MySQL credentials in a text file -
Crucial - 06.02.2014
NOTE: MySQL related question
Hello, Crucial here with a quick question.
I want to prevent my MySQL credentials from being in danger if the .amx file from my server is leaked. The solution to this, which I have already seen in multiple scripts, is having the credentials in a text file which the script reads from. So if the .amx is leaked nobody could see my database credentials from it!
My question is how do I do it? Do I just '#include' the text file at the top of the script? I've seen the VX-RP script where there was a .txt file in the 'scriptfiles' folder in the following format:
Quote:
SQL_HOST | SQL_USER | SQL_PASS | SQL_DB
The file had nothing but the IP address of the host, the username, password and database name with pipelines separating them. Thanks in advance to anyone who's willing to help!
Re: MySQL credentials in a text file -
Camacorn - 06.02.2014
Unless you intend on using some form of encryption, I highly suggest not doing this, as if someone was able to steal your script, they would have no issue taking a plain text file. And even then, I still wouldn't suggest doing this.
Not to mention that when a gamemode is compiled, the includes are compiled into the .amx file, so you would be defeating the purpose.
Re: MySQL credentials in a text file -
RajatPawar - 06.02.2014
.amx is probably more secure than a .txt file, because you need to have a tool to revert the AMX to a PWN file. TXT files can directly be accessed if their name's known. Your best shot at better security is -
1) Create a PHP file
2) Include checks in it and see if the machine accessing it has an allowed IP.
3) Through HTTP, get the credentials.
Re: MySQL credentials in a text file -
PowerPC603 - 06.02.2014
You can open the .amx in a hex-editor and read the login data for MySQL if they're defined using #define.
I opened mine and I can clearly see my IP address, username, password and database to which my script connects to MySQL.
It's not plain text though, as every character has some character between them (looks like the euro-sign).
http://users.telenet.be/vge/downloads/AMXfile.jpg
If you look closely, you'll see this text (marked in red), see the right side of the program (every character has Ђ between them):
- PPC support filterscript initializing
- 127.0.0.1
- PowerPC603
- ppctrucking
- SomePass
- Connecting to MySQL was successful
- ERROR: connecting to MySQL failed, shutting down server...
So the amx is not entirely safe for storing sensitive data.
Of course, the password was changed to SomePass for showing this data, it's not my real password.
You could of course create a function that creates the credentials using some algorithm, but it may get complex.
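The hex-editor check from the last post can be scripted, shown here as an added example that is not part of the original thread: given secrets you already know, it reports whether a compiled .amx holds them in readable form. It generalizes the observation in the post by allowing at most one arbitrary byte between neighbouring characters; the function names, the 0x80 filler and the sample bytes are constructed for illustration and are not taken from a real .amx.

```python
import re

def build_pattern(secret: str) -> "re.Pattern[bytes]":
    """The secret's bytes with at most one arbitrary byte between neighbours."""
    chars = [re.escape(bytes([b])) for b in secret.encode("latin-1")]
    return re.compile(b".?".join(chars), re.DOTALL)

def scan_image(data: bytes, secrets: dict) -> list:
    """Report every place a known secret is readable in a compiled image."""
    findings = []
    for label, value in secrets.items():
        if not value:
            continue  # an empty secret would match at every offset
        for m in build_pattern(value).finditer(data):
            layout = "contiguous" if len(m.group(0)) == len(value) else "interleaved"
            findings.append({"label": label, "offset": m.start(), "layout": layout})
    return findings

def interleave(text: str, filler: int = 0x80) -> bytes:
    """Constructed test data: one filler byte in front of every character."""
    return b"".join(bytes([filler, b]) for b in text.encode("latin-1"))

# Constructed stand-in for a compiled script, using the sample values from the post.
SAMPLE_IMAGE = (b"\x00" * 16 + interleave("127.0.0.1") + b"\x00"
                + interleave("SomePass") + b"\x00"
                + b"Connecting to MySQL was successful")

if __name__ == "__main__":
    import sys
    # Usage: python scan_amx.py gamemode.amx   (no argument: scan the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    known = {"host": "127.0.0.1", "password": "SomePass"}  # replace with your own values
    for f in scan_image(data, known):
        print(f"{f['label']}: readable at offset {f['offset']} ({f['layout']})")
```

Any finding means the value can be read from the file without decompiling it, so the compiled script has to be protected like the credentials themselves.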