as a monster expert, he listens to the reports of new monsters that players find, and writes them down in his book.  Sauntering into his hut and providing deadly serious reports of completely made-up monsters is a game that many contestants enjoy playing.  However, given the aura of Improbability surrounding his innocent-looking ledger, the rumours contain a dark side as well; sometimes, if a made-up monster is deemed to be Improbable enough by the standards of whatever strange powers control the Island, it takes on a physical form in the Jungle...`n`n");
output("As you're thinking this, a splintering CRUNCH from your left causes you to jump three feet into the air.  `%Admin `4Caveman`\$Joe`0 is standing in the remains of the fourth wall of the hut, holding a large axe.  He strikes an attractive pose and says \"`4This is Improbable Island's monster submission hut.  Think of a new monster, and submit it here.  If your idea is accepted, you'll get %s Donator Points!`0\"`n`nHe turns to the little man sat behind the desk, who at this moment is picking bits of wood out of his tea, hair and person in general.  `%Admin `4Caveman`\$Joe`0 shows him a smile.  \"`4I'd say 'Sorry about your wall,' mate, but I'm not.  All part of the job, you see.`0\"`n`nWith that, he walks back out of the hole in the fourth wall, attaches his Admin Goggles, leaps into the sky and flies away.`n`n",$points);
output("\"What a very, very strange man,\" says the little man behind the desk.  Quietly.`n`n");
rawoutput("When writing descriptions, please use `n to go down one line, and `n`n to leave a blank line.  That's `n, not 'n.  The ` key is usually in the top left corner of your keyboard - it's the same key you use for colour codes.");
$form = array(
"Creature Properties,title",
"creatureid"=>"Creature id,hidden",
"creaturename"=>"Creature Name",
"creatureweapon"=>"Weapon",
"creaturewin"=>"Win Message (Displayed when the creature kills the player)",
"creaturelose"=>"Death Message (Displayed when the creature is killed by the player)",
// 18 to make a non-forest available monster
// (ie, graveyard only)_
"creaturelevel"=>"Level,range,1,18,1",
"forest"=>"Creature is in Jungle?,bool",
"graveyard"=>"Creature is on FailBoat?,bool",
"description"=>"A long description of the creature",
);
$row = array("creatureid"=>0);
addnav("I honestly don't have any ideas.  Back to the Jungle.","forest.php");
rawoutput("<form action='runmodule.php?module=mechanicalturk&creatureaction=save' method='POST'>");
showform($form, $row);
rawoutput("</form>");
addnav("", "runmodule.php?module=mechanicalturk&creatureaction=save");
break;
case "save":
$creatureid = httppost('creatureid');
$creaturename = httppost('creaturename');
$creatureweapon = httppost('creatureweapon');
$creaturewin = httppost('creaturewin');
$creaturelose = httppost('creaturelose');
$creaturelevel = httppost('creaturelevel');
$forest = httppost('forest');
$graveyard = httppost('graveyard');
$description = httppost('description');
$submittedby = $session['user']['name'];
$uid = $session['user']['acctid'];
// $creatureid = db_insert_id();
// $creatureid++;
// $sql = 'LOCK TABLES '.db_prefix( 'mechanicalturk' ).' WRITE;';
// db_query( $sql );
// $sql = "INSERT INTO ".db_prefix("mechanicalturk")."(creatureid,creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,submittedby) VALUES ($creatureid,$creaturename,$creatureweapon,$creaturewin,$creaturelose,$creaturelevel,$forest,$graveyard,$submittedby)";
$sql = "INSERT INTO ".db_prefix("mechanicalturk")." (creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid) VALUES ('" . mysql_real_escape_string($creaturename) . "','" . mysql_real_escape_string($creatureweapon) . "','" . mysql_real_escape_string($creaturewin) . "','" . mysql_real_escape_string($creaturelose) . "','" . (int)$creaturelevel . "','" . (int)$forest . "','" . (int)$graveyard . "','" . mysql_real_escape_string($description) . "','".mysql_real_escape_string($submittedby)."',$uid)";
// $result = db_query($sql);
db_query( $sql );
debug ($sql);
// $sql = 'UNLOCK TABLES;';
// db_query( $sql );
output("`4The monster \"`^%s`4\" has been submitted.`n`nDue to the high volume of monster submissions, it may take several days or even weeks before you hear back from us.  Please be patient!`0`n`nThe little man behind the desk looks around, confused.  \"Who said that?!\"`n`nYou decide it'd be best to get out of here.", $creaturename );
addnav("Back to the Jungle","forest.php");
break;
case "showsubmitted":
$sql = "SELECT creatureid,creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid FROM " . db_prefix("mechanicalturk");
$result = db_query($sql);
for ($i=0;$i<db_num_rows($result);$i++){
$row=db_fetch_assoc($result);
output("Monster submission by %s`n`n",$row['submittedby']);
output("%s`n`n",stripslashes($row['description']));
output("You have encountered %s which lunges at you with %s!`n`n",stripslashes($row['creaturename']),stripslashes($row['creatureweapon']));
output("Creature win message: %s`n",stripslashes($row['creaturewin']));
output("Creature lose message: %s`n",stripslashes($row['creaturelose']));
output("Creature level: %s`n",$row['creaturelevel']);
output("Jungle: %s - FailBoat: %s`n`n",$row['forest'],$row['graveyard']);
rawoutput("<a href=\"runmodule.php?module=mechanicalturk&creatureaction=edit&id=".$row['creatureid']."\">Edit this monster</a> | <a href=\"runmodule.php?module=mechanicalturk&creatureaction=reject&id=".$row['creatureid']."\">Reject this monster</a> | <a href=\"runmodule.php?module=mechanicalturk&creatureaction=accept&id=".$row['creatureid']."\">Accept this monster</a>");
addnav("", "runmodule.php?module=mechanicalturk&creatureaction=edit&id=".$row['creatureid']);
addnav("", "runmodule.php?module=mechanicalturk&creatureaction=reject&id=".$row['creatureid']);
addnav("", "runmodule.php?module=mechanicalturk&creatureaction=accept&id=".$row['creatureid']);
output("`n`n====================`n`n");
}
addnav("Back to the Superuser grotto","superuser.php");
break;
case "edit":
$id=httpget("id");
require_once("lib/showform.php");
addnav("Back to the Jungle","forest.php");
$form = array(
"Creature Properties,title",
"creatureid"=>"Creature id,hidden",
"creaturename"=>"Creature Name",
"creatureweapon"=>"Weapon",
"creaturewin"=>"Win Message (Displayed when the creature kills the player)",
"creaturelose"=>"Death Message (Displayed when the creature is killed by the player)",
// 18 to make a non-forest available monster
// (ie, graveyard only)_
"creaturelevel"=>"Level,range,1,18,1",
"forest"=>"Creature is in Jungle?,bool",
"graveyard"=>"Creature is on FailBoat?,bool",
"description"=>"A long description of the creature",
);
$sql = "SELECT creatureid,creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = $id";
$result = db_query($sql);
$row=db_fetch_assoc($result);
debug ($row);
$row['creaturename'] = stripslashes($row['creaturename']);
$row['creatureweapon'] = stripslashes($row['creatureweapon']);
$row['creaturewin'] = stripslashes($row['creaturewin']);
$row['creaturelose'] = stripslashes($row['creaturelose']);
$row['description'] = stripslashes($row['description']);
rawoutput("<form action='runmodule.php?module=mechanicalturk&creatureaction=update' method='POST'>");
showform($form, $row);
rawoutput("</form>");
addnav("", "runmodule.php?module=mechanicalturk&creatureaction=update");
addnav("Back to the submission list","runmodule.php?module=mechanicalturk&creatureaction=showsubmitted");
addnav("Back to the Superuser grotto","superuser.php");
break;
case "update":
addnav("Back to the submission list","runmodule.php?module=mechanicalturk&creatureaction=showsubmitted");
addnav("Back to the Superuser grotto","superuser.php");
$creatureid = httppost('creatureid');
$creaturename = httppost('creaturename');
$creatureweapon = httppost('creatureweapon');
$creaturewin = httppost('creaturewin');
$creaturelose = httppost('creaturelose');
$creaturelevel = httppost('creaturelevel');
$forest = httppost('forest');
$graveyard = httppost('graveyard');
$description = httppost('description');
$sql="UPDATE " . db_prefix("mechanicalturk") . " SET creaturename = '$creaturename', creatureweapon = '$creatureweapon', creaturewin = '$creaturewin', creaturelose = '$creaturelose', creaturelevel = '$creaturelevel', forest = $forest, graveyard = $graveyard, description = '$description' WHERE creatureid = $creatureid";
db_query( $sql );
debug ($sql);
output("All done!");
break;
case "reject":
$id=httpget("id");
$sql = "SELECT creatureid,creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = $id";
$result = db_query($sql);
$row=db_fetch_assoc($result);
$message = translate_mail(array('It\'s not good news to hear, but I\'m afraid your monster idea (the one named %s) just wasn\'t what we were looking for.  Please feel free to try again, though!',$row['creaturename']));
require_once("lib/systemmail.php");
systemmail($row['uid'],"Your monster has been rejected!",$message);
$sql = "DELETE FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = '$id'";
db_query( $sql );
output("The monster has been deleted, and the author notified.");
addnav("Show list of submitted monsters","runmodule.php?module=mechanicalturk&creatureaction=showsubmitted");
break;
case "accept":
$id=httpget("id");
$sql = "SELECT creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = $id";
$result = db_query($sql);
$row=db_fetch_assoc($result);
debug ($row);
$row['creaturename'] = stripslashes($row['creaturename']);
$row['creatureweapon'] = stripslashes($row['creatureweapon']);
$row['creaturewin'] = stripslashes($row['creaturewin']);
$row['creaturelose'] = stripslashes($row['creaturelose']);
$row['description'] = stripslashes($row['description']);
output("Sending this to creatures.php.");
require_once("lib/showform.php");
$form = array(
"Creature Properties,title",
"creatureid"=>"Creature id,hidden",
"creaturename"=>"Creature Name",
"creatureweapon"=>"Weapon",
"creaturewin"=>"Win Message (Displayed when the creature kills the player)",
"creaturelose"=>"Death Message (Displayed when the creature is killed by the player)",
// 18 to make a non-forest available monster
// (ie, graveyard only)_
"creaturelevel"=>"Level,range,1,18,1",
"forest"=>"Creature is in forest?,bool",
"graveyard"=>"Creature is in graveyard?,bool",
"creatureaiscript"=>"Creature's A.I.,textarearesizeable",
);
rawoutput("<form action='creatures.php?op=save' method='POST'>");
showform($form, $row);
rawoutput("</form>");
output("Monster description:`n`n");
rawoutput("".$row['description']."");
output("`n`n`bCOPY THIS TO YOUR CLIPBOARD NOW.`b  The Description is not automated and must be input manually.");
$message = translate_mail(array('Congratulations!  Your monster idea (the one named %s) has been accepted!  Your Donator Points have also been applied to your account.  Enjoy them!',$row['creaturename']));
require_once("lib/systemmail.php");
systemmail($row['uid'],"Your monster idea has been accepted!",$message);
addnav("","creatures.php?op=save");
$acctid = $row['uid'];
addnav("Go back to the list of submitted monsters","runmodule.php?module=mechanicalturk&creatureaction=showsubmitted");
$sql="UPDATE ".db_prefix("accounts")." SET donation=donation+$points WHERE acctid=$acctid";
db_query($sql);
$sql = "DELETE FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = '$id'";
db_query($sql);
break;
}
page_footer();
}
?>

[backflip]

Code:

$sql = "SELECT creatureid,creaturename,creatureweapon,creaturewin,creaturelose,creaturelevel,forest,graveyard,description,submittedby,uid FROM " . db_prefix("mechanicalturk") . " WHERE creatureid = $id";

I would still cast $id to int. Probably safe anyway, but better safe than sorry. (This occurs several times.)

Code:

$sql="UPDATE " . db_prefix("mechanicalturk") . " SET creaturename = '$creaturename', creatureweapon = '$creatureweapon', creaturewin = '$creaturewin', creaturelose = '$creaturelose', creaturelevel = '$creaturelevel', forest = $forest, graveyard = $graveyard, description = '$description' WHERE creatureid = $creatureid";

I know, trust your admins and so on, but I think you should escape them. Even if they're not malevolent, they could be confused by SQL errors when they enter apostrophes.

Code:

$sql="UPDATE ".db_prefix("accounts")." SET donation=donation+$points WHERE acctid=$acctid";

I can't see how someone could taint $points or $acctid, but casting them to int probably won't hurt you.

[Iori]

$creatureid = httppost('creatureid');
         $creaturename = httppost('creaturename');
         $creatureweapon = httppost('creatureweapon');
         $creaturewin = httppost('creaturewin');
         $creaturelose = httppost('creaturelose');
         $creaturelevel = httppost('creaturelevel');
         $forest = httppost('forest');
         $graveyard = httppost('graveyard');
         $description = httppost('description');

Use httpallpost() instead of this. You get the added benefit of apostrophes and such being escaped automatically for you (not sure if httppost also has the same behaviour). This does not replace the need for security (you should still ensure numerical fields are numerical, etc).

And...correct me if I'm wrong, but the lock/unlock tables before and after the insert seems redundant.

[backflip]

$creatureid = httppost('creatureid');
         $creaturename = httppost('creaturename');
         $creatureweapon = httppost('creatureweapon');
         $creaturewin = httppost('creaturewin');
         $creaturelose = httppost('creaturelose');
         $creaturelevel = httppost('creaturelevel');
         $forest = httppost('forest');
         $graveyard = httppost('graveyard');
         $description = httppost('description');

Use httpallpost() instead of this. You get the added benefit of apostrophes and such being escaped automatically for you (not sure if httppost also has the same behaviour). This does not replace the need for security (you should still ensure numerical fields are numerical, etc).

My vanilla lib/http.php says:

Code:

function httpallpost(){
return $_POST;
}

So no added apostrophes apart from magic_quotes... And if you have magic_quotes activated, all httppost() vars will be escaped to. More or less. httpallpost() is brief and handy, but probably not too much faster.

And...correct me if I'm wrong, but the lock/unlock tables before and after the insert seems redundant.

I'm pretty sure that was just training. They're commented out anyway

[KaosKaizer]

Sorry to have to use my shovel on this one, guys,  , but I wanted to run something by y'all...

I love this, and I decided to do something a little different than you had in mind...I added a check for users Donator points, and set the setting to a negative number, my site allows people with 500 Donator Points to submit monsters, and I figured after finding this I could use this. No one minds do they?(so if they have at least 500, they see the link, and when accepted, they LOSE 500)

[CavemanJoe]

So that folks could help out your server by submitting new content and also pay for the privilege, you mean?

That's possibly the most low-down, dirty, rotten, mercenary thing I've ever heard in the world of LotGD.  I love it.  I'm also extremely surprised that I didn't think of it myself.  You, sir, are truly an evil genius. 

A caveat, though - in my experience of running this module, I've declined a good ninety per cent of monster submissions, 'cause a good ninety per cent of them were awful.  When someone's paying money to have their monster put in, it could go one of two ways - the money they're spending could give them extra incentive to write the monster properly and put some more thought into its creation, OR you could end up with lots of money and lots of very dull monsters.

This module is due for a rewrite (and automation of the descriptions), but if you want to code up your version in the meantime, go for it.

[KaosKaizer]

Thank you, and I am 

And thanks for the heads-up on that, hopefully my donators will think more about the creatures. I am planning on looking at the code, and will be adding some more options. Thank you for you evil genius compliments, and of course for the caveat on doing such a thing.

[Afkamm]

So that folks could help out your server by submitting new content and also pay for the privilege, you mean?

I have this option on my site, but to just send them in a petition/YoM as I don't have a module to make it automated yet.

A fee to create 5 forest creatures.
A fee to have a forest creature named after yourself.

I got the idea a while back from http://www.dragonsofmyth.com

[KaosKaizer]

I got the idea when I installed your Lodge Incentives, but I changed it around a little bit.

I am currently looking at the code, and it would seem I made a mistake on my part when checking donator points(it doesn't check properly), but I will fix that. I have decided to add the following options:

Do you want to give to players on acceptance?
If you set this to No then you will be taking from them.
How much gold to give/take?
How many gems to give/take?
How many donator points to give/take?
Set any of these to 0 to disable

So, while I am coding in these updates, you guys think of some other ideas for me to put in

[Draco Straybyrn]

Any word on updates for this? Glad to have it in the first place but I'd love to see more development.

[KaosKaizer]

Any word on updates for this? Glad to have it in the first place but I'd love to see more development.

No, unfortunately, it has been a while since I had said that. I haven't made any updates, and right now I am too busy working on a far larger project to update this.

However, since Joe is the author, he may make an update, or he may not. That will be up to him.

[Michelina]

I just installed the without descrip version of this mod on a 1.1.2 site.
I love this module!

Fixed below with this..
http://dragonprime.net/index.php?topic=11460.msg96451#msg96451

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Type=INNODB' at line 12

CREATE TABLE mechanicalturk (
creatureid int(11) unsigned NOT NULL auto_increment,
creaturename text NOT NULL ,
creatureweapon text NOT NULL ,
creaturewin text NOT NULL ,
creaturelose text NOT NULL ,
creaturelevel int(11) unsigned NOT NULL default '0' ,
forest int(11) unsigned NOT NULL default '0' ,
graveyard int(11) unsigned NOT NULL default '0' ,
submittedby text NOT NULL ,
uid int(11) unsigned NOT NULL ,
PRIMARY KEY (creatureid)) Type=INNODB

I am assuming I need to change a setting somewhere in mysql.. but where?

The problem is that I've gone to the forest and created a new monster.
Gone to the grotto and pulled up the list.. and its empty.
My guess is, that if I look in the db it will be there but its not making it to the showing up list for SU's.

Help?

[Aeo •]

Try this.

[Michelina]

Thanks.. that worked perfect. I appreciate it tons!