Download from the Internet
#1

Hi,
I am making a script but I don't want to trust the source to the people so I want to prevent one thing but that is not enough.
A bit of the source is exposed and can be exploited in the Include file so I need to hide it, where is it better hiding in my server somewhere in a secret folder?
But I got a problem, how do I load the file?
I've already got HTTP and FTP but every time you do http:// it will comment the file.
So how do I do things like temporarily read the file for one use only?
#2

Quote:
Originally Posted by Jeroen52
Hi,
I am making a script but I don't want to trust the source to the people so I want to prevent one thing but that is not enough.
A bit of the source is exposed and can be exploited in the Include file so I need to hide it, where is it better hiding in my server somewhere in a secret folder?
But I got a problem, how do I load the file?
I've already got HTTP and FTP but every time you do http:// it will comment the file.
So how do I do things like temporarily read the file for one use only?
AntiDeAMX
#3

Quote:
Originally Posted by FireCat
AntiDeAMX
I've read it and I like to do it but a lot of things that make my database vulnerable are in the Include file, like passwords, server IP, and a few things that I need to keep secret, how do I do it into the pawn and away from the public but the server can still load it?
#4

Quote:
Originally Posted by ******
It shouldn't be on a public part of your server - don't put it under the "web" section of your host. The source shouldn't be online anyway, but if you're talking about people extracting the password from the compiled AMX then there are a few things you can do. Firstly ensure that the database username and password you are using have minimal permissions and that the database and user are unique to your SA:MP server. Failing this make sure that you use a different user to connect to the database from other places. Or better yet don't put the password in the file at all, write a RCON command to load the username and password, so every time you start the server the first thing you do is:

Code:
db_login <user> <pass>
But the ultimate defence is just not letting people have access to your server in the first place.
I don't get what you mean but it is supposed that people don't know the password of the MySQL Database and the functions because if they do the bad owner/admin of a server can ban innocent people from a lot of servers with a command instead that the Anti-Cheat bans them, I also got a system for that so it won't be abused.
#5

Yes I know that but they can change their own script so they can access my database and add new bans (bans like for nothing) and the IPs are innocent people that did nothing wrong and are banned from a lot of servers.
#6

Quote:
Originally Posted by ******
I don't understand why they can access your database, are they not running on a different (virtual) machine? If not, why not? It sounds like you are trying to run a hosting service without the first bit of knowledge about hosting/managing servers. If multiple people are on the same host as you and all you're worried about is people adding fake bans you're going to be sorely disappointed when your database just gets deleted for the fun of it.
Well let me explain a little.
I got a few passwords for a database containing bans, they download a script that wipes all Cheaters from a lot of servers (Global Ban System) which is only a .amx and maybe an a_mysql.inc, they can add it if they got the password and that's how they are gonna abuse it because if they can access it they can ban a lot of people wrongfully from a lot of servers.
#7

Put only the .amx files, then nobody can edit your script
#8

Chmod the file to 700 if you are on Linux, then only your user can see it.
#9

Quote:
Originally Posted by linuxthefish
Chmod the file to 700 if you are on Linux, then only your user can see it.
Yes but how do I put it in the Pawn that it loads some .inc from the internet?
#10

Is there a way to hash the .inc file so it isn't readable until you load it into Pawn?
#11

Quote:
Originally Posted by Y_Less
I still don't understand why you are downloading a file from the internet with your passwords in. The whole topic makes no sense. What is it that you want to achieve in the end - forget about how you think you want to do it and just talk in terms of what you want in the end. There may be a better way of doing it.
That file contains functions and passwords that could destroy gameplay experience but I still want the thing to be open for use.
Like if you download the AMX it got nothing with it, but when you load it it is gonna read a file on the internet that gives access to a database with all the bad people in it but you can't see the code or change it because it is in .AMX and the .inc is disappearing after you've unloaded the script so everything in that .inc file is safe from people that can log onto PHPMyAdmin and add a lot of innocent people into the database or discover the function and ban a lot of people.
But if you got a better way to store MySQL names and functions from jBan in a Pawn file I am open for changes.
#12

Why would you need to distribute the .inc file if you're only distributing the .amx? You know that .inc is compiled into the .amx, right?
#13

This topic gave me a very interesting idea for a plugin....
"Secure Password Container"
Yet I have to think about how to 'secure' the retrieving and storing of the passwords. lol.

the problem is I will have to release the source.. ~.~
which makes 'secure' a very very .. I don't know the word for it but it's like 'secure' doesn't really exist with open source software.
#14

Quote:
Originally Posted by Jeroen52
But if you got a better way to store MySQL names and functions from jBan in a Pawn file I am open for changes.
Wait what? You're storing what from jBan in a PAWN file? I don't really understand what you mean, although this is related to my include so I feel compelled to respond and help you figure out this.

Edit: Okay, I understand what you mean now. Well if you're giving other people access to your script to edit then you're basically giving them access to information about the MySQL server, which is bad I guess, but they also have access to your script so they could technically write any code they wanted to in there and still mess with your server right, without needing to know the MySQL server details?

Although if you wanted to make it more secure, you could make a small edit so that the include reads the server details from a file that you only have on the server. Then you won't need to share your MySQL server information.
#15

Quote:
Originally Posted by JaTochNietDan
Wait what? You're storing what from jBan in a PAWN file? I don't really understand what you mean, although this is related to my include so I feel compelled to respond and help you figure out this.

Edit: Okay, I understand what you mean now. Well if you're giving other people access to your script to edit then you're basically giving them access to information about the MySQL server, which is bad I guess, but they also have access to your script so they could technically write any code they wanted to in there and still mess with your server right, without needing to know the MySQL server details?

Although if you wanted to make it more secure, you could make a small edit so that the include reads the server details from a file that you only have on the server. Then you won't need to share your MySQL server information.
But doesn't the .inc file have to be in the include folder of the person you give the script to so they can run it?
#16

Yes it does. Like I said, you can edit the include so that it reads the MySQL server information from a file that you ONLY store on your server. Therefore you will not have to provide those details to other people when they are editing/compiling the script.
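The approach from posts #14 and #16, sketched in Pawn as an added example (it is not code from jBan or from anyone in the thread): the script reads the database settings at startup from a file that exists only in the server's scriptfiles directory, so nothing secret is compiled into the distributed .amx. The file name `db_credentials.cfg`, the `key=value` layout and all function and variable names are assumptions made for this example.

```pawn
// Added example: load database settings from a server-only file at startup.
// File name, key names and helper names are assumptions for illustration.
#include <a_samp>

#define CRED_FILE "db_credentials.cfg"   // resolved inside scriptfiles/
#define MAX_CRED  64

new gDbHost[MAX_CRED], gDbUser[MAX_CRED], gDbPass[MAX_CRED], gDbName[MAX_CRED];

// Copies the value of a "key=value" line into dest; returns 1 if the key matched.
stock ReadKey(const line[], const key[], dest[], size)
{
    new eq = strfind(line, "=");
    if (eq != strlen(key) || strcmp(line, key, false, eq) != 0) return 0;
    strmid(dest, line, eq + 1, strlen(line), size);
    return 1;
}

// Returns 1 only when every setting was found; 0 on a missing or partial file.
stock LoadDbCredentials()
{
    if (!fexist(CRED_FILE)) return 0;
    new File:f = fopen(CRED_FILE, io_read);
    if (!f) return 0;

    new line[128], len;
    while ((len = fread(f, line)) > 0)
    {
        // Strip CR/LF so the last character of a value is not a line ending.
        while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) line[--len] = '\0';
        if (len == 0 || line[0] == '#') continue;   // blank line or comment
        if (ReadKey(line, "host", gDbHost, MAX_CRED)) continue;
        if (ReadKey(line, "user", gDbUser, MAX_CRED)) continue;
        if (ReadKey(line, "pass", gDbPass, MAX_CRED)) continue;
        ReadKey(line, "name", gDbName, MAX_CRED);
    }
    fclose(f);
    return (gDbHost[0] && gDbUser[0] && gDbPass[0] && gDbName[0]) ? 1 : 0;
}

public OnGameModeInit()
{
    if (!LoadDbCredentials())
    {
        // Never log the values themselves, only the fact that loading failed.
        print("[db] " CRED_FILE " missing or incomplete, not connecting.");
        return 1;
    }
    // Hand gDbHost/gDbUser/gDbPass/gDbName to the MySQL plugin's connect call
    // here; its argument order depends on the plugin version, so it is omitted.
    return 1;
}
```

The credentials file stays out of any web-served directory and is never shipped with the .amx; people compiling or editing the script need only the include, not the values.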