
RS-Linkify Thread

Quick find code: 261-262-33-65181208

Indecent Act

Posts: 7,456
@Blasty,

I hadn't considered that you are using Google; that's going to take away many potential issues.


I haven't even tried to get my head around OAuth, and I'm glad I haven't needed to.


Flood prevention can have many layers. For example, I reject lots of requests when I can't get a user agent string. I also have a whitelist for bots, and when I get an approved bot on my site I feed it data from my DB rather than request stats from Jagex. This acts as a preventative measure against getting IP banned, and it's faster for the bot.


Recoveries are tricky for me; I basically use the process of elimination. It's not always successful, but most of the time I've been able to recover the tracking data for the user.

Since I save a timestamp for when tracking starts and also save a timestamp when the logged user leaves the tracking page, I have a ballpark area to start with. With info from the user (how many players were they tracking, who were they tracking, and an estimate of tracking duration) I can do a simple query.

recovery = time where accountTrackingStarted is between timeWhenAccountLost where tracked player count = X and tracked names = playerA, playerB, playerC

There is also other data I can put into the query, like total level when tracking started, total level when stopped, number of unranked stats, number of 99s, highest skill, lowest skill, and so on.

SQL queries are pretty cool, and with enough parameters I can often return a single result.


There are methods built into SQL for injection protection.
real_escape_string (now deprecated) was pretty good, but if not used 100% correctly vulnerabilities can easily be left open. However, these holes are generally from a lack of understanding and/or because of bad practices.

cont...

24-Jan-2014 09:34:36 - Last edited on 24-Jan-2014 09:54:14 by Indecent Act

Indecent Act

Posts: 7,456
mysqli::real_escape_string is the new standard function for escaping, and is a lot better but not infallible. And here's why...

SQL queries are their own language, and they are written with both humans and machines in mind. Most queries are written and parsed via code. In PHP you write code that then writes its own code, that's then executed by the DB engine.

SQL is meant to execute parameters it's fed. This means if you don't want it to do something you have to limit the instructions it's sent. The example I gave for recovering accounts is actually not too dissimilar to a real SQL query. You can attach seemingly endless amounts of parameters into a query. You are actually mixing and matching PHP and SQL in both query and execution.

Since it's all server side the potential power is huge, not only are you accessing a DB, you are running server side code. Thus the potential for risk.

I wrote my own escaping/filter for my DB requests because my queries are very specific. But my pages sanitise everything first. You can't even do an invalid hiscore lookup on my site. Try and enter a 13 character name in my hiscores or use non alpha numeric characters. This input is sanitised twice and there is no SQL taking place.

By the time the SQL engine is fired up, there have been numerous sanitisation methods used and the final query/request will have heavy limitations in place. And it will be quadruple checked before handing it over to SQL.

My point is many layers of protection are needed, because at the end of the day, what goes into my DB was generated by user input. And that's the thing: there is no one-size-fits-all sanitisation method. Every site and DB is unique and coding structures are too. Code that writes and executes code is fun and very handy, but my code won't work for someone else; my approach and concept may work, but not the routines.

Wow another essay post from me, and tbh it's a crude explanation, and not entirely accurate, but conceptually it's kind of on track.

24-Jan-2014 09:34:42 - Last edited on 24-Jan-2014 09:36:33 by Indecent Act
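The two posts above describe a recovery query built from whatever the user remembers, and argue for validating input before any SQL runs and keeping the final query tightly constrained. The following is an added example of that layering; it is not code from the thread or from RS-Linkify. It uses Python's sqlite3 as a stand-in for the PHP/MySQL stack the poster uses, a constructed `tracking` table with sample rows, and assumes the name rule mentioned in the post (at most 12 alphanumeric characters).

```python
import re
import sqlite3
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed input rule from the post: a player name is 1-12 alphanumeric characters.
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,12}$")


def valid_name(name: str) -> bool:
    """First layer: reject anything that is not a plausible player name
    before any SQL is involved (the post's "no SQL taking place" check)."""
    return bool(NAME_RE.match(name))


# Constructed toy schema: one row per tracking session.
SCHEMA = """
CREATE TABLE tracking (
    id INTEGER PRIMARY KEY,
    owner TEXT NOT NULL,
    started TEXT NOT NULL,          -- ISO timestamp when tracking began
    stopped TEXT,                   -- ISO timestamp when the user left the page
    player_count INTEGER NOT NULL,
    players TEXT NOT NULL,          -- comma-separated, sorted names
    total_level_start INTEGER NOT NULL
);
"""

# Constructed sample data: three sessions by the same user.
SAMPLE_ROWS = [
    ("anon", "2014-01-20T10:00:00", "2014-01-20T11:30:00", 2, "playerA,playerB", 1800),
    ("anon", "2014-01-21T09:15:00", "2014-01-21T12:00:00", 3, "playerA,playerB,playerC", 1805),
    ("anon", "2014-01-23T20:00:00", None, 3, "playerA,playerB,playerC", 1810),
]


def open_db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample sessions."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO tracking (owner, started, stopped, player_count, players, "
        "total_level_start) VALUES (?, ?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


def recover_sessions(conn: sqlite3.Connection, lost_around: str, window_hours: int,
                     player_count: int, players: List[str],
                     total_level_start: Optional[int] = None) -> List[int]:
    """Process-of-elimination query from the post: start from a time window
    around when the user thinks the session was lost, then narrow it with
    whatever else they remember. Every user-supplied value is bound as a
    parameter; none of it is spliced into the SQL text."""
    if not all(valid_name(p) for p in players):
        raise ValueError("player names failed validation")
    if len(players) != player_count:
        raise ValueError("player count does not match the names given")
    centre = datetime.fromisoformat(lost_around)
    lo = (centre - timedelta(hours=window_hours)).isoformat(timespec="seconds")
    hi = (centre + timedelta(hours=window_hours)).isoformat(timespec="seconds")

    sql = ("SELECT id FROM tracking WHERE started BETWEEN ? AND ? "
           "AND player_count = ? AND players = ?")
    args = [lo, hi, player_count, ",".join(sorted(players))]
    # Each optional detail the user remembers adds one more constraint.
    if total_level_start is not None:
        sql += " AND total_level_start = ?"
        args.append(total_level_start)
    sql += " ORDER BY started"
    return [row[0] for row in conn.execute(sql, args)]


if __name__ == "__main__":
    db = open_db()
    # Wide window: two candidate sessions remain.
    print(recover_sessions(db, "2014-01-21T10:00:00", 72, 3, ["playerA", "playerB", "playerC"]))
    # Adding the starting total level eliminates all but one.
    print(recover_sessions(db, "2014-01-21T10:00:00", 72, 3, ["playerA", "playerB", "playerC"], 1810))
```

The name check rejects a 13-character name or anything containing a quote or other non-alphanumeric character before the database is touched, and the query itself only ever receives `?` placeholders, so the SQL text the engine parses never contains user input. Each extra detail the user remembers (player count, names, starting total level) is one more bound constraint, which is the elimination the post describes.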

Blasty
Feb Member 2017

Posts: 9,319
Tyvm Indy, really appreciate all the explanations :)

I'll probably have to go through an SQL tutorial before I get a full understanding of what I just read haha

I originally planned to have quite a few layers of validation before making database requests, but dealing with validation got me a little dizzy. I guess it's because it's hard to be sure my validation conditions are written correctly. One little mistake can cause the condition to accept everything, or reject everything. I'll be going back to it for sure to check everything works, after the creation page works smoothly :)

Why do you avoid using libraries? :O

I actually haven't used any libraries except jQuery (and functions from CryptoJS). jQuery has really made coding a lot more enjoyable, and faster too I think. Chaining is a really awesome feature of jQuery that I love taking advantage of. Ever since I started using jQuery, I've been more open to using other libraries that might reduce the repetitive parts of coding.

Blasty the Blue // @BlastytheBlue // Blasty#5167 | Co-owner of Mine Nation

24-Jan-2014 12:48:54

Indecent Act

Posts: 7,456
Blasty said:
Why do you avoid using libraries? :O

As you've no doubt noticed, I really like these discussions :)

I have a rough checklist. Generally...

- If a library increases the size of my project then I don't use one. For a website it's not likely a library will bloat things out. It should reduce size, not increase size imo.

Currently RS-Linkify is around the same size with or without jQuery. Since I have to ship the lib with my extension, this was something I was very aware of.

- I don't use library functions for things I don't understand. If a lib is doing something I don't know how to do, then it's actually holding me back. A lib should reduce my typing, not hold my hand and shield me from learning or understanding code.

- Speed: we are now in the age where we can push hardware and use the GPU from within the browser. Fast geometry engines aren't using jQuery, and there is good reason for this. But even on less complex things jQuery can be noticeably slower. It might just be a minor flicker of an element, or a slower page load, but that can be enough.

- The time factor: there comes a time where you just need to get it done. Knowing you have a time restriction can be reason enough to use library(s).

- Scope chain management is important in my projects and is harder to manage with a lib; libs often break your carefully managed scope chain.

- It's got to be fun. If using a library(s) makes the experience more fun, then that's good enough reason to use one. I'd rather see code with libs than no code at all.

- Browser compatibility: this is jQuery's strength imo. We all know how to handle different browsers and it's simply a pain; jQuery does this well.

I'm not anti or pro libs; I'm cautious if I use them.

Very short article by a jQuery user, with a valid point at the end on where browsers are coming together: http://www.sitepoint.com/do-you-really-need-jquery/

25-Jan-2014 02:38:47
