Global Datastore Service! (Closed)

So basically you are saying that even when Roblox has DataStores down for whatever reason, yours will still be running. I don't see that happening. As for pushing updates to a server and it not going down, that's arrogant to say the least; speaking from experience, there is always something that will happen eventually that causes an issue. You won't often find these issues until someone complains.

I was saying that mine won’t be on forever since I am not obliged to maintain them and keep them online. That’s why I talked about backing the data up and storing it elsewhere.

You may want to double-check your source code. I see at least one place with an unsanitized parameter: https://github.com/pushgsck/GSCKStore/blob/master/verify.php#L4

I’d recommend taking a look at PHP’s prepared statements and using those instead of building the queries yourself, as it means you won’t be subject to injection. https://secure.php.net/manual/en/mysqli.quickstart.prepared-statements.php

4 Likes

Is it okay if we use this for Super Power Training Sim?

I mean, Roblox's DataStores are sufficient when you only need to use the data for one place / universe. This is only really useful when you want to access the DataStore from another game that is not in the universe.

1 Like

I strongly urge you to read the serious concerns expressed above. It is not a good idea to use this for your game, especially considering that it has so many players.

3 Likes

Alright, just wanted to make sure, not just for me but for others that are curious about using this with a game that is similar to SPTS.

@sircfenner @DataIsLoading

Thank you both.

You can use it for whatever you want, within reason. And as @sircfenner said, do keep in mind the concerns with using this. As for the player counts he talked about too, it doesn’t really matter as of now because there is no throttling currently. However, I do plan on adding it soon as a precaution to ease traffic going to the server. There will, however, be a way to apply to have such limits removed once this feature is implemented.

Thanks for that! Totally overlooked that as I wrote it once just to get the email verification system working. I will push an update whenever I get the chance to do so.

One other thing: by any chance, have you exploited this in any way?

1 Like

Server will be offline on the 11th October at 13:00 UTC+2 in a time window of 60 minutes. I have no choice in this; my provider is doing this regardless of my choice.

If this is the case, then this system is unreliable and can’t be used for any substantial player count games.

2 Likes

I got an email today from contsbo saying they have to do maintenance; I had no say in this. At no point did they ever ask me about this.

I have emailed them about it asking them what they are doing and if it is possible to not do whatever it is to my VPS but they are yet to respond.

Is it a bit weird that I’m still waiting for an email to verify?

Checked Spam Folders - Nothing

PM me your email, I can resend the verification email. You probably signed up when the mail server bugged out and wasn’t sending the mail.

https still doesn’t work, nor do you redirect http to https. I highly advise anyone to avoid creation/use until this is fixed.

Like @Reinitialized said, creation/use should be avoided until you’ve got HTTPS, and you can always use Let’s Encrypt to get a certificate for it: https://letsencrypt.org/ I generated my own certificate within 5 minutes on an Ubuntu 18.04 box with nginx installed; it has Apache support too.

1 Like

I plan on getting HTTPS set up whenever I get a break from school

You should NOT be using a SHA-based algorithm for passwords. SHA-based algorithms return the same hashed string for the same input. This means they have the potential for hackers to search your users’ passwords on rainbow tables. Use bcrypt.


There’s no rate limiting on sending emails, which means you could probably DoS by getting your host to kill your emails.

There are NO limits on usernames. I just registered a username with 10000000 W’s. If I were a malicious man, I would spam the sign-up URL and your database would fill up extremely fast and DoS.

1 Like

The resend confirmation is only usable by me. As for the passwords, they are salted; I removed that from the open-source version since I’d rather the salt not be released. Also, thanks for pointing the username thing out, I have just fixed it.

This is still objectively worse than bcrypt. Also, the salt should be stored inside a config file so that you can release the code and just not the real config.
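To make the fixes raised in this thread concrete (mysqli prepared statements instead of string-built queries, bcrypt via `password_hash` instead of SHA with a site-wide salt, and a username length limit), here is an added example in PHP. It is not the GSCKStore project's code; the table and column names (`users`, `password_hash`, `verify_token`, `verified`) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed example, not GSCKStore's code: prepared statements, bcrypt via
// password_hash, and a username length limit applied to a minimal
// signup/login pair. Table and column names are assumptions.

const MAX_USERNAME_LEN = 20;

// Register a user; returns the new row id, or null if the input is rejected.
function registerUser(mysqli $db, string $username, string $password): ?int
{
    // Length and charset limit: closes the "10000000 W's" case before any write.
    if (!preg_match('/^[A-Za-z0-9_]{3,' . MAX_USERNAME_LEN . '}$/', $username)) {
        return null;
    }
    // bcrypt generates a random per-password salt and stores it inside the
    // hash string, so no site-wide salt has to live in code or config.
    $hash  = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $token = bin2hex(random_bytes(16));          // email verification token

    // User-controlled values are bound as parameters, never spliced into SQL.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, verify_token, verified)'
                       . ' VALUES (?, ?, ?, 0)');
    $stmt->bind_param('sss', $username, $hash, $token);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Login: password_verify reads the salt and cost back out of the stored hash,
// so the same function keeps working if the cost is raised later.
function checkLogin(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ? AND verified = 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // password_verify is constant-time on the hash comparison; an unknown user
    // simply falls through to false.
    return $row !== null && password_verify($password, $row['password_hash']);
}
```

Give the `password_hash` column at least 60 characters (bcrypt output length) and tune the cost so a hash takes a few hundred milliseconds on the VPS.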