  • 0

Php - Server


Weylon Santana

Question

2 answers to this question


  • 0
45 minutes ago, MiniGrief said:

Again, this is a giant security flaw waiting to happen. Try to avoid using it if possible.

Why I upvoted @MiniGrief's post. ^

No, there is no official way at the moment. Messing with the SQLite DB via PHP is unreliable at best (if they're already in-game it won't be able to kick them, and so when they save it would overwrite any bans you added), and dangerous to your data integrity at worst.

The best shot you have of doing this safely is to *hrmhrmhrm*decompile the engine to analyze the WebSocket packet structure and try to pipe your commands through a privileged account that way.

That being said, that'll probably be harder to do than just waiting for MySQL.


  • 2

The only way I can see this working is some kind of PHP shell.

BUT, they can really screw you over for security if not protected properly and so I highly recommend finding other ways to do this.

 

If you use Linux, you should be able to have the PHP shell send commands to a running screen session.

shell_exec("screen -S InsertGameScreenName -X stuff 'CommandToRun''\n'");

Again, this is a giant security flaw waiting to happen. Try to avoid using it if possible.

 

Edit:

Just to clarify why I say PHP shells are bad security.

 

If someone realises that they are entering text into a shell, they could potentially compromise your entire machine by writing commands into it and creating their own users to then SSH into it and so on and so forth. I won't go into full detail, but it is generally not a good idea to allow a user to type anything into one. They should only be used by the web server to enter pre-defined commands. This you could still do if you want to make the page a little fancier and have buttons with pre-defined commands attached to them. This only means you can't do anything like ban a player or make an announcement from this as it opens up the security flaw with the shell due to requiring the user to type text into them.

 

Provided you only allow the user to press a button to do a pre-defined command and you protect it with very good security (Possibly a hard-coded password that is created in the PHP code so it is never sent to the user), you can probably get away with doing it.

Edited by MiniGrief
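
One way to build the button-only panel described in the answer above, as an added example that is not part of the original posts: each button id maps to a fixed command, the password lives only in the PHP source, and no visitor-typed text ever reaches the shell. The command strings, form field names (`password`, `button`) and the password value are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example. Session name, command strings, field names and the
// password are placeholders/assumptions, not values from a real server.
const SCREEN_SESSION = 'InsertGameScreenName';
const PANEL_PASSWORD = 'replace-with-a-long-random-secret';

// Button id => fixed console command. Visitor text is never sent to the shell.
const ALLOWED_COMMANDS = [
    'run'    => 'CommandToRun',
    'second' => 'AnotherPredefinedCommand', // hypothetical
];

// Returns the shell command for a known button, or null for anything else.
function buildScreenCommand(string $buttonId): ?string
{
    if (!array_key_exists($buttonId, ALLOWED_COMMANDS)) {
        return null;
    }
    // The trailing newline makes screen submit the line to the console.
    return sprintf(
        'screen -S %s -X stuff %s',
        escapeshellarg(SCREEN_SESSION),
        escapeshellarg(ALLOWED_COMMANDS[$buttonId] . "\n")
    );
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: one known button, one free-text attempt.
    foreach (['run', 'ban SomePlayer'] as $input) {
        var_dump(buildScreenCommand($input));
    }
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $password = $_POST['password'] ?? '';
    $button   = $_POST['button'] ?? '';
    // Constant-time comparison; the password itself never leaves the server.
    if (!is_string($password) || !is_string($button)
        || !hash_equals(PANEL_PASSWORD, $password)) {
        http_response_code(403);
        exit('Forbidden');
    }
    $command = buildScreenCommand($button);
    if ($command === null) {
        http_response_code(400);
        exit('Unknown command');
    }
    shell_exec($command);
    echo 'Sent: ' . htmlspecialchars($button, ENT_QUOTES);
}
```

Run from the command line, the script prints the built command for `run` and `NULL` for the free-text input, which is the behaviour the answer asks for: buttons work, typed commands do not.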