0 favourites
  • 4 posts
From the Asset Store
10 Royalty free music tracks for your indie games and projects.
  • Hi, I'm looking to set up an arcade (like the one here) on my own website, which will let people upload Construct 2 games to it.

    I'm wondering what needs to be done to do this.

    I know HTML/JS and PHP, but I am not all too good at security of file uploads and such. I know that allowing joe public to upload a HTML and Javascript project right onto the server isn't good.

    If there's not already a quick plugin to throw on my site, does anyone have info on how to secure user uploads like this?

  • Try Construct 3

    Develop games in your browser. Powerful, performant & highly capable.

    Try Now Construct 3 users don't see these ads
  • I think it will be difficult for you, unless you find a way to use the exported scirra arcade zip (not even sure if you are allowed!)

    If you can't, I know nothing about these things, but I tend to doubt it as scirra exports for its arcade radically different from their normal export...

  • Wyatt

    A pretty similar question to yours was asked by another Constructor just a week ago. Here's the link. It could be more useful to continue the discussion in that thread.

    You're right to wonder about security - it's a really big issue in this sort of server application and is a much bigger topic than can usefully be covered here.

  • If you already know the necessary server-side coding, there are just a few really important points you need to know:

    • run the game in an iframe on a different domain to your website. We run the games off, and the parent frame is These count as different domains, and the browser blocks the iframe accessing anything in a different domain, meaning the website's info is safe from the game. (This is the same principle that stops any website AJAX'ing Facebook in the background to get your personal info.) You can also try sandbox="allow-scripts" on the iframe for extra security.
    • have a whitelist of allowed file extensions or filenames - do *not* allow anyone to upload any .aspx, .php files etc! Just have a whitelist of files that are allowed e.g. index.html, *.js, *.png, and reject anything else.
    • it's best to manually verify all entries to ensure there's nothing obviously malicious going through.

    Our arcade actually has extra steps to ensure double security: the Arcade export format is data-only, so the user does not actually upload any javascript code at all. This means the games only ever use our official runtime code and previously approved plugins. However this is technically complex to set up - you should be OK with the above steps only.

Jump to:
Active Users
There are 1 visitors browsing this topic (0 users and 1 guests)