  applets and sql security  (Read 3961 times)
Offline SunshineKiller

« Posted 2009-03-26 19:48:54 »

I'm not too familiar with applets, but I've been reading how they work and about the digital(?) signing if you don't use the pure Java library but use 3rd parties.

So I know I would want to restrict myself from using 3rd-party libraries, because most people are afraid to accept such things.

How would I best go about making a simple game that handles users and uses a MySQL database, and keeping it secure? Would JavaFX be a better way to go on this?

I was reading about making a servlet(?) that would handle the SQL -> servlet -> applet, which seems more of a pain to go through, so I wanted to see what everyone thought on here for some ideas or the best ways to go about this. Thanks.

Check out my Development Blog: Scotts Creations (http://www.scottscreations.com) | Games in Development: Mech Warfare (http://mechwarfare.scottscreations.com) | Mech Warfare: Facebook Edition | Game Master
Offline h3ckboy
« Reply #1 - Posted 2009-03-26 20:04:38 »

just for users?

if so then PHP all the way.

easy to learn, easy to use.
Offline SunshineKiller

« Reply #2 - Posted 2009-03-26 21:53:59 »

Quote
just for users?

if so then PHP all the way.

easy to learn, easy to use.

Yeah, I'm still deciding. It would be cooler to do something more dynamic on the client side: it's where users log in, interact with information and a database, and it spits out stuff within, say, a console window, and since it would be client based the user wouldn't have to refresh their webpage for the updated information. So I'm still trying to decide what I want to do this in; I'm now interested in JavaScript since it's client side and can interact with PHP..? Thanks for the reply.

Offline DzzD
« Reply #3 - Posted 2009-03-26 22:11:29 »

Quote
How would I best go about making a simple game that handles users and uses a MySQL database, and keeping it secure? Would JavaFX be a better way to go on this?


the easiest is probably:

PHP ====> MySQL   (server side)
     /\
     ||
HTTP call with session id (using HttpURLConnection and/or a socket)
     ||
     \/
unsigned applet (client side)


your applet tag may give the applet the PHP session id that you will use in your PHP calls later (something like the following):

<APPLET ...code=... >
<PARAM NAME=PHPSESSID VALUE="<?=session_id();?>">
</APPLET>


in the applet you get the session id and you add it to all your HTTP calls:

String id = getParameter("PHPSESSID");


finally, to be sure to keep the right session server side, you fix the session again:

<?php
// session_id() must come before session_start(); accept only a well-formed id from the PARAM tag (you can also use $_POST or rename PHPSESSID)
if (isset($_GET['PHPSESSID']) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_GET['PHPSESSID'])) {
    session_id($_GET['PHPSESSID']);
}
session_start();
// your PHP-to-MySQL code goes here
?>



EDIT
Quote
How would I best go about making a simple game that handles users and uses a MySQL database, and keeping it secure? Would JavaFX be a better way to go on this?


before reaching your applet page you can do a simple login/pass in PHP as usual, which will initialise your session id

Offline SunshineKiller

« Reply #4 - Posted 2009-03-27 00:02:29 »




OK, I understand passing the session. Thanks, by the way, for the detailed reply.

How do I go about doing SQL commands within the applet? Is that possible while keeping it fairly secure?

Would I just use the SQL library and tell the PHP to send the connection info and have the applet establish a connection with the SQL server to do queries?

Offline DzzD
« Reply #5 - Posted 2009-03-27 01:14:20 »

Quote
How do I go about doing SQL commands within the applet? Is that possible while keeping it fairly secure?

you don't send SQL from the applet to PHP, you send an "instruction" to PHP, then PHP sends the SQL to MySQL. No SQL between applet & PHP and no database access from the applet.

scenario:
the applet requests user names, for example it asks for the page users.php
users.php asks the MySQL database => SELECT names FROM users etc....

Offline SunshineKiller

« Reply #6 - Posted 2009-03-27 02:31:29 »

Quote
you don't send SQL from the applet to PHP, you send an "instruction" to PHP, then PHP sends the SQL to MySQL. No SQL between applet & PHP and no database access from the applet.

scenario:
the applet requests user names, for example it asks for the page users.php
users.php asks the MySQL database => SELECT names FROM users etc....


OK, that makes sense. I'm gonna have to try it this weekend, thanks.

Offline SunshineKiller

« Reply #7 - Posted 2009-04-04 21:49:49 »

I need a little more help.

Here is my HTML part (it was PHP, but I made it plain HTML to make it easier to find the bug).

   <applet code=MechApplet.class width=650 height=460>
      <param name="what" value="hi2">
   </applet>
   
Then the .java part:

private String test3 = "hi"; // just to make it not null at start

In my init part:

      test3 = getParameter("what");
      System.out.println(test3);

I'm getting a null pointer. Am I doing something wrong, missing a step? Wouldn't getParameter get the "what" param and make it "hi2"?

Offline Hsaka
« Reply #8 - Posted 2009-04-05 01:20:05 »

Try this:

<applet code=MechApplet.class width=650 height=460>
   <param name=what value="hi2">
</applet>


That is, remove the quotes from the parameter name.
As seen here : http://java.sun.com/j2se/1.4.2/docs/api/java/applet/Applet.html#getParameter(java.lang.String)
Offline SunshineKiller

« Reply #9 - Posted 2009-04-05 01:49:43 »

Duh, I think that did it, the error is gone; not sure until I have it output onto the textarea I have. Thanks, I really appreciate the help.

Offline SunshineKiller

« Reply #10 - Posted 2009-04-05 03:28:23 »

OK, just wanted to confirm it does work. My stupid XAMPP wasn't running it right, so I uploaded it to my server and voilà! It works Cheesy

Offline Cocosinus

« Reply #11 - Posted 2009-04-07 17:51:46 »

Maybe I'm making useless comments because they are obvious, but if you want security you need to avoid 2 things:
1) Having the applet communicate with the database
2) Having the applet communicate with PHP with any other method than POST

A database access needs a password, so if your applet knows the password, any client also does. Therefore only a PHP page on the server knows the password and accesses the database.
Now if you want to prevent users from using this PHP page to make diverse requests and try to find a crack in your security, you want to use the POST method (as opposed to GET or whatever) for the applet to transmit info to the PHP page. I think there will always be a security issue with an applet not shutting its mouth, but oh well...

       Client                                Server
                              |
applet>>>>>>>>    |  >>>>>>>>database
applet--------------- | ------ php >>>>>>database
                              |

>>>>> critical info
-------- ohwell info

you want to keep critical communications on the server side :-)
If you need Java/PHP/SQL commands related to that just let me know

PS: yeaaaah, now I feel like I'm not just being an ass that uses this forum to advertise a game, but I also contribute (even if it's useless)
Offline Mike

« Reply #12 - Posted 2009-04-07 18:45:28 »


POST or GET doesn't really matter as far as security goes, except for noob hackers, but they aren't the problem anyway Smiley To make it a bit better you can send (and check) referrer info, but that doesn't solve it either, seeing as sniffers/Java decompiling would reveal that as well. The best security you can have is to handle as much as possible using PHP, log what users do and ban their IP when they feed the PHP page without using the applet.

For example, say that I want to hit a person in my game and have it stored in a database. Instead of sending the damage to the PHP page, let PHP handle the damage and only tell PHP "I want to hit this person".

My current game, Minecraft meets Farmville and goes online Smiley
State of Fortune | Discussion thread @ JGO
Offline Orangy Tang

« Reply #13 - Posted 2009-04-07 19:04:01 »

Quote
Now if you want to prevent users from using this PHP page to make diverse requests and try to find a crack in your security, you want to use the POST method (as opposed to GET or whatever) for the applet to transmit info to the PHP page.
POST vs. GET is not about security (since both send the data as plain text) but about idempotence. Trying to subvert them for flimsy security reasons is not a good idea.

Idempotent methods (like GET) should not have any effect on the webserver, and may be cached by transparent proxies along the way. That's the real reason why you should use POST for score submission (which will not be cached or reused in any way).

[ TriangularPixels.com - Play Growth Spurt, Rescue Squad and Snowman Village ] [ Rebirth - game resource library ]
Offline DzzD
« Reply #14 - Posted 2009-04-07 19:12:47 »

Quote
2) Having the applet communicate with php with any other method than POST
heu... once again... no interest in using POST rather than GET for security... POST is more usable for bigger sizes of data; the GET size limit is a bit random, even if some RFC tells you it is N octets, depending on the server it may change

Offline Cocosinus

« Reply #15 - Posted 2009-04-07 20:11:48 »

Sorry sorry, I didn't try to say POST is secure, it's "oh well"  Grin
Another way is having a coding sequence known by the server and the applet (like a pseudo-random loop big enough) and using it to communicate. Therefore you don't care about info in the clear, you just care about Java decompiling, which I don't know anything about (can we make it difficult?). If the pseudo-random algorithm is hard enough to figure out, a hacker will need to wait till it loops, and this can take a while!
Offline SunshineKiller

« Reply #16 - Posted 2009-04-07 20:56:25 »

Yeah, I plan on doing POST, with my PHP doing the SQL stuff and my client just getting data from the PHP and sending data to the PHP, and of course an IP banlist.

Offline Mike

« Reply #17 - Posted 2009-04-07 21:23:53 »

Quote
Sorry sorry, I didn't try to say POST is secure, it's "oh well"  Grin
Another way is having a coding sequence known by the server and the applet (like a pseudo-random loop big enough) and using it to communicate. Therefore you don't care about info in the clear, you just care about Java decompiling, which I don't know anything about (can we make it difficult?). If the pseudo-random algorithm is hard enough to figure out, a hacker will need to wait till it loops, and this can take a while!

It isn't hard to crack that system; Java decompiling is extremely easy and 100% precise due to the bytecode.

There are a couple of ways to make it harder to figure your logic out, where the handiest one is to obfuscate your code.

Still, as I said in the previous post, the best way is to let PHP handle as much as possible instead of relying on the parameters you post.

Offline DzzD
« Reply #18 - Posted 2009-04-07 21:33:57 »

As said by Mickelukas, if you want to avoid players cheating, perform all your logic server side.

If you want to manage user accounts, just use standard session login/pass => session id; one possible way is explained in one of my posts above.

And finally if you want data to be exchanged in a secure manner between client and server (not viewable by a network sniffer) then look at SSL and use https.

Offline ddyer

« Reply #19 - Posted 2009-04-07 21:46:30 »

It's important to keep in mind that the formalism of "not sending SQL from the applet" is
a necessary but not sufficient condition.  If the language the applet uses to instruct the
agent that constructs the SQL is tantamount to SQL, you've only changed the "sql injection"
hazard into a "your private language injection" hazard.  To whatever extent you trust the
applet to only make legal requests, you are vulnerable to abuse; and ultimately, no agent
on the thin end of the wire can be completely trustworthy.
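A server-side entry point of the kind DzzD (Reply #5), Mike (Reply #12) and ddyer describe, as an added example that is not code from the thread: the applet posts its session id and one fixed verb, the PHP page owns every line of SQL, computes the damage itself and logs anything that is not on the list. It assumes a login page that already set $_SESSION['user_id'] and a db() helper in ../private/db.php that returns a PDO connection; both are assumptions.

```php
<?php
// action.php: the single page the applet talks to. Added example, not code
// from the thread. Assumes a login page already set $_SESSION['user_id'] and
// that db() (hypothetical helper in ../private/db.php) returns a PDO connection.
declare(strict_types=1);
require __DIR__ . '/../private/db.php';

// An applet's HttpURLConnection may not carry the browser's cookies, so the
// applet posts the id it got from the PARAM tag (DzzD's approach); accept only
// a well-formed id before resuming the session.
if (isset($_POST['PHPSESSID'])
    && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_POST['PHPSESSID'])) {
    session_id($_POST['PHPSESSID']);
}
session_start();
header('Content-Type: application/json');

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'not logged in']));
}
$me = (int) $_SESSION['user_id'];

// The applet never sends SQL, only one of a few fixed verbs. Everything else is
// rejected, which keeps ddyer's "private language" as small as it can be.
$action = $_POST['action'] ?? '';

switch ($action) {
    case 'list_users':
        // Fixed query: no client-supplied text reaches the SQL at all.
        $rows = db()->query('SELECT id, name FROM users ORDER BY name')
                    ->fetchAll(PDO::FETCH_ASSOC);
        echo json_encode($rows);
        break;

    case 'hit':
        // The client only states an intent ("hit player N"); the server decides
        // whether that is allowed and how much damage it does.
        $target = filter_input(INPUT_POST, 'target', FILTER_VALIDATE_INT,
                               ['options' => ['min_range' => 1]]);
        if ($target === false || $target === null || $target === $me) {
            http_response_code(400);
            exit(json_encode(['error' => 'bad target']));
        }
        $damage = random_int(5, 15);   // game rule lives here, not in a POST field
        $stmt = db()->prepare(
            'UPDATE users SET hp = GREATEST(hp - :dmg, 0) WHERE id = :id');
        $stmt->execute([':dmg' => $damage, ':id' => $target]);
        echo json_encode(['target' => $target, 'damage' => $damage,
                          'updated' => $stmt->rowCount()]);
        break;

    default:
        // Requests that did not come from the applet end up here; log the
        // source so repeat offenders can be banned, as Mike suggests.
        error_log(sprintf('action.php: unknown action %s from %s',
                          json_encode($action), $_SERVER['REMOTE_ADDR'] ?? '?'));
        http_response_code(400);
        exit(json_encode(['error' => 'unknown action']));
}
```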
Offline Mike

« Reply #20 - Posted 2009-04-07 22:42:26 »

Quote
And finally if you want data to be exchanged in a secure manner between client and server (not viewable by a network sniffer) then look at SSL and use https.

Indeed, but always expect everyone to know all of your Java code and always expect the parameters sent to PHP to be sent by someone trying to break your server/database, and you should be fine Smiley

Offline SunshineKiller

« Reply #21 - Posted 2009-04-08 01:14:41 »

I'm not too worried about the player cheating as much as an SQL injection dropping the whole database. Most stuff is server side, and the game is mainly made up of buttons and simple text inputs which change data on the screen, then every few seconds the new stats are updated from the app to the PHP to the DB. This is a somewhat interesting thread though. Smiley

Online Riven
« Reply #22 - Posted 2009-04-08 01:33:47 »

Just make one or two functions that check/escape/validate all input.



// sqlencode() stands for your own escaping helper; every request parameter
// goes through it once, before any of it gets near a query
foreach($_GET as $key => $val)
{
   $_GET[$key] = sqlencode(urldecode($val));
}

foreach($_POST as $key => $val)
{
   $_POST[$key] = sqlencode(urldecode($val));
}



Never ever pass input directly into your database, or use it directly in your include($_GET['p'].".php").


If you connect to your database, you need a user/pass. Do not store this in a file that is reachable by HTTP. Also, because PHP is rather verbose with its stack traces, never do:


function connect($user, $pass)
{
   // connect to DB
}


because the resulting stacktrace from an uncaught Exception that PHP throws SHOWS THE METHOD ARGUMENTS...


PHP stacktrace: (for everybody to see)
 - ....
 - game.php line 32 => init()
 - db.php line 80 => connect("myuser", "secret") -- ooops!
 - sql.php line 108 => impl()
 - ....

Hi, appreciate more people! Σ ♥ = ¾
Learn how to award medals... and work your way up the social rankings
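A connection helper that follows Riven's two points above, as an added example (not Riven's code): the credentials live in a file outside the document root, no function ever receives them as arguments that a stack trace could print, and a failed connect is logged rather than shown to the browser. The file layout (../private/db.php next to a db.ini with keys host, name, user, pass) is an assumption.

```php
<?php
// db.php: lives outside the web root (hypothetical path ../private/), so it can
// never be fetched over HTTP. Added example following Riven's post, not his code.
declare(strict_types=1);

// Never show errors to the browser; a PHP trace prints function arguments.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// No $user/$pass parameters anywhere: a frame like connect("myuser", "secret")
// cannot appear in a trace if no function ever receives the credentials.
function db(): PDO
{
    static $pdo = null;
    if ($pdo instanceof PDO) {
        return $pdo;
    }
    // Credentials come from an ini file beside this script (assumed keys
    // host, name, user, pass), also outside the document root.
    $cfg = parse_ini_file(__DIR__ . '/db.ini');
    if ($cfg === false) {
        error_log('db.php: db.ini missing or unreadable');
        http_response_code(500);
        exit('database unavailable');
    }
    try {
        $pdo = new PDO(
            "mysql:host={$cfg['host']};dbname={$cfg['name']};charset=utf8mb4",
            $cfg['user'],
            $cfg['pass'],
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
             PDO::ATTR_EMULATE_PREPARES => false]
        );
    } catch (PDOException $e) {
        // The trace of this exception contains the PDO constructor call, password
        // included; log the message only and give the client a generic answer.
        error_log('db.php: connection failed: ' . $e->getMessage());
        http_response_code(500);
        exit('database unavailable');
    }
    return $pdo;
}
```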
Offline SunshineKiller

« Reply #23 - Posted 2009-04-12 03:15:28 »

OK, need a little help again.

PHP array to Java applet array?
Is this possible?

Online Riven
« Reply #24 - Posted 2009-04-12 13:46:02 »

In Java: convert array to String
In PHP: convert String to array

encoding to hex or base64 is probably easiest

Offline Mike

« Reply #25 - Posted 2009-04-12 18:25:06 »

Also, remember to gzip the data you're sending between PHP and the applet if you're expecting a lot of data; it helps a lot with keeping the transferred KB down.

Offline SunshineKiller

« Reply #26 - Posted 2009-04-12 19:14:08 »

OK so the best way is to make the PHP array into a string and then hex, pass it through the parameter, then have Java convert it to a string array. Gzip, good idea, I'll have to look into that.

I'm trying to get a giant list from my DB via PHP to Java.

Online Riven
« Reply #27 - Posted 2009-04-12 22:20:11 »

Quote
Also, remember to gzip the data you're sending between PHP and the applet if you're expecting a lot of data; it helps a lot with keeping the transferred KB down.

It depends... GZ might shrink your traffic, but increases CPU usage... a lot.

It's simply about which resource is most valuable to you.

Offline Mike

« Reply #28 - Posted 2009-04-12 23:36:58 »

Quote
It depends... GZ might shrink your traffic, but increases CPU usage... a lot.

It's simply about which resource is most valuable to you.

I also send a lot of data over from a MySQL server to an applet, and the time taken decreases noticeably when gzipping the data (sending about 3 MB of uncompressed data when the applet starts, which results in about 300-500 KB after compression).
