applets and sql security

Newbie & Debugging Questions
#21

[quote=“DzzD,post:19,topic:33228”]
Indeed, but always expect everyone to know all of your java code and always expect the parameters sent to php to be sent by someone trying to break your server/database and you should be fine :slight_smile:

#22

im not to worried about the player cheating as much as a sql injection to drop the whole database. Most stuff is server side and the game is mainly made up of using buttons and simple input texts which would change data on the screen then every few seconds update the new stats from the app to the php to the db. This is a somewhat interesting thread tho. :slight_smile:

#23

Just make one or two functions that checks/escapes/validates all input.

`

foreach($_GET as $key => $val)
{
$_GET[$key] = sqlencode(urldecode($val));
}

foreach($_POST as $key => $val)
{
$_POST[$key] = sqlencode(urldecode($val));
}
`

Never ever pass input directly into your database, or use it directly in your include([s]$_GET['p'].".php"[/s]).

If you connect to your database, you need a user/pass. Do not store this in a file that is reachable by HTTP, also, because PHP is rater verbose with it’s stacktraces, never do:

function connect($user, $pass) { // connect to DB }

because the resulting stacktrace from an uncaught Exception that PHP throws SHOWS THE METHOD ARGUMENTS…

`
PHP stacktrace: (for everbody to see)

  • game.php line 32 => init()
  • db.php line 80 => connect(“myuser”, “secret”) – ooops!
  • sql.php line 108 => impl()

  • `
#24

ok need a little help again.

php array to java applet array?
is this possible?

#25

In Java: convert array to String
In PHP: convert String to array

encoding to hex or base64 is probably easiest

#26

Also, remember to gzip the data you’re sending inbetween php and the applet if you’re expecting alot of data, it helps alot with keeping the transfered kb down.

#27

Ok so the best way is to make the php array into a string and then a hex then pass it through the parameter, then have java convert it to a string array, gzip , good idea ill have to look into that.

Im trying to get a giant list from my db via php to java.

#28

It depends… GZ might shrink your traffic, but increases CPU usage… a lot.

It’s simply about which resource is most valuable to you.

#29

I also send a lot of data over from a mysql server to an applet and the time taken decreases noticably when gzipping the data (sending about 3mb of uncompressed data when the applet starts which results in like 300-500kb after compression)