Posted: Thu Sep 16, 2010 2:20 am Post subject: Re: PHP Multiplayer Online Browser Fantasy RPG
Perhaps you should make a check so that it won't let me buy a certain item with id 47 for 1 gold in the shop by merely changing the HTML code.
Escaping quotes was a good idea. Good job on that one.
The layout uses too many tables. Although using tables to arrange data isn't incorrect, nesting tables within tables just seems wrong, and wastes the user's bandwidth. I'm guessing you're either generating the tables, or hard-coding them in the php files. Try making template files and outputting variables to your template. Google Model-view-controller architecture for more information about that.
And frames are really ugly. Honestly. If you need to use frames, then there's something wrong with the way you're programming it.
DanShadow
Posted: Thu Sep 16, 2010 3:08 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Hmm, the game's first exploit.
Thanks, when I was exploit-proofing the pages, I forgot that I set the price of a couple items to 1 gold because they weren't attainable in game.
I agree I do use too many tables, but that's something I probably won't work on... yet.
Frames are ugly, but I used them for a (temporary) reason. The top "title" frame acts as an access log that logs when somebody accesses the website, and logs their IP address.
The bottom "chat" frame is a poorly coded PHP file-based chat with an HTTP refresher built in. I'm working on a Java applet to replace it atm, and I'll likely get rid of the frames once I'm finished with it.
Thanks for the input, and pointing me in the direction of that exploit - much appreciated.
DanShadow
Posted: Thu Sep 16, 2010 5:29 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Posted: Thu Sep 16, 2010 8:26 am Post subject: Re: PHP Multiplayer Online Browser Fantasy RPG
I understand that the reason you made frames was because it was the only solution that you could think of, but I don't think it works very well. Why can't you have the access log on every content page, and thereby remove the top frame?
I wouldn't suggest making the chat with Java. You should probably make it using AJAX, because it'll seem more like it's "part of the page" and not a third-party widget. Of all the other sites that used Java chats, none of them made it work well. The only web chats that I've seen work well are the ones made with JavaScript.
Boohoo, I don't get to keep my hard-earned +99 damage exploit sword?
Zren
Posted: Thu Sep 16, 2010 10:52 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Bug: Can't equip a weapon when you're carrying a shield. You haft'a un-equip and re-equip after you equip ze weapon of le choice.
Insectoid
Posted: Thu Sep 16, 2010 12:07 pm Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Are you supposed to be able to 1-shot imps on your first fight ever? I logged in, hit attack, and it died.
DanShadow
Posted: Thu Sep 16, 2010 8:21 pm Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard-earned stats, but your weapon and most of the gold you gained with it were removed, hehe.
Thanks Zren for letting me know about that bug. It's supposed to be a feature so that you can't equip a bow and a shield at the same time, but the logic behind the if check seems to be flawed somewhere. I'll look into it.
Yup Insectoid, the lowest monster in the game will (generally) always be able to be crushed with a single blow. If you removed your equipment, it might be a different story though.
Thanks again for the help guys!
Drahcir
Posted: Sat Sep 18, 2010 5:42 pm Post subject: Re: PHP Multiplayer Online Browser Fantasy RPG
Hmm, going back to my exploit bug, I don't think you really solved the problem. It's not that the unobtainable item is too cheap. It's the fact that I can buy ANY item in the game just by changing the ID of the shop item in the HTML. Here, let me show you what I did:
Ragged Archer Chaps has item ID of 39
Now if I go into firebug and change it to 49 I can buy a different item
And now I have a vagabond choker, whatever that is.
Don't rely on the user to validate your input. Just because it's not an input box doesn't mean it can't be changed.
DanShadow @ Thu Sep 16, 2010 8:21 pm wrote:
Thanks for the suggestion Drahcir. I decided (at least for now) I'd just increase the refresh time of the chat to 30 seconds, and give an optional refresh link on the page.
You can keep your hard-earned stats, but your weapon and most of the gold you gained with it were removed, hehe.
I wouldn't say they were hard-earned stats. Before, with unlimited energy, I wrote a Greasemonkey script in about 5 minutes to automate the fighting process. That's how I got so high level so quickly. Now with limited energy, I run the script and my day is over in 30 seconds.
DanShadow
Posted: Sat Sep 18, 2010 9:55 pm Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Ahh yes, makes sense.
Pretty easy fix, just gotta do an if check on the "buy item" page state and cross-reference it with the shop's item list to ensure the shop actually sells the item. I'll fix that up soon, thanks again.
UPDATE: Just fixed the shops, so now you can't modify HTML forms to buy any item, only items that the shop is programmed to sell.
As for the implementation of energy, in the next upgrade I make to the game there will be a few more uses for energy, like focused stat training, and travelling through a 2D (likely text-based) map, which will be the focus of the game after the first 10 levels.
Rather than going into an arena to fight enemies, you'll have to travel and find new enemies, new shops, etc. Also you'll be able to fight players in the world as well, which will have some kind of reward (like an honor system).
UPDATE: Just added 'The World' expansion.
DanShadow
Posted: Mon Sep 20, 2010 1:19 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Just did an account security upgrade.
If anyone has any issues, let me know!
Zren
Posted: Mon Sep 20, 2010 7:00 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Bug: You can URL hack yourself to arena.php even if you're not in town.
Bug: If you have an item for sale, you can change the value of marketItem to x of another item on the market, then click retrieve item and you'll get that item for free. I pulled the top 2 items off the list. Be happy I didn't touch your eternal sword of ultimate wrath that causes the doomsday of far far away land.
Tip: Try separating the chat box and the chat submit, otherwise any text entered when the 30 sec are up is gone and the person has to retype. All in all, I support AJAXy goodness.
DanShadow
Posted: Mon Sep 20, 2010 7:20 am Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Thanks Zren, I'll look into those later on tonight.
DanShadow
Posted: Mon Sep 20, 2010 10:33 pm Post subject: RE:PHP Multiplayer Online Browser Fantasy RPG
Thanks a lot Zren, those suggestions have helped me fix a few big issues.
URL hacking should redirect you back to the main page.
Modifying form data on the market to retrieve items that aren't yours should now give an error message.
The chatbox is now separate from the chat message submit form, so now nobody gets cut off when typing messages.
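The two fixes described in this post and in DanShadow's earlier shop fix (cross-reference the submitted item with the shop's list, refuse market retrievals of listings you did not post) look roughly like this when done on the server. This is an added example, not the game's own code: the table and column names, the PDO connection and the session-derived player ID are all assumptions.

```php
<?php
// Added example, not DanShadow's code. Assumed schema:
//   shop_items(shop_id, item_id, price), players(id, gold),
//   inventory(player_id, item_id), market(market_id, seller_id, item_id).
// $userId must come from the server-side session, never from a form field.

function buyItem(PDO $pdo, int $userId, int $shopId, int $itemId): string
{
    // The shop's own list decides what is for sale and at what price;
    // the item ID and price in the HTML form are only a suggestion.
    $q = $pdo->prepare('SELECT price FROM shop_items WHERE shop_id = ? AND item_id = ?');
    $q->execute([$shopId, $itemId]);
    $price = $q->fetchColumn();
    if ($price === false) {
        return 'This shop does not sell that item.';
    }
    $pdo->beginTransaction();
    // Atomic check-and-deduct: the UPDATE matches no row if gold < price.
    $pay = $pdo->prepare('UPDATE players SET gold = gold - ? WHERE id = ? AND gold >= ?');
    $pay->execute([$price, $userId, $price]);
    if ($pay->rowCount() === 0) {
        $pdo->rollBack();
        return 'Not enough gold.';
    }
    $pdo->prepare('INSERT INTO inventory (player_id, item_id) VALUES (?, ?)')
        ->execute([$userId, $itemId]);
    $pdo->commit();
    return 'Purchased.';
}

function retrieveMarketItem(PDO $pdo, int $userId, int $marketId): string
{
    // Look the listing up by ID *and* seller: a tampered marketItem value
    // that points at someone else's listing matches nothing.
    $q = $pdo->prepare('SELECT item_id FROM market WHERE market_id = ? AND seller_id = ?');
    $q->execute([$marketId, $userId]);
    $itemId = $q->fetchColumn();
    if ($itemId === false) {
        return 'That listing is not yours.';
    }
    $pdo->beginTransaction();
    $pdo->prepare('DELETE FROM market WHERE market_id = ? AND seller_id = ?')
        ->execute([$marketId, $userId]);
    $pdo->prepare('INSERT INTO inventory (player_id, item_id) VALUES (?, ?)')
        ->execute([$userId, (int) $itemId]);
    $pdo->commit();
    return 'Item returned to your inventory.';
}
```

The pattern is the same in both handlers: every value the browser sends is treated as an untrusted index and is checked against what the database says the player may actually do.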
Zren
Posted: Tue Sep 21, 2010 4:30 am Post subject: Re: PHP Multiplayer Online Browser Fantasy RPG
Alright! Now for today's exploit. xD
Bug: Once you've logged in as any registered user, the only thing registering which user is logged in is a client-side cookie. And in this cookie, you ONLY store the username. So, say I changed that username after logging in to, say, DanShadow? My, my, my. I totally just stole your Vagabond necklace for 1g. Today's exploit was brought to you by: Tamper Data, a Firefox addon!
Step by step what I did:
Logged in.
Went to town.
Opened Tamper Data. Started "Tampering".
Clicked Character Sheet. Popup asking if I want to tamper, click Tamper.
Looked at Cookie input: User=Shade, changed to User=DanShadow.
Submitted that. Behold, I'm looking at your character sheet.
Basically from there, I repeated the process to Unequip the necklace, go to marketplace, new item for auction, put up necklace for 1g.
Then I stopped tampering and returned to being me, and bought the necklace. Alternately, I guess you could go into the browser cache and change the cookie permanently for this session. Now try and get it back without rolling back the server or editing the database.
By the way, you had me checking most of your forms to make sure tampering the HTML wouldn't work. Congrats, you won that round.
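The fix for the cookie bug above is to stop putting the identity in the cookie at all: the browser only holds an opaque session ID, and the logged-in player's ID lives in the server-side session. An added example (not the game's code) of how the login and the per-page guard could be written; the players table with its id, username and password_hash columns is an assumption.

```php
<?php
// Added example, not DanShadow's code. Assumes players(id, username,
// password_hash) with hashes made by password_hash(). Include this at
// the top of every page (character sheet, market, arena, ...).

// Keep the session cookie out of reach of page scripts and off plain HTTP.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $q = $pdo->prepare('SELECT id, password_hash FROM players WHERE username = ?');
    $q->execute([$username]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session ID after a successful login so a pre-login ID
    // cannot be carried over into the authenticated session.
    session_regenerate_id(true);
    // The identity is stored here, server-side. The only thing the
    // browser gets is the random PHPSESSID, which Tamper Data can edit
    // but not turn into somebody else's valid session.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Pages that need a logged-in player call this and use the returned ID
// for every database query; a "User=" cookie is never consulted.
function requireLogin(): int
{
    $id = currentUserId();
    if ($id === null) {
        header('Location: index.php');
        exit;
    }
    return $id;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```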