Cron Jobs

Zyviel
Posts: 75
Joined: Tue Jun 08, 2010 8:12 pm

Re: Cron Jobs

Post by Zyviel »

I have an idea for making your own cron using the javascript timer and php. It's just a theory that I was thinking I might try once I rent a server.

Create a php page that reloads based off the javascript timer.

Go to the server and bring up the php page in a browser and leave it up.

You could have a login at the beginning of the php script to make sure that only someone authorized could load the page. If the login fails just have the php page fail with an exit command.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Cron Jobs

Post by Jackolantern »

You mean having an admin page that continuously calls scripts? It would be less secure than having it done through the OS, since applications are the least secure layer. Besides those considerations, it would likely work ok, except that it could also fail with errors more easily than a well-updated OS could.
The indelible lord of tl;dr
Zyviel
Posts: 75
Joined: Tue Jun 08, 2010 8:12 pm

Re: Cron Jobs

Post by Zyviel »

Yes, the page would require a logon that would check the mysql database to see if the person was authorized to load the page.

I was trying to think along the lines of how to make it secure because I would not want the page to be loaded by anyone other than me and I would not want to have more than one instance of the page up at the same time.
Callan S.
Posts: 2042
Joined: Sun Jan 24, 2010 5:43 am

Re: Cron Jobs

Post by Callan S. »

Ah, I was thinking they actually were snippets of code (that might be able to call other codes), rather than just a directive to code.

Hopefully not too off topic, there's probably a way of making sure no one but admin can run a script. I was thinking of having a script only I run as admin, but if players figured its location and name they could run it - so I was going to have an "if (1==0)" at the start, then edit that to 1==1 when I wanted to run it, then edit it back afterward. A little awkward though!
Fight Cycle : My latest Browser game WIP
Driftwurld : My Browser Game WIP
Philosopher Gamer : My Blog
Zyviel
Posts: 75
Joined: Tue Jun 08, 2010 8:12 pm

Re: Cron Jobs

Post by Zyviel »

If you are trying to make a php secure, I think you could do it without too much work.

You could have a logon form at the beginning of the page that takes a username and password and when the user presses the submit button the php code checks the mysql database.

The row could be read from the user table and you could check the appropriate field to see if the user has admin rights. If he does the page would load and the php code would run. If the user name or password was invalid or the user account does not have admin rights you could say invalid user and use the php exit command to stop the page immediately.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Cron Jobs

Post by Jackolantern »

Zyviel wrote:If you are trying to make a php secure, I think you could do it without too much work.

You could have a logon form at the beginning of the page that takes a username and password and when the user presses the submit button the php code checks the mysql database.

The row could be read from the user table and you could check the appropriate field to see if the user has admin rights. If he does the page would load and the php code would run. If the user name or password was invalid or the user account does not have admin rights you could say invalid user and use the php exit command to stop the page immediately.
That is always the idea, but there are over 100 different attacks that can let users gain control of your account. Fortunately, most of them are pretty easy to avoid:

1. Always filter incoming data to make sure it is within the range that is expected to prevent buffer overflow attacks (yes, they are possible in PHP no matter what anyone says).
2. Never use a player-entered variable in a query without filtering it with mysqli_real_escape_string() to prevent SQL injection attacks.
3. Any variable that will be displayed on screen needs to be filtered with striptags() and htmlentities() to prevent XSS attacks.
4. Use session_regenerate_id() before any login algorithms begin to help prevent session hijacking.
...and the rest of the typical security things PHP developers have to deal with.

Now since the script would be ticking JS and using AJAX to call scripts on the server, you would have to double security to also check every tick coming in from the AJAX script, because those could be spoofed without ever accessing the AJAX script page. This would have to be as air tight as possible, since a rogue player gaining access to the entire cron firing system would be a disaster considering that it could be used to exploit, cause havoc, or DoS attack.
The indelible lord of tl;dr
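
An added example, not part of the post above or any code from this thread: a PHP handler that re-validates every tick request on the server, so a request sent without ever loading the timer page is rejected. The session keys (is_admin, tick_token, last_tick), the job names and the 60-second floor are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Session keys, job names and the
// 60-second floor are assumptions chosen for illustration.
declare(strict_types=1);
const MIN_TICK_SECONDS = 60; // refuse ticks that arrive faster than the timer should fire
// Allowlist: the request names a job, it never supplies a file path or code.
$jobs = [
    'regen_energy' => fn(): string => 'energy regenerated',
    'expire_bans'  => fn(): string => 'bans expired',
];

/** Validate one tick request; returns [HTTP status, message]. */
function handle_tick(array &$session, array $post, array $jobs, int $now): array
{
    // Re-check authorization on every tick, not just when the timer page loaded.
    if (($session['is_admin'] ?? false) !== true) {
        return [403, 'not authorized'];
    }
    // Per-session secret issued with the timer page; compared in constant time.
    $sent = $post['tick_token'] ?? '';
    if (!is_string($sent) || !isset($session['tick_token'])
        || !hash_equals($session['tick_token'], $sent)) {
        return [403, 'bad token'];
    }
    $job = $post['job'] ?? '';
    if (!is_string($job) || !array_key_exists($job, $jobs)) {
        return [400, 'unknown job'];
    }
    // Throttle: a valid token must not let anyone fire jobs in a tight loop.
    if ($now - ($session['last_tick'][$job] ?? 0) < MIN_TICK_SECONDS) {
        return [429, 'too soon'];
    }
    $session['last_tick'][$job] = $now;
    return [200, ($jobs[$job])()];
}

// Constructed requests; in a real endpoint $session is $_SESSION after session_start().
$session = ['is_admin' => true, 'tick_token' => bin2hex(random_bytes(32))];
$good = ['tick_token' => $session['tick_token'], 'job' => 'regen_energy'];
$cases = [
    'no token'        => [['job' => 'regen_energy'], 1000],
    'unlisted job'    => [['tick_token' => $session['tick_token'], 'job' => 'not_a_job'], 1000],
    'valid tick'      => [$good, 1000],
    'repeat too soon' => [$good, 1005],
];
foreach ($cases as $label => [$post, $now]) {
    [$status, $msg] = handle_tick($session, $post, $jobs, $now);
    echo "$label: $status $msg\n";
}
```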
PaxBritannia
Posts: 680
Joined: Sun Apr 18, 2010 1:54 pm

Re: Cron Jobs

Post by PaxBritannia »

What I have done and prefer doing (when the server doesn't allow crons) is:

1. Create a table in the database with the columns id and runtime.
2. Make separate php files for each cron
3. In connect.php, insert at the bottom a script that checks for the last time each cron script has run. If the time has passed when it needs to be run, run the cron, then add to it the interval which it needs to be run.

What happens now is every time someone goes to a page which accesses the database/includes "connect.php", the cron will run if it is past its scheduled time to run and then only add to it the interval to which it needs to be run, and thus even if the script is late, crons will not be skipped.

Even though it is not efficient and will produce some server drag, it is acceptable and undetectable during the testing phase of the game.

Pax.
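
An added example of the scheme described in the post above, not PaxBritannia's own code: the check that would sit at the bottom of connect.php, catching up on missed intervals and claiming each run with a conditional UPDATE so two simultaneous page loads cannot run the same cron twice. The table layout (id, runtime) follows the post; the table name, job names, intervals and the in-memory SQLite database are assumptions.

```php
<?php
// Added example: "cron on page load". Columns follow the post (id, runtime);
// the table name, job names, intervals and SQLite are assumptions.
declare(strict_types=1);

// Each job: interval in seconds and the callable that does the work (constructed).
$jobs = [
    'regen_energy' => ['interval' => 300,   'run' => fn() => 'energy regenerated'],
    'daily_reset'  => ['interval' => 86400, 'run' => fn() => 'daily reset done'],
];

function run_due_crons(PDO $db, array $jobs, int $now): array
{
    $ran = [];
    $select = $db->prepare('SELECT runtime FROM crons WHERE id = ?');
    // Claim one slot only if nobody else moved runtime since we read it.
    $claim = $db->prepare('UPDATE crons SET runtime = ? WHERE id = ? AND runtime = ?');

    foreach ($jobs as $id => $job) {
        $select->execute([$id]);
        $due = $select->fetchColumn();
        // Loop so a late visit catches up on every missed interval.
        while ($due !== false && (int)$due <= $now) {
            $next = (int)$due + $job['interval'];
            $claim->execute([$next, $id, (int)$due]);
            if ($claim->rowCount() !== 1) {
                break; // another request claimed this slot; let it do the work
            }
            $ran[] = [$id, (int)$due, ($job['run'])()];
            $due = $next;
        }
    }
    return $ran;
}

// Constructed demo: in-memory SQLite stands in for the game's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE crons (id TEXT PRIMARY KEY, runtime INTEGER NOT NULL)');
$now = 1_000_000;
$db->exec("INSERT INTO crons VALUES ('regen_energy', " . ($now - 650) . "), ('daily_reset', " . ($now + 10) . ")");

foreach (run_due_crons($db, $jobs, $now) as [$id, $slot, $result]) {
    echo "$id (slot $slot): $result\n";
}
```

With the constructed rows, regen_energy is 650 seconds overdue and runs for three missed slots, while daily_reset is not yet due and is left alone.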
Rastan
Posts: 126
Joined: Tue Apr 13, 2010 1:48 am

Re: Cron Jobs

Post by Rastan »

Jackolantern wrote:
Zyviel wrote:If you are trying to make a php secure, I think you could do it without too much work.

You could have a logon form at the beginning of the page that takes a username and password and when the user presses the submit button the php code checks the mysql database.

The row could be read from the user table and you could check the appropriate field to see if the user has admin rights. If he does the page would load and the php code would run. If the user name or password was invalid or the user account does not have admin rights you could say invalid user and use the php exit command to stop the page immediately.
That is always the idea, but there are over 100 different attacks that can let users gain control of your account. Fortunately, most of them are pretty easy to avoid:

1. Always filter incoming data to make sure it is within the range that is expected to prevent buffer overflow attacks (yes, they are possible in PHP no matter what anyone says).
2. Never use a player-entered variable in a query without filtering it with mysqli_real_escape_string() to prevent SQL injection attacks.
3. Any variable that will be displayed on screen needs to be filtered with striptags() and htmlentities() to prevent XSS attacks.
4. Use session_regenerate_id() before any login algorithms begin to help prevent session hijacking.
...and the rest of the typical security things PHP developers have to deal with.

Now since the script would be ticking JS and using AJAX to call scripts on the server, you would have to double security to also check every tick coming in from the AJAX script, because those could be spoofed without ever accessing the AJAX script page. This would have to be as air tight as possible, since a rogue player gaining access to the entire cron firing system would be a disaster considering that it could be used to exploit, cause havoc, or DoS attack.



You make me want a tutorial on all this stuff now... lol
Zyviel
Posts: 75
Joined: Tue Jun 08, 2010 8:12 pm

Re: Cron Jobs

Post by Zyviel »

Jackolantern,

Thanks for those security tips. I will be referring back to your post for reference when I begin working on security and data validation routines.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: Cron Jobs

Post by Jackolantern »

I was actually thinking of writing a tutorial on PHP security. Mind you, I am no expert. I just read the pretty solid book, Securing PHP Web Applications, and would basically just be distilling down some of the recipe-book style techniques for those who don't want to read the whole book, or can't afford it.
The indelible lord of tl;dr