Protect Password in Applet

Hi

I am considering developing a Java applet browser game, which would require the use of a database. But since the applet runs on the client and needs to make a DB connection, it needs the password at this point in clear text. Anyone could decompile the applet and insert a System.out.println to get the DB password and do bad things to my DB.

Is there a way to make a Java-based browser game while protecting the system from manipulation through a hacker attack?

-JAW

Never ever let a client connect to your database.

Connect to a server that handles all database access internally.

Thanks so far

What would be the cheapest and easiest solution using typical web hosting offers?
So far I would try using PHP scripts on a web host with a MySQL database and use
URLConnections from the applet to the server.

Doing so, I would still need some kind of security method, so that no one can
invoke the PHP scripts with bad data.

-JAW

There ain't much you can do to hide the PHP. If you really want to, you could encrypt the URL, but even that is breakable.

Always treat incoming data as untrusted. Only pass it on to the DB once it has been sanitized and validated.
See here.
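The two replies above (let only a server talk to the database; validate everything before it reaches the DB) can be put together in one small endpoint. The following is an added example, not code posted in this thread: a PHP script the applet would call over HTTP instead of opening its own MySQL connection. The script name, the `scores(player_id, score)` table, the `../private/db_config.php` file returning the DSN and credentials, and the field names `player` and `score` are all assumptions made for the example.

```php
<?php
// Added example, not from the original thread.
// Assumptions: MySQL table `scores(player_id INT, score INT)`, PDO available,
// and a file ../private/db_config.php (outside the web root) that returns
// ['dsn' => 'mysql:host=...;dbname=...', 'user' => '...', 'pass' => '...'].
declare(strict_types=1);

// The database password lives only on the server. The applet knows this URL, nothing else.
$config = require __DIR__ . '/../private/db_config.php';

header('Content-Type: text/plain; charset=utf-8');

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST only');
}

// Validate each field against what the game actually allows, not merely "is it a number".
// filter_input returns false on a failed check and null when the field is absent.
$playerId = filter_input(INPUT_POST, 'player', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
$score = filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 1000000]]);

if ($playerId === false || $playerId === null || $score === false || $score === null) {
    http_response_code(400);
    exit('bad input');
}

try {
    $pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);

    // Values are bound as parameters, never concatenated into the SQL text,
    // so a decompiled and modified applet cannot turn `score` into SQL.
    $stmt = $pdo->prepare('INSERT INTO scores (player_id, score) VALUES (:player, :score)');
    $stmt->execute([':player' => $playerId, ':score' => $score]);
    echo 'ok';
} catch (PDOException $e) {
    // Details go to the server log; the client only learns that the request failed.
    error_log($e->getMessage());
    http_response_code(500);
    exit('server error');
}
```

Whoever decompiles the applet now only learns the URL and the two field names; they can still send requests, which is why the range checks on `player` and `score` are the part that has to match the game rules, not just the data type.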

Yeah, that one was funny, I remember that from a while back.

Well, I thought about some session ID or one-use-only action token to protect against invalid calls to the scripts. This does not protect against a manipulated Java program, but illegal actions should be caught when the server validates the input. But it would at least complicate manual calls to the scripts or "just for fun" calls.

I'll think it through. Maybe I'll rather do a normal offline game.

-JAW
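The one-use action token sketched in the post above can be kept entirely in the PHP session. The following is an added example, not code from this thread: the server hands the applet a random token when a turn begins, and accepts the actual move only if that exact token comes back, unexpired, and only once. The function names `issue_action_token` and `consume_action_token`, the session key `user_id` (set by whatever login page is used), the action names `begin_turn` and `submit_move`, and the five-minute lifetime are assumptions made for the example.

```php
<?php
// Added example, not from the original thread.
// Assumptions: a login page has already stored $_SESSION['user_id'];
// the applet sends `action` and (for moves) `token` as POST fields.
declare(strict_types=1);

function issue_action_token(string $action): string
{
    // 32 random bytes -> 64 hex characters: unguessable, so hand-crafted calls
    // to the script cannot produce a valid token.
    $token = bin2hex(random_bytes(32));
    $_SESSION['action_tokens'][$token] = ['action' => $action, 'issued' => time()];
    return $token;
}

function consume_action_token(string $action, string $token, int $ttl = 300): bool
{
    $stored = $_SESSION['action_tokens'][$token] ?? null;
    // Remove the token before checking anything, so it is spent even when the
    // checks below fail: this is what makes it one-use-only.
    unset($_SESSION['action_tokens'][$token]);
    if ($stored === null) {
        return false;                     // never issued, or already used
    }
    if ($stored['action'] !== $action) {
        return false;                     // token issued for a different action
    }
    return (time() - $stored['issued']) <= $ttl;   // expired tokens are rejected
}

// ---- request handling ----
session_start();
header('Content-Type: text/plain; charset=utf-8');

if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login first');
}

$action = (string) ($_POST['action'] ?? '');
$token  = (string) ($_POST['token'] ?? '');

if ($action === 'begin_turn') {
    // The applet must present this token together with the real move.
    echo issue_action_token('submit_move');
} elseif ($action === 'submit_move') {
    if (!consume_action_token('submit_move', $token)) {
        http_response_code(403);
        exit('bad, expired or reused token');
    }
    // A valid token only proves the request came through the intended flow.
    // The move itself is still untrusted and must be checked against the game
    // rules here before anything is written to the database.
    echo 'move accepted';
} else {
    http_response_code(400);
    exit('unknown action');
}
```

As the post says, this does not stop a modified applet, which can simply request a token and then send whatever move it likes; the server-side rule check on the move is still the real protection. What the token does is stop replaying an old request and make casual manual calls to the script fail.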

Just use a standard PHP login/password page, then put the resulting session ID into an applet parameter.

Something like:

<applet ...>

<param name="id" value="<?php echo session_id(); ?>">
</applet>

Also, if you want a single entry point to your application so that all your URLs will look like http://yoursite.com/, just make an index.php that redirects to the correct PHP script using your designed rules. Alternatively, you can remove all headers so the client will have trouble knowing you are using PHP.

Something like that (NB: this is only the very basic idea, don't use it as is; for example, you should prefer to create objects rather than include files as in the following sample):

index.php

<?php

// set the session by hand from the ID the applet posted back,
// then start the session so $_SESSION is populated
if (isset($_POST['ID']))
    session_id($_POST['ID']);
session_start();

// here verify authentication

// if user is NOT trusted/logged in, exit

// dispatch only to the two known pages; anything else falls through and does nothing
$p = $_GET['p'] ?? '';

if ($p == 1)
    include __DIR__ . '/../private/page1.php';

if ($p == 2)
    include __DIR__ . '/../private/page2.php';

?>

Then you will use http://yoursite.com/?p=1 or http://yoursite.com/?p=2 as the URL; in the applet you should send the ID parameter (from the param tag) as a POST or GET parameter, depending on your index.php script.

The only active public script should be index.php; all other files should be put in a private directory that cannot be read from outside.