SteemNova players encounter visual bugs regarding inproper sorting of planets in the game. The settings view allow player to choose how to sort them. The options are: creation time, planet name or by their coordinates. Second option is to select the ascending or descending order.
During debugging the issue, it turned out that it is not visual bug. The UI .tpl interface works fine and just draws the obtained values from PHP server. What people see is a bug of incorrect PHP MySQL queries. To be honest there were 2 SQL bugs there.
Fixing SQL bug 1
Everywhere in the .php source codes there are SQL queries using prepared statements and parametrized queries. This is completely fine because it provides best safety in terms of SQL injection vulnerability.
However it has to be written properly. The prepared statements cannot be used for dynamic parametrized queries like "ORDER BY name DESC" or "ASC". The ASC/DESC words have to be concatenated manually.
This is why I have moved out the parameters of DESC/ASC from prepared statements. I do simply append them to a string query.
For purposes of the game engine it is sufficient and fix a bug. But according to some ideas the best would be to "use a whitelist filter that restricts the possible values".
Fixing SQL bug 2
In multiple ORDER BY statements, the DESC/ASC should occur after every column we filter on. The code was inconsistent with above rule in few of .php files. In the result, only last column was sorted.
Results explain it all:
mysql> select name,galaxy,system,planet from uni1_planets where id_owner=1 and destruyed=0 order by galaxy,system,planet DESC;
mysql> select name,galaxy,system,planet from uni1_planets where id_owner=1 and destruyed=0 order by galaxy DESC, system DESC ,planet DESC;
Screenshots
Places where the bugs occured:
Information
steemnova/steemnova project is fork of jkroepke/2Moons Open Source Browsergame Framework. The goal is to fix bugs and develop the engine in the direction of maximum Steem integration.
Links
https://github.com/steemnova/steemnova/pull/20
Posted on Utopian.io - Rewarding Open Source Contributors
Thank you for the contribution. It has been approved.
Great post visually, and good job on explaining why prepared statements are good to deal with SQL injection vulnerability.
You can contact us on Discord.
[utopian-moderator]
Thank You! These are the bugs which are quite difficult to catch.
Thank you for sharing the updates. Keep up the good work 👍
Hey @mys I am @utopian-io. I have just upvoted you!
Achievements
Community-Driven Witness!
I am the first and only Steem Community-Driven Witness. Participate on Discord. Lets GROW TOGETHER!
Up-vote this comment to grow my power and help Open Source contributions like this one. Want to chat? Join me on Discord https://discord.gg/Pc8HG9x
Congratulations @mys! You have completed some achievement on Steemit and have been rewarded with new badge(s) :
Click on any badge to view your own Board of Honor on SteemitBoard.
For more information about SteemitBoard, click here
If you no longer want to receive notifications, reply to this comment with the word
STOPI have vote steemik you vote back ya @ fikar21