MySQL Secure Connection?

Discussion in 'Plugin Development' started by RealDope, Oct 16, 2012.

Thread Status:
Not open for further replies.
  1. Offline

    RealDope

    So basically I'm making a plugin that will connect to a pre-determined MySQL database (it will not be inputted by the user in a config.yml or anything like that).

    I know it's very easy to simply open a .jar and use any number of online resources / programs that allow you to read the source code.

    I want to be able to basically "hide" the login info for MySQL.

    Possible ways to store this I have thought of:
    Hardcoded (For reasons stated above will not work)

    Locally in a file (Maybe, but I don't know how/what file type to store it in so that it is secure)

    Remotely (Requires a connection to the remote server to get the info, which just brings us back to the original problem..)
     
  2. Offline

    Timr

    You can't connect to a MySQL database without putting login credentials in your source code (or a config file). I would suggest obfuscating your code (which is still very insecure when it comes to login info, I suppose) or (preferred) host an API online that can only be connected to via your plugin, and connects to MySQL, returning the result in a JSONObject or something similar. My main question is, why do you need to connect to a pre-determined database?
     
  3. Offline

    Adriani6

    What you can do, however, is hide the file with login details somewhere, then create another web page and import it there; it should hide the details.
     
  4. Offline

    RealDope

    So there's no kind of file I can just store on the server that people won't be able to read or decompile, but my plugin can? Hosting an online API sounds like a lot of work to store a few strings for logging into a DB..
     
  5. Offline

    Adriani6

    There is.. I mean try it.
    <?php include("{filename}"); ?>

    This will display another page in the created page... Sorry if I confused you.
    Have a try and in your browser check the Source Code and see what it shows you.
     
  6. Offline

    RealDope

    I'm a little confused... I'm coding a java plugin.

    Sorry if this is a dumb question, but why so much talk about php and the web? It's on a minecraft server.

    Bump?

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 29, 2016
  7. Offline

    Lolmewn

    What I did with Stats, is creating a Socket which connects to a fixed address, send all queries it needs to do over it, and get results back. Works fine ^^
     
  8. Offline

    RealDope

    Know of a nice tut for how to do that? :D
    Lolmewn
     
  9. Offline

    Lolmewn

    Nope, did all of that myself ^^ Just look for 'Sockets Java' on google, you'll find enough :)
     
  10. Offline

    jwnordquist

    What you would want to do is create a PHP file on a web server and use a GET request to send the information to the script, i.e. yourwebsite.com/log.php?serverip=192.168.1.1&loggingInfo=thePluginIsWorking

    From there the PHP script can take the 2 variables you sent it (server IP and logging info from my example) and put them into the database.


    if you need any help doing that, i'll be happy to help you!
     
  11. Offline

    RealDope

    jwnordquist

    Thanks! I looked around at that and it's exactly what I need.

    One question though:
    Is there a way for the php end of this to check if the GET request is coming from my plugin or if it's coming from something else?

    My only worry is that somebody can look at the code, then just navigate to the url putting in whatever variables they want.
     
  12. Offline

    skore87

    Slightly more "secure" is to use POST instead. Encrypt the data and on the receiving end decrypt it for added security.
     
  13. Offline

    Twillen

    What you’re looking to create via php is what can be referred to as a web service. If you have no form of authentication in the web service, anyone can retrieve, and modify your data via the methods you create.

    The way I would tackle this issue is to create a page where the users of your plugin would need to sign up. In the yml configuration file for your plugin, include a spot for username and password. When the plugin posts to your web service, validate that username and password, and then run the code against your database. Also, as skore87 stated, you should encrypt the data before sending, and then decrypt on the web service side. Your database information will be safe in the PHP script, and you would need to post the key-value pairs of the username, password, and other necessary values you’ll need to know how and what to do to your database. This may include a called method, and values you need to send.

    If you find fake information is being set to your database, you can ban the username, and remove the entries that have been added by that user. Also to note: with a system like this I wouldn’t create any statements that delete rows from your database, if possible.
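
Added example (not part of any post in this thread): a sketch of the per-user authentication described in the post above, so that the database login never leaves the web service. It swaps the plain username/password check for an HMAC-SHA256 signature over each request, assumes the connection itself is HTTPS, and shows both sides in Java for readability; the class name, user name, secret and field layout are all hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class SignedRequestDemo {
    // Constructed sample data: per-user secrets issued at sign-up, kept server-side.
    static final Map<String, String> USER_SECRETS =
            new HashMap<>(Map.of("server-owner-1", "constructed-secret-1"));
    static final Set<String> BANNED = new HashSet<>();
    static final long MAX_SKEW_SECONDS = 300; // reject requests older than 5 minutes

    static byte[] hmac(String secret, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    // Plugin side: user and secret are read from that server owner's config.yml,
    // so nothing shared by all installs is embedded in the .jar.
    static String sign(String user, String secret, long ts, String body) throws Exception {
        return Base64.getEncoder().encodeToString(hmac(secret, user + "\n" + ts + "\n" + body));
    }

    // Web-service side: runs before any query is sent to the database.
    static boolean verify(String user, long ts, String body, String sig, long now) throws Exception {
        String secret = USER_SECRETS.get(user);
        if (secret == null || BANNED.contains(user)) return false;   // unknown or banned user
        if (Math.abs(now - ts) > MAX_SKEW_SECONDS) return false;     // stale timestamp
        byte[] given;
        try { given = Base64.getDecoder().decode(sig); }
        catch (IllegalArgumentException e) { return false; }         // malformed signature
        byte[] expected = hmac(secret, user + "\n" + ts + "\n" + body);
        return MessageDigest.isEqual(expected, given);               // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        long now = 1_350_000_000L; // constructed timestamp (seconds)
        String user = "server-owner-1", body = "loggingInfo=thePluginIsWorking";
        String sig = sign(user, "constructed-secret-1", now, body);
        System.out.println("valid:    " + verify(user, now, body, sig, now));
        System.out.println("tampered: " + verify(user, now, "loggingInfo=fake", sig, now));
        System.out.println("stale:    " + verify(user, now, body, sig, now + 3600));
        BANNED.add(user);
        System.out.println("banned:   " + verify(user, now, body, sig, now));
    }
}
```

A signed request captured inside the five-minute window can still be replayed; rejecting repeats would need the service to remember recently seen timestamps or nonces per user.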
     
  14. Offline

    jwnordquist

    I'm assuming you're logging some sort of data, so the best way to do so is to open a session with a timestamp in it, and when the same client tries to connect to it in under, let's say, 5 min, it will block them; that will stop DDOS protection. The second part would be the logging of IP addresses. That way if there is an abuser you can easily remove them from the logs.

    Other than that, there is no other way to really do security.

    [EDIT] didn't really read the post above... but that is another way of doing it :p

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 29, 2016