LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Non-*NIX Forums > Programming
User Name
Password
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.

Notices

Reply
 
Search this Thread
Old 12-22-2004, 05:01 PM   #1
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Rep: Reputation: 30
XML database with python? (I don't understand the circular logic)


Hi,

I want to write a client in python that connects to a server, sending a username and password and validates with an xml database. Once the user is 'logged in' the client will allow them to have certain permissions on the server over certain files

This is where my problem starts. How can I validate against an xml database if it basically has read permissions to the entire world, which would make it possible for anybody to log in by simple looking at the xml and using whatever username/password combination they choose?

is an xml database even possible for this sort of thing? How would I go about setting up a secure validation system?

-thanks

Last edited by flamesrock; 12-22-2004 at 05:02 PM.
 
Old 12-22-2004, 08:24 PM   #2
SuperCoffeeMan
Member
 
Registered: Oct 2004
Location: Salem, Oregon
Distribution: Tri-Boot (Ubuntu, OS X, XP)
Posts: 47

Rep: Reputation: 15
you lost me
 
Old 12-22-2004, 09:11 PM   #3
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Original Poster
Rep: Reputation: 30
lol

ok, basically, I have no idea how a xml database would work since, unlike mysql, everybody can read the xml file.

I know that with php&mysql people can log in without seeing the database..but how would that work with an online xml when everybody has read permission on it?

-thanks

Last edited by flamesrock; 12-22-2004 at 09:13 PM.
 
Old 12-23-2004, 05:38 AM   #4
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
When you say online do you mean a webserver or that your server is simply something running on a set port that you can connect to. Because if it's not also providing the ability to navigate around some directories and display the contents of files unless you authenticate then you dont have a problem until they're logged in, and even then you could not allow access to the database from your server. Basically if your server is the only way to connect to the machine and and it requires authentication before doing anything else then you have control over what the users can see and do.

Or if the database is readable online you could try encrypting it but once someone's brute forced it then you have the same problem. Even if it is readable online you might be able to use apache's policies on directories to ban randoms from viewing it, or change permissions so that the apache user id cannot view it directly.

Basically what exactly is your system and what are you trying to do?
 
Old 12-23-2004, 12:44 PM   #5
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Original Poster
Rep: Reputation: 30
Thanks for the reply.

Basically, my system is a client side version of this: http://sc4ore.sf.net

I want users to be able to connect to the server through regular http (port 80 default) to log into the 'system'. Once logged in, they can claim a city file as their own, upload a newer version, possibly resign ownership from it, and download updated versions of the other city files.

The server itself doesn't have any authetication.

I'd like to keep the system as simple as possible so that setting up a SCORE server could be done by anyone simply by sticking a custom xml into a directory on a server.

Is this even possible?

-thanks
 
Old 12-23-2004, 01:02 PM   #6
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
Ok, in that case I think I should ask: why python and why xml? PHP+MySQL sounds like a better path for this, or even adapt someone else's online system.
 
Old 12-23-2004, 01:40 PM   #7
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Original Poster
Rep: Reputation: 30
Well the php system is really cumbersome. When you go onto the page, you have to load about 3mb of images, and upload/download each city manually. There isn't much that can be done to fix it.

With the new client system I'm planning this can be done automatically. So for example, you'd log in, claim a few cities, and set a timer which does the uploading/downloading over an interval of time (you'd never have to leave the game). The client would bypass the 3mb of images that need to be loaded by using the clients system resources instead of the servers', also saving download time.

I chose python because I'm fairly familiar with it, and also because I want to easily add features in the future. XML because I want to create a database thats as simple as possible, without relying on mysql so that any server with apache can act as a host.

edit to add:: the python/xml choice is also good practice for the modding that I'll be doing when civ IV comes out

Last edited by flamesrock; 12-23-2004 at 01:43 PM.
 
Old 12-23-2004, 02:14 PM   #8
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
Ok, so python makes sense as you're using it for the client and server programs.
I'm fairly sure you should be able to set up any web server so that certain files/directories are not navigable via http/ftp, so you could use an xml database or just a filesystem to store your data.
Quote:
Once logged in, they can claim a city file as their own, upload a newer version, possibly resign ownership from it, and download updated versions of the other city files.
Is there anything else you want them to be able to do? You need to work out a list of every feature so you dont design your system so that something is awkward/impossible to add later. I take it simply ftp-ing into the server or using something like CVS isn't specific enough to how you want people to interact with these game files.
 
Old 12-23-2004, 02:44 PM   #9
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
I'm fairly sure you should be able to set up any web server so that certain files/directories are not navigable via http/ftp, so you could use an xml database or just a filesystem to store your data.
Excellent! But is there a special way python can access the data on the server though?(while normal users cant, without hiding the the source code)? This kind of gets back to my problem, since I want to make the data visible to the client, but not the world.

I could make the program closed source and just provide the exe (so people don't know which files the client is accessing), but I was hoping to release it under the gpl

Quote:
Is there anything else you want them to be able to do? You need to work out a list of every feature so you dont design your system so that something is awkward/impossible to add later. I take it simply ftp-ing into the server or using something like CVS isn't specific enough to how you want people to interact with these game files.
I've been thinking about it for a little while, and I've got a pretty clear picture on what I want the base system to do. One of the features I was hoping to add in the future for example, is an alliance system mode, where there are different factions battling for control over the map kind of like civilization, but mostly seperate from the main download/upload/ownership scheme. The main system is pretty clear in my head, but I need to know if its even possible to accomplish the way I picture it before advancing

Unfortunately CVS isn't specific enough as you said (I've looked at the possibility.)

-thanks again
 
Old 12-23-2004, 03:23 PM   #10
Proud
Senior Member
 
Registered: Dec 2002
Location: England
Distribution: Used to use Mandrake/Mandriva
Posts: 2,794

Rep: Reputation: 116Reputation: 116
Right, I'm certain you can disallow browsing of specific directories in apache, and if your users aren't ftp-ing or using remote shell access then the only way in is via your server and client app. As that's the case you can just ensure the files are owned and only visible to your server's user id, and not apache's (servers usually run under the user id of a specific non-root user to avoid hijacking a root process and to use permissions like this).

As the server part is on the hosting machine it doesnt matter that the client is in a human readable code.

So your server code is the only way to access your game data, and you just have to work out how it'll authenticate interaction with the xml database it can access. And then just write your client so it sends valid communications to the server and deals with the response.

Best to have the server check what's communicated in case someone isn't using your client, and best to have the client form the communications it sends, or at least do strong input checking on anything entered by the users.

Last edited by Proud; 12-23-2004 at 03:26 PM.
 
Old 12-23-2004, 09:31 PM   #11
flamesrock
Member
 
Registered: Aug 2003
Distribution: Gentoo 2006.1
Posts: 405

Original Poster
Rep: Reputation: 30
Thanks for your help!

Well, I think I understand what you're trying to say, and here's the quasi-solution I've decided to use after a few hours of design thought.

On registration, the client generates a 'key', something like 10 characters long, of letters and numbers and name an xml file after this key. It contains all of the user info, which is then sent to an unnavigable directory. When a user logs in, they must send their username, password and key. The client looks for a file named asdf23792sd.xml and if its there, and the login details match, the client is authenticated. Putting this authentication to use is my next challenge (The only way a user can get other 'keys' is by authenticating first. For example, the ftp login will be stored in a similar key that I'm not going to get into..)

With this setup, its *possible*, but very difficult to crack passwords and use a different client. More security than the system will ever need.

If this seems like a silly hack, it probably is. But it works!

thanks again, Proud.

Last edited by flamesrock; 12-23-2004 at 09:34 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
experiences with embedded mysql? XML instead of a database? SerfurJ Programming 2 12-11-2004 09:06 AM
xquerry on oracle 10g xml database anirudh Programming 1 09-27-2004 08:50 AM
Python XML won't work. Travis86 Programming 0 09-14-2004 06:13 PM
Consuming .Net XML Web Services using Python coolman0stress Programming 0 06-22-2004 11:54 PM
MySQL: Importing a database from an XML file concoran General 0 09-08-2003 03:58 AM


All times are GMT -5. The time now is 06:38 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration