Database Security
by Adam Beer · in Torque 3D Professional · 06/10/2009 (7:56 pm) · 8 replies
I am working on a game that requires a connection to a database and I am thinking that I dont ever want the game servers or the clients to ever be able to directly connect to the database. The idea was to have a master server in between the clients/servers and the database server. I have looked at using TCP Object to communicate with PHP files, but that doesnt seem to be very secure.
The idea is to have the master server do all the queries to the database and then return the result if one is needed to the client or server that made the request. What would be the best solution to do this? If anyone has any ideas on how to do this I would really appreciate your post.
The idea is to have the master server do all the queries to the database and then return the result if one is needed to the client or server that made the request. What would be the best solution to do this? If anyone has any ideas on how to do this I would really appreciate your post.
About the author
Adam is the owner of Ignition Games, an indie game and software development company.
#2
That means, don't allow SQL over HTTP. Guard against SQL injection, etc.
Keeping that in mind, you can use an HTTP get, post, etc (REST API) to communicate with a PHP web service. Nothing wrong with that at all (and in fact, it's really a good idea for many things).
It might not be perfect, but it's a step in the right direction. If you need security, it's not hard to add HTTPS later (provided you keep it in mind as you do your current implementation).
Just remember to keep the requests asynchronous and event driven so as to not lock up your client while during the HTTP communications.
06/11/2009 (8:57 am)
Just remember that you cannot trust the client and you must assume that anyone can sniff the packets and/or modify them (man in the middle attack).That means, don't allow SQL over HTTP. Guard against SQL injection, etc.
Keeping that in mind, you can use an HTTP get, post, etc (REST API) to communicate with a PHP web service. Nothing wrong with that at all (and in fact, it's really a good idea for many things).
It might not be perfect, but it's a step in the right direction. If you need security, it's not hard to add HTTPS later (provided you keep it in mind as you do your current implementation).
Just remember to keep the requests asynchronous and event driven so as to not lock up your client while during the HTTP communications.
#3
The part I am really stuck on is what the master server should be. Perl, Python or something of that sort? Ive never worked with either of those and I really dont know what the best solution would be to receive info from a client, do a query with the info the client sent and return the result of that query back to the client.
06/11/2009 (1:01 pm)
Thanks for the tips guys. I looked at the cUrl resource and am not really seeing where this would help me. Looks to me like its for downloading and uploading files, and I really just need to send a command and arguments to a master server and wait for a reply. The part I am really stuck on is what the master server should be. Perl, Python or something of that sort? Ive never worked with either of those and I really dont know what the best solution would be to receive info from a client, do a query with the info the client sent and return the result of that query back to the client.
#4
06/11/2009 (1:19 pm)
@Adam - I set up a secure game server networking system very similar to what you are looking for years and years ago. Once I get home from work, I'll try and find the documentation I wrote on it and see if that helps you at all. I've never implemented it within Torque, so I'm sure Konrad's resource will prove to be more informative and actually Torque oriented - but we'll see.
#5
T3D Client/Server -> Master Server -> PGSql Database Server -> Master Server -> T3D Client/Server
06/11/2009 (1:27 pm)
Cool, thanks Jordan. I understand how the structure of everything works, its just the specifics that im not finding. For instance, how to get torque to communicate with a master server. This means getting torque to talk to some other application of some sort and wait for an answer from this application. I know that TCPObject, cUrl and a few other things allow for this, but what is the best solution?T3D Client/Server -> Master Server -> PGSql Database Server -> Master Server -> T3D Client/Server
#6
Unfortunately, I was unable to find the document I wrote. If I do happen to come upon it in some online searching (it's been published on a few websites, but the ones I've checked out so far have been closed) I'll reply to this post, ASAP.
Sorry for the wait, but I hope you are making progress with this :)
06/19/2009 (7:55 pm)
@Adam - sorry for getting back to you so late, man. I've been under a heavy workload at work and been sick for the past couple of days. Almost had forgotten about this.Unfortunately, I was unable to find the document I wrote. If I do happen to come upon it in some online searching (it's been published on a few websites, but the ones I've checked out so far have been closed) I'll reply to this post, ASAP.
Sorry for the wait, but I hope you are making progress with this :)
#7
Basically, you have something like PHP in a web server and have T3D do HTTP accesses to it, passing parameters, and do something with the response.
06/20/2009 (5:59 am)
I did a bunch of tests using HTTPObject. I don't know if something changed, but I didn't experience any of the "hangs" people mentioned, but that was TGEA 1.8.1. DNS lookup is done asynchronously there.Basically, you have something like PHP in a web server and have T3D do HTTP accesses to it, passing parameters, and do something with the response.
#8
Quite likely you tested under a small load (1 client?) :P
06/20/2009 (3:38 pm)
On a fully loaded system, your HTTP requests won't be served in sub 32ms response times... which means you skip a frame. If the request is coming from your game server, your simulation fidelity decreases. If the request is coming from your game client, it skips a frame and appears to lag.Quite likely you tested under a small load (1 client?) :P
Associate Konrad Kiss
Bitgap Games
TCP isn't insecure. It's just a protocol for transmitting data. It's the data that need to be secured that you later can send and receive via TCP.
But don't use the TCP object. Use bank's cUrl implementation resource instead, it will save you from microhangs.
I think its already a great start that you want to implement a middleware between your servers and your db, it will give you the option to filter and cache data packets in a custom way that's specific to your game. That can eventually save you great amounts of server resources.