Using php script from BMax?


MRaven(Posted 2005) [#1]
Hi,

I want to create an online highscore using a php script. But I have a problem accessing the php script.

is_online:TStream = OpenStream("http::moon-software.de")
WriteLine is_online, "GET /iscore/iscore.php?user=BlitzMax&score=1000 HTTP/1.1"

Repeat
	' reading header, line by line, until the script's marker or end of stream
	trash$ = Trim(ReadLine(is_online))
Until Left(trash$, 7) = "[BEGIN]" Or Eof(is_online)


Using something like the above I only get the HTML code of my webpage; I am not able to access the php script. Anyone have an idea??

Thanks, Michael


MRaven(Posted 2005) [#2]
Oh dear god... just a few seconds after I posted the question, I found the answer.

It must be

is_online:TStream = OpenStream("tcp::moon-software.de")


Sorry... :)


Jim Teeuwen(Posted 2005) [#3]
You'll find this isn't very secure though.

A player's firewall will intercept your program's request to access this URL. A crafty user can rebuild the URL from the packet data and can then paste it straight into a browser to add any name/score he wants.

The results of this can already be observed :)
http://www.moon-software.de/iscore/iscore.php

Sorry for this, I thought I'd better warn you before you release the game :)
If you want to keep the larger part of the script kiddies out, have your php script check for a very specific HTTP header value. Perhaps the User-Agent header. Set it to your program's name within Blitz. If it doesn't match, ignore the highscore.

When someone pastes the URL in a browser, they will have a different user-agent name and the post will fail.
This too is not secure, but it probably keeps out a lot of ppl who can't be arsed to reconstruct the entire HTTP header manually.


MRaven(Posted 2005) [#4]
Yes, you are right. I thought about this problem myself and am still not sure how to do it... but thanks for pointing this out. :)


Perturbatio(Posted 2005) [#5]
Best thing you can do in this situation (short of having the server run an actual server program dedicated to this) is to encrypt the data before sending and send it all in one chunk (as opposed to ?name=GREGJIR543&score=FHHF433).


Paul "Taiphoz"(Posted 2005) [#6]
MRaven - It's not actually that hard, and the Blitz3D community will help you here. There is a Blitz3D MD5 sample floating around which is what I use along with my own code to post secure MD5-hashed scores to my online php score system.

The users can still see the data in their firewall, but as they don't have a clue what the hash is they can't post fake scores.

It's not the best security in the world, but it is a hell of a lot better than just passing an insecure data string to your site's php.

I will at some point be porting my current B3D code to Max; when I do I will probably post the code to do it in the Archives, so bear with me.

I still have to wait for my new computer hardware to arrive before I get any real work done in Max.


Jim Teeuwen(Posted 2005) [#7]
Can an MD5 hash be 'dehashed' in php?
I always thought this was a permanent conversion to an encrypted string, which means you cannot retrieve the original data from it on the server side, which in turn means you won't have any scores to submit :)

Might just be me though.. what's the use of encryption if you can't decrypt it :D


MRaven(Posted 2005) [#8]
I think it is safer to use MySQL for the highscore and the php script only to communicate between BMax and the database?


Dreamora(Posted 2005) [#9]
Another possibility might be to create a plain text file which you access and write the scores into (using FTP), and the php just reads the whole text file and outputs them in the wanted order (or just the top 10).


MRaven(Posted 2005) [#10]
This is what I did with the code above, and it is what causes the security leak. When I have a text file my game can write to, everybody can, and destroy the highscore. It works fine though.

I have now created a MySQL database on my server and made two php scripts to add a score and read all scores. It was some way to go, because I had done nothing in php or MySQL so far, but finally I got it to work. I like it and think it is much more secure, because you need a username and password to enter the MySQL data.


Dreamora(Posted 2005) [#11]
No that is not what I said.

You access the text file over FTP to write it; this way other users cannot just "misuse" it, at least as long as you don't give them the password.

A different approach would be highscore user + highscore plus a key that is sent, which you generated out of these 2 data, to verify their correctness.

If you use php to access MySQL, in which way is it different from your first approach? (I think quite some people already assumed that you use MySQL if you use php for the highscore.)


MRaven(Posted 2005) [#12]
Hm, no, I created a text file by php which was saved on my server. Now I have no file at all but the entries in my SQL database. How should somebody have access to the SQL database? This should be pretty secure, shouldn't it?


Dreamora(Posted 2005) [#13]
If the access to the server is saved in the php then yes, but then everyone can add stuff to the database (if you don't use a triple with username, score and a key generated out of the first 2).

How do you send the access to the database? Plaintext can simply be read by packet sniffers, so your whole database would be "open" to anyone.


MRaven(Posted 2005) [#14]
Hm, I have to think about a way that only data sent by my game will be processed by the php script. Maybe some sort of generated key or something. The access to the database is currently saved in the php, and I read that this is quite safe, isn't it?


Dreamora(Posted 2005) [#15]
Yep, this should be quite safe if the directory listing is blocked (which normally is the case).

Generating a key based on name and score shouldn't be a problem (-> see MD5 which was mentioned above :) )


Paul "Taiphoz"(Posted 2005) [#16]
Of course php can dehash MD5 hashes as long as you know what the key is.

All scores posted to my php/SQL score system from Blitz3D use MD5, so even though the user may be able to see the outgoing string it's a lot harder for them to get the MD5, so it's a lot more secure than your current method.

So like I said, once I get a chance I am going to convert my current code over to Max; once I do I will probably post it for ppl to use.


Jim Teeuwen(Posted 2005) [#17]
Then again, to (de/en)crypt it, both the server and client need to know the key. Meaning it has to be stored (hardcoded?) in the client. Which means it can easily be pulled out with a resource viewer...

But perhaps I'm pulling straws here :)
This should be sufficient to keep away 98% of the silly kids.


xlsior(Posted 2005) [#18]
You access the text file over FTP to write it; this way other users cannot just "misuse" it, at least as long as you don't give them the password.


But FTP sends usernames/passwords in plain text. It is trivial to sniff that kind of data on a network, and some proxies/firewalls will even log them for you by default.

FTP is about as insecure as it gets.


Filax(Posted 2005) [#19]
I have tried this :

Php Script :



and this bmax code to connect :



Seems not to work? But a direct access from a browser with this address :

http://www.blitz3dfr.com/score.php?a=13000&b=LOLO&c=16

Works !? You can see the result :
http://www.blitz3dfr.com/scores.txt

Any idea ?


Yan(Posted 2005) [#20]
@filax - You're calling the function incorrectly...
Print inetscript$("http::blitz3dfr.com/score.php?a=13000&b=LOLO&c=16")
[edit]
And you're not returning anything from the script. Uncomment the 'echo' line.
[/edit]


Filax(Posted 2005) [#21]
Many thanks !!!!! really :)


Sonic(Posted 2007) [#22]
Hi, I'm looking into this but I'm not sure how it works, and it crashes for me in Blitz on OSX. I uploaded the first file as 'score.php' to my server.

Do I need a .txt file already on there? What format should it be in? (I've no idea about php!)

Anyone?


Sonic(Posted 2007) [#23]
Ah, so it seems my hosting doesn't support php. Hmm, will look into it when I finally decide on my game company name and buy a new domain.


Craig Watson(Posted 2007) [#24]
MD5 is a hash, not an encryption method.

In the way the hash is generated the original data can't be retrieved.

A hash is useful for concealing things strictly if you have the same copy of something at both ends, so it's useful for comparison purposes only.

I might store a hash of your password in my database so that no plain text version exists on my end. If someone was to hack into the server they'd just have a bunch of hashes (although I'd probably have bigger problems anyway.)

I would suggest some form of home-cooked encryption. Rotate your data around, do an XOR, whatever. The most determined people are going to hack your scoring system some way or another anyway, so your encryption will act as a deterrent to the less determined.

If you seriously want to maintain a popular online score system you'll probably just have to purge the more suspicious entries regularly.
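As an added example (not code from the thread or from any of the posters), this is a server-side score.php that implements Dreamora's user + score + key triple with a keyed hash and Jim's User-Agent filter, and that only ever compares hashes, which is the point Craig makes about what a hash can do. The secret SCORE_SECRET, the client name 'iscore-client', the scores.txt path, the parameter names user/score/key and the choice of HMAC-SHA256 over the bare MD5 mentioned in the thread are all assumptions; as Jim notes, the same secret must be built into the game client, so anyone who extracts it from the executable can still forge entries.

```php
<?php
// Added example, not from the thread: accept a score only when the client
// proves it knows a shared secret by sending key = HMAC(user|score).
// Assumed values: the secret, the client's User-Agent string, the file path.
const SCORE_SECRET = 'replace-with-a-long-random-secret'; // keep out of the web root
const CLIENT_AGENT = 'iscore-client';                       // set by the game in its GET
const MAX_SCORE    = 10000000;                              // reject absurd values outright
const SCORE_FILE   = __DIR__ . '/scores.txt';

// The game client computes the identical value over "user|score".
function score_key(string $user, int $score): string {
    return hash_hmac('sha256', $user . '|' . $score, SCORE_SECRET);
}

// Validate one submission; returns null on success, else a short reason.
function check_submission(array $q, string $agent): ?string {
    // Cheap first filter: a URL pasted into a browser carries another agent.
    if ($agent !== CLIENT_AGENT) {
        return 'unexpected client';
    }
    if (!isset($q['user'], $q['score'], $q['key'])) {
        return 'missing parameter';
    }
    $user = (string)$q['user'];
    // Short printable names only, so the text file stays one record per line.
    if (!preg_match('/^[A-Za-z0-9_ ]{1,16}$/', $user)) {
        return 'bad user';
    }
    if (!ctype_digit((string)$q['score'])) {
        return 'bad score';
    }
    $score = (int)$q['score'];
    if ($score > MAX_SCORE) {
        return 'score out of range';
    }
    // Constant-time comparison; editing user or score invalidates the key.
    if (!hash_equals(score_key($user, $score), (string)$q['key'])) {
        return 'bad key';
    }
    return null;
}

$err = check_submission($_GET, $_SERVER['HTTP_USER_AGENT'] ?? '');
if ($err !== null) {
    http_response_code(400);
    echo "rejected: $err\n";
    exit;
}
$line = $_GET['user'] . ';' . (int)$_GET['score'] . "\n";
file_put_contents(SCORE_FILE, $line, FILE_APPEND | LOCK_EX);
echo "[BEGIN]\nOK\n";   // marker the client loop in post #1 waits for
```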