[RESOLVED] My First Game Script


Magfersile
10-05-2007, 12:20 AM
Well, I've finally completed a small php game that doesn't do much. However, I am eager for feedback on it in any way that I can get. Please take a look at the files if you have time and let me know what you think. How can it be improved? What should I be doing that I'm not doing? Is it completely trash? Noob script? etc. Any input I could get back would be great. Don't forget to rename the files with the extension .php.txt to a file of the same name with the .php extension if you can't get the zip file to work for you.

Magfersile
10-05-2007, 12:21 AM
Here are the rest of the files.

troybtj
10-05-2007, 06:11 PM
Skimming, I'd suggest putting some of the common things to all pages in a config.php file and require_once('config.php') at the top of each file.

This would be the database connection information, header and footer functions, css, etc.

I only read the code, I didn't run it, so that's all the input I have at the moment.

Magfersile
10-07-2007, 08:17 PM
Thanks for posting troybtj. About putting common code into a single file and including it as needed, I have been getting that a lot, but thanks for the input. Do you see anything else that could be improved or done differently?

ClarkF1
10-08-2007, 08:12 AM
Instead of including text files with the data that has to be entered manually, include .sql files with the necessary queries so that people can import the data using phpmyadmin

troybtj
10-10-2007, 03:55 PM
Looking more at it, you shouldn't use the user input directly in queries.

You can get a good sanitization library here:
http://www.owasp.org

It includes functions to clean up user input to prevent many types of attacks.

It gives you the following functions:


// Function list:
// sanitize_paranoid_string($string) -- input string, returns string stripped of all non
// alphanumeric
// sanitize_system_string($string) -- input string, returns string stripped of special
// characters
// sanitize_sql_string($string) -- input string, returns string with slashed out quotes
// sanitize_html_string($string) -- input string, returns string with html replacements
// for special characters
// sanitize_int($integer) -- input integer, returns ONLY the integer (no extraneous
// characters)
// sanitize_float($float) -- input float, returns ONLY the float (no extraneous
// characters)
// sanitize($input, $flags) -- input any variable, performs sanitization
// functions specified in flags. flags can be bitwise
// combination of PARANOID, SQL, SYSTEM, HTML, INT, FLOAT, LDAP,
// UTF8
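
As an added illustration of the point above (example code written for this thread, not from the posted game or from the OWASP library): the same player lookup written the unsafe way, with user input pasted into the SQL string, and the hardened way, with a prepared statement and bound parameters. Escaping quotes, which is what a sanitize_sql_string-style function does, is only a fallback; a prepared statement keeps the query text fixed so the input can never change its structure. The example uses PDO with an in-memory SQLite database so it runs stand-alone; the table name, columns, rows and the attacker string are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Requires PHP's pdo_sqlite extension.
// The players table, its rows and the attacker input are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, password TEXT, gold INTEGER)");
$db->exec("INSERT INTO players (name, password, gold) VALUES ('alice', 's3cret', 100), ('bob', 'hunter2', 250)");

// Vulnerable: the user-controlled strings become part of the SQL text, so a
// quote in the input ends the literal and the rest is parsed as SQL.
function loginUnsafe(PDO $db, string $name, string $password): array
{
    $sql = "SELECT name, gold FROM players WHERE name = '$name' AND password = '$password'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is a constant; values are sent separately as bound
// parameters and are compared as data, never parsed as SQL.
function loginSafe(PDO $db, string $name, string $password): array
{
    $stmt = $db->prepare("SELECT name, gold FROM players WHERE name = :name AND password = :password");
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Numeric ids from the query string are the other common case: cast to int
// and bind with an explicit type instead of concatenating.
function playerById(PDO $db, $id): ?array
{
    $stmt = $db->prepare("SELECT name, gold FROM players WHERE id = ?");
    $stmt->bindValue(1, (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed attacker input: closes the open quote and adds a tautology.
$attacker = "' OR '1'='1";

echo "unsafe, attacker input: " . count(loginUnsafe($db, $attacker, $attacker)) . " row(s)\n";
echo "safe,   attacker input: " . count(loginSafe($db, $attacker, $attacker)) . " row(s)\n";
echo "safe,   real login:     " . count(loginSafe($db, 'alice', 's3cret')) . " row(s)\n";
echo "by id,  '2abc':         " . json_encode(playerById($db, '2abc')) . "\n";
```

Run with `php example.php`. With the attacker string in both fields the unsafe query becomes `... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'`, which is true for every row, so loginUnsafe returns both players without a password; loginSafe returns no rows for the same input and exactly one row for alice's real credentials. The `(int)` cast in playerById turns `'2abc'` into 2, so only bob's row can come back, whatever else was appended to the id.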

Magfersile
10-15-2007, 09:42 PM
Thanks for your input guys, and thanks to everyone who took the time to look over my code. Feel free to continue posting in this thread if you want, but I am going to mark it as resolved.