securely send info to MySQL server

Discussion in 'Plugin Development' started by tylers123, Feb 3, 2013.

Thread Status:
Not open for further replies.
  1. tylers123

    How do I send player data securely to a MySQL server via a website?
    I've got this code so far; how could I make it more secure?

    Code:
    import java.io.ByteArrayOutputStream;
    import java.io.InputStream;
    import java.net.URL;
    import java.net.URLConnection;
    // UrlBuilder comes from a third-party URL-building library (its import is not shown in the post)

    public String sendData(String target, String player, String send, String reason)
    {
        try {
            // Build the request URL; the ban details are sent as query parameters
            UrlBuilder build = UrlBuilder.fromString("http://banhammer.atwebpages.com/" + target + "/")
                    .addParameter("player", player).addParameter("send", send).addParameter("reason", reason);
            URL url = new URL(build.toString());
            URLConnection con = url.openConnection();
            InputStream in = con.getInputStream();
            // getContentEncoding() reports compression (e.g. gzip), not the charset, so decode as UTF-8
            String encoding = "UTF-8";

            // Read the whole response body into memory
            ByteArrayOutputStream baos = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            int len = 0;
            while ((len = in.read(buf)) != -1) {
                baos.write(buf, 0, len);
            }
            String body = new String(baos.toByteArray(), encoding);
            return body;

        } catch (Exception e) {
            System.out.println(e);
        }
        // "0" signals failure to the caller
        return "0";
    }
    and the web-side code:

    PHP:
    <?php
    if(isset($_GET["player"])){
        include("dbConfig.php");

        // Check whether the player is already banned
        $q = "SELECT * FROM `ban` WHERE `player`='".$_GET["player"]."'LIMIT 1";

        // Run query
        $r = mysql_query($q) or die(mysql_error());

        if ( $obj = @mysql_fetch_object($r) )
        {
            echo "done";
        }
        else{
            // Not banned yet: insert the new ban row
            $q = "INSERT INTO `ban` (`player`,`sender`, `reason`) VALUES ('".$_GET["player"]."','".$_GET["send"]."','".$_GET["reason"]."')";

            $r = mysql_query($q);

            if (!$r){
                die("0");
            }
            else
            {
                echo "1";
            }
        }
    }
    ?>
    bump

    EDIT by Moderator: merged posts, please use the edit button instead of double posting.
     
    Last edited by a moderator: May 31, 2016
  2. RealDope

    Send along some sort of verification, an encrypted password for example.
     
  3. tylers123

    But I'm not sure how I could do encrypted passwords.
     
  4. yttriuszzerbus

    PLEASE read about SQL injection before you deploy that code!
     
  5. tylers123

    OK, but what's wrong with it?
     
  6. chasechocolate

    Please wait at least 12 hours before bumping.
     
  7. Phinary

    You should look up info on MySQL injection. Right now, with your current PHP code, you do nothing to protect against MySQL injection, which is a HUGE security risk. Second of all, if you are wanting to do it like that via a webpage, you are going to need to do some sort of check to make sure nobody else can screw around with it.

    In my opinion, you are much better off just handling the MySQL inside Java instead of messing around with web requests just to execute some SQL code.

    (If you are trying to do this for a public plugin that sends data to your servers, then I believe you will need to look into encryption or some sort of keys to verify the info; maybe try looking into how MCStats does it.)
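
A hardened version of the endpoint discussed in this thread, added here as an example and not code from any poster: it takes POST instead of GET, checks an HMAC-SHA256 signature made with a shared secret, and uses PDO prepared statements. The `ts` and `sig` parameters, `SHARED_SECRET`, the name and length limits, and the database DSN and credentials are assumptions; it also assumes the site is served over HTTPS, since the signature authenticates a request but does not hide it.

```php
<?php
declare(strict_types=1);
// Added example. Hypothetical: SHARED_SECRET, "ts"/"sig" parameters, DSN and credentials.
const SHARED_SECRET = 'REPLACE_WITH_LONG_RANDOM_VALUE'; // placeholder; load from outside the web root
const MAX_SKEW = 300; // seconds a signed request is accepted
function field(string $name): string {
    $v = $_POST[$name] ?? '';
    return is_string($v) ? $v : ''; // treat array parameters such as player[]=x as empty
}
$player = field('player');
$sender = field('send');
$reason = field('reason');
$ts     = field('ts');
$sig    = field('sig');

// 1. Validate shape. Assumes names are 1-16 characters of [A-Za-z0-9_] and a 255-byte reason column.
$name = '/\A[A-Za-z0-9_]{1,16}\z/';
if (!preg_match($name, $player) || !preg_match($name, $sender)
    || strlen($reason) > 255 || !ctype_digit($ts)) {
    http_response_code(400);
    exit('0');
}

// 2. Authenticate: the plugin sends sig = hex HMAC-SHA256 over the same fields in the same order.
$expected = hash_hmac('sha256', implode("\n", [$ts, $player, $sender, $reason]), SHARED_SECRET);
if (abs(time() - (int)$ts) > MAX_SKEW || !hash_equals($expected, $sig)) {
    http_response_code(403);
    exit('0');
}

// 3. Query with bound parameters so input is never parsed as SQL.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=bans;charset=utf8mb4', 'ban_user', 'REPLACE_ME', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $check = $pdo->prepare('SELECT 1 FROM `ban` WHERE `player` = ? LIMIT 1');
    $check->execute([$player]);
    if ($check->fetchColumn() !== false) {
        exit('done');
    }
    $insert = $pdo->prepare('INSERT INTO `ban` (`player`, `sender`, `reason`) VALUES (?, ?, ?)');
    $insert->execute([$player, $sender, $reason]);
    echo '1';
} catch (PDOException $e) {
    error_log($e->getMessage()); // keep database errors out of the response
    http_response_code(500);
    echo '0';
}
```

The responses keep the thread's `done`, `1` and `0` values, so the Java side only needs to switch to POST and add the two signed fields.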
     