vB Tetris v2.5 | Leaderboard, Comments and High Score System v2.5 :) (https://vborg.vbsupport.ru/showthread.php?t=42293)

John 08-16-2002 12:29 PM

Quote:

Originally posted by DanIAm


SON OF A'

That's my friggen problem. I installed this dang thing time and time over, gave up, came back to try it again, and thought, maybe I am not correctly uploading the .swf file...

Thanks john.eovie, I finally got it working... I wasn't uploading the file binary.

Ouch, that's gotta hurt!

I just use WS_FTP and upload with Auto every time - never fails me :)

Just so I know how to help others, what was your initial problem? The swf file not loading?

DanIAm 08-16-2002 12:35 PM

Quote:

Originally posted by john.eovie
Just so I know how to help others, what was your initial problem? The swf file not loading?
When clicking the play tetris link the game tried to come up, but would appear to freeze with the game screen remaining solid (see pic)

http://www.mentalmingle.com/images/pic1.jpg

And the Explorer status bar would indicate that it was opening tetris.php but it would never fully load. The status bar continued to indicate 1 item remaining (to load), but would never do so. (see pic)

http://www.mentalmingle.com/images/pic2.jpg

Thanks again!

pgowder 08-16-2002 01:22 PM

Great hack!

I was up and running within about 5 minutes!

Nice job!

pgowder 08-16-2002 01:23 PM

Now we need someone to come up with a full arcade of games for our vB's!

chris frolic 08-16-2002 02:04 PM

Anyone have any ideas about the bug that doesn't record your score if you finish all 10 levels?

Schorsch 08-16-2002 02:15 PM

please please please dear John, could you do this:

Quote:

Originally posted by Gamingforce
3) Maybe one recording of a high score per person? If it's higher, then it updates the old highest score for that user. That way more people can be displayed in the hall of fame.

would be great :banana:

regards,
Schorsch

Martin64 08-16-2002 02:16 PM

It is still awfully easy to cheat...

Code:

http://www.yoursite.com/forums/tetris.php?action=reg&punteggio=1000000&userid=1
Run that.

John 08-16-2002 02:17 PM

Quote:

Originally posted by chris frolic
Anyone have any ideas about the bug that doesn't record your score if you finish all 10 levels?
We're still looking for someone who's really good at Flash and can speak Italian...

John 08-16-2002 02:20 PM

Quote:

Originally posted by Martin64
It is still awfully easy to cheat...

Code:

http://www.yoursite.com/forums/tetris.php?action=reg&punteggio=1000000&userid=1
Run that.

New tetris.php fixes this:

Ninth Dimension 08-16-2002 03:04 PM

This has got to be one of the best hacks I've seen, adds a whole new level to the forum :)

I'm using the new tetris.php file provided by john.eovie, I do have a quick question, what have you done to prevent the cheating?

NexDog 08-16-2002 03:07 PM

He posted a new file in the post just before yours. :rollseyes: :D

John 08-16-2002 03:07 PM

Basically, in older versions of tetris.php people could add a "get" string in the header of the page.

i.e. tetris.php?action=reg&points=10000000&userid=1

In the new file, a piece of code refuses to accept any point values in the header.

John 08-16-2002 03:08 PM

Quote:

Originally posted by NexDog
He posted a new file in the post just before yours. :rollseyes: :D
And the zip has also been updated - did anyone get the update email? The hack updater is playing up...

Stuwee 08-16-2002 03:11 PM

Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.

First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:

Code:

<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
  enter your score!
  <input type="text" name="punteggio"><br>
  and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
  <input type="submit" value="What's tetris again?">
</form>

It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.

Secondly, the comment system here is very open to abuse. For example, as your comment, try:

Code:

<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 characters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.

Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.
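
An added example, not part of the thread or of the hack's tetris.php: one way to close the two holes described in the post above, sketched in PHP. The function names and the `$sessionUser` array (standing in for whatever record the forum resolves from the login cookie) are assumptions; the checks do not prove that a score was earned in a game, which the thread takes up further down.

```php
<?php
// Added illustration; hypothetical names, not the hack's own code.

/**
 * Whose score is this? Only the identity the server resolved from the
 * login session counts. A userid field in the query string or in a
 * posted form is never read, so GET and POST forgeries fail alike.
 */
function score_owner(array $sessionUser): ?int
{
    $id = (int) ($sessionUser['userid'] ?? 0);
    return $id > 0 ? $id : null;          // null: guest, record nothing
}

/** Accept the score field only as a short run of digits from the POST body. */
function parse_score(array $post): ?int
{
    $raw = $post['punteggio'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** Encode a stored comment for the leaderboard page so markup shows as text. */
function render_comment(string $comment): string
{
    return htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: the posted form claims to be user 1.
$sessionUser = ['userid' => 57];           // what the server knows
$post = ['punteggio' => '4200', 'userid' => '1'];

printf("owner=%d score=%d\n", score_owner($sessionUser), parse_score($post));
echo render_comment('<script>alert("i rock j00!")</script>'), "\n";
var_dump(parse_score(['punteggio' => '1e9']));   // rejected: not plain digits
```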

John 08-16-2002 03:15 PM

Quote:

Originally posted by Stuwee
Riiiight... very nice game and all credit to you for that, but there are two glaring big holes in your script here which I feel somewhat obliged to point out.

First and foremost, even with your updated script, it's still 100% possible to cheat (by posting the values using a form instead of using the querystring). For example - this simple html form run on your own machine:

Code:

<form name="tetrischeat" method="post" action="http://yoursite/tetris.php?action=reg">
  enter your score!
  <input type="text" name="punteggio"><br>
  and your userid (get from bbuserid field in cookie)<input type="text" name="userid"><br>
  <input type="submit" value="What's tetris again?">
</form>

It just requires digging out your userid from the vB cookie. For a working example, register on our boards, and then give it a shot here.

Secondly, the comment system here is very open to abuse. For example, as your comment, try:

Code:

<script>alert("i rock j00!")</script>
And you'll see what I mean. Luckily, the mysql comment column is restricted to 70 characters, which limits the damage we can do with this (no XSS cookie harvesting kiddies, sorry)... but it can still be rather annoying.

Overall, a little more thought is needed here in order to secure the script properly. Let me know if you need any help with this, I'll be happy to help.

I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).

If you could update the existing tetris.php and email it to me, we'd all be grateful.

Stuwee 08-16-2002 03:35 PM

Quote:

Originally posted by john.eovie


I've been aware that the script wasn't 100% secure for some time now, but I don't have the time to update it (I'm not familiar with the vB cookie system either).

If you could update the existing tetris.php and email it to me, we'd all be grateful.

Actually, it's possible to do it without knowing the userid (by setting s=something in the querystring). I don't have time to fix it tonight, but I'll see what I can do for you tomorrow... in the meantime, I updated my little example so it doesn't need the userid.

John 08-16-2002 03:37 PM

Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s

Stuwee 08-16-2002 03:40 PM

Quote:

Originally posted by john.eovie
Tried it with sessions - sometimes, for some unknown reason the user doesn't have a sessionhash. Meaning they can't get to it at all... :s
Yeah, sometimes the session hash isn't present in the querystring, sometimes it is (never bothered to find out exactly why)... but that doesn't solve our problem anyway... I'll hopefully get back to you tomorrow with an updated version of the script.

Lesane 08-16-2002 03:52 PM

You could use sessions for that.

When they are going to the play action (tetris?action=play) then you can set a session name for example:

PHP Code:

session_start();
session_register("test"); 

Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:

PHP Code:

if (session_is_registered("test")) {
    echo "User has a session named test so he came from the play action";
} else {
    echo "ooops, cheatterr";
}


Stuwee 08-16-2002 04:09 PM

Quote:

Originally posted by Lesane
You could use sessions for that.

When they are going to the play action (tetris?action=play) then you can set a session name for example:

PHP Code:

session_start();
session_register("test"); 

Then by the code of reg (tetris?action=reg) you can check if the user has a session named test by the following code:

PHP Code:

if (session_is_registered("test")) {
    echo "User has a session named test so he came from the play action";
} else {
    echo "ooops, cheatterr";
}


Quite right, but as far as I can see, the cheat0r could just start a game, and then while it's playing, submit the form. The session still exists, but it wasn't submitted by the script... the leaderboard would be none the wiser. $_SERVER["HTTP_REFERER"] could always be checked to see if the user is indeed coming from the playfield, but there's no reason that can't be poisoned either....

Lesane 08-16-2002 04:26 PM

$_SERVER['HTTP_REFERER'] is not that reliable.

You could also put an extra useless value in the play action:

PHP Code:

$useless_value = "100";

And then by reg action you can use something like this:

PHP Code:

if ($action == "reg" && $useless_value == 100) { 


Stuwee 08-16-2002 04:34 PM

Quote:

Originally posted by Lesane
$_SERVER['HTTP_REFERER'] is not that reliable.

You could also put an extra useless value in the play action:

PHP Code:

$useless_value = "100";

And then by reg action you can use something like this:

PHP Code:

if ($action == "reg" && $useless_value == 100) { 


This also wouldn't be possible since the script is called *again* when the score is submitted, and hence any vars set when the user was playing won't still be set... I actually can't think of a 100% reliable way around this right now - the referrer is the best way I can think of, but as we all know, it can be easily poisoned.

Back to the drawing board :).
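
An added example, not from the thread or the hack: a PHP sketch of how far the server can go on the problem debated above. The play action issues a single-use ticket with a start time, and the reg action rejects replays and scores that could not be reached in the elapsed time. `MAX_POINTS_PER_SECOND`, the function names and the `$store` array (standing in for `$_SESSION`) are assumptions, and a client that submits a plausible score after a plausible wait still passes, so this narrows the cheating rather than ending it.

```php
<?php
// Added illustration; hypothetical names. $store stands in for $_SESSION.

const MAX_POINTS_PER_SECOND = 50;   // assumed ceiling; tune for the real game

/** play action: issue a one-time ticket and remember when the game began. */
function start_game(array &$store, int $now): string
{
    $ticket = bin2hex(random_bytes(16));
    $store['tetris'] = ['ticket' => $ticket, 'started' => $now];
    return $ticket;
}

/** reg action: returns the accepted score, or null with $why explaining the refusal. */
function register_score(array &$store, string $ticket, int $score, int $now, ?string &$why = null): ?int
{
    $game = $store['tetris'] ?? null;
    unset($store['tetris']);               // single use, even when rejected

    if ($game === null || !hash_equals($game['ticket'], $ticket)) {
        $why = 'no matching game in progress';
        return null;
    }
    $elapsed = $now - $game['started'];
    if ($score < 0 || $elapsed <= 0 || $score > $elapsed * MAX_POINTS_PER_SECOND) {
        $why = 'score not reachable in the elapsed time';
        return null;
    }
    $why = null;
    return $score;
}

// Constructed walk-through with fixed timestamps (seconds).
$session = [];

$t = start_game($session, 1000);
var_dump(register_score($session, $t, 1000000, 1005, $why), $why); // form posted 5 s after starting

$t = start_game($session, 2000);
var_dump(register_score($session, $t, 12000, 2600, $why), $why);   // ten-minute game
var_dump(register_score($session, $t, 12000, 2601, $why), $why);   // same ticket sent again
```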

pgowder 08-16-2002 06:04 PM

How can I integrate this with Who's Online?

Keta 08-16-2002 06:08 PM

cool hack will be installing

John 08-16-2002 06:19 PM

lol, Lesane Vs. Stuwee - battle of the brains!

xxxsaint 08-16-2002 06:41 PM

You can integrate this into your who's online by opening root/online.php

first find

case 'printthread.php':
$userinfo[activity] = 'printthread';
$blowup = explode('=', $token1);
$threadid = intval($blowup[1]);
$threadids .= ",$threadid";
$userinfo[threadid] = $threadid;
break;

+++++++ do not add this divider ++++++++

and AFTER THAT add

++++++ do not add this divider +++++++++

case 'tetris.php':
$userinfo[activity] = 'tetris';
break;

++++++ do not add this divider +++++++++

then find

+++++++do not add this divider ++++++++

case 'calendar':
$userinfo[where] = "Viewing <a href='calendar.php?s=$session[sessionhash]'>Calendar</a>";
break;

+++++++ do not add this divider ++++++++++++

and AFTER IT ADD

+++++++ do not add this divider ++++++++++++

case 'tetris':
$userinfo[where] = "Going for the King of Tetris Crown";
break;

++++++do not add this divider ++++++++++++++

save , and upload.

** As always, when you are installing a new hack, create a new folder called 'backup (name of hack)' and before you do ANYTHING put the files that you are modifying in there. ALWAYS back your file up; that way, if the modded file does not work, you simply upload the one from your new folder.

I added this to my root/online.php on version 2.2.6 and it works just fine.

I put " Going for the King of Tetris Crown " because I also have the crown hack installed.

enjoy.

Ninth Dimension 08-16-2002 06:47 PM

Just a quick note, I'm not sure if anyone else has said this or not, but one of my users has just reported that he got a score of 108697 once he had completed the game - not dying early but actually getting to the end...

He says that the score did not update or anything, might this be a bug?

xxxsaint 08-16-2002 06:50 PM

I've had users tell me the same thing

Ninth Dimension 08-16-2002 06:56 PM

Quote:

Originally posted by xxxsaint
I've had users tell me the same thing
I've just had to manually add a score for one of my new members because he complained about it LOL

Souly 08-16-2002 07:28 PM

Thx to john.eovie for the Great Hack.

I installed tetris and the addon yesterday and now more and more of my users send me PMs and say that after Lvl10 (theEND) no Score is updated and the Site is not refreshed to the leaderboard :(

Ninth Dimension 08-16-2002 07:31 PM

I've only had the hack on the site for about 8 hours now, and already we are getting some REALLY high scores.

I think that the scores should be reset once a week or something and have a weekly leader board as well as an overall leader board.

In addition to this maybe it should be made harder, or indeed more levels added to the game, etc....

oh, and the level complete bug thing needs to be fixed LOL :)

(I still think that this is a world class hack though)

ULTIMATESSJ 08-16-2002 07:35 PM

............wow, what an amazing idea, great work

/me clicks on install

Ninth Dimension 08-16-2002 08:14 PM

Just to spice things up a little bit more than they already are, I see from the database entries that the table is called "arcade" and one of the fields is called "game".

this to me sounds like it's going to be used for future games, if so, that would be fantastic :)

ziggy 08-16-2002 08:17 PM

Anyone interested in a Music Player addon?
Here's just a peek at my MusikHak v0.1 alpha...
http://www.crashsoftware.com/muzikhak/

It's not actually installed in VB, so no leaderboard etc. yet!

I need to add a preload for the loops to the dialup version & whip up some streaming files for the broadband version.

Let me know what ya think so far?

Cheers...ziggy

John 08-16-2002 08:18 PM

Yes, I had planned to expand this further - I've already got Space Invaders working locally on the same system.

But I can never release it while there are security holes in the script.

John 08-16-2002 08:19 PM

Quote:

Originally posted by ziggy
Anyone interested in a Music Player addon?
Here's just a peek at my MusikHak v0.1 alpha...
http://www.crashsoftware.com/muzikhak/

It's not actually installed in VB, so no leaderboard etc. yet!

I need to add a preload for the loops to the dialup version & whip up some streaming files for the broadband version.

Let me know what ya think so far?

Cheers...ziggy

Good work Ziggy, could you send me the original FLA file please?

Ninth Dimension 08-16-2002 08:21 PM

ziggy I think a music player addition to the fla file would be fantastic, but only if we could choose the music to be played.

john.eovie I think you are doing a fantastic job, keep up the good work, I'm very interested in seeing any future updates to this script as it fits in perfectly with my sites theme :)

Ninth Dimension 08-16-2002 08:22 PM

just so you know, so far today I've had 9 new people sign-up to play tetris, obviously the sign of good work :)

John 08-16-2002 08:24 PM

Quote:

Originally posted by danielhollands
just so you know, so far today I've had 9 new people sign-up to play tetris, obviously the sign of good work :)
Glad to hear it :)

On my vB board at the moment I already have a system where it shows you the day's highest scores, it's gone down well :)

ziggy 08-16-2002 08:38 PM

Sorry, No player FLA! I'm under a NDA & the player was made with a non-public app.
I have a zip about ready to go with all the current files though.
I tried REAL hard to put a nice mix in the 10 choices just for that reason.
It's all done w/LoadMovie to make it modular. I guess I could make the menu just Track1,Track2 etc. so people could make their own SWF loops & name them track_1.swf, track_2.swf etc. ???
Don't have time right now though, spent A LOT longer on this sucker than I had planned already!

The zip is 13 files, the modified tetris.fla, music_player.swf, tetris.swf & the 10 loop.swf's
You just upload them to where your tetris.swf is, overwrite tetris.swf w/the new one & that's it!

You got tunes! :D

BTW John, did you get my email I sent you this morning?

