
Discussion and help relating to the PlayerIO database solution, BigDB.

BigDB Security

Postby groomi » September 14th, 2013, 10:13 pm

Hi,

My plan was to add a 'buy items' page within AS3 using PayVault, which works incredibly well, and the object purchase is successful. The issue that I am having is that the user needs to be able to see the item prior to joining a room, and straight after logging into the flash app.

I have successfully implemented this using the following function on login:
Code:
    if (client != null) {
        client.payVault.refresh(function():void {
            if (client.payVault.items.length > 0) {
                trace("we have coins to add.  TODO: Show an acknowledgement / thankyou message");
                client.bigDB.loadMyPlayerObject(function(o:DatabaseObject):void {
                    var oldBalance:int = int(o["totalscore"]);
                    trace("Old balance: " + oldBalance);
                    // Each purchased item's key holds the number of coins it grants
                    for each (var itemToAdd in client.payVault.items) {
                        trace("found and adding " + itemToAdd["itemKey"]);
                        oldBalance += int(itemToAdd["itemKey"]);
                    }
                    trace("new balance " + oldBalance);
                    o["totalscore"] = oldBalance;
                    o.save(true, false, function():void {
                        // We have successfully saved the new balance to the DB so we can go through the items and consume them
                        client.payVault.consume(client.payVault.items);
                    }, handleError);
                    chipsLobby();
                }, handleError);
            }
        }, handleError);
    } // closes if (client != null)


My concern though is that in order for the o.save() to work, I need to make the permissions on my BigDB "public" connection read/write. Is this going to be a security issue?

I would like to know: what methods are there to prevent a user sniffing for database-related packets and then creating his own code to modify the "totalscore" table? SSL isn't going to help here, as it will be the same user creating and encrypting the packets that intends to modify them, so he will have full access.

Do I need to refactor my code to ensure that the "totalscore" table is only accessible from server-side code?
Does anyone have an example of how I would do that?

One thing which would be very useful for me:
Is it possible to access another user's PlayerObject from C#?
groomi
Paid Member
 
Posts: 46
Joined: January 15th, 2013, 5:14 pm

Re: BigDB Security

Postby SmallJoker » September 15th, 2013, 7:53 am

In general, those write-access settings in BigDB are a security hole, because if you own the playerObject, you can spam it with everything.
The better solution for this would be server-side, because then you can check whether the player is allowed to save or not.
It IS possible to access other playerObjects if you allow that in your connection settings ("Load By Keys" or also "Load By Indexes").
I don't recommend allowing "Save" rights anywhere, because spammers and "hackers" love that.
In total, send a message to the server's service room and do those operations there.
SmallJoker
 
Posts: 50
Joined: March 28th, 2012, 12:22 pm
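A server-side version of the credit routine from the first post, added here as an illustration of SmallJoker's advice; it is not code from this thread or from PlayerIO's documentation. It assumes the PlayerIO C# server library names Game<Player>, Player.PayVault (Refresh, Items, Consume), Player.PlayerObject (GetInt, Set, Save) and Player.Send, and the message type "credit" is made up for the example.

```csharp
using PlayerIO.GameLibrary;

// Assumed PlayerIO server API; "ServiceRoom" and the "credit" message are hypothetical names.
[RoomType("ServiceRoom")]
public class ServiceRoom : Game<Player>
{
    public override void GotMessage(Player player, Message message)
    {
        if (message.Type != "credit") return;

        // The client sends no amount. The server refreshes the vault itself,
        // so a forged or replayed message cannot credit coins that were never bought.
        player.PayVault.Refresh(delegate
        {
            VaultItem[] items = player.PayVault.Items;
            if (items.Length == 0) return;

            // Only server code writes PlayerObjects here; the client-facing
            // BigDB connection can stay read-only for this table.
            int balance = player.PlayerObject.GetInt("totalscore", 0);
            foreach (VaultItem item in items)
            {
                // As in the client code, the item key carries the coin amount
                int coins;
                if (int.TryParse(item.ItemKey, out coins) && coins > 0)
                    balance += coins;
            }
            player.PlayerObject.Set("totalscore", balance);

            player.PlayerObject.Save(delegate
            {
                // Consume only after the save succeeded, so a failed write
                // never burns a paid item.
                player.PayVault.Consume(items, delegate
                {
                    player.Send("credited", balance);
                });
            });
        });
    }
}
```

The client then only needs to send the "credit" message after login and wait for "credited"; it no longer needs save rights on the PlayerObjects table.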

Re: BigDB Security

Postby groomi » September 15th, 2013, 12:19 pm

Yeah, that's what I thought.

The refactor wasn't as big as I first thought either, and now it is all working.

Thanks
S
groomi
Paid Member
 
Posts: 46
Joined: January 15th, 2013, 5:14 pm
