Solved Most Efficient and Secure way to transfer files from plugin to website

Discussion in 'Plugin Development' started by THEK, Feb 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline

    THEK

    I'm currently building a site linked to my plugin. However, I want to be able to transfer screenshot files from the plugin to my site (using Spout to get screenshots).

    What's the most secure way of uploading files from my plugin? I've looked around and some people say just authentication is enough, but this leaves the file open to attack. Others have said just post everything to a PHP page within my website.

    If you have any experience with this I'd really appreciated your help.

    Edit: A bit more background info, the site is built using PHP, though the VPS it's hosted on can run Java programs. Should I be creating my own Java server to retrieve the files?
     
  2. Offline

    microgeek

    Send the Base64 encoded image directly to a DataBase. Decode with Php.
     
  3. Offline

    THEK

    While I will definitely look into base64 encoding, surely it's unsafe for me to store my database's login details into my Java plugin no matter how limited the account is?
     
  4. Offline

    desht

    Don't store the database details in the plugin itself. The plugin should read the database details from external config, which the local server admin defines when installing the plugin.

    Yes, there's a risk of the database details being stolen. But you'll have that risk no matter how you try to upload your data - you have to store credentials somewhere if the plugin is to be able to upload automatically. Careful choice of MySQL (or whatever implementation) privileges and access control should mitigate that risk somewhat; you could allow only INSERT from the plugin, and deny any SELECT or DELETE, for example (and use a different database user on your web server to pull the image data out).

    But above all, you'll need to take care of your CraftBukkit server's security, something you should be doing anyway.
     
  5. Offline

    Lolmewn

    Meh, I do this too. Don't think my account is gonna get hacked anytime soon anyway ;)
     
  6. Offline

    THEK

    desht Storing it in a config file sounds very much like you're talking about a local database (which my plugin already has).

    Lolmewn But surely it would be easy for someone to decompile the Java code, and (in a worst case scenario) creating something to just constantly put crap into the database?
     
  7. Offline

    desht

    No, I'm talking about storing the database details (host/port/dbname/user/password) in a config file. The database may or may not be local to the CraftBukkit server your plugin is running on.
     
    microgeek likes this.
  8. Offline

    lDucks

    Make a POST to a PHP script on your website. What I do with BattlePunishments is I send a username and password across and the password is unique to the server, then I do some authentication on the PHP script and I do all my XSS protection there.

    I would never store my database information in the plugin, it's a terrible idea.
     
  9. Offline

    Lolmewn

    THEK Yes. I didn't release it, of course ;)
     
  10. Offline

    THEK

    lDucks thank you. That sounds more like the stuff Ive been reading about. Ill have a go with that.
     
Thread Status:
Not open for further replies.

Share This Page