Planning out your web game/PBBG
So, you have your design *completed* now and you are ready to crack open Zend or Dreamweaver or maybe even Notepad (I suggest Zend).
STOP!
Don’t go any further. Before you even think of scripting your game, go out and buy some cue cards or do it on your PC. It really doesn’t matter, but plan out each and every page! I tell you this from personal experience: without this plan you will sit around for a while trying to remember how you had two pages connected, or what tables need to be updated on an event. And if you get really detailed (which I will be doing on my next game), which variables were used and what they contain.
So if you actually believe me (which I really hope you do, because it will help), grab a piece of paper. First plan out ALL your tables. You *will* come back to these later to add new columns which you didn’t think of at the time. It always happens when working on a project of this size. But that’s fine, since this plan isn’t set in stone. This is meant to guide you and keep track of everything that needs to be done, what has been done and how things connect.
You now have your tables designed to some extent on paper, hopefully. Next is designing the pages on paper (or virtually; your choice). The way I do it is to first go through and think of all the pages I need, writing them down without the details and connecting them. You may want to do the details as you go, but I find it easier to connect the pages before adding the details. You will also want to draw arrows to and from the database when needed: an arrow from the database for a grab to display character information, or an arrow to it to show a field update. If you are following my path, you will now need to fill out the details of each page. Again, you will likely come back to edit this once you start coding, but you at least now have a visual of everything you need, how it’s connected and most of the details of each page.
You should now be looking at a page filled with mad scribbling and a bunch of arrows. You may want to tidy it up or put each page/table on a cue card and stick ‘em up on your wall. Any way you look at it, you now have a plan instead of an idea.
You can also apply part of my ideas to your development too. I mentioned before that when planning I start with the basic name and then fill out the details. Well, the way I work is I go through and try to get the basic functionality of each page down and then go back later and fill in the details (proper text, messages), make tweaks, apply styles, graphics, etc. I do this for two main reasons. One is to make connections: I find if you make a page completely then go to work on a page that is connected to it, you will eventually need to go back and start changing things on the so-called completed page. Two, because if I stare at the same script for too long I start to get annoyed with it.
I hope this has helped you along with your development. And as usual, feedback is MORE than welcomed. Without your input, how can I/we create a blog with the best tips/guides/ideas for us developers/designers? Remember you aren’t alone and there are people similar to you that can help you with your game. All you need to do is ask.
Design – Early Stages
When you play a web game, what is it that you look for? Personally, I look for a challenge, things to do and interaction with other players. If I’m not just odd, and other people agree with this, why the hell do other pages lack so badly in these fields?
I worked solely on the design aspect of my current game in development for about 2 or 3 months. Though my game is similar to others out there, it’s in the details where I hope to make my stand. I simply had to look and see where other games failed, such as TornCity. In TC player interaction is minimal, as is communication and development. To be honest it lacks horribly in many fields that truly make a game addicting.
Let’s look at StarKingdoms. Great player interaction, great communication, and it is a challenge. It’s a good game. The only qualm I have is I am forced to play with others I don’t choose to. I would rather be able to choose who I interact with and when I do it.
These are just personal views, but as you can see these are all things that must be taken into consideration before you start your code and even before you start your design. You have to decide how you want your players to interact and how you want them to develop.
Here is one of the better ways to start your development. Think of your game; get the genre, the setting, all that planned out. Then think of a goal. Then as many ways to achieve that goal as possible. In my case I have multiple goals. You can either aim to be the strongest, the best hacker, the biggest gang... whatever you want.
Next, how do I want my players to interact? Do I want to force them, or do I trust their abilities to want to branch out and interact, or do I want to kick them in the path of interacting? I personally want to kick them. And hard. Then you encounter the question: what is too hard? Well, too hard is when you make the game unplayable unless they work with others all the time. There should be the element of being a single entity in the universe.
After you have all this planned out, your core to the game, you then fill in details and backgrounds. You flesh the game out.
And this simple path will also guide you in coding. You work on the core first, coding everything that makes the game playable, even if it’s just a little. This will, and trust me from experience, keep you on a track that allows for an early alpha launch and makes your life easier.
Right now I am just breaking out of the details and moving back to the core development to try and launch an alpha. The details can hold you back. But that is another post that will come soon. I hope this helps you design more efficiently. I have designed a number of table top games and have several web game designs floating. Working the path I explained will not only make it easy but help you in working out the flaws in the core, which is far more important than the details.
PHP web game security overview
As a game developer myself, one of the biggest fears I have is that someone is going to end up hacking my game and ruining it for everyone else. So, seeing that I am a member of a PBBG game dev board (here), I posed the question to the community:
How do people cheat in web based games other than using bots? Do they manipulate URLs or text boxes? Or is it mainly exploiting bugs?
Not long after the question was asked, I received a reply from one known as Nerdmaster (site). Now, the following is not the end guide to securing your game, but it does a damn good job of outlining areas where common problems occur.
But before that I will tell you the best way to prevent hacking, which will be reinforced as you read the reply: Don’t trust user input. You must always make sure the player has supplied you with legitimate data.
As a long-time security hobbyist, I have learned a few minor tricks for exploiting web games, and I was very successful with Mobster World (as I already mentioned). The most important rule is NEVER trust anything user-submitted without validation. URL arguments, form arguments, cookies, etc. are all *very* easy to manipulate.
In Mobster World, for instance, there was a place to go and buy guns. The page would load up a form, and you’d choose the gun you wanted. It did something with hidden fields to where your URL would just hit something like /buyweapon.php, and I guess the admin thought that made it secure. But if you looked at the form, it was sending across a few values. One was itemcost=xxx and one was weaponid=xxx. You could set itemcost to 1, and get any weapon for a dollar. These hidden fields were the worst kind of exploit because they would be so easy to fix – don’t rely on the user to supply the price; look it up based on weaponid!
Another problem with that game stemmed in the messaging system. When you read a private message, it would generate a URL like this: “/messages.php?action=read&id=xxx”. You could read *anybody’s* messages this way, just by changing the id in the URL. This was a case where user-supplied input should have been validated (and eventually it was, but by then the game was being exploited so much, it was too little too late). A simple if block fixes this – if message id xxx doesn’t belong to the currently-logged-in player (via session data or whatever auth method you use), DON’T SHOW IT!
Then there’s the issues with things like pulling off jobs – when you went to the “big jobs” option, you usually had two options. One was going to be successful and one wasn’t. By viewing the form, however, you could always tell which job would be successful. NEVER put that kind of data in the forms – you want to make random decisions happen only *after* the user decides what to do, never before.
Another issue is with SQL injection. In PHP this can be a problem because a lot of the examples you’ll find on the internet don’t properly handle SQL code. PHP has some stuff for automatically escaping quotes and such, but you can’t always rely on the server settings for your app, so it’s something you need to at least be aware of. I don’t know enough about SQL injection, but in a lot of languages, you have access to special DB commands where you use a ‘?’ in place of arguments and they get scrubbed by the DB layer so you never have to worry. If you have cookies that don’t get auto-scrubbed by PHP, this kind of knowledge can be very important.
Another important tip is do *not* store simple information in cookies. For instance, say you want to know who is logged in but you obviously do not want the user to have to log in on every page. If you take the quick way out, you might have a cookie that holds the user’s id. Well, once a user realizes this, they just change the id and become anybody they want! Similar issues can arise with cookies that store session ids (since those map to the server-side data for logins), but generally it’s much much safer to use sessions for storing login credentials than using cookies.
A final tip is to be careful of XSS attacks. In Rails there is a function (I think it’s from a ruby library, not specific to rails, but I don’t recall which library) that auto-scrubs data to keep html out of user input. The issue here is that if your users can put in angled brackets (“<” and “>”), they can very effectively destroy the game for everybody else. In Mobster World, I used this technique to create a private message that would add a button to the form that seemed to be the normal “Delete Message” button. But when clicked, it would take that user to the “shoot another player” action, with a specific player id of somebody I wanted to torment. I never actually used this cheat, as I started feeling bad, but I tested it with a friend, and by cleverly constructing emails I could force players to take actions of any kind within the game. More malicious hackers can do a lot worse, such as hijacking passwords for other sites. I’m not sure how that happens, but the point is that you need to find a library in your language of choice that you use to scrub html out of user data. If there is data ANYWHERE in the game that one user enters and other users see, it *must* be kept clean of HTML. You could theoretically allow only certain HTML, but with all the very clever uses of html that can exist, I think it’s safest to just not allow users to enter HTML. In my Rails game I use RedCloth (a Ruby library to the Textile markup system) to allow users to do formatting without having to worry about XSS attacks.
For an example of how easy it is to have dangerous XSS even when you think you’re safe, watch this. This site’s forums allow “safe” HTML. You cannot, for instance, do a <script> tag:
<script src="http://www.nerdbucket.com/js/common.js" type="text/javascript"></script>
But you can use some tags, such as bolding, as I just did. Well consider this – inside a bolded element you can specify onMouseOver behavior. Hover your mouse below and watch as I change the element text (only works in DOM-capable browsers):
or am I?’;” id=”foo” style=”font-size: 150%”>I’m a safe HTML tag.
If somebody more malicious wanted to, they could probably hijack cookies and passwords from this forum. (Obviously I’ll have to alert the admin).
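The "safe HTML" failure described in the reply above, as an added example that is not code from the original post or from the forum software: PHP's strip_tags() with an allowed <b> tag keeps that tag's attributes, while encoding on output treats the whole message as text. The function names and the *bold* / _italic_ markup subset are assumptions made for this example.

```php
<?php
// Added example. The message text is constructed; the handler only changes
// the element text, as in the forum demonstration above.
$message = "Meet at noon. *Bring cash*\n"
    . '<b onmouseover="this.innerHTML=\'or am I?\'">I\'m a safe HTML tag.</b>';

// Weak: allow "safe" tags. strip_tags() removes other tags but leaves every
// attribute on the allowed ones, so the event handler survives.
function renderAllowedTags(string $text): string
{
    return strip_tags($text, '<b>');
}

// Hardened: user text is only ever text. Encode it when it is written out.
function renderAsText(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Formatting without user HTML: encode first, then let the server emit the
// only tags. *bold* and _italic_ are a hypothetical Textile-like subset.
function renderLightMarkup(string $text): string
{
    $safe = renderAsText($text);
    $safe = preg_replace('/\*([^*\n]+)\*/', '<b>$1</b>', $safe);
    $safe = preg_replace('/(?<!\w)_([^_\n]+)_(?!\w)/', '<i>$1</i>', $safe);
    return nl2br($safe);
}

// Print what each renderer would send to other players' browsers.
foreach (['renderAllowedTags', 'renderAsText', 'renderLightMarkup'] as $render) {
    echo $render, ":\n", $render($message), "\n\n";
}
```

Run it with the PHP command line and compare the three outputs: only the first still contains the onmouseover attribute.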
Now that you have the basics of how some attacks are made, you may want more specific examples with more detail. Well, you’re in luck (as was I).
Not long after I asked this question, Nerdmaster wrote a much more detailed description using an example in his blog (here). If you want more details and examples of how people hack web (PBBG) games, you’d best check that link.
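An added example (not Mobster World's code and not from Nerdmaster's reply) of three server-side fixes the reply describes: looking the price up from weaponid, checking that a message belongs to the logged-in player, and using '?' placeholders for SQL. The table layout, ids, amounts and function names are assumptions; it uses PDO with an in-memory SQLite database (the pdo_sqlite extension) so it runs without a MySQL server.

```php
<?php
// Added example. Schema, ids and amounts are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE weapons (id INTEGER PRIMARY KEY, cost INTEGER)');
$db->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, cash INTEGER)');
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)');
$db->exec('INSERT INTO weapons VALUES (1, 500), (2, 5000)');
$db->exec('INSERT INTO players VALUES (10, 1000), (11, 1000)');
$db->exec("INSERT INTO messages VALUES (100, 10, 'for player 10'), (101, 11, 'for player 11')");

// $playerId comes from the server-side session, never from the request.
function buyWeapon(PDO $db, int $playerId, array $post): string
{
    // Only weaponid is read. Any itemcost sent by the form is ignored.
    $weaponId = filter_var($post['weaponid'] ?? null, FILTER_VALIDATE_INT);
    if ($weaponId === false) {
        return 'invalid weapon';
    }
    // '?' placeholders keep the values out of the SQL text.
    $stmt = $db->prepare('SELECT cost FROM weapons WHERE id = ?');
    $stmt->execute([$weaponId]);
    $cost = $stmt->fetchColumn();
    if ($cost === false) {
        return 'invalid weapon';
    }
    // Check the balance and debit it in one statement.
    $pay = $db->prepare('UPDATE players SET cash = cash - ? WHERE id = ? AND cash >= ?');
    $pay->execute([$cost, $playerId, $cost]);
    return $pay->rowCount() === 1 ? "bought for $cost" : 'not enough cash';
}

function readMessage(PDO $db, int $playerId, array $get): ?string
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) { return null; }
    // Ownership is part of the query: another player's id matches no row.
    $stmt = $db->prepare('SELECT body FROM messages WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, $playerId]);
    $body = $stmt->fetchColumn();
    return $body === false ? null : $body;
}

// Constructed requests from player 10: a forged itemcost, then another player's message id.
var_dump(buyWeapon($db, 10, ['weaponid' => '2', 'itemcost' => '1']));
var_dump(buyWeapon($db, 10, ['weaponid' => '1', 'itemcost' => '1']));
var_dump(readMessage($db, 10, ['id' => '101']));
var_dump(readMessage($db, 10, ['id' => '100']));
```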
Getting started on web game dev
Have you ever wanted to create your own web game but were unsure how to go about it or what languages you would need to learn to do it? Or even know what languages to use but not how to get them to work on your home machine? Well this post should give you a starting hand.
Currently on the web, most browser based/PBB games are written in PHP/MySQL. Yes there are other languages used but I will cover these first. Both PHP and MySQL are open source languages, meaning they are free and have a ton of online communities and support. Personally I am using those languages for the few games I am working on/plan on working on.
So, what is PHP? PHP, put simply, is a server-side scripting language which returns HTML to the client’s browser. What this means is that PHP isn’t run on the player’s machine, but on your server. This gives a little security because players can’t see your code, meaning they don’t know passwords, variable names, equations. They can still see and change everything the script sends to the browser, including hidden form fields.
MySQL? MySQL is your database. It is the thing that stores your players’ information, such as names, experience, levels. You can even use it to record in-game money transfers, mail, friends, and any other form of information you would like to view later.
Now, you hopefully have an idea of what both of these languages can do for you. But how do you get server-side languages to work on your home PC so you can build and test? Well, the easiest way is to download and install WAMP if you are using a Windows PC. (Mac version: MAMP. Linux: a guide on setting up a LAMP.)
WAMP is Windows Apache MySQL PHP. Basically it installs a server (Apache), which is needed since it turns your PC into a mini server to run PHP/MySQL, which have files that interpret the scripts. After you have WAMP installed, you are good to go. Browse into your wamp directory and you’ll see a folder called www. You will want to place your scripts there for testing. So let’s say you write your first PHP script:
<?php
echo "Hello world";
?>
You save it out and drop it in your WAMP www folder. You go to your browser (no need to be online) and type in http://localhost/*name of file*
Creating databases is also pretty simple. Click on the WAMP symbol in your system tray and click phpMyAdmin. There you can set permissions, create databases, and insert info. I will write a starter’s guide for phpMyAdmin at a later date and demonstrate the basic way to connect, insert, delete, whatever using PHP.
So after that you may think that PHP/MySQL isn’t for you but you still want to create web games. Well, for web games you need a back end (database), be it SQL, MySQL, Access (*shudder*), Oracle or whatever database language/server you have access to. You also need a scripting language of some sort, the two most popular being PHP and ASP.NET, though others do exist.
You can also use other languages such as JavaScript, Java and XML to handle some of your information instead of relying on just your scripting language.
I hope this has given you the knowledge you need to know, not to script, but to know where to start looking. I know personally when I first started I didn’t know what languages to use, or what options I had.
Also, for anyone that develops, please feel free to post the languages and setup you use.
PBBG
Persistent Browser-Based Games
That’s what PBBG stands for, and it’s what many of us developers/players work on/play.
Bud (the guy that owns the PBBG I linked to) was trying to define the genre because it’s not quite an MMOG, since it’s played in a browser. And this is what he came up with.
If you are unsure of what style of game this describes, it’s a game played through the browser where after you log off, the game world still exists and so does your character. It is often defined by 1000s of players playing a game where they interact very much like an MMOG.
If you are a player/developer, support this project! This is our chance to make it known that we exist. To make our little corner of the net larger, better… and overall, provide a better playing experience to everyone.