SA-MP Forums Archive
Protecting Your MySQL-Enhanced Script - Printable Version




Protecting Your MySQL-Enhanced Script - Scenario - 26.11.2011

A lot of people have problems with their scripts getting stolen. Not necessarily the .pwn file, but the .amx file. Now, this may not be a problem with file-based scripts because you need the scriptfiles (or at least the folders) for things to work correctly. But what if your script uses MySQL?

Well! Now there is a simple way to protect yourself and all it requires is a single INI file located somewhere in your scriptfiles directory. You no longer need to keep all of your data inside the script itself!

Instead of me explaining how this is accomplished, I figured I could just provide some code. Please keep in mind that I am using BlueG's MySQL plugin and ******'s y_ini system.

pawn Code:
#include <a_samp>
#include <a_mysql>
#include <YSI\y_ini>

new
    SQL_HOST[30],
    SQL_DATA[30],
    SQL_USER[30],
    SQL_PASS[30],
    SQL_DEBUG;

main()
{
    if(fexist("Server Settings/Critical/sqlinfo.ini")) INI_Load("Server Settings/Critical/sqlinfo.ini"); // This must remain here to load the SQL settings.
    else
    {
        new INI:tempsqlinfo = INI_Open("Server Settings/Critical/sqlinfo.ini");
        INI_WriteInt(tempsqlinfo, "debug", 1);
        INI_WriteString(tempsqlinfo, "host", " ");
        INI_WriteString(tempsqlinfo, "user", " ");
        INI_WriteString(tempsqlinfo, "data", " ");
        INI_WriteString(tempsqlinfo, "pass", " ");
        INI_Close(tempsqlinfo);
       
        print("\n Critical Error: No MySQL information to load, server process automatically terminated! \n");
        SendRconCommand("exit");
    }
}

public OnGameModeInit()
{
    mysql_debug(SQL_DEBUG);
    mysql_connect(SQL_HOST, SQL_USER, SQL_DATA, SQL_PASS);
    return 1;
}

public OnGameModeExit()
{
    mysql_close();
    return 1;
}

INI:sqlinfo[](name[], value[]) // critical SQL information loading
{
    INI_Int("debug", SQL_DEBUG);
    INI_String("host", SQL_HOST, sizeof(SQL_HOST));
    INI_String("user", SQL_USER, sizeof(SQL_USER));
    INI_String("data", SQL_DATA, sizeof(SQL_DATA));
    INI_String("pass", SQL_PASS, sizeof(SQL_PASS));
    return 1;
}
I'm not going to explain the code above, it should be pretty straightforward to you. Good luck!


Re: Protecting Your MySQL-Enhanced Script - iggy1 - 26.11.2011

I would have thought storing your host/user/dbname/password in a plain text file would be A LOT more insecure than having them in an anti-deamx'd .amx file. Or am I missing something? (still early here)

I mean if they got your amx, then got this file (or made their own) they would have everything they need there to use the mode/database. (except knowing the db structure)

They could remotely drop your entire database with just that file no need for the .amx.
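
The risk raised in this post (credentials read from the file being enough to drop the database remotely) can be limited on the MySQL side. This is an added example, not part of the original thread; the database name `samp_gm`, the account `gm_app`, the address 203.0.113.10 and the password are constructed placeholders.

```sql
-- Constructed placeholders: schema `samp_gm`, account `gm_app`,
-- game-server address 203.0.113.10 (documentation range), password.

-- 1. Account that may only log in from the game server's own address,
--    so credentials copied out of sqlinfo.ini do not work from elsewhere.
CREATE USER 'gm_app'@'203.0.113.10'
    IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';

-- 2. Row-level work only: no DROP, ALTER, CREATE or GRANT OPTION,
--    so the account the gamemode uses cannot drop tables or the schema.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON `samp_gm`.* TO 'gm_app'@'203.0.113.10';

-- 3. Confirm what the account actually holds.
SHOW GRANTS FOR 'gm_app'@'203.0.113.10';

-- 4. Audit: accounts that accept connections from any host.
SELECT User, Host
FROM mysql.user
WHERE Host = '%';

-- 5. Audit: accounts holding destructive or grantable rights on the
--    game schema (schema-level grants only; global grants are listed
--    in information_schema.USER_PRIVILEGES).
SELECT GRANTEE, PRIVILEGE_TYPE, IS_GRANTABLE
FROM information_schema.SCHEMA_PRIVILEGES
WHERE TABLE_SCHEMA = 'samp_gm'
  AND (PRIVILEGE_TYPE IN ('DROP', 'ALTER', 'CREATE')
       OR IS_GRANTABLE = 'YES');
```

If the gamemode and MySQL run on the same machine, the host part of the account would be `localhost` instead of an address.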


Re: Protecting Your MySQL-Enhanced Script - Scenario - 26.11.2011

Quote:
Originally Posted by iggy1
I would have thought storing your host/user/dbname/password in a plain text file would be A LOT more insecure than having them in an anti-deamx'd .amx file. Or am I missing something? (still early here)

I mean if they got your amx, then got this file (or made their own) they would have everything they need there to use the mode/database. (except knowing the db structure)

They could remotely drop your entire database with just that file no need for the .amx.
You make a good point. However, I am more worried about them getting the .amx and being able to use my database, rather than getting the .amx and at most being able to create their own database.

I may look into a way of "hashing" the information stored in the INI file, but not really sure how possible that is.


Re: Protecting Your MySQL-Enhanced Script - Calgon - 26.11.2011

If they're going to steal the AMX, they're obviously going to steal the scriptfiles.

One of the best things to do is to try to create a plugin that hashes and verifies some machine-unique data, like the HDD serial + IP + MAC address.

Or, even better, in-script binding to a certain IP only, so they can only run it locally if they do snatch it.


Re: Protecting Your MySQL-Enhanced Script - Scenario - 26.11.2011

Quote:
Originally Posted by Calgon
If they're going to steal the AMX, they're obviously going to steal the scriptfiles.

The best thing to do is to try to create a plugin that hashes and verifies some machine-unique data, like the HDD serial + IP + MAC address.

Or, even better, in-script binding to a certain IP only, so they can only run it locally if they do snatch it.
When people get their hands on the NGRP script, they usually only get the .pwn file and then have to use the GF scriptfiles and edit them a little bit from what I've seen...


Re: Protecting Your MySQL-Enhanced Script - Calgon - 26.11.2011

Keyword is usually, and that's mainly because it's been leaked so many times. If someone's specifically targeting you, they're going to get everything they need.


Re: Protecting Your MySQL-Enhanced Script - Scenario - 26.11.2011

Quote:
Originally Posted by Calgon
Keyword is usually, and that's mainly because it's been leaked so many times. If someone's specifically targeting you, they're going to get everything they need.
I suppose that's true...

---

You mentioned "in-script binding to a certain IP only." How do you obtain the IP? Every time I use "GetServerVarAsString()" it doesn't return anything...


Re: Protecting Your MySQL-Enhanced Script - Calgon - 26.11.2011

Define your server IP in your script and retrieve the IP using GetServerVarAsString() then compare it, and if it's incorrect then shut the server down. I think this is how I did it, I remember using it in all of the vxrp modes and the one time the server was hacked, they got away with nothing except an AMX that'd print 1,000 times and delete itself.

Try again with the GetServerVarAsString method?

I remember in 'project salad' (the carlitos version of vxrp) in 2009, I found some code on the forums by ****** and added it:

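pawn Code:
new ip[16];
// Read the "bind" server variable (the address the server is bound to).
GetServerVarAsString("bind", ip, sizeof(ip));
// Refuse to continue if no bind is set or it differs from the BIND define.
if (!ip[0] || strcmp(ip, BIND))
{
    for (;;)
    {
        print("[SERVER] Unable to continue, the server's bind doesn't match the defined one.");
    }
}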
BIND is a define at the top of the script.


Re: Protecting Your MySQL-Enhanced Script - serman - 26.11.2011

Code:
This in script ..

#define mysql_host      GetHost ( )      // the IP of the host, should be displayed when you created the database
#define mysql_user      GetUser ( )      // database username
#define mysql_password  GetPassword ( )  // database password
#define mysql_database  GetDataBase ( )  // database name
Add all of these functions in one include..

Like
Example:
Code:
GetHost ( ) 
{
	new str25 [ 128 ] ;
	str25 = "host/ip" ;
	return str25 ;

}

GetUser ( )
{
	new str26 [ 128 ] ;
	str26 = "username" ;
	return str26 ;
}

GetPassword ( )
{
	new str27 [ 128 ] ;
	str27 = "password" ;
	return str27 ;
	
}

GetDataBase ( )
{
	new str28 [ 128 ] ;
	str28 = "nameofdatabase" ;
	return str28 ;
}

Make one include with this and add #include <yourincludename> into your script,
and then finally compile your script.


Re: Protecting Your MySQL-Enhanced Script - Scenario - 26.11.2011

Quote:
Originally Posted by Calgon
Try again with the GetServerVarAsString method?
I may have just had something wrong in my code, but I never got it working. I'll try it again here in a few and see what happens!

EDIT: Thanks for that!