Global Datastore Service! (Closed)

So basically you are saying even when roblox has DataStores down for whatever reason yours will still be running. I dont see that happening. As for pushing updates to a server and it not going down, thats arrogant to say the least speaking from experience because there is always something that will happen eventually that causes an issue. You wont often find these issues until someone complains.

I was saying that mine won’t be on forever since I am not obliged to maintain them and keep them online. That’s why I talked about backing the data up and storing it elsewhere.

You may want to double-check your source code. I see at least one place with an unsanitized parameter: GSCKStore/verify.php at master ¡ pushgsck/GSCKStore ¡ GitHub

I’d recommend taking a look at PHP’s prepared statements and using those instead of building the queries yourself, as it means you won’t be subject to injection. PHP: Prepared Statements - Manual

4 Likes

Is it okay if we use this for Super Power Training Sim?

I mean Roblox their Datastores are sufficient when you only need to use the data for one place / universe. This is only really useful when you want to access the Datastore from another game that is not from the universe.

1 Like

I strongly urge you to read the serious concerns expressed above. It is not a good idea to use this for your game, especially considering that it has so many players.

3 Likes

Alright, just wanted to make sure, not just for me but for others that are curios about using this with their game that is similar to SPTS.

@sircfenner @DataIsLoading

Thank you both.

You can use it for whatever you want, within reason. And as @sircfenner had said, do keep in mind with the concerns with using this. As for the player counts he had talked about too, it doesn’t really matter as of now because there is no throttling currently. However I do plan on adding it soon as a precaution to ease traffic going to the server. There will be a way to apply to get such limits removed however once this feature is implemented.

Thanks for that! Totally overlooked that as I wrote it once just to get the email verification system working. I will push an update whenever I get the chance to do so.

One other thing, by any chance have you exploited this in anyway?

1 Like

Server will be offline on the 11th October at 13:00 UTC+2 in a time window of 60 minutes.i have no choice in this, my provider is doing this regardless off my choice.

If this is the case, then this system is unreliable and can’t be used for any substantial player count games.

2 Likes

I got an email today from contsbo saying they have to do maintenance, I had no say in this. At no points did they ever ask me about this.

I have emailed them about it asking them what they are doing and if it is possible to not do whatever it is to my VPS but they are yet to respond.

Is it a bit weird that I’m still waiting for an email to verify.

Checked Spam Folders - Nothing

PM me your email, I can resend the verification email. You probably signed up when the mail server bugged out and wasn’t sending the mail.

https still doesn’t work, nor do you redirect http to https. I highly advise anyone to avoid creation/use until this is fixed.

Like @Reinitialized said, creation/use should be avoided until you got HTTPS, and you can always use Let’s Encrypt to get a certificate for it. https://letsencrypt.org/ I generated my own certificate within 5 minutes on a Ubuntu 18.04 with nginx installed, it has Apache support too.

1 Like

I plan on getting HTTPS set up whenever I get a break from school

You should NOT be using a SHA-based algorithm for passwords. SHA-based algorithms return the same hashed string for the same input. This means they have the potential for hackers to search your user’s passwords on rainbow tables. Use bcrypt.

image

There’s no rate limiting on sending emails, which means you could probably DoS by getting your host to kill your emails.

There’s NO limits on usernames. I just registered a username with 10000000 W’s. If I were a malicious man, I would spam the sign up URL and your database would fill up extremely fast and DoS.

1 Like

The resend confirmation is only usable by me, as for the passwords they are salted. I removed that from the opensource version since I’d rather the salt not be released. Also thanks for pointing the username thing out, I have just fixed it.

This is still objectively worse than bcrypt. Also, the salt should be stored inside a config file so that you can release the code and just not the real config.