JDBC security

Discussion in 'Plugin Development' started by Kamisoyokaze, Sep 28, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    Kamisoyokaze

    Ok so basically for the next feature in my Minecraft Bukkit plugin I need everyone's plugins to send data to my database. This is all well and good except how do I stop people fucking with my database, or knowing my password? I don't have a server to run a client off to receive everything and validate it, I have a webhost and that is all. I really need a way to do this, any ideas?
     
  2. You can't really hide the password anywhere. Even if you don't give out the source, people can just decompile it.
     
  3. Offline

    Kamisoyokaze

    I know... That's the whole point of asking this question. There must be a way, lots of applications send info to their databases; how does MCBans work?
     
  4. I'm not sure I understood everything, but you can
    a) Limit the privileges a certain user has to a database
    b) Try to hash the passwords
     
  5. This is the class it uses to send info.
     
  6. Offline

    Kamisoyokaze

    Well, the thing is the privileges needed for the plugin to function are adding and editing, and people could abuse that pretty badly. I was thinking of doing it this way and then heavily moderating it, but it doesn't seem practical.

    Hashing the passwords would require the passwords to be unhashed, which I would normally do with a stand-alone Java app, but that isn't possible without a server to run it on :/
     
  7. Offline

    sbeex

  8. Offline

    Belf

    IMO, best solution is indeed to make a WebService.
     
  9. Offline

    Kaikz

    Or use API keys. If your API key in your config isn't an admin one, reject the change.
     
  10. Offline

    alexanderpas

    nope.jpeg

    NEVER EVER send your password as part of a GET!!!

    Instead, if you're sending passwords over the line, use something like Digest access authentication or take some hints from it when creating API keys ;)

    Yes, a webservice is the best way to control access to your database.

    All you need to be able to run a basic webservice is a host that allows a scripting language (like PHP) and a database (like MySQL) and some scripts that verify the input and keys. Also use prepared statements (like PDO) to protect against obvious attacks (note that you're still vulnerable to DDoS, so be sure to write your plugin properly).
     
    Kamisoyokaze likes this.
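    A minimal version of the PHP web service described above, added here as an example (it is not code from the thread or from any plugin mentioned in it). The table and column names, the `X-Api-Key` header, the `DB_PASSWORD` environment variable and the `role` values are assumptions; the plugin only ever holds its own API key, never the MySQL password.

```php
<?php
// Added example: a PHP endpoint that sits between the plugin and the database.
// Assumed schema: api_keys(key_hash, server_id, role, revoked) and reports(server_id, player, reason).
declare(strict_types=1);

// Connect as a MySQL user limited to INSERT on the tables this service needs
// (least privilege, as suggested in reply 4). The password lives in the host's
// environment, not in the plugin jar, so decompiling the plugin reveals nothing.
$pdo = new PDO(
    'mysql:host=localhost;dbname=plugin_db;charset=utf8mb4',
    'plugin_api',
    (string) getenv('DB_PASSWORD'),
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Credentials never travel in the query string: require POST and a request header,
// so the key does not end up in access logs or browser history.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') { http_response_code(405); exit; }
$apiKey = $_SERVER['HTTP_X_API_KEY'] ?? '';
if ($apiKey === '') { http_response_code(401); exit; }

// Only a SHA-256 hash of each issued key is stored, so a leaked table does not leak keys.
$lookup = $pdo->prepare('SELECT server_id, role FROM api_keys WHERE key_hash = ? AND revoked = 0');
$lookup->execute([hash('sha256', $apiKey)]);
$client = $lookup->fetch(PDO::FETCH_ASSOC);
if ($client === false) { http_response_code(403); exit; }

// Validate the input before it goes anywhere near the database.
$body = json_decode((string) file_get_contents('php://input'), true);
$player = is_array($body) ? ($body['player'] ?? '') : '';
$reason = is_array($body) ? ($body['reason'] ?? '') : '';
if (!is_string($player) || !preg_match('/^[A-Za-z0-9_]{1,16}$/', $player)
    || !is_string($reason) || $reason === '' || strlen($reason) > 200) {
    http_response_code(400); exit;
}

// Per reply 9: a non-admin key may not perform admin-only actions.
$action = is_array($body) ? ($body['action'] ?? 'report') : 'report';
if ($action !== 'report' && $client['role'] !== 'admin') { http_response_code(403); exit; }

// The server_id comes from the key record, not from the client, so one server
// cannot write records on behalf of another. Prepared statement: no SQL injection.
$insert = $pdo->prepare('INSERT INTO reports (server_id, player, reason) VALUES (?, ?, ?)');
$insert->execute([$client['server_id'], $player, $reason]);
http_response_code(201);
```

    Serve it over HTTPS so the key is not exposed in transit, and log rejected requests per key so an abused key can be flagged and revoked.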
  11. Offline

    Kamisoyokaze

    Thanks for all the feedback, I guess I'll look into SOAP.
     