Arcade

Get help using Construct 2

Post » Wed Mar 07, 2012 9:37 pm

Hi, I'm looking to set up an arcade (like the one here) on my own website, which will let people upload Construct 2 games to it.

I'm wondering what needs to be done to do this.

I know HTML/JS and PHP, but I am not all too good at security of file uploads and such. I know that allowing joe public to upload a HTML and Javascript project right onto the server isn't good.

If there's not already a quick plugin to throw on my site, does anyone have info on how to secure user uploads like this?
B
2
Posts: 2
Reputation: 254

Post » Wed Mar 07, 2012 10:03 pm

I think it will be difficult for you, unless you find a way to use the exported scirra arcade zip (not even sure if you are allowed!)

If you can't, I know nothing about these things, but I tend to doubt it as scirra exports for its arcade radically different from their normal export...
B
90
S
30
G
24
Posts: 3,189
Reputation: 32,400

Post » Thu Mar 08, 2012 8:10 am

@Wyatt

A pretty similar question to yours was asked by another Constructor just a week ago. Here's the link. It could be more useful to continue the discussion in that thread.

You're right to wonder about security - it's a really big issue in this sort of server application and is a much bigger topic than can usefully be covered here.Velojet2012-03-08 08:15:05
B
105
S
20
G
12
Posts: 549
Reputation: 20,320

Post » Thu Mar 08, 2012 2:55 pm

If you already know the necessary server-side coding, there are just a few really important points you need to know:

- run the game in an iframe on a different domain to your website. We run the games off static1-4.scirra.net, and the parent frame is scirra.com. These count as different domains, and the browser blocks the iframe accessing anything in a different domain, meaning the website's info is safe from the game. (This is the same principle that stops any website AJAX'ing Facebook in the background to get your personal info.) You can also try sandbox="allow-scripts" on the iframe for extra security.
- have a whitelist of allowed file extensions or filenames - do *not* allow anyone to upload any .aspx, .php files etc! Just have a whitelist of files that are allowed e.g. index.html, *.js, *.png, and reject anything else.
- it's best to manually verify all entries to ensure there's nothing obviously malicious going through.

Our arcade actually has extra steps to ensure double security: the Arcade export format is data-only, so the user does not actually upload any javascript code at all. This means the games only ever use our official runtime code and previously approved plugins. However this is technically complex to set up - you should be OK with the above steps only.
Scirra Founder
B
359
S
214
G
72
Posts: 22,949
Reputation: 178,544


Return to How do I....?

Who is online

Users browsing this forum: austinblackbelt and 13 guests