John Munsch

8 months ago

in Adding Value to your game on Building Browsergames
Another point to consider on the forums is that of exploitation. Even the forum software that is very popular has often gone through periods where it has been heavily exploited by spammers, cross-site scripting, SQL injection, etc., etc. Given the complexity of a good forum, it's easy to leave it vulnerable to one attack or another.

By going with a proven forum package you can avoid making those same mistakes yourself and get something robust enough to stand up to some abuse by the pathetic script-kiddies on the net.

8 months ago

in Tutorials List on Building Browsergames
Finally I can stop maintaining mine. :)
1 reply
Luke: Haha, yup! I'm amazed at the amount of work that you had to do maintaining it already - just moving it over took me a while!

8 months ago

in Creating The Bank (Ruby on Rails) on Building Browsergames
current_user is a function that was provided to us by the restful_authentication system. Whenever we call it, it uses the ID of the logged in user (if any) that is stored in the session to look up a user record and assign it to the variable @current_user.

If you follow the instructions in The Login Page (Ruby on Rails) Part 2 (http://buildingbrowsergames.com/2008/08/25/the-...) you will be able to call this function from any of your controllers to pull the latest version of the user into a variable accessible from the controller and from the view that the controller will forward to.

If my explanation didn't help or you have any more questions, please ask.

9 months ago

in Want to start something? on Building Browsergames
Thanks Luke, I was going to post this same entry. I too want to encourage everybody to participate in this contest. In fact, I'm going to participate myself and use this as encouragement to get my game Big Villain built.

They've set up a forum for people to announce their participation here: http://community.bbgamezone.com/index.php?board...

9 months ago

in Post Mortem: Wargames 2.0 on Building Browsergames
> Input check – In WG2 some inputs are numeric only and some
> are English only – Simply build 2 controls, one that only
> accepts numeric input and one that accepts only English
> input. Problem solved.

I want to follow up on this one point. Controls are in the user's browser and you have the ability to control them via JavaScript; however, you can never ever trust what is submitted from any user. It's not hard at all to turn off JavaScript or to circumvent any browser side protection you might have for invalid data. _Always_ check the user's submitted data on the server side if it is anything which could corrupt your data, cause an error, or possibly even allow for cross-site scripting.
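A server-side version of the two checks from the quoted post mortem, added here as an example and not code from the comment or from Wargames 2.0. The field names `amount` and `name`, the length limits, and the reading of "English only" as ASCII letters and spaces are assumptions made for the illustration.

```ruby
require 'cgi'

# Allowlist patterns. \A and \z anchor the whole string; Ruby's ^ and $
# anchor each line, so "250\n<script>" would pass a /^[0-9]+$/ check.
NUMERIC_ONLY = /\A[0-9]{1,9}\z/
ENGLISH_ONLY = /\A[A-Za-z][A-Za-z ]{0,31}\z/

# Returns an Integer, or nil when the raw value is not purely numeric.
def parse_numeric(raw)
  s = raw.to_s
  return nil unless s.valid_encoding? && NUMERIC_ONLY.match?(s)
  Integer(s, 10)
end

# Returns the string, or nil when it contains anything but letters/spaces.
def parse_english(raw)
  s = raw.to_s
  return nil unless s.valid_encoding? && ENGLISH_ONLY.match?(s)
  s
end

# Validates one submitted form (hypothetical fields) on the server,
# regardless of what the browser-side controls allowed.
def validate_submission(params)
  amount = parse_numeric(params['amount'])
  name   = parse_english(params['name'])
  errors = []
  errors << 'amount' if amount.nil?
  errors << 'name' if name.nil?
  { ok: errors.empty?, errors: errors, amount: amount, name: name }
end

# Output encoding for any user-supplied text echoed back into HTML
# (for example in an error message), so markup is shown, not executed.
def render_text(raw)
  CGI.escapeHTML(raw.to_s)
end
```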

10 months ago

in Getting Started With A Templating System (Ruby on Rails) on Building Browsergames
Not really. The minimal amount of code added to the controller and the view there was enough to get the user object and pull out the login name.

If you were confused by my comment that "we've seen that the templating code (in the .html.erb files) gives us the ability to include partial pages to reuse sections of HTML, pull data from variables...", that statement is true only across all of the Ruby on Rails entries I've written so far. I showed only the conditional showing and not showing parts of the page and pulling data from a variable. If you want to see the first time I used a partial you can see that in The Login Page (Ruby on Rails) Part 2 (http://buildingbrowsergames.com/2008/08/25/the-...).

12 months ago

in Building Browsergames: The Registration Page (PHP) on Building Browsergames
The MD5 hash doesn't actually protect you if someone were able to dump your table of users or gain access to the database in some fashion.

That's because there exist large hash dictionaries available to hackers which have every word in the dictionary and all common names already pre-hashed using common hashes like MD5. The hacker can search through the list of hashed user passwords for matches in the hash dictionary and then consult the dictionary whenever there is a match to see what word or name was used as the original (unhashed) password. It won't allow them access to accounts where people used strong passwords, but think how many people use the name of a spouse or a common word as a password.

That's why you usually use MD5 in combination with a random "salt" value. You take the user's password (e.g. porcupine), you prepend a randomly generated number or string (e.g. 352) and then MD5 hash that (e.g. 352porcupine => 'alaskdf5...') saving both the randomly generated number and the hash. Then whenever the user submits a password you again prepend the same salt value in front of it and see if it hashes to the same value again. The random value in front of each and every password stored then makes the hash dictionary useless.
1 reply
Graham: Use SHA1 instead of MD5. Even with salts, MD5 is still vulnerable to collision attacks, and should not be used for security purposes.
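The salting scheme described in the comment above, as an added example that is not code from the comment or from the tutorial it responds to. The word list is constructed sample data and the function names are hypothetical; MD5 appears only because the comment uses it, and a deployed system would use a deliberately slow password hash such as bcrypt.

```ruby
require 'digest'
require 'securerandom'

# Constructed sample "hash dictionary": common words pre-hashed with MD5.
COMMON_WORDS = %w[porcupine password dragon monkey].freeze
HASH_DICTIONARY = COMMON_WORDS.to_h { |w| [Digest::MD5.hexdigest(w), w] }.freeze

# Unsalted storage: the same password always produces the same hash.
def store_unsalted(password)
  { hash: Digest::MD5.hexdigest(password) }
end

# Salted storage as the comment describes: a random salt is prepended,
# and both the salt and the resulting hash are saved.
def store_salted(password)
  salt = SecureRandom.hex(16)
  { salt: salt, hash: Digest::MD5.hexdigest(salt + password) }
end

# Comparison that does not stop at the first differing byte.
def same_digest?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Login check: prepend the stored salt to the submitted password and
# see whether it hashes to the stored value.
def verify_salted(record, submitted)
  same_digest?(Digest::MD5.hexdigest(record[:salt] + submitted), record[:hash])
end

# What a dumped user row reveals when matched against the dictionary:
# the original word for an unsalted row, nil for a salted one.
def dictionary_lookup(record)
  HASH_DICTIONARY[record[:hash]]
end
```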

1 year ago

in Creating your games template on Building Browsergames
I'd like to strongly suggest an alternative to the Layout Gala (LG) choice. Yahoo! offers a CSS file as part of their Yahoo! User Interface (YUI) package that makes it easy to build grid based layouts with multiple boxes in multiple sections.

The YUI website is http://developer.yahoo.com/yui/ but the specific page for the grid stuff is http://developer.yahoo.com/yui/grids/ and they offer a very simple to use tool on that page where you can lay out your page interactively and then it will give you the HTML to use for that layout.

The resulting HTML is a set of nested div tags that is very easy to work with and the CSS file you include for the grid system is a mere 4K. They also offer some other excellent CSS files to strip away formatting differences and standardize font sizes between browsers. Yahoo! also will host the CSS for you if you're looking to cut down on bandwidth usage.

All their stuff is well documented and YUI as a whole has hundreds of examples. Plus, Yahoo! tests all their stuff on every major browser on every major platform.