Solved Most Efficient and Secure way to transfer files from plugin to website

Discussion in 'Plugin Development' started by THEK, Feb 11, 2013.

Thread Status:
Not open for further replies.
  1. Offline


    I'm currently building a site linked to my plugin. However, I want to be able to transfer screenshot files from the plugin to my site (using Spout to get screenshots).

    What's the most secure way of uploading files from my plugin? I've looked around and some people say just authentication is enough, but this leaves the file open to attack. Others have said just post everything to a PHP page within my website.

    If you have any experience with this I'd really appreciate your help.

    Edit: A bit more background info, the site is built using PHP, though the VPS it's hosted on can run Java programs. Should I be creating my own Java server to retrieve the files?
  2. Offline


    Send the Base64-encoded image directly to a database. Decode with PHP.
  3. Offline


    While I will definitely look into base64 encoding, surely it's unsafe for me to store my database's login details in my Java plugin no matter how limited the account is?
  4. Offline


    Don't store the database details in the plugin itself. The plugin should read the database details from external config, which the local server admin defines when installing the plugin.

    Yes, there's a risk of the database details being stolen. But you'll have that risk no matter how you try to upload your data - you have to store credentials somewhere if the plugin is to be able to upload automatically. Careful choice of MySQL (or whatever implementation) privileges and access control should mitigate that risk somewhat; you could allow only INSERT from the plugin, and deny any SELECT or DELETE, for example (and use a different database user on your web server to pull the image data out).

    But above all, you'll need to take care of your CraftBukkit server's security, something you should be doing anyway.
  5. Offline


    Meh, I do this too. Don't think my account is gonna get hacked anytime soon anyway ;)
  6. Offline


    desht Storing it in a config file sounds very much like you're talking about a local database (which my plugin already has).

    Lolmewn But surely it would be easy for someone to decompile the Java code, and (in a worst case scenario) create something to just constantly put crap into the database?
  7. Offline


    No, I'm talking about storing the database details (host/port/dbname/user/password) in a config file. The database may or may not be local to the CraftBukkit server your plugin is running on.
    microgeek likes this.
  8. Offline


    Make a POST to a PHP script on your website. What I do with BattlePunishments is I send a username and password across and the password is unique to the server, then I do some authentication on the PHP script and I do all my XSS protection there.

    I would never store my database information in the plugin, it's a terrible idea.
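
The approach described in the post above (POST to a PHP script and authenticate with a password unique to each server), as an added example; it is not the poster's or BattlePunishments' code. The field names `server_id`, `secret` and `screenshot`, the storage path, the size limit and the sample credential are assumptions, and the request is assumed to arrive over HTTPS.

```php
<?php
declare(strict_types=1);

// Constructed sample credential store: server id => password hash.
// A real site would load stored hashes from its own database or config.
$servers  = ['survival-01' => password_hash('constructed-secret', PASSWORD_DEFAULT)];
$storeDir = '/var/screenshots';   // assumed path, outside the web root
$maxBytes = 2 * 1024 * 1024;      // assumed upload size limit

function fail(int $code, string $msg): void {
    http_response_code($code);
    exit($msg);
}

if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') fail(405, 'POST only');

// 1. Authenticate the calling game server before touching the file.
$id     = $_POST['server_id'] ?? '';
$secret = $_POST['secret'] ?? '';
if (!is_string($id) || !is_string($secret) || !isset($servers[$id])
    || !password_verify($secret, $servers[$id])) {
    fail(403, 'bad credentials');
}

// 2. Check that a single file really arrived through the upload mechanism.
$f = $_FILES['screenshot'] ?? null;
if (!is_array($f) || $f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
    fail(400, 'no upload');
}
if ($f['size'] > $maxBytes) fail(413, 'too large');

// 3. Decide the type from the bytes, never from the client-supplied name or MIME type.
$info = @getimagesize($f['tmp_name']);
$ext  = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg'][$info[2] ?? 0] ?? null;
if ($ext === null) fail(415, 'not a PNG or JPEG');

// 4. Store under a server-generated name so the client controls no part of the path.
$name = bin2hex(random_bytes(16)) . '.' . $ext;
if (!move_uploaded_file($f['tmp_name'], "$storeDir/$name")) fail(500, 'store failed');

echo $name;
```

With this layout the plugin only ever holds its own per-server password, so a leaked plugin config can be revoked by replacing one hash and never exposes database credentials.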
  9. Offline


    THEK Yes. I didn't release it, of course ;)
  10. Offline


    lDucks thank you. That sounds more like the stuff I've been reading about. I'll have a go with that.