1. SA-MP Forums Archive
  2. SA-MP Scripting and Plugins
  3. Scripting Help

Threaded Mode
MySQL credentials in a text file
Crucial
Little Clucker
**
Posts: 3
Threads: 2
Joined: Nov 2013
Reputation: 0
#1

06.02.2014, 14:35
ɴᴏᴛᴇ: ᴍʏsǫʟ ʀᴇʟᴀᴛᴇᴅ ǫᴜᴇsᴛɪᴏɴ
Hello, Crucial here with a quick question.

I want to prevent my MySQL Credentials from being at danger if the .amx file from my server is leaked, the solution to this which I have already seen in multiple scripts is having the credentials on a text file which the script reads from. So if the .amx is leaked nobody could see my database credentials from it!

My question is how do I do it? Do I just '#include' the text file at the top of the script? I've seen the VX-RP script where there was a .txt file in the 'scriptfiles' folder in the following format:
Quote:
SQL_HOST | SQL_USER | SQL_PASS | SQL_DB
The file had nothing but the IP address of the host, the username, password and database name with pipelines seperating them. Thanks in advance to anyone whose willing to help!
Find
Reply
Camacorn
Gangsta
****
Posts: 721
Threads: 58
Joined: Sep 2009
Reputation: 0
#2

06.02.2014, 14:38
Unless you intend on using some form of encryption, I highly suggest not doing this, as if someone was able to steal your script, they would have no issue taking a plain text file. And even then, I still wouldn't suggest doing this.

Not to mention that when a gamemode is compiled, the includes are compiled into the .amx file, so you would be defeating the purpose.
Find
Reply
RajatPawar
High-roller
*****
Posts: 2,187
Threads: 81
Joined: Aug 2011
Reputation: 0
#3

06.02.2014, 14:38
.amx is probably more secure than a .txt file, because you need to have a tool to revert the AMX to a PWN file. TXT files can directly be accessed if their name's known. Your best shot at better security is -

1) Create a PHP file
2) Include checks in it and see if the machine accessing it has an allowed IP.
3) Through HTTP, get the credentials.
Find
Reply
PowerPC603
High-roller
*****
Posts: 1,733
Threads: 20
Joined: Nov 2010
Reputation: 0
#4

06.02.2014, 15:13
You can open the .amx in a hex-editor and read the login data for MySQL if they're defined using #define.
I opened mine and I can clearly see my IP address, username, password and database to which my script connects to MySQL.
It's not plain text though, as every character has some character between them (looks like the euro-sign).
http://users.telenet.be/vge/downloads/AMXfile.jpg

If you look closely, you'll see this text (marked in red), see the right side of the program (every character has Ђ between them):
- PPC support filterscript initializing
- 127.0.0.1
- PowerPC603
- ppctrucking
- SomePass
- Connecting to MySQL was successful
- ERROR: connecting to MySQL failed, shutting down server...

So the amx is not entirely safe for storing sensitive data.
Of course, the password was changed to SomePass for showing this data, it's not my real password.

You could of course create a function that creates the credentials using some algorithm, but it may get complex.
Find
Reply
« Next Oldest | Next Newest »


Forum Jump:


Users browsing this thread: 1 Guest(s)
  1. SA-MP Forums Archive
  2. SA-MP Scripting and Plugins
  3. Scripting Help