DarkBASIC Professional Discussion / Secure alternative to FTP

Author
Message
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 17:21 Edited at: 7th Jan 2011 17:33
How can one, with a DBP app or any other language, dynamically write to an FTP/HTTP server securely? - Previously I'd devised turn-based online games that use FTP to edit the gamestate (writing/editing a file based on the gameplay and another person using said file at their end) but I have since been made aware this is insecure (regardless of how slow a process it is in terms of a sensible game design).

It seems people are able to retrieve the FTP login details by converting the executable to assembly or something. I don't know the specifics. But my main question is: How can this be achieved securely?

The overall application I seek to create would be one that writes/edits an HTML file or something else uploaded to an FTP server that I do not own. But the application would only have access to this file and not to the FTP login details through hacking into the exe.

I'm not really sure how to explain it any better, I just wish to make an online game that can use port 80. (One of the few ports I actually have open here at uni.)
All the ports I have available to me:

I also don't want to have another server running a server application I designed. I want the FTP server to take care of distribution just like it would for a normal website.

EDIT:
I had a discussion with Joeeigel on MSN about alternatives and we mentioned things like PHP and SQL which if they work with DBP somehow, I'm not averse to using. (Unfortunately MSN decided not to save that conversation like all the rest, so I can't look back to see what was said. )

Sven B
19
Years of Service
User Offline
Joined: 5th Jan 2005
Location: Belgium
Posted: 7th Jan 2011 18:42 Edited at: 7th Jan 2011 18:44
I guess you could make it very hard to find the login and password by not encoding those strings into DBP directly (i.e. Login$ = "MyLogin")

I'm just saying things now, but you could for example:
- Figure out the file size in bytes, use that as a random seed, and then make all characters depend on the random sequence to use as a password and login. This guarantees that nothing changed in your .exe, AND the password is based on a pseudo-random sequence.
- Building up the string using several layers of construction.
[edit] - Or just read it from a well encrypted file.

If any assembly freak wants to decode that, be my guest, but I don't think it'll be that easy to figure out which code belongs to the login/pass construction.

Cheers!
Sven B

C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 18:49
xD I was actually after a completely different system entirely so I don't need anything like a login system. I don't want to use FTP.

Is there no way to get a DBP app to send data to a HTML page or something that then uses PHP or SQL to change something on an HTTP server?
Then have the receiving DBP app just read it straight using HTTP. :S

xD! I don't care how roundabout the system is, I just don't like having login details that people can hack under any circumstances.

Fatal Berserker
13
Years of Service
User Offline
Joined: 2nd Jul 2010
Location:
Posted: 7th Jan 2011 19:13
There will always be an FTP request going on somewhere along the line. Why not look into encryption? (AES)

C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 19:17 Edited at: 7th Jan 2011 19:56
Would there still be a hackable FTP request going on in the case where an HTML form makes or edits a file on the same server as it though?

:o



EDIT:

Ok ok ok, I just found out, through trying one of my old FTP games that I can't actually use the FTP commands here at uni. So I'm even further limited.

My question is now:
Is there a way to have read and write capabilities that operate entirely on HTTP? (port 80)
I can have HTML documents doing the rest if necessary, but my only ins and outs are seemingly through port 80.

Mobiius
Valued Member
21
Years of Service
User Offline
Joined: 27th Feb 2003
Location: The Cold North
Posted: 7th Jan 2011 20:12 Edited at: 7th Jan 2011 20:14
How about something like this:

Taken from the help file for HTTP REQUEST DATA

Then, instead of doing this: action$="action=list&
Do this: action$=CHR$(13) + CHR$(14) (and so on...)

My signature is NOT a moderator plaything! Stop changing it!
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 20:18 Edited at: 7th Jan 2011 20:21
!

I don't get what that's doing xD! - Is that meant to be input or output? - I get a stream of HTML if I leave TGC in on the first line and I get Send Request failed if I put my website in.

For the record, I can already grab stuff from the webs with DBP using HTTP commands, the issue is now, putting stuff up on the web from DBP using HTTP commands.

Mobiius
Valued Member
21
Years of Service
User Offline
Joined: 27th Feb 2003
Location: The Cold North
Posted: 7th Jan 2011 20:28 Edited at: 7th Jan 2011 20:31
Quote: "I don't get what that's doing xD!"

It accesses a webpage ("gamehost/index.php") so to send stuff there, you create a php webpage which accepts an input (whatever that input is) and I don't know, saves it to a mysql database.

The return will be whatever webpage you will see if you type that entire string into a web browser. To get the return value, you parse the returned text only webpage and perform any actions you need to.

For example, say you create a php page called "setscoreboard.php" and you send it "score=500&name=h4x0r"

Your php file will take the two commands, do what it needs to do, (I.E. update a scoreboard) and it will return a formatted webpage showing the current scoreboard.

In DBP, you take this webpage string, and parse it to be displayed in game.

Quote: "Is that meant to be input or output?"

Both, the input is you sending action$ and serverid$, and the output is the return$ in "return$=http request data(....."

My signature is NOT a moderator plaything! Stop changing it!
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 20:40
Alright so, so far I've established I need some PHP in there, that sounds promising. But what about this MySQL database. - Is that just a set of files on a web server somewhere that I don't need to think about? Or would I actually have to have a serverbox sitting there running the SQL database. :S

Sven B
19
Years of Service
User Offline
Joined: 5th Jan 2005
Location: Belgium
Posted: 7th Jan 2011 22:53 Edited at: 7th Jan 2011 22:53
You'll need a server with MySQL installed on it (as well as PHP of course).

Here's one I found, tried and approved of a while ago:
http://www.byethost.com/

It cleans itself when your site is inactive after a while. Perfect for learning MySQL and PHP though.

Cheers!
Sven B

C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 23:01
Ah good, so I don't actually need my own serverbox just to make something use this type of input/output.

Now I just need to learn PHP, learn MySQL and buy a server. !!!

(Or wait till this year is over and go get a flat with some real internet... -.- )

Mobiius
Valued Member
21
Years of Service
User Offline
Joined: 27th Feb 2003
Location: The Cold North
Posted: 7th Jan 2011 23:24
You don't even NEED mysql, that was just an example I used.

My signature is NOT a moderator plaything! Stop changing it!
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 7th Jan 2011 23:26
xD

Well if you guys have any simpler solutions to my problem please tell me.

I just wanna make an online game that doesn't use the conventional TCP/UDP methods that'll actually work on my restricted internet.

An FTP game seemed to be the way to do this but now I know FTP is out too, so I'm just looking for other similar methods.

mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 8th Jan 2011 11:00
Hi C0wbox, I am seconding with Mobiius as to that method of communication (it's what I'm basically using for my Online Scoreboard system - end of plug ).
You can use GET command for most simple stuff and POST command for more involved stuff if required. It really depends on what you are wanting to do with your online game.
The PHP script on the web server would interpret your commands (sent via GET or POST), and then perform actions on the web server as you direct based on this input sent. For security, you'd still need to send some sort of key/hash/password; how cryptic you'd want this to be is up to you, and as already mentioned, anything can be cracked if they really want to do so that badly.
Cheers.

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
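
One way to do the key/hash check mr_d describes for a request like "score=500&name=h4x0r", as an added example that is not part of any post in the thread (PHP 7.1+; the `ts` and `sig` fields, the per-player key table and all sample values are assumptions). Each player gets their own key, so a key recovered from one copy of the game signs only that player's requests and exposes no FTP or database login.

```php
<?php
// Added example, not code from the thread. Field names ts/sig and the key
// table are assumptions; 'h4x0r' and score=500 reuse the thread's sample.

// Constructed per-player keys, issued by the server at sign-up. The FTP and
// MySQL logins stay on the server and are never compiled into the game.
const PLAYER_KEYS = ['h4x0r' => 'constructed-sample-key-1'];
const MAX_SKEW = 300; // seconds a signed request stays valid

// Sign the fields in a fixed order so client and server hash identical bytes.
function sign_request(array $p, string $key): string
{
    $msg = http_build_query(['name' => $p['name'], 'score' => $p['score'], 'ts' => $p['ts']]);
    return hash_hmac('sha256', $msg, $key);
}

// Returns [accepted, reason]. $p is $_GET or $_POST, depending on the client.
function verify_request(array $p, int $now): array
{
    foreach (['name', 'score', 'ts', 'sig'] as $f) {
        if (!isset($p[$f]) || !is_string($p[$f])) {
            return [false, "missing $f"];
        }
    }
    // Strict whitelists: reject anything that is not a plain name or number.
    if (!preg_match('/^[A-Za-z0-9_]{1,16}\z/', $p['name'])) {
        return [false, 'bad name'];
    }
    if (!preg_match('/^[0-9]{1,7}\z/', $p['score'])) {
        return [false, 'bad score'];
    }
    if (!preg_match('/^[0-9]{1,10}\z/', $p['ts']) || abs($now - (int)$p['ts']) > MAX_SKEW) {
        return [false, 'stale or bad timestamp'];
    }
    if (!array_key_exists($p['name'], PLAYER_KEYS)) {
        return [false, 'unknown player'];
    }
    // hash_equals compares in constant time.
    if (!hash_equals(sign_request($p, PLAYER_KEYS[$p['name']]), $p['sig'])) {
        return [false, 'bad signature'];
    }
    return [true, 'ok'];
}

// Constructed demo: a valid request, a tampered score, and a replay an hour later.
$now = 1294430000;
$req = ['name' => 'h4x0r', 'score' => '500', 'ts' => (string)$now];
$req['sig'] = sign_request($req, PLAYER_KEYS['h4x0r']);
$tampered = array_merge($req, ['score' => '999999']);
foreach ([[$req, $now], [$tampered, $now], [$req, $now + 3600]] as [$r, $t]) {
    [$ok, $why] = verify_request($r, $t);
    echo ($ok ? 'accept' : 'reject'), ": $why\n";
}
```
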
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 9th Jan 2011 20:07 Edited at: 9th Jan 2011 20:20
Ok we're rapidly running out of ideas here.

Me and a guy who helps out around Soharix when he can have been trying to get this stoopid HTTP request to work for ages now.

We've got the SQL database set up, we've got a .PHP file that's supposed to write data to said database and I'm currently stuck on the DBP side of things.

Here's the PHP we've got trying to handle this thing, with all the sensitive information replaced:


And here's what I've been trying with the DBP code:


But whatever we try, we just can't seem to stop getting Send Request failed.

mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 07:39 Edited at: 10th Jan 2011 07:43
I read elsewhere on the forums that the HTTP CONNECT now has an extra (undocumented) parameter where you can specify the port used, and if not provided, will use 443 (the SSL port).
This means the connect command should be:

http connect "www.soharix.com",80

However, I have also read elsewhere, and checked the DBP code myself as well, that the following is how it has been coded:



Which looks like the HTTP REQUEST DATA command will default to using a secure connection as well. I have tried putting in my own flag to override this, and although it compiles and runs, it still gives (a different) error code back. So not sure if this command is able to run on normal HTTP as it stands or not - if it is then the correct flag(s) to use is unknown.

Hopefully, one of the DBP devs can confirm this or not, and provide a working HTTP example if it can work with non-secure HTTP...

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 09:21 Edited at: 10th Jan 2011 10:33
I've had slightly better results using the equivalent of:

http connect "www.soharix.com",80

return$=http request data("POST","sql_test/test1.php","data=egg123",0)

Note the capital Command string, the textbox name, and the extra ending parameter 0.

As my test web server now responds with an html error message instead of the other error message of "Send Request Failed".
The server error message indicates that it is still trying to either use port 443 (SSL), or using port 80 but still trying a SECURE connection...
Maybe you could experiment a bit more and post the working solution here (if you manage to find it). Cheers.

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 10th Jan 2011 11:03 Edited at: 10th Jan 2011 11:12
Note this thread (last post has the function you need):

http://forum.thegamecreators.com/?m=forum_view&t=172394&b=1

And this bug report:

http://forum.thegamecreators.com/?m=forum_view&t=147638&b=15

Currently the bug report shows rejected, feel free to test and bump the bug report.

Join the TGC Group!
http://tehcodez.groups.live.com
mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 13:49
@Jerico2day
Thanks for the reference; yes I saw both of those threads (among others I searched through) and because they were both from July 2010 (and as you said, it was marked rejected) I thought they had fixed it since then (the bug report is actually for v7.3 which is 2 versions old now).
There was another post that indicated that if we included the 0 flag at the end of the HTTP REQUEST DATA command, and the port flag at the end of the HTTP CONNECT command, that this should work for normal HTTP (they actually included an example in the SNIPPETS), but looks like this is not the case.

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 10th Jan 2011 15:06
No, it's most definitely broken. My snippet in that one thread works wonderfully though, and takes care of the cache issue which I don't think you got around to noticing yet. The delete cache call should work in windows 2000 and later, and URLDownloadToFile works in nt4 and later, and as far as I know, is the exact same function the dbp command wraps, so you shouldn't run into any problems using the function.

Join the TGC Group!
http://tehcodez.groups.live.com
mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 15:33 Edited at: 10th Jan 2011 15:37
Unfortunately, your snippet is only for file download and is not what is requested by C0wbox.
Yes, I did notice the caching problem you solved; but again this is not important for HTTP REQUEST DATA as any response text that is coded in the PHP script shouldn't be cached anyway as it's not a physical file (Also, if the HTTP REQUEST DATA command worked as advertised, then we should be able to include either of the flags INTERNET_FLAG_RELOAD, or INTERNET_FLAG_NO_CACHE_WRITE to stop the caching problem). Thanks for your snippet though.
BTW, I bumped the bug report, so maybe they will look into it

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 10th Jan 2011 16:55 Edited at: 10th Jan 2011 17:08
What? I've done a lot of testing. I don't think you quite know how the dbp command (and the function I wrote) works.

The function calls a URL, and downloads the response to a file that can be read from. This would be the server response, usually in HTML format, but can be a simple text file.

The file the server returns is cached by the client. If the URL is the same in two calls, the client just returns the cached file. So if your client sends the same URL request twice, the second time is not the current response from the server but instead a cached copy, so it's no good.

So yes, this is probably what Cowbox needs. If he doesn't want to open a file to read the server response, then he can recode that part of the function, but that's a lot of work for very little gain, because you'd have to figure out how to put the response directly in a memory location and then read and parse that memory location.

If he's calling out to a php file and then a mysql database, it's going to be far from real-time anyway, so downloading the server response to a text file and then opening that file for reading won't take very much longer than the rest of the request.

Join the TGC Group!
http://tehcodez.groups.live.com
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 10th Jan 2011 17:02 Edited at: 10th Jan 2011 17:04
I tried this:
return$=http request data("POST","sql_test/test1.php","data=egg123",0)
And yeah, I don't get an error this time, I just get HTML that says 404 error. - And it still isn't writing to the SQL database.

Joeeigel said he's gonna take a look when he wakes up because I'm just rapidly getting more and more confused. (Internet and me don't go hand in hand. - especially if it's using 2 languages I don't know)

bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 10th Jan 2011 17:13 Edited at: 10th Jan 2011 17:39
Quote: "return$=http request data("POST","sql_test/test1.php","data=egg123",0)"


Cowbox, you can use the function I wrote like this:




You need to also make sure you encode the URL so that things like spaces and slashes and other special symbols are handled correctly and the client can make the request successfully. This function encodes the url, but does not prevent malicious attacks. I haven't posted it before, but because I'm feeling nice, here it is:




So the above code I gave you would look like this:



Join the TGC Group!
http://tehcodez.groups.live.com
C0wbox
17
Years of Service
User Offline
Joined: 6th Jun 2006
Location: 0,50,-150
Posted: 10th Jan 2011 17:36
Well I've got 2 other people messing with my SQL databases so I'm not sure if I'm getting the code (urls) right but I'll pass it to them and see what they think.

mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 18:17 Edited at: 10th Jan 2011 18:19
@Jerico2day
OK, I'll believe you - maybe caching will be a problem if you do download the result to a file and not just get the result as a string.

There is 1 small mistake that I can see with the url in your command:


should not have the extra "/" character before the "?" character.
i.e. it should look like:


cheers.

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
bitJericho
21
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 10th Jan 2011 18:36
Ah, where's my brain

Join the TGC Group!
http://tehcodez.groups.live.com
mr_d
DBPro Tool Maker
17
Years of Service
User Offline
Joined: 26th Mar 2007
Location: Somewhere In Australia
Posted: 10th Jan 2011 19:45


@C0wbox
BTW, just in case you weren't sure, this method provided by Jerico2day sends the values as GET values, so your PHP script will need to check for $_GET['data'], etc., and not $_POST['data'], etc.
cheers.

(\___/)
(='.'=) Copy bunny into your signature to
("_(" help him gain world domination.
