[Tutorial] Must Have Knowledge to have and setup good website server

Experienced Elementalist
Joined
Apr 16, 2007
Messages
266
Reaction score
61
Must Have Knowledge to Have a Good Secure KalOnline Server Site

Table of Contents

0. Introduction

1. Basic Design

2. Operating System Requirements

3. Software Requirements

4. User Registration/Login

5. SSL Why this is a must have

6. Database Structure & Organization

7. PHP & SQL Performance.

0. Introduction

There's a lot I do not know about the in game stuff, so I won't cover that.

What I will cover is what you really need to know, to have a basic website for your
kalonline server.

I have been a player for kalonline for about 7 years, since 2004.

I have led over 38 guilds, 5+ alliances, won c/w, lost c/w. But back in 2007, I started my own server
with the help of a few good friends, called Asgard.

I made a lot of mistakes, but I also learned a lot.

Here are a few lessons I learned.

1. Never host your site on your home pc, both because of security concerns and bandwidth concerns.

While it is technically doable, if you're planning it for just a few friends, but in the process, as soon as you get public
you will be targeted by other hackers and other servers, to take you down, so that they get more votes and ranked higher.

2. Always surround yourself with a good team, of people you know you can really trust. And make 100% clear to them, what they can get and gain for all their hard work.

3. Do not give gm powers to people that are just not mature and stable enough to handle it. This will clusterfuck your server more than ever.

4. Divide gm responsibilities two-ways, one for hidden gm security people, who check/block/find hackers, and others to help plan/run events and socialize with players.

5. Players love growth and stability, they want a server, they know will stay up, and be reasonably lag-free, and that is constantly adding things or being well run.

Anyone can have a cool server, but if it is not well run, or people feel like you do not care, they will leave.

Once you start your server, and make it public, that was only like 10% of what it takes to be a good owner.

Good owners need to keep players happy, not just sit there quietly in a corner, and avoiding players.

6. Strictly limit what powers gm's have, so that they can not give items or help players with anything. They can give advice/suggestions, but not items or help give players xp. Make them unable to create items, join parties.

7. I know privacy is important, but as owner, if you have a life outside the server, you need to know what's going on, and to allow for that, you must enable the chat log, so that you can see daily logs of who said what. You must know who is saying what, doing what, helping people. Especially if there is corruption of any kind.

8. Once people register/create account, most will not ever visit the site again, unless it is to check rankings or check the forums. Forums are a very powerful way for a server community to grow. So I highly recommend you get a forums software of some kind, either installed on your site, or linked to a free one, hosted somewhere else.

9. Every month make a new plan, and discuss it with your team, to keep improving it.

10. Have a way either via forums or a helpdesk where users can report any kind of problems.

There's a lot for me to share, and hopefully a few will sink into your brain.

Let's get started.

Chapter 1. Basic Design

There are tons of great free templates out there, you can google and find any you like.

But I would like to give you a piece of advice that may be new to you.

Have you ever heard of responsive design?

Well Responsive Design is a new type of html/css template, that will change its look and resolution, based on what device is viewing it.

Back a few years ago, if you wanted a regular site, mobile site, etc, you had to have separate site designs, so that you'd have some code that would load
different css based on what device you were viewing the site on. And it was a pain to create and manage.

However Responsive Design are templates that will make your site look reasonably good in all or most devices.

Also when you pick a design or template, try it out in different resolutions to make sure it looks good.

I just saw someone's site yesterday, and the width was narrower than the list of navigation items they had, making it look not very professional.

Let's be honest, each of us has different styles and that's totally okay, just make sure you did a good job, looks good on different resolutions.

But once you pick out the design, you must convert the template into php page.

PHP is the programming language, that most kal sites are written on, so that they can get data back and forth.

Okay here is how the kalonline server basically works.

Once you login via your client, it is connecting to the remote server software that interacts with the SQL Server database, which stores all the data about the player, the items, the guilds etc.

So your web page, for registration, login, userpanel to work, must be able to talk to the server database.

And for that requires PHP, although you can use other programming languages, there are a lot out there.

You can use whatever language you like as long as it can talk to SQL Server.

There are pros and cons to every language, the main reason I use php, is because most of the other site server scripts are programmed in php, so that makes it easier to use their scripts.

Chapter 2. Operating System Requirements

Now personally you can use any version of Windows, but I would recommend you install and use a server based one, that is more capable of handling security and bandwidth issues.

Once you have your operating system installed, and setup. I would highly recommend you uninstall all non-server related software. Eliminate any background running software etc. The more bandwidth, cpu, memory that is available for the running server software, the more stable and secure the server will be.

Chapter 3. Software Requirements

You will need to install a version of SQL Server, but note there are slight differences in different versions, such as command differences, and character set differences, and so forth.

So it behooves you, unless you really know a lot about sql server, to use versions that were used for most servers, sql server 2000 or 2005 or 2008.

If you go newer than that, you may have to review the sql code inside your engine to make any changes.

You will need a web server installed, most people pick either IIS or Apache. Either can work, but both take time and skill to setup right.

I myself prefer Apache, because there are a ton of tutorials and guides out there, how to setup correctly, and to make secure and stable.

But you can also go IIS, but make sure to get the very newest version of IIS, has a brand new interface, but may have easier way to install addons.

If you are totally new to setting up websites, servers etc. I would highly recommend you use your own home pc or a spare pc, as a test server, to learn all this on before paying for a hosted server to learn on.

It is better to practice and learn on your own home pc/spare pc, before paying money when you don't know anything yet.

Chapter 4. User Login/Registration

Because of the way the kalonline database was created, all passwords can not be longer than 8 characters. And has a limit of what characters are acceptable.

function passConvert($password) {
    // Lookup table: each allowed character becomes the two-digit hex value
    // that is stored for it in the database.
    $encar = array('!'=>'95', '"'=>'88', '#'=>'9D', '$'=>'4C', '%'=>'F2', '&'=>'3E', '\''=>'BB', '('=>'C0', ')'=>'7F', '*'=>'18', '+'=>'70', ','=>'A6', '-'=>'E2', '.'=>'EC', '/'=>'77',
    '0'=>'2C', '1'=>'3A', '2'=>'4A', '3'=>'91', '4'=>'5D', '5'=>'7A', '6'=>'29', '7'=>'BC', '8'=>'6E', '9'=>'D4', ':'=>'40', ';'=>'17', '<'=>'2E', '='=>'CB', '>'=>'72', '?'=>'9C',
    '@'=>'A1', 'A'=>'FF', 'B'=>'F3', 'C'=>'F8', 'D'=>'9B', 'E'=>'50', 'F'=>'51', 'G'=>'6D', 'H'=>'E9', 'I'=>'9A', 'J'=>'B8', 'K'=>'84', 'L'=>'A8', 'M'=>'14', 'N'=>'38', 'O'=>'CE',
    'P'=>'92', 'Q'=>'5C', 'R'=>'F5', 'S'=>'EE', 'T'=>'B3', 'U'=>'89', 'V'=>'7B', 'W'=>'A2', 'X'=>'AD', 'Y'=>'71', 'Z'=>'E3', '['=>'D5', '\\'=>'BF', ']'=>'53', '^'=>'28', '_'=>'44',
    '`'=>'33', 'a'=>'48', 'b'=>'DB', 'c'=>'FC', 'd'=>'09', 'e'=>'1F', 'f'=>'94', 'g'=>'12', 'h'=>'73', 'i'=>'37', 'j'=>'82', 'k'=>'81', 'l'=>'39', 'm'=>'C2', 'n'=>'8D', 'o'=>'7D',
    'p'=>'08', 'q'=>'4F', 'r'=>'B0', 's'=>'FE', 't'=>'79', 'u'=>'0B', 'v'=>'D6', 'w'=>'23', 'x'=>'7C', 'y'=>'4B', 'z'=>'8E', '{'=>'06', '|'=>'5A', '}'=>'CC', '~'=>'62');

    $newpass = "0x";
    for ($i = 0; $i < strlen($password); $i++) {
        // Reject characters the table does not cover instead of silently dropping them.
        if (!isset($encar[$password[$i]])) {
            throw new InvalidArgumentException("Unsupported password character at position $i");
        }
        $newpass .= $encar[$password[$i]];
    }

    return $newpass;
}

If you look at the php code above, what it does is convert normal alpha numeric characters into hexadecimal characters that are acceptable for the user password inside the database.

Because of this, all user passwords can not be more than 8 characters, so that when it converts it to be inserted into the database, it has to use the same encryption/decryption method as what is used when people try to login via the client to the server.

So that means that all login/register scripts must have an encrypt/decrypt function to translate the password to and forth to this hexadecimal version.

And this isn't too hard, but neither is it too easy.

If you allow a bad or incorrect password, people will not be allowed to login to the server. And they will only endlessly complain.

So you must set this up correctly, to make it easy for people to register and login.

But web security these days is far more advanced than back in the early 2004-2005, we have a lot of new ways to help solve security problems.

First off, here are a few things you need to do, if you really want a secure server.

Do you care if people create tons and tons of accounts, or do you prefer one person gets one account.

It is up to you.

If you think security matters, then you need a stronger registration system, more than a captcha with an iframe to register people with.

Iframes are a horrible way to setup registration, any idiot can look at your source, and find the ip address of your server, and there you just opened a hole to your server.

I have invented my own registration logic or process, I recommend you do something similar to this, if you want a secure site registration.

I created a queue based registration, when you register it adds a record to a queue for people to be given accounts.

I grab their unique ip address, email address, username.

Then I have an automated script to send emails to people in the queue, demanding that they click on the link within 24 hours, or their request for an account will be deleted.

If they fail to verify then, their request is deleted.

I also had a long uuid code I generated as part of the verification process, to make sure their request was a valid one.

If they verify correctly, then I send a separate email, with their own username and a password that I generated myself.

I had my own kal acceptable password generator, because when people pick their own non-random passwords, it makes it easier for gm/owners from one server look at their password there, and then, steal their accounts/items on other servers.

I never let users pick their own passwords, but you can, if you want to, let them enter their own password, but then you make it easier for hackers to hack their account. It's your choice.

After their account is created and email sent, then I mark their account for requiring a new password in 30-60 days.

This way passwords are always updating and changing, and random, and less likely of them being hacked.

You must find your own balance of ease of registration and security. Your choice and your consequences.

I find that just having a good solid user registration can go a long way to secure your server. It won't be perfect, but the more you do now, setting up solid password security, the less problems you will face later on.

Chapter 5. SSL Encryption

When you go to register or login on a kal server, and do not see that locked box near the address bar, that means you are sending your username and password unencrypted in clear text, that any hacker can easily intercept.

So if you are going to be serious, then you must get an SSL Certificate. I have not done many of these myself, but this is one of the best ways to improve security.

So google it, find someone who is trustworthy, which may not be very easy, then install it, and get it done.

Chapter 6. Database Organization & Structure & Security

Well when you get your server repack, it includes two separate database files aka .db, each is a part of the kal server database.

There is kal_auth, and kal_db. Each has a separate function, and has different data stored.

After you have installed your database, I would start playing and looking at the data. Look at the list of tables, look at the data stored.

Try writing different sql queries getting data from different tables.

Now sql server database security should be easy by default, but if you ever write your own php code then it becomes important.

Lets say you want to write a sql query that gets data from both databases, then you need to make sure the user setup for your database dsn has security permissions to access both databases and tables.

To setup your database access for use in websites, you need to setup a system odbc datasource.

This allows you to refer to a name, to refer to different databases.

I normally setup a dsn/datasource for each database, so that I can write php scripts that can access data from either database.

Now inside the database it has its own internal security, which is used when you setup the dsn, because you have to use the username and passwords that sql server has setup.

Now this next topic may be a bit advanced, if you don't feel comfortable then go ahead and skip it.

One thing I have learned from my years as a web programmer, is to limit access to the data for the website.

Since each dsn has its own username/password, and if someone somehow gains access to the web server, I want to limit what data and what they can do with it.

So for example, I will allow selects, inserts and updates, but not allow deletes or table changes.

So to do this, I go to the permissions for each sql user and limit what it has access to, in terms of permissions.

This can be a pain in the butt and tricky, because you can also screw it up, and lose access to any data, so be very careful and take notes, and take backups.

Chapter 7. PHP & SQL Performance.

I admit, I am kind of a nut about web performance, I love smooth fast loading, secure sites. But it does take time to learn how to create those.

I have a few tips for basically improving site performance.

If you have pages, that have rarely updated information, or update every x hours or so, then you may want to convert it to a static html page.

Every time you run a php page, it has to convert the output to html, get data or store data into the database and so forth, and that adds time to the load time.

Whereas, if you store parts of the content that doesn't change a lot, like for example the rankings page, into a static html page.

Then it loads a lot faster.

So what is a static html page?

Basically it's just a normal html page, but you use a php script to convert the php output to an html page.

Here is an example.

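<?php

// start output buffering, so the ranking html is captured instead of sent to the browser
ob_start();

// do your ranking php code here (echo the ranking html as usual)

// grab everything that was echoed and stop buffering
$ranking_html = ob_get_clean();

// convert newlines to <br> tags
$ranking_html = nl2br($ranking_html);

// now save this to the static html file
$file = '/var/www/static/ranking.html';

file_put_contents($file, $ranking_html);

?>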

Then what this script will do is grab the html output of your ranking page, with no css, no navigation, no nothing, just the pure ranking html, images, etc.

Then saves it to a physical page in a folder called static, you can call it whatever you like.

Then in your normal ranking page, you just include this static html file.

So you can still have your user cookies/logins etc, but faster loading pages.

Another trick for performance is to either use Yslow or Google PageSpeed AddOn to look at your site, and give you specific advice to how to tweak your design/code/web server setup to improve it for performance.

If your site design has a ton of graphics, that will make it load slower, so I usually suggest some graphics, like a really optimized header logo, and that's it.

Your home page, should be the fastest loading, since that is the page most people visit first.

There is a lot to know and learn, so take the time to do so. The more you learn and master, the more well run your site will be.

Another of my favorite php tricks is script automation.

I love automating stuff, so that the owner/admin has to do less hands on work.

Such as for example, when someone gets to level 50, you want their animal to automatically be upgraded to g11. Well in the way back past, we had to manually go into the database, wait till they were logged off, and then run that change manually.

Whereas if you have a script that does the change, and using some kind of task scheduler or cron script, can have it run every x hours, and automatically upgrade people's animal to g11 when they turn level 50.

And there's lots of other things you can automate.

Like setting up guilds and alliances for war.

Cleaning out old and deleted users and their items.

Maintenance of the database, because kal databases always get kludgy over time, and need to remove old data, old users, especially in the items table.

Or automate backups of your players, guilds, and alliances into a text file, that you can easily roll back if there were any database glitches.

Let's say you have a set of maps, animals, events that change every week or every month or every x whenever.

So you can setup separate folders for each grouping, and use php to rotate those as needed, then force server restart of the software, and wham, automatic server changes.

So you think it, you plan it, you can automate a ton of things.

Then going back to sql performance, writing sql queries is very hard at first, because it demands perfection.

But if you write bad sql queries, you can make site performance slower.

So that's where people get into using views and stored procedures.

A view is basically a way to take a commonly used sql query that grabs data from different tables, databases, etc, and then save it, to the database, and then just get the data you need, and then let the database manage the performance and joining, so that it will make it faster loading, than running the same straight query in php.

A stored procedure is more than a view, you can do logic, a lot of stuff that you can do in php, but only in terms of working with data in the database.

Such as imperializing weapons, reborn system, etc.

But stored procedures are very tricky to create, because you have to create them perfectly or they fail, and even then doesn't mean it's a well written stored procedure.


In Conclusion, there is a lot of information and tips here, I hope I made it as easy to understand as possible.

And I may need to rewrite this a few times, to get it well written, and that's okay by me.

I am willing to help people, but do not expect me to do all the hard work, and you do nothing.

You must be working hard to learn and improve, and I'll help as I can. But if you expect me to do all your thinking, and you just be lazy,
then screw that idea.

Good luck guys.

LordJustice
-Live with honor
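
The queue-based registration described in Chapter 4 above (request queue, 24-hour verification link, server-generated 8-character password), sketched as an added example that is not the original poster's code. The reg_queue table, the function names and the sample values are assumptions, and an in-memory SQLite database (pdo_sqlite) stands in for the SQL Server DSN so that it runs offline.

```php
<?php
declare(strict_types=1);
// Added example; table layout, names and sample values are assumptions.

const TOKEN_TTL = 86400;            // verification link lifetime: 24 hours
const KAL_PASSWORD_LENGTH = 8;      // database limit stated in the tutorial
// Letters and digits only (all present in the passConvert() table),
// minus look-alikes such as 0/O and 1/l/I.
const KAL_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789';

// Server-generated password drawn from a CSPRNG, so it cannot be one the
// player already uses on another server.
function generateKalPassword(): string
{
    $out = '';
    $max = strlen(KAL_ALPHABET) - 1;
    for ($i = 0; $i < KAL_PASSWORD_LENGTH; $i++) {
        $out .= KAL_ALPHABET[random_int(0, $max)];
    }
    return $out;
}

// Queue a request; only the token's SHA-256 is stored, the token itself
// goes into the e-mailed link.
function queueRegistration(PDO $db, string $user, string $email, string $ip, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO reg_queue (username, email, ip, token_hash, expires_at)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$user, $email, $ip, hash('sha256', $token), $now + TOKEN_TTL]);
    return $token;
}

// Redeem a token: expired requests are purged first, a valid one is removed
// from the queue (single use) and gets a generated password.
function verifyRegistration(PDO $db, string $token, int $now): ?array
{
    $db->prepare('DELETE FROM reg_queue WHERE expires_at < ?')->execute([$now]);
    $stmt = $db->prepare('SELECT id, username, email FROM reg_queue WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM reg_queue WHERE id = ?')->execute([$row['id']]);
    return ['username' => $row['username'], 'email' => $row['email'],
            'password' => generateKalPassword()];
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reg_queue (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           email TEXT, ip TEXT, token_hash TEXT UNIQUE, expires_at INTEGER)');
$now = time();

$token = queueRegistration($db, 'player1', 'player1@example.com', '203.0.113.7', $now);
var_dump(verifyRegistration($db, $token, $now + 3600));   // clicked after 1 hour
var_dump(verifyRegistration($db, $token, $now + 7200));   // same link used again

$late = queueRegistration($db, 'player2', 'player2@example.com', '203.0.113.8', $now);
var_dump(verifyRegistration($db, $late, $now + 90000));   // clicked after 25 hours
```

After a successful verification, the generated password would go through passConvert() before being written to the account table and e-mailed to the player.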
 
Banned
Banned
Joined
Jul 8, 2007
Messages
1,628
Reaction score
1,619
AWESOME Thread and EXCELLENT GUIDE! And well planned and thought out! STICKIED! Thank you and well done hunny!
 
Experienced Elementalist
Joined
Apr 16, 2007
Messages
266
Reaction score
61
Thanks, wanted to have something that people could read, and gradually learn from. Was hard to get the formatting right in here, lol. Felt more like a word document than a forum post, but it's a good first rough draft.

Next on my list is a good php kal function library, you can include into your own php code, and then use the functions as you want and need.
 
Junior Spellweaver
Joined
Nov 1, 2013
Messages
144
Reaction score
36
Very good tutorial bro, thanks for sharing your knowledge.
 
Initiate Mage
Joined
Feb 18, 2015
Messages
1
Reaction score
0
Hi Sir,
Can you share a simple registration page in php?

Not really going into massive player with Kal online! Just some few friends and their friends.
Been making users for them manually through KOAM.

But I can't always immediately cater any email request from them.

A simple registration form would be nice.

Am totally got intermediate knowledge in PHP or the likes.

I managed to make a simple registration page but the game won't accept the password entries!

I did password hashing to try and store data as varbinary it did not work!
Did cast; (CAST(@PWD AS varbinary(16), '$PWD' ) it allowed me to write to database but game does not allow the Password entry!

Now got this from you above:
function passConvert($password) {
$encar = array('!'=>'95', '"'=>'88', '#'=>'9D', '$'=>'4C', '%'=>'F2', '&'=>'3E', '\''=>'BB', '('=>'C0', ')'=>'7F', '*'=>'18', '+'=>'70', ','=>'A6', '-'=>'E2', '.'=>'EC', '/'=>'77',
'0'=>'2C', '1'=>'3A', '2'=>'4A', '3'=>'91', '4'=>'5D', '5'=>'7A', '6'=>'29', '7'=>'BC', '8'=>'6E', '9'=>'D4', ':'=>'40', ';'=>'17', '<'=>'2E', '='=>'CB', '>'=>'72', '?'=>'9C',
'@'=>'A1', 'A'=>'FF', 'B'=>'F3', 'C'=>'F8', 'D'=>'9B', 'E'=>'50', 'F'=>'51', 'G'=>'6D', 'H'=>'E9', 'I'=>'9A', 'J'=>'B8', 'K'=>'84', 'L'=>'A8', 'M'=>'14', 'N'=>'38', 'O'=>'CE',
'P'=>'92', 'Q'=>'5C', 'R'=>'F5', 'S'=>'EE', 'T'=>'B3', 'U'=>'89', 'V'=>'7B', 'W'=>'A2', 'X'=>'AD', 'Y'=>'71', 'Z'=>'E3', '['=>'D5', '\\'=>'BF', ']'=>'53', '^'=>'28', '_'=>'44',
'`'=>'33', 'a'=>'48', 'b'=>'DB', 'c'=>'FC', 'd'=>'09', 'e'=>'1F', 'f'=>'94', 'g'=>'12', 'h'=>'73', 'i'=>'37', 'j'=>'82', 'k'=>'81', 'l'=>'39', 'm'=>'C2', 'n'=>'8D', 'o'=>'7D',
'p'=>'08', 'q'=>'4F', 'r'=>'B0', 's'=>'FE', 't'=>'79', 'u'=>'0B', 'v'=>'D6', 'w'=>'23', 'x'=>'7C', 'y'=>'4B', 'z'=>'8E', '{'=>'06', '|'=>'5A', '}'=>'CC', '~'=>'62');
$newpass = "0x";
for ($i = 0; $i < strlen($password); $i++)
{
$newpass .= $encar[$password[$i]];
}

return $newpass;
}

Just how to do registration page with this?

Thanks in advance
 