Virtual pets and Sim games community

Would you like to become a member of the most successful virtual pets and sim games community on the internet? Virtual Pet List has been open since 2011 and we've been providing game developers (owners), artists, players and writers with the most relevant, up to date, quality and in-depth content covering the entire online pet games, sim games and browser-based games industry. So, if you're interested in discussing virtual pet games, game development or online sims, our flourishing forum is perfect for you. Our sneak peeks forum is designed for new owners to showcase their upcoming in-development games.

You can learn how to manage, make money and learn all about online pet game management, or discuss the best ways of developing a sim game. Find new sites to play in our online games directory. Currently, there's a total of over 80 pet games and over 70 sim games in our directory. So, feel free to post a review, a comment, or leave a like on any online game that we have listed. If you like a game that we have listed, please help us out by sharing it on social media.


Mysidia Adoptables Review

Discussion in 'Pet game management' started by nobackseat, Apr 12, 2011.

  1. I posted this in "virtual pet information" because users could pick this as their choice for a site base. I figure this review will be viewed more in this category too.


    So, on another forum, I was prompted to review the Mysidia Adoptables script, after saying it was awful. I figured I should finally back up my claims, so I am posting this. You make the judgement.


    I downloaded the latest version of Mysidia Adoptables v1.2.2.

    The first file I opened was login.php

    This single excerpt of code from the login.php page tells a LOT about the quality of the code.

    // Try to log the user in
    $password = md5($password);
    $query = "SELECT * FROM ".$prefix."users WHERE username = '$username'";
    $result = @runquery($query);
    $num = @mysql_numrows($result);
    //Loop out code
    while ($i < 1) {
    First off, they are using MD5()! MD5 is outdated; AKA twenty years old! And there are loads of websites that offer to "decrypt" almost any hash you can come up with.

    Secondly, they use SELECT *, (grab the entire user row) just for checking if the row exists! What a waste of processing time, and memory!

    Thirdly, they are using mysql_numrows! This function doesn't even exist on the PHP website itself. I'd say it's deprecated. The 'modern' alternative is mysql_num_rows, which is used in some places (it is pretty inconsistent throughout the script).

    Lastly, anyone who has almost any kind of programming knowledge can recognize that the loop runs once. It is designed to run once. Does anybody else see what is wrong with that?! Why loop when it is only going to run once? The loop part shouldn't even exist.


    Also, I've noticed that they set their cookies as 'auser' and 'apass'. I don't think it could be any more obvious to specify what each is. Considering they are also using MD5, any XSS attack on the website, would not only let you replace the cookies to sign in as them, but also (most likely) get their actual password!

    Additionally, they are using PHP Globals. I don't think I need to explain this. Google why PHP Globals is bad practice, insecure, and generally awful.

    Look at these lines I pulled from functions.php. It should prove just how sloppy and unorganized it is.
    $GLOBALS['username'] = $username;
    $GLOBALS['loggedinname'] = $username; // MESSY - I'm unsure of which {username/loggedinname} is the correct one to use.
    Apparently some programmer didn't know what variable was what. So they are using global variables to set the same values twice, for nothing? More wasted memory.

    The final thing I am going to mention is their habitual use of error suppression. I wrote about this in a blog post of mine on another site, but suppressing errors is very bad practice. Not only will the page show as blank, when an error exists, but sometimes the error lines in other places are thrown off. The interpreter 'gets confused' if I may, and can shoot out the wrong error line. What a debugging mess.

    I see posts everywhere on the forum, where users are getting errors concerning their database credentials. The user doesn't understand that it is what it means.

    They could simply add an 'or die('Your database information is wrong.')'.

    Just think of how easy it is to add that on the connection query, and it would save so much time and energy.

    Not to mention that errors give users and even hackers more information than they need to know. Should know.
    Well, that is my conclusion of the script, simply from viewing login.php and about 1/3 of functions.php.

    #1 nobackseat, Apr 12, 2011
    Last edited by a moderator: Apr 12, 2011
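    The points raised in this review (unsalted MD5, SELECT *, string-built SQL, error suppression, a cookie that carries the password hash) map onto a fairly short hardened login. The following is an added example written for this thread, not code from Mysidia Adoptables; it assumes PHP 7 or later with PDO and the pdo_sqlite extension, and uses an in-memory SQLite table named "users" to stand in for the real database so it runs offline.

```php
<?php
// Added example (not Mysidia's code): a hardened version of the login excerpt
// reviewed above. Assumes PDO + pdo_sqlite; the users table is created in-memory.
declare(strict_types=1);

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    // Fail loudly into the log instead of @-suppressing; the visitor only sees a generic page.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    return $db;
}

function register(PDO $db, string $username, string $password): void {
    // password_hash() applies a per-user salt and a slow algorithm (bcrypt by default),
    // so a leaked hash cannot be looked up in an online md5 "decryption" table.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

/** Returns the user id on success, or null. The caller stores the id in $_SESSION. */
function login(PDO $db, string $username, string $password): ?int {
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    // Prepared statement: the username can never alter the query. Only the two
    // columns we need are fetched, and there is no while-loop that runs once.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run a verify so response time does not reveal which names exist.
        password_verify($password, $dummyHash);
        return null;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return null;
    }
    // Nothing like 'auser'/'apass' is sent to the browser; in a web request you
    // would now call session_regenerate_id(true) and set $_SESSION['user_id'].
    return (int) $row['id'];
}

// Usage with a constructed account:
$db = connect();
register($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, "alice' OR '1'='1", 'anything'));
```

    The third call shows why the prepared statement matters: the quote-laden username is bound as a value, so it simply matches no row. If a database error does occur, the PDO exception carries the real message to the error log, which is what the "database information is wrong" posts on the Mysidia forum were missing.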

  2. Re: Mysidia Adoptables

    That's pretty disgusting. A TON of people use those scripts that they offer, and they are all so easily open to attack? I'd be so ashamed if I wrote that >_>
  3. That's a frightening amount of problems you found from just two files! Hopefully they are corrected.
  4. Hopefully these problems are resolved soon.
  5. I have spoken with the owner and some of the development team, and they have expressed genuine concern in the matter, and are working to improve as many of these problems for the next few releases.

    I still would like to stress that the current version of the script is in disorder.

  6. Unfortunately, it's been over 3 months since this and there is still no official release from the site repairing any of these issues.

    I can assume that, as volunteers, they have priorities but they have a moderately sized user base that needs these updates.

    I'm not sure if I should post on their forum again or not. Does anyone think it hasn't been enough time?


  7. Hello Everyone,
    What happened with your problem, NBS?
  8. If they can put out updates at least once a month before, I don't see why this has taken three months with no updates. Even if it's just one fix at a time, that's better than nothing.
  9. Just an update, I'm a user of their software, and it has gone through several versions since the last post and all security issues have been addressed and dealt with. I'd post a link to their current release 1.3.0 but I'm new and I'm not allowed to post links yet. If the OP would like to download the current version and look into the current security and find any other weak spots, I'm sure they would appreciate the feedback.
  10. Here is the new link

    It was just released so there may still be some bugs.

    May I also say that Hall of Famer's team has been working hard on this script and there have been many updates on the new script before it was posted. Maybe you guys should try being an active member on the forum before you harp on them. The team has been busy and the overhaul needed to be pushed back a few times.

    Really I don't like the amount of negativity at the people who are volunteers and have school to deal with.
    #10 Corsair, Mar 14, 2012
    Last edited: Mar 14, 2012
  11. They have worked hard on the script and they kinda got it with all the problems of the old script when the original coder sold it. I think they have done very well expanding and fixing it.
  12. Yup, and hopefully someone can re-review the script and see if everything is good. @nobackseat
    #13 cpvr, Apr 28, 2012
    Last edited by a moderator: Oct 16, 2013
  13. @cpvr,

    The script, through all its versions, has been consistently ludicrous to the point where it's amusing.

    My time only allots for a few files, but I'll see what I can find.

    The registration page seems to top all of the script concerning security.

    <input name='answer' type='hidden' id='answer' value='{$answer}'></p>
    <input name='ip' type='hidden' id='ip' value='{$_SERVER['REMOTE_ADDR']}'></p>
    That is an excerpt from the registration form. It stores the answer to the security question in a 'hidden' input field, as well as the user's IP address, in its own 'hidden' input field.

    Just because the browser chooses not to show it, doesn't mean that it's safe in any way. I can view the source of the page easily, and so can automated spamming software.

    This means that I can edit the IP sent to the server, and that automated spamming software can grab the security answer from the input field and use it to register an account in an automated fashion...essentially defeating the purpose of what they call a 'Security Question.' Lol. Oh, by the way, the security question is the same for everyone who registers. So actually, there's no need for it to grab the input field, it can simply be hard coded into the 'bot'.

    In addition, there is no real limit on the length of the username. There is a limit in the HTML, but that can be bypassed very easily. And there is no check on the birthdate at all. No check on if it's even a real date (Feb 30?) or even numbers. Lol. You can type whatever you want in the field. Extra profile room anyone? :p

    The majority of issues I have with Mysidia Adoptables continue to be efficiency and memory usage.

    Such as comparing the initially entered password with the 'confirmed' password, after each one has already been encrypted (and the encryption used doesn't make much sense and is pretty sloppy). And grabbing all the data from rows unnecessarily (such as when checking if a username exists...). And the frequent use of curly brackets around variables was meant for certain conditions when using arrays, instead they seem to use it for cosmetic reasons.

    Mysidia combines cookies and sessions, which is a good idea, except they seem to use it just to generate a unique ID for the cookie. Really just a waste.

    There's just signs of beginners coding it everywhere. The oddities are small, but they are E-VER-Y-WHERE, which makes it inefficient and annoying to study.

    $article_content = $regsuccess."".$username."".$regsuccess2;
    You only need a single dot between variables. No quotes, and not the other period.

    $pass1 = $_POST["pass1"];
    $pass1 = secure($pass1);
    $pass2 = $_POST["pass2"];
    $pass2 = secure($pass2);
    Uhhhh OK. Could just wrap the function around the array.

    $salt = $_POST["salt"];
    $salt = secure($salt);
    It would be really funny if the salt really were stored in the login form. Alas, it's not so this code is... pointless. Actually, it uses up memory on your server, so at least it does that.

    function passencr($username, $password, $salt){
        $pepper = grabanysetting("peppercode");
        $password = md5($password);
        $newpassword = sha1($username.$password);
        $finalpassword = hash('sha512', $pepper.$newpassword.$salt);
        return $finalpassword;
    }
    What a mess. Guys, are ya sure that's the final password...? :p

    function __autoload($name) {
      // The autoload function, a bit messy if you ask me
      $classpath = strtolower("classes/class_{$name}");
      if(defined("SUBDIR")) include_once ("../{$classpath}.php");
      else include_once ("{$classpath}.php");
    }
    Who asked you? JK, totally agree. Now do something about it. Again, more showy brackets. Ooooo, aaaaah.

    I'm having fun with this, but I ought to go back to work.

    Before I forget, it still uses globals too, a point from my previous analysis. Globals are bad and messy!

    #14 nobackseat, Apr 28, 2012
    Last edited by a moderator: Oct 16, 2013
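    The registration findings above (the answer and IP in hidden inputs, username length enforced only by HTML, no birthdate check, passwords compared after hashing) all come down to validating on the server. The code below is an added example for this thread, not Mysidia's own code. It assumes form fields named username, pass1, pass2, birth_year, birth_month, birth_day and answer, that the expected security answer was saved in $_SESSION when the form was rendered, and that the IP is read from $_SERVER; it runs stand-alone on PHP 7 or later.

```php
<?php
// Added example (not Mysidia's code): server-side checks for a registration form.
// Field names and the session-stored answer are assumptions for this example.
declare(strict_types=1);

const USERNAME_MIN = 3;
const USERNAME_MAX = 20;
const PASSWORD_MIN = 8;

/**
 * Returns a list of error messages; an empty list means the submission is acceptable.
 * $post is the raw form data, $expectedAnswer the server-side copy of the answer.
 */
function validate_registration(array $post, string $expectedAnswer): array {
    $errors = [];

    // maxlength in the HTML is advisory; enforce length and character set here.
    $username = (string) ($post['username'] ?? '');
    $pattern = '/^[A-Za-z0-9_]{' . USERNAME_MIN . ',' . USERNAME_MAX . '}$/';
    if (!preg_match($pattern, $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    }

    // Compare the plaintext inputs once; hashing both first only wastes work.
    $pass1 = (string) ($post['pass1'] ?? '');
    $pass2 = (string) ($post['pass2'] ?? '');
    if (strlen($pass1) < PASSWORD_MIN) {
        $errors[] = 'Password must be at least 8 characters.';
    } elseif (!hash_equals($pass1, $pass2)) {
        $errors[] = 'Passwords do not match.';
    }

    // FILTER_VALIDATE_INT rejects non-numeric parts; checkdate() rejects Feb 30.
    $y = filter_var($post['birth_year'] ?? '', FILTER_VALIDATE_INT);
    $m = filter_var($post['birth_month'] ?? '', FILTER_VALIDATE_INT);
    $d = filter_var($post['birth_day'] ?? '', FILTER_VALIDATE_INT);
    if ($y === false || $m === false || $d === false
        || !checkdate($m, $d, $y) || $y < 1900 || $y > (int) date('Y')) {
        $errors[] = 'Birth date is not a real date.';
    }

    // The expected answer lives on the server, so the page source never reveals it.
    $answer = trim((string) ($post['answer'] ?? ''));
    if (!hash_equals(strtolower($expectedAnswer), strtolower($answer))) {
        $errors[] = 'Security question answered incorrectly.';
    }

    return $errors;
}

/** The client address comes from the connection, never from a form field. */
function client_ip(array $server): string {
    $ip = (string) ($server['REMOTE_ADDR'] ?? '');
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

// Constructed submissions:
$good = ['username' => 'fluffy_42', 'pass1' => 'longer-than-8', 'pass2' => 'longer-than-8',
         'birth_year' => '1995', 'birth_month' => '2', 'birth_day' => '28', 'answer' => 'cat'];
$bad  = ['username' => str_repeat('a', 200), 'pass1' => 'short', 'pass2' => 'short',
         'birth_year' => '1995', 'birth_month' => '2', 'birth_day' => '30', 'answer' => 'dog',
         'ip' => '1.2.3.4'];
print_r(validate_registration($good, 'cat'));
print_r(validate_registration($bad, 'cat'));
echo client_ip(['REMOTE_ADDR' => '203.0.113.5']), "\n";
```

    The $bad submission includes a forged 'ip' field exactly as the reviewed form would accept it; client_ip() never looks at the POST data, so the field is simply ignored. A per-session or image-based challenge would still be needed to slow down automated signups, since a fixed question with a fixed answer can be hard-coded by any bot, as the review notes.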
  14. A recent thread inquired about this software which I have famously reviewed a couple of times lol. And a friend brought it to my attention. Out of pure curiosity I looked into the script again to see what I could find. ;)

    I'll keep it serious this time. No, seriously.

    Well a lot certainly has changed, for better or worse I'll leave for you to decide. The code has taken a more object-oriented approach and I'll touch on that later.

    A couple of the basic things that I expect from any type of script written by anyone anywhere are missing...

    There's no minimum password length. Does it really matter? Yes, it does. And it's something everyone's come to expect, because it exists on every site, and for good reason.

    Missing input validation in critical areas (though it really should be everywhere). Here's the code that updates your account profile:
    // Line 51 of account.php

    $mysidia->db->update("users_profile", array("avatar" => $mysidia->input->post("avatar"), "nickname" => $mysidia->input->post("nickname"), "gender" => $mysidia->input->post("gender"), "color" => $mysidia->input->post("color"), "bio" => $mysidia->input->post("bio"), "favpet" => $mysidia->input->post("favpet"), "about" => $mysidia->input->post("about")), "username = '{$mysidia->user->username}'");
    There's nothing! It goes straight into the database as-is. In fact, I was able to change my gender to gibberish although it was a radio input element ('one or the other' type of checkbox). This also means that it's stored as a VARCHAR (string) in the database, instead of an efficient way such as a TINYINT or even a CHAR as a numeric boolean.

    Oh, and I put symbols in the username when registering and then I couldn't view the profile of the account because they had to be encoded to be in the URL. It's obvious that a lack of proper validation is a common theme throughout the software.

    Speaking of profiles, you can enter any URL to be your "avatar". It doesn't have to be hosted on the site. Great feature right? No, how about a security issue. A user may enter a page URL instead of an image URL, and this causes the user who is viewing the profile to make a request to that URL. The real problem is, Mysidia has URLs that do actions just by accessing them and this is very wrong. The HTTP/1.1 spec states...
    And yet, Mysidia logs you out and even deletes a visitor comment just by calling a URL (/vmessage/delete/3). Logging out via GET is unfortunately common but is wrong, especially since browsers will pre-fetch pages for you automatically to have them load faster. But deletion? That's just disgusting.

    Basically, you can delete a comment on someone's page by having them go to your profile with the delete URL as the avatar. Unfortunate, since this is a very well known and documented vulnerability called CSRF.

    (For those who don't know, POST is when you submit a form and GET is when you simply access the URL.)

    It is a hobby project where the developers aren't paid, but that doesn't mean it has to have an overwhelming amateur feeling about it, which there is for me because of some minor annoyances and inconsistencies. For the sake of giving my bold statements credibility I'll list a few. Outputted quotes consistently had slashes preceding them, settings don't accept some valid emails, and the views are entirely in PHP. Yes, the V in MVC, where the presentation layer is, typically HTML. It's ENTIRELY in PHP, there's no HTML in sight. HTML is outputted using PHP classes. The opposite is typically done, all HTML with minimal PHP, to make it easier for designers or any non-PHP programmer who wants to edit the template. But with this framework that's intended for customization and modding, it's not possible. Also, the developer did mention his MVC implementation isn't complete, but the Models (M) are entirely missing. However, he said it would be complete the next iteration, and I have no idea how far along he thinks he is with this release, or if he plans on omitting the models, but just worth mentioning.

    "Well... good post but that's still not enough to make me stop using it. Nice try though."

    Ah but I have one more criticism left, and I'd call it a big one. Client side script execution, or in layman's terms: COOKIE GRABBERS. :eek:

    They implemented a PM system that uses a WYSIWYG editor. I simply clicked an option that let me edit the direct source of the message and the JavaScript I typed in was beautifully executed on the receiver's end. Guess there's no validation. Yes, among other things, I could theoretically grab your cookies and log in as you assuming there's no other precaution in place which I doubt.

    I would check for myself but honestly it's such a hassle. The script, (all 1,385 files...) is very abstract and was difficult to follow at times. The lead developer thinks a "perfect script must be fully object-oriented" which he strangely stated a couple times in the previous release post and also on PHPFreaks where they wholeheartedly disagreed.

    One of the purposes of MVC and OOP is to make things more organized and yet to me he managed to do just the opposite.

    So hopefully you non-programmers are more informed now about using the script. You can see for yourself that all of the releases are "security releases" and that alone should be enough to deter a potential user of the script. If you intend to have your site do anything other than what Mysidia provides out-of-the-box, then especially have your site custom built. Modifying this thing would be a pain in the ass (and probably as expensive as building a custom site anyway).

    If I was wrong or misinformed about anything I stated here then by all means correct me. Maybe one day it'll get there but it does not have, and for the record never has had, my recommendation (if it means anything to you lol). AVOID.

    btw would someone post this on mysidia's forums?

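    The two bugs this review ends on, a deletion that fires on a plain GET (reachable through someone's avatar URL) and a PM editor whose HTML is rendered unescaped, have standard fixes: state changes only on POST carrying a session-bound token, and escaping untrusted text on output. The following is an added example for this thread, not Mysidia's code. It assumes a router that hands the handler the request method and POST body, a session array, and an application-supplied delete callback; the route /vmessage/delete is the one named above.

```php
<?php
// Added example (not Mysidia's code): CSRF-safe deletion and escaped PM output.
// The router/session/callback shapes are assumptions made for this example.
declare(strict_types=1);

function csrf_token(array &$session): string {
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/**
 * Handle /vmessage/delete. Only a POST carrying the session's token may delete;
 * a GET (an <img src> from an avatar, a browser prefetch, a pasted link) does nothing.
 * Returns the HTTP status to send.
 */
function handle_delete(string $method, array $post, array $session, callable $delete): int {
    if ($method !== 'POST') {
        return 405; // GET must be free of side effects
    }
    $sent = (string) ($post['csrf'] ?? '');
    $expected = (string) ($session['csrf'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        return 403; // a cross-site page cannot read the token, so it cannot forge this
    }
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;
    }
    $delete($id);
    return 200;
}

/** The delete control is a form, not a link, and carries the token. */
function delete_form(int $messageId, string $token): string {
    return '<form method="post" action="/vmessage/delete">'
         . '<input type="hidden" name="id" value="' . $messageId . '">'
         . '<input type="hidden" name="csrf" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
         . '<button>Delete</button></form>';
}

/** Untrusted PM text is escaped on output, so a <script> tag is displayed rather than run. */
function render_pm(string $body): string {
    return '<div class="pm">' . nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')) . '</div>';
}

/** Accept only http(s) avatar URLs whose path looks like an image. */
function valid_avatar_url(string $url): bool {
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    return (bool) preg_match('/\.(png|jpe?g|gif)$/i', $parts['path'] ?? '');
}

// Constructed usage:
$session = [];
$token = csrf_token($session);
$deleted = [];
$delete = function (int $id) use (&$deleted): void { $deleted[] = $id; };

echo handle_delete('GET', ['id' => '3'], $session, $delete), "\n";
echo handle_delete('POST', ['id' => '3', 'csrf' => 'bogus'], $session, $delete), "\n";
echo handle_delete('POST', ['id' => '3', 'csrf' => $token], $session, $delete), "\n";
print_r($deleted);
echo delete_form(3, $token), "\n";
echo render_pm("<script>alert(document.cookie)</script>\nhello"), "\n";
var_dump(valid_avatar_url('https://img.example/a.png'));
var_dump(valid_avatar_url('https://site.example/vmessage/delete/3'));
```

    Of the three, the POST-plus-token check is the one that actually closes the CSRF hole; the avatar extension filter only narrows what an avatar can point at (an attacker-controlled host can serve anything under a .png path), so hosting or proxying avatars locally is the stronger option. Setting the session cookie with the HttpOnly flag limits what an injected script can read, but it is no substitute for escaping the PM body.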
  15. A huge thank you to @nobackseat for taking the time out of his busy schedule to write an updated review on Mysidia. I fully appreciate the effort and the read. I'm glad this has been posted to better inform the community.
  16. There must not be any free quality alternatives for a script like Mysidia to become this popular. There are so many excellent open source projects these days but I guess very very few in the pet site niche.
  17. There's so much criticism but no one else steps up to the plate.

    I've looked and looked for a good pet script for years. Mysidia has flaws and I don't pretend to understand a lot of the coding errors being discussed here, so this is just my two cents. It also has a lot of love and TLC that shows through on the work being done. The coder does this all alone. He really has no help at all.

    I've tried VPet a few times, and while I love all the games and add-ons (something Mysidia needs desperately), it's buggy as can be as everyone knows, and it's a shame no one who knows how has gotten into the script and just made it safe and good, because there is a LOT of good there. But a site has to be safe as well as fun, right?

    I read over and over the critiques but in all these years I have looked for a good script that's free or cheap at all, 7+ years now, I have yet to see anyone else step UP. I am not able, but there's so many of you out there who could take VPet or something like that and make it something we'd all love you for.

    At least Mysidia makes the effort.

    If anyone can do better, I think the pet site community would love to see it?
    #18 SimPet, Aug 13, 2014
    Last edited: Aug 13, 2014
  18. There is another option that's free, supported and actually good:

    Before you start tossing mud, keep in mind the enormous size of the project. How many hours of programming and work would go into it. Not everyone has the free time or option to work for hours and hours on end for free. Not to mention providing updates, bug fixes, support, etc. Unfortunately the world revolves around money, and people need that to live. Doing free projects with no return is not something everyone can do.

    The criticism isn't for the amount of effort or the fact that they're /trying/, it's on the code itself. The safety and quality just isn't there. That's a comment of the product, not of the people.
  19. Tossing mud?


    It isn't me that's tossing mud. Was just making a very valid point.
