Mysidia Adoptables Review

Discussion in 'Virtual Pet Information' started by nobackseat, Apr 12, 2011.

  1. nobackseat

    nobackseat Member VPL Member

    Reputations:
    0
    Joined:
    Jan 22, 2011
    Messages:
    508
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    Florida
    I posted this in "virtual pet information" because users could pick this as their choice for a site base. I figure this review will be viewed more in this category too.

    -------------------

    So, on another forum, I was prompted to review the Mysidia Adoptables script, after saying it was awful. I figured I should finally back up my claims, so I am posting this. You make the judgement.

    --------------

    I downloaded the latest version of Mysidia Adoptables v1.2.2.

    The first file I opened was login.php

    This single excerpt of code from the login.php page tells a LOT about the quality of the code.

    PHP:
    // Try to log the user in
    $password = md5($password);

    $query = "SELECT * FROM ".$prefix."users WHERE username = '$username'";
    $result = @runquery($query);
    $num = @mysql_numrows($result);

    //Loop out code
    $i=0;
    while ($i < 1) {

        $luser=@mysql_result($result,$i,"username");
        $lpass=@mysql_result($result,$i,"password");

        $i++;
    }
    First off, they are using MD5()! MD5 is outdated; AKA twenty years old! And there are loads of websites that offer to "decrypt" almost any hash you can come up with.

    Secondly, they use SELECT *, (grab the entire user row) just for checking if the row exists! What a waste of processing time, and memory!

    Thirdly, they are using mysql_numrows! This function doesn't even exist on the PHP website itself. I'd say it's deprecated. The 'modern' alternative is mysql_num_rows, which is used in some places (it is pretty inconsistent throughout the script).

    Lastly, anyone who has almost any kind of programming knowledge can recognize that the loop runs once. It is designed to run once. Does anybody else see what is wrong with that?! Why loop when it is only going to run once? The loop part shouldn't even exist.

    ------------

    Also, I've noticed that they set their cookies as 'auser' and 'apass'. I don't think it could be any more obvious to specify what each is. Considering they are also using MD5, any XSS attack on the website would not only let you replace the cookies to sign in as them, but also (most likely) get their actual password!

    Additionally, they are using PHP Globals. I don't think I need to explain this. Google why PHP Globals is bad practice, insecure, and generally awful.

    Look at these lines I pulled from functions.php. It should prove just how sloppy and unorganized it is.
    PHP:
    $GLOBALS['username'] = $username;

    $GLOBALS['loggedinname'] = $username; // MESSY - I'm unsure of which {username/loggedinname} is the correct one to use.
    Apparently some programmer didn't know what variable was what. So they are using global variables to set the same values twice, for nothing? More wasted memory.

    The final thing I am going to mention is their habitual use of error suppression. I wrote about this in a blog post of mine on another site, but suppressing errors is very bad practice. Not only will the page show as blank, when an error exists, but sometimes the error lines in other places are thrown off. The interpreter 'gets confused' if I may, and can shoot out the wrong error line. What a debugging mess.

    I see posts everywhere on the forum, where users are getting errors concerning their database credentials. The user doesn't understand that it is what it means.

    They could simply add an 'or die('Your database information is wrong.')'.

    Just think of how easy it is to add that on the connection query, and it would save so much time and energy.

    Not to mention that errors give users and even hackers more information than they need to know. Should know.

    Well, that is my conclusion of the script, simply from viewing login.php and about 1/3 of functions.php.

    NBS
     
    Last edited by a moderator: Apr 12, 2011
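    As an added example (not Mysidia Adoptables code and not the reviewer's), here is what the login excerpt above looks like once each of the points raised is addressed: a prepared statement that fetches only the columns it needs instead of SELECT * with the username interpolated, password_verify() with a salted bcrypt/argon2 hash instead of md5(), a server-side session instead of 'auser'/'apass' cookies, and PDO exceptions instead of @-suppressed failures. The `users` table, its columns and the in-memory SQLite demo data are assumptions (pdo_sqlite extension needed for the demo).

```php
<?php
declare(strict_types=1);

// Added example, not Mysidia Adoptables code: a hardened version of the login
// flow reviewed above. Assumes a PDO handle and a hypothetical `users` table
// with columns id, username, password_hash.

function loginUser(PDO $pdo, string $username, string $password): ?int
{
    // Fetch only the two columns needed, via a prepared statement, instead of
    // SELECT * with the username interpolated into the query string.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user does not exist, so response
    // time does not reveal which usernames are registered.
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
    $storedHash = ($row !== false) ? (string) $row['password_hash'] : $dummyHash;

    // password_verify() handles bcrypt/argon2 hashes with a per-user salt; a
    // bare md5() of the password offers nothing comparable.
    if ($row === false || !password_verify($password, $storedHash)) {
        return null;
    }
    $userId = (int) $row['id'];

    // Transparently upgrade hashes created with older cost parameters.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $userId]);
    }

    // Record the login in the server-side session rather than in cookies that
    // carry the username and password hash; regenerating the id defeats session
    // fixation. The web entry point is expected to call session_start() first.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
    }
    return $userId;
}

// Constructed demo data in an in-memory SQLite database so the example runs
// offline (assumes the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
// Exceptions instead of @-suppressed failures: a bad DSN or query fails loudly
// in the server log while the user only sees a generic error page.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Correct password, wrong password, unknown user.
var_dump(loginUser($pdo, 'alice', 'correct horse battery staple'));
var_dump(loginUser($pdo, 'alice', 'wrong password'));
var_dump(loginUser($pdo, 'nobody', 'anything'));
```

    The "or die('Your database information is wrong.')" the reviewer suggests is the cheap version of the ERRMODE_EXCEPTION line: the point is that a failed connection should produce a message the site owner can act on in the log, not a blank page, and not a raw MySQL error shown to visitors.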
  2. kami

    kami Moderator Moderator VPL Member

    Reputations:
    261
    Joined:
    Jan 21, 2011
    Messages:
    3,837
    Likes Received:
    749
    Trophy Points:
    113
    Location:
    Mars
    Re: Mysidia Adoptables

    That's pretty disgusting. A TON of people use those scripts that they offer, and they are all so easily open to attack? I'd be so ashamed if I wrote that >_>
     
  3. Gunmetal

    Gunmetal Member VPL Member

    Reputations:
    0
    Joined:
    Jan 21, 2011
    Messages:
    105
    Likes Received:
    2
    Trophy Points:
    18
    That's a frightening amount of problems you found from just two files! Hopefully they are corrected.
     
  4. cpvr

    cpvr Owner and Founder Administrator

    Reputations:
    183
    Joined:
    Jan 20, 2011
    Messages:
    30,894
    Likes Received:
    1,502
    Trophy Points:
    113
    Gender:
    Male
    Location:
    Texas
    Hopefully these problems are resolved soon.
     
  5. nobackseat

    nobackseat Member VPL Member

    Reputations:
    0
    Joined:
    Jan 22, 2011
    Messages:
    508
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    Florida
    I have spoken with the owner and some of the development team, and they have expressed genuine concern in the matter, and are working to improve as many of these problems for the next few releases.

    I still would like to stress that the current version of the script is in disorder.

    NBS
     
  6. nobackseat

    nobackseat Member VPL Member

    Reputations:
    0
    Joined:
    Jan 22, 2011
    Messages:
    508
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    Florida
    Unfortunately, it's been over 3 months since this and there is still no official release from the site repairing any of these issues.

    I can assume that, as volunteers, they have priorities but they have a moderately sized user base that needs these updates.

    I'm not sure if I should post on their forum again or not. Does anyone think it hasn't been enough time?

    Thanks,

    NBS
     
  7. Bessie11

    Bessie11 New Member VPL Member

    Reputations:
    0
    Joined:
    Jul 13, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    0
    Hello Everyone,
    what happened about your problem NBS.
     
  8. kami

    kami Moderator Moderator VPL Member

    Reputations:
    261
    Joined:
    Jan 21, 2011
    Messages:
    3,837
    Likes Received:
    749
    Trophy Points:
    113
    Location:
    Mars
    If they can put out updates at least once a month before, I don't see why this has taken three months with no updates. Even if it's just one fix at a time, that's better than nothing.
     
  9. Kesstryl

    Kesstryl Approved Artist Approved VPL Artist VPL Member

    Reputations:
    0
    Joined:
    Feb 29, 2012
    Messages:
    362
    Likes Received:
    41
    Trophy Points:
    38
    Just an update, I'm a user of their software, and it has gone through several versions since the last post and all security issues have been addressed and dealt with. I'd post a link to their current release 1.3.0 but I'm new and I'm not allowed to post links yet. If the OP would like to download the current version and look into the current security and find any other weak spots, I'm sure they would appreciate the feedback.
     
  10. Corzeir

    Corzeir No longer here VPL Supporter Approved VPL Artist VPL Member

    Reputations:
    440
    Joined:
    Feb 1, 2011
    Messages:
    5,217
    Likes Received:
    921
    Trophy Points:
    123
    Gender:
    Female
    Location:
    Mineral Town
    Here is the new link http://www.mysidiaadoptables.com/forum/showthread.php?t=3495

    It was just released so there may still be some bugs.

    May I also say that Hall of famer's team has been working hard on this script and there have been many updates on the new script before it was posted. Maybe you guys should try being an active member on the forum before you harp on them. The team has been busy and the overhaul needed to be pushed back a few times.

    Really I don't like the amount of negativity at the people who are volunteers and have school to deal with.
     
    Last edited: Mar 14, 2012
  11. cpvr

    cpvr Owner and Founder Administrator

    Reputations:
    183
    Joined:
    Jan 20, 2011
    Messages:
    30,894
    Likes Received:
    1,502
    Trophy Points:
    113
    Gender:
    Male
    Location:
    Texas
  12. Corzeir

    Corzeir No longer here VPL Supporter Approved VPL Artist VPL Member

    Reputations:
    440
    Joined:
    Feb 1, 2011
    Messages:
    5,217
    Likes Received:
    921
    Trophy Points:
    123
    Gender:
    Female
    Location:
    Mineral Town
    They have worked hard on the script and they kinda got it with all the problems of the old script when the original coder sold it. I think they have done very well expanding and fixing it.
     
  13. cpvr

    cpvr Owner and Founder Administrator

    Reputations:
    183
    Joined:
    Jan 20, 2011
    Messages:
    30,894
    Likes Received:
    1,502
    Trophy Points:
    113
    Gender:
    Male
    Location:
    Texas
    Yup, and hopefully someone can re-review the script and see if everything is good. @nobackseat
     
    Last edited by a moderator: Oct 16, 2013
  14. nobackseat

    nobackseat Member VPL Member

    Reputations:
    0
    Joined:
    Jan 22, 2011
    Messages:
    508
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    Florida
    @cpvr,

    The script, through all its versions, has been consistently ludicrous to the point where it's amusing.

    My time only allots for a few files, but I'll see what I can find.

    It seems the registration page seems to top all of the script concerning security.

    Code:
    <input name='answer' type='hidden' id='answer' value='{$answer}'></p>
    <input name='ip' type='hidden' id='ip' value='{$_SERVER['REMOTE_ADDR']}'></p>
    
    That is an excerpt from the registration form. It stores the answer to the security question in a 'hidden' input field, as well as the user's IP address, in its own 'hidden' input field.

    Just because the browser chooses not to show it, doesn't mean that it's safe in any way. I can view the source of the page easily, and so can automated spamming software.

    This means that I can edit the IP sent to the server, and that automated spamming software can grab the security answer from the input field and use it to register an account in an automated fashion...essentially defeating the purpose of what they call a 'Security Question.' Lol. Oh, by the way, the security question is the same for everyone who registers. So actually, there's no need for it to grab the input field, it can simply be hard coded into the 'bot'.

    In addition, there is no real limit on the length of the username. There is a limit in the HTML, but that can be bypassed very easily. And there is no check on the birthdate at all. No check on if it's even a real date (Feb 30?) or even numbers. Lol. You can type whatever you want in the field. Extra profile room anyone? :p

    The majority of issues I have with Mysidia Adoptables continue to be efficiency and memory usage.

    Such as comparing the initially entered password with the 'confirmed' password, after each one has already been encrypted (and the encryption used doesn't make much sense and is pretty sloppy). And grabbing all the data from rows unnecessarily (such as when checking if a username exists...). And the frequent use of curly brackets around variables was meant for certain conditions when using arrays, instead they seem to use it for cosmetic reasons.

    Mysidia combines cookies and sessions, which is a good idea, except they seem to use it just to generate a unique ID for the cookie. Really just a waste.

    There's just signs of beginners coding it everywhere. The oddities are small, but they are E-VER-Y-WHERE, which makes it inefficient and annoying to study.

    Code:
    $article_content = $regsuccess."".$username."".$regsuccess2;
    
    You only need a single dot between variables. No quotes, and not the other period.

    Code:
    $pass1 = $_POST["pass1"];
    $pass1 = secure($pass1);
    $pass2 = $_POST["pass2"];
    $pass2 = secure($pass2);
    
    Uhhhh OK. Could just wrap the function around the array.

    Code:
    $salt = $_POST["salt"];
    $salt = secure($salt);
    
    It would be really funny if the salt really were stored in the login form. Alas, it's not so this code is... pointless. Actually, it uses up memory on your server, so at least it does that.

    Code:
    function passencr($username, $password, $salt){
        $pepper = grabanysetting("peppercode");
        $password = md5($password);
        $newpassword = sha1($username.$password);
        $finalpassword = hash('sha512', $pepper.$newpassword.$salt);
        return $finalpassword;
    }
    
    What a mess. Guys, are ya sure that's the final password...? :p

    Code:
    function __autoload($name) {
      // The autoload function, a bit messy if you ask me
      $classpath = strtolower("classes/class_{$name}");
      if(defined("SUBDIR")) include_once ("../{$classpath}.php");
      else include_once ("{$classpath}.php");
    }
    
    Who asked you? JK, totally agree. Now do something about it. Again, more showy brackets. Ooooo, aaaaah.

    I'm having fun with this, but I ought to go back to work.

    Before I forget, it still uses globals too, a point from my previous analysis. Globals are bad and messy!

    NBS
     
    Last edited by a moderator: Oct 16, 2013
    Gabby likes this.
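    An added example, not code from Mysidia Adoptables or from the reviewer, showing how the registration form discussed above can be validated on the server: the expected security answer lives in the session rather than a hidden input, the client IP is read from the server environment (a submitted 'ip' field is ignored), username length and birthdate are checked regardless of what the HTML allows (checkdate() rejects 30 February), the two password entries are compared in the clear before a single password_hash() call, and there is no salt or pepper field in the form. The question pool, the helper names and the sample submissions are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Mysidia Adoptables code: hypothetical server-side handling
// of the registration form discussed above. The expected security answer and
// the client IP are never read from the submitted form.

// Constructed question pool; the renderer picks one per attempt and keeps the
// expected answer in the session, not in a hidden input.
const QUESTION_POOL = [
    'What colour is a clear daytime sky?' => 'blue',
    'How many legs does a cat have?'      => '4',
];

function pickSecurityQuestion(array &$session): string
{
    $question = array_rand(QUESTION_POOL);
    $session['security_answer'] = QUESTION_POOL[$question];
    return $question;
}

function validateRegistration(array $post, array $server, array $session): array
{
    $errors = [];

    $expected = (string) ($session['security_answer'] ?? '');
    $given    = strtolower(trim((string) ($post['answer'] ?? '')));
    if ($expected === '' || !hash_equals($expected, $given)) {
        $errors[] = 'security answer';
    }

    // Client address comes from the server environment; a form field named
    // 'ip' is ignored entirely.
    $ip = (string) ($server['REMOTE_ADDR'] ?? '');
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $errors[] = 'ip';
    }

    // Username length and character set enforced here; an HTML maxlength is
    // only a hint to the browser.
    $username = (string) ($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'username';
    }

    // Birthdate: each part must be an integer and the triple must be a real
    // calendar date (checkdate() rejects 30 February).
    $y = filter_var($post['year'] ?? '', FILTER_VALIDATE_INT);
    $m = filter_var($post['month'] ?? '', FILTER_VALIDATE_INT);
    $d = filter_var($post['day'] ?? '', FILTER_VALIDATE_INT);
    if ($y === false || $m === false || $d === false
        || $y < 1900 || $y > (int) date('Y') || !checkdate($m, $d, $y)) {
        $errors[] = 'birthdate';
    }

    // Compare the two plaintext entries before hashing, and enforce a minimum length.
    $pass1 = (string) ($post['pass1'] ?? '');
    $pass2 = (string) ($post['pass2'] ?? '');
    if (strlen($pass1) < 10) {
        $errors[] = 'password length';
    } elseif (!hash_equals($pass1, $pass2)) {
        $errors[] = 'password mismatch';
    }

    if ($errors !== []) {
        return ['ok' => false, 'errors' => $errors];
    }

    // One password_hash() call; it generates and stores its own random salt, so
    // there is no md5 -> sha1 -> sha512 chain and no salt/pepper field in the form.
    return [
        'ok'            => true,
        'username'      => $username,
        'ip'            => $ip,
        'birthdate'     => sprintf('%04d-%02d-%02d', $y, $m, $d),
        'password_hash' => password_hash($pass1, PASSWORD_DEFAULT),
    ];
}

// Constructed sample submissions (not captured traffic).
$session  = [];
$question = pickSecurityQuestion($session);
$server   = ['REMOTE_ADDR' => '203.0.113.7'];
$good = ['username' => 'petkeeper', 'answer' => QUESTION_POOL[$question],
         'year' => '1995', 'month' => '2', 'day' => '28',
         'pass1' => 'long-enough-passphrase', 'pass2' => 'long-enough-passphrase',
         'ip' => '198.51.100.1'];   // client-supplied field, ignored by the validator
$bad  = ['username' => str_repeat('x', 40), 'answer' => 'wrong',
         'year' => '1995', 'month' => '2', 'day' => '30',
         'pass1' => 'short', 'pass2' => 'short'];
print_r(validateRegistration($good, $server, $session));
print_r(validateRegistration($bad, $server, $session));
```

    Keeping the answer in the session also removes the reason the reviewer gives for the question being useless: nothing in the page source tells an automated registrant what to type, and a pool with more than one question means the answer cannot simply be hard-coded.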
  15. nobackseat

    nobackseat Member VPL Member

    Reputations:
    0
    Joined:
    Jan 22, 2011
    Messages:
    508
    Likes Received:
    46
    Trophy Points:
    28
    Location:
    Florida
    A recent thread inquired about this software which I have famously reviewed a couple of times lol. And a friend brought it to my attention. Out of pure curiosity I looked into the script again to see what I could find. ;)

    I'll keep it serious this time. No, seriously.

    Well a lot certainly has changed, for better or worse I'll leave for you to decide. The code has taken a more object-oriented approach and I'll touch on that later.

    A couple of the basic things that I expect from any type of script written by anyone anywhere are missing...

    There's no minimum password length. Does it really matter? Yes, it does. And it's something everyone's come to expect, because it exists on every site, and for good reason.

    Missing input validation in critical areas (though it really should be everywhere). Here's the code that updates your account profile:
    PHP:
    // Line 51 of account.php
    if($mysidia->input->post("submit")){
        $mysidia->db->update("users_profile", array(
            "avatar"   => $mysidia->input->post("avatar"),
            "nickname" => $mysidia->input->post("nickname"),
            "gender"   => $mysidia->input->post("gender"),
            "color"    => $mysidia->input->post("color"),
            "bio"      => $mysidia->input->post("bio"),
            "favpet"   => $mysidia->input->post("favpet"),
            "about"    => $mysidia->input->post("about")
        ), "username = '{$mysidia->user->username}'");
        return;
    }
    There's nothing! It goes straight into the database as-is. In fact, I was able to change my gender to gibberish although it was a radio input element ('one or the other' type of checkbox). This also means that it's stored as a VARCHAR (string) in the database, instead of an efficient way such as a TINYINT or even a CHAR as a numeric boolean.

    Oh, and I put symbols in the username when registering and then I couldn't view the profile of the account because they had to be encoded to be in the URL. It's obvious that lack of proper validation is a common theme throughout the software.

    Speaking of profiles, you can enter any URL to be your "avatar". It doesn't have to be hosted on the site. Great feature right? No, how about a security issue. A user may enter a page URL instead of an image URL, and this causes the user who is viewing the profile to make a request to that URL. The real problem is, Mysidia has URLs that do actions just by accessing them and this is very wrong. The HTTP/1.1 spec states...
    And yet, Mysidia logs you out and even deletes a visitor comment just by calling a URL (/vmessage/delete/3). Logging out via GET is unfortunately common but is wrong, especially since browsers will pre-fetch pages for you automatically to have them load faster. But deletion? That's just disgusting.

    Basically, you can delete a comment on someone's page by having them go to your profile with the delete URL as the avatar. Unfortunate, since this is a very well known and documented vulnerability called CSRF.

    (For those who don't know, POST is when you submit a form and GET is when you simply access the URL.)

    It is a hobby project where the developers aren't paid, but that doesn't mean it has to have an overwhelming amateur feeling about it, which there is for me because of some minor annoyances and inconsistencies. For the sake of giving my bold statements credibility I'll list a few. Outputted quotes consistently had slashes preceding them, settings don't accept some valid emails, and the views are entirely in PHP. Yes, the V in MVC, where the presentation layer is, typically HTML. It's ENTIRELY in PHP, there's no HTML in sight. HTML is outputted using PHP classes. The opposite is typically done, all HTML with minimal PHP, to make it easier for designers or any non-PHP programmer who wants to edit the template. But with this framework that's intended for customization and modding, it's not possible. Also, the developer did mention his MVC implementation isn't complete, but the Models (M) are entirely missing. However, he said it would be complete the next iteration, and I have no idea how far along he thinks he is with this release, or if he plans on omitting the models, but just worth mentioning.

    "Well... good post but that's still not enough to make me stop using it. Nice try though."

    Ah but I have one more criticism left, and I'd call it a big one. Client side script execution, or in layman's terms: COOKIE GRABBERS. :eek:

    They implemented a PM system that uses a WYSIWYG editor. I simply clicked an option that let me edit the direct source of the message and the JavaScript I typed in was beautifully executed on the receiver's end. Guess there's no validation. Yes, among other things, I could theoretically grab your cookies and log in as you assuming there's no other precaution in place which I doubt.

    I would check for myself but honestly it's such a hassle. The script, (all 1,385 files...) is very abstract and was difficult to follow at times. The lead developer thinks a "perfect script must be fully object-oriented" which he strangely stated a couple times in the previous release post and also on PHPFreaks where they wholeheartedly disagreed.

    One of the purposes of MVC and OOP is to make things more organized and yet to me he managed to do just the opposite.

    So hopefully you non-programmers are more informed now about using the script. You can see for yourself that all of the releases are "security releases" and that alone should be enough to deter a potential user of the script. If you intend to have your site do anything other than what Mysidia provides out-of-the-box, then especially have your site custom built. Modifying this thing would be a pain in the ass (and probably as expensive as building a custom site anyway).

    If I was wrong or misinformed about anything I stated here then by all means correct me. Maybe one day it'll get there but it does not have, and for the record never has had, my recommendation (if it means anything to you lol). AVOID.

    btw would someone post this on mysidia's forums?

    NBS
     
    kami, Slashmaster and Gabby like this.
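    An added example, not code from Mysidia Adoptables or from the reviewer, covering the three findings in the post above: the profile update is validated against allowlists before it reaches the database (the radio value becomes a small integer instead of free text), the avatar URL is checked before it is stored, the delete action refuses anything but a POST carrying the session's CSRF token (so an <img> tag, a browser prefetch or an avatar URL can no longer trigger it), and user-supplied text is escaped before it is placed in HTML. Column names, helper names and the demo inputs are assumptions; mbstring is assumed for mb_strlen().

```php
<?php
declare(strict_types=1);

// Added example, not Mysidia Adoptables code: hypothetical handlers showing
// (1) allowlist validation for the profile update, (2) a check on the avatar
// URL, (3) a state-changing action that only accepts a POST carrying the
// session's CSRF token, and (4) output escaping for user-supplied text.

// Radio choices are stored as small integers, not as whatever string arrived.
const GENDERS = ['unspecified', 'female', 'male'];

function isPlausibleAvatarUrl(string $url): bool
{
    // https only, no query string, path ending in an image extension. This stops
    // a profile from pointing every visitor's browser at an arbitrary page;
    // hosting avatars locally after re-encoding the upload is the stronger option.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $p = parse_url($url);
    if (($p['scheme'] ?? '') !== 'https' || empty($p['host']) || isset($p['query'])) {
        return false;
    }
    return (bool) preg_match('/\.(png|jpe?g|gif)$/i', $p['path'] ?? '');
}

function validateProfile(array $post): array
{
    $errors = [];
    $clean  = [];

    $gender = (string) ($post['gender'] ?? 'unspecified');
    $idx = array_search($gender, GENDERS, true);   // strict: 'gibberish' is rejected
    if ($idx === false) { $errors[] = 'gender'; } else { $clean['gender'] = $idx; }

    $nickname = trim((string) ($post['nickname'] ?? ''));
    if ($nickname === '' || mb_strlen($nickname) > 30) { $errors[] = 'nickname'; } else { $clean['nickname'] = $nickname; }

    $color = (string) ($post['color'] ?? '');
    if (!preg_match('/^#[0-9a-f]{6}$/i', $color)) { $errors[] = 'color'; } else { $clean['color'] = strtolower($color); }

    $bio = (string) ($post['bio'] ?? '');
    if (mb_strlen($bio) > 500) { $errors[] = 'bio'; } else { $clean['bio'] = $bio; }   // stored raw, escaped on output

    $avatar = trim((string) ($post['avatar'] ?? ''));
    if ($avatar !== '' && !isPlausibleAvatarUrl($avatar)) { $errors[] = 'avatar'; } else { $clean['avatar'] = $avatar; }

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $clean];
}

function csrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Replacement for a GET /vmessage/delete/{id} link: refuses anything but a POST
// with a valid token, then checks that the caller owns the page the message is on.
function mayDeleteMessage(string $method, array $post, array $session, int $callerId, int $pageOwnerId): bool
{
    if ($method !== 'POST') {
        return false;   // <img src>, prefetch and plain links all arrive as GET
    }
    $token = (string) ($post['csrf'] ?? '');
    if (empty($session['csrf']) || !hash_equals($session['csrf'], $token)) {
        return false;
    }
    return $callerId === $pageOwnerId;   // authorization, not just authentication
}

// Escape before placing any user-supplied string into HTML (nickname, bio, PM body).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed demo input.
$session = [];
$token = csrfToken($session);
var_dump(mayDeleteMessage('GET', [], $session, 7, 7));
var_dump(mayDeleteMessage('POST', ['csrf' => 'guess'], $session, 7, 7));
var_dump(mayDeleteMessage('POST', ['csrf' => $token], $session, 7, 7));
print_r(validateProfile([
    'gender' => 'gibberish', 'nickname' => 'Nina', 'color' => '#FF8800',
    'bio' => 'Hi <b>there</b>', 'avatar' => 'https://example.com/some/page',
]));
echo e('<script>alert(1)</script>'), "\n";
```

    The e() helper covers plain-text fields. A WYSIWYG editor that legitimately stores HTML, as the PM system described above does, needs an allowlist HTML sanitizer on the stored markup instead (escaping would destroy the formatting); the point is the same, that nothing a user typed reaches another user's browser unfiltered.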
  16. Gabby

    Gabby Active Member Former VPL Staff VPL Member

    Reputations:
    205
    Joined:
    Apr 1, 2012
    Messages:
    7,788
    Likes Received:
    1,347
    Trophy Points:
    113
    Gender:
    Female
    Location:
    in a song, New York
    A huge thank you to @nobackseat for taking the time out of his busy schedule to write an updated review on Mysidia. I fully appreciate the effort and the read. I'm glad this has been posted to better inform the community.
     
  17. Tom

    Tom Member VPL Member

    Reputations:
    0
    Joined:
    Jan 24, 2011
    Messages:
    416
    Likes Received:
    29
    Trophy Points:
    28
    There must not be any free quality alternatives for a script like Mysidia to become this popular. There are so many excellent open source projects these days but I guess very very few in the pet site niche.
     
  18. SimPet

    SimPet New Member VPL Member

    Reputations:
    0
    Joined:
    Aug 1, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Gender:
    Female
    There's so much criticism but no one else steps up to the plate.

    I've looked and looked for a good pet script for years. Mysidia has flaws and I don't pretend to understand a lot of the coding errors being discussed here, so this is just my two cents. It also has a lot of love and TLC that shows through on the work being done. The coder does this all alone. He really has no help at all.

    I've tried VPet a few times, and while I love all the games and add ons (something Mysidia needs desperately), it's buggy as can be as everyone knows, and it's a shame no one who knows how has gotten into the script and just made it safe and good, because there is a LOT of good there. But a site has to be safe as well as fun, right?

    I read over and over the critiques but in all these years I have looked for a good script that's free or cheap at all, 7+ years now, I have yet to see anyone else step UP. I am not able, but there's so many of you out there who could take VPet or something like that and make it something we'd all love you for.

    At least Mysidia makes the effort.

    If anyone can do better, I think the pet site community would love to see it?
     
    Last edited: Aug 13, 2014
  19. kami

    kami Moderator Moderator VPL Member

    Reputations:
    261
    Joined:
    Jan 21, 2011
    Messages:
    3,837
    Likes Received:
    749
    Trophy Points:
    113
    Location:
    Mars
    There is another option that's free, supported and actually good: http://www.virtualpetlist.com/threads/modular-gaming-open-source-pet-web-game-framework.15953

    Before you start tossing mud, keep in mind the enormous size of the project. How many hours of programming and work would go into it. Not everyone has the free time or option to work for hours and hours on end for free. Not to mention providing updates, bug fixes, support, etc. Unfortunately the world revolves around money, and people need that to live. Doing free projects with no return is not something everyone can do.

    The criticism isn't for the amount of effort or the fact that they're /trying/, it's on the code itself. The safety and quality just isn't there. That's a comment of the product, not of the people.
     
    judda and Vulpes like this.
  20. SimPet

    SimPet New Member VPL Member

    Reputations:
    0
    Joined:
    Aug 1, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    Gender:
    Female
    Tossing mud?

    Wow.

    It isn't me that's tossing mud. Was just making a very valid point.
     
