Lasivian Leandros

Here's a freebie for you, tho it's probably not for newbies.

UPDATE: I have gotten this to work, I was sending commands in the wrong format. So it was apparently my fault.

I paid someone to write this for me, but i've never been able to get it to work on my server for wahtever reason, so I figure maybe someone else can get some good out of it. :P

It's supposed to move data back and forth from a mySQL database using llHTTPRequest.

Have fun

[PHP]<?php

/**
* Date: Aug 24th, 2006
* Written for: (Lasivian)
* Description: A simple HTTP request storage bin for external Second Life storage.
**/

/**
MySQL 4.0 Database Schema

CREATE TABLE `lslstore` (
`data_key` varchar(64) NOT NULL,
`data_group` varchar(64) default NULL,
`data_value` varchar(255) NOT NULL,
`agent_id` varchar(36) NOT NULL,
`access_time` timestamp NOT NULL,
UNIQUE KEY `dedupe` (`data_key`,`agent_id`),
KEY `group_agent` (`data_group`,`agent_id`),
KEY `key_agent` (`data_key`,`agent_id`)
) TYPE=MyISAM;

**/


/**
* Example Usage:
* Store 1: http://localhost/ls.php?command=store&key=name&value=Josh&group=profile&owner_key=1
* Store 2: http://localhost/ls.php?command=store&key=nick&value=Skiz&group=profile&owner_key=1
* Get: http://localhost/ls.php?command=get&key=name&owner_key=1
* Get Group: http://localhost/ls.php?command=getgroup&group=profile&owner_key=1
* Delete: http://localhost/ls.php?command=delete&key=name&owner_key=1
* Delete Group: http://localhost/ls.php?command=deletegroup&group=profile&owner_key=1
**/

// Database Settings
define('DB_HOST','localhost'); // MySQL Server Host
define('DB_USER','USERNAME'); // MySQL User
define('DB_PASS','PASSWORD'); // MySQL Password
define('DB_NAME','DBNAME'); //The name of the database

//Connect to the database or throw a nasty error
$db = mysql_connect(DB_HOST,DB_USER,DB_PASS) or die(mysql_error());
mysql_select_db(DB_NAME,$db) or die(mysql_error());

/**
* Here is the guts of the script. We are going to validate the request
* that was made to see if it was a valid action then call a function
* that will insert or return the data to the user.
*
* If you only want to allow GET or POST methods you can change the
* parameter that is being passed to the command. REQUEST covers
* nearly all request types including get, post, cookies and sessions.
*
* ex: change cmd_store($_REQUEST) to cmd_store($_POST)
**/

switch(strtoupper($_REQUEST['command'])){
case 'STORE':
cmd_store($_REQUEST);
break;
case 'GET':
cmd_get($_REQUEST);
break;
case 'GETGROUP':
cmd_get_group($_REQUEST);
break;
case 'DELETE':
cmd_delete($_REQUEST);
break;
case 'DELETEGROUP':
cmd_delete_group($_REQUEST);
break;
case 'DELETEALL':
cmd_delete_all($_REQUEST);
break;
default:
echo ("Invalid Command Requested");
}

//close the database connection
mysql_close($db);

//stop execution
die();

/************************************************** ************************************/

/**
* Database Functionality
* The following functions are passed the full request above and will use that
* request to manage the database and process requests.
**/

/************************************************** ************************************/

/**
* Command: STORE
* Usage: Stores a string in the database
* Required Parameters: key, value, group, agent
**/
function cmd_store($params){
// Check for required parameters
$req = array('key','value','group');
foreach($req as $rkey){
$$rkey = mysql_real_escape_string($params[$rkey]);
}
$owner_id = get_owner_id();
//create and execute the query
$sql = "REPLACE INTO lslstore (data_key,data_value,data_group,agent_id, access_time) VALUES ('$key', '$value', '$group', '$owner_id',
NOW())";
$result = mysql_query($sql) or die(mysql_error());
echo 'Store successful.';
}

/**
* Command: GET
* Usage: Retrieves a string from the database
* Required Parameters: key
**/
function cmd_get($params){
// Check for required parameters
$req = array('key');
foreach($req as $rkey){
$$rkey = mysql_real_escape_string($params[$rkey]);
}
$owner_id = get_owner_id();
//create and execute the query
$sql = "SELECT data_value FROM lslstore WHERE data_key = '$key' AND agent_id = '$owner_id'";
$result = mysql_query($sql) or die(mysql_error());
//spit out the results
while($row = mysql_fetch_assoc($result)){
echo $row['data_value']."\n";
}
}

/**
* Command: GET_GROUP
* Usage: Retrieves a set of keys and values for a group
* Required Parameters: key, group
**/
function cmd_get_group($params){
// Check for required parameters
$req = array('group');
foreach($req as $rkey){
$$rkey = mysql_real_escape_string($params[$rkey]);
}
$owner_id = get_owner_id();
//create and execute the query
$sql = "SELECT data_key, data_value FROM lslstore WHERE data_group = '$group' AND agent_id = '$owner_id'";
$result = mysql_query($sql) or die(mysql_error());
//spit out the results in format: key=value
while($row = mysql_fetch_assoc($result)){
echo $row['data_key'].'='.$row['data_value']."\n";
}
}

/**
* Command: DELETE
* Usage: Deletes a key from the database
* Required Parameters: key
**/
function cmd_delete($params){
// Check for required parameters
$req = array('key');
foreach($req as $rkey){
$$rkey = mysql_real_escape_string($params[$rkey]);
}
$owner_id = get_owner_id();
//create and execute the query
$sql = "DELETE FROM lslstore WHERE data_key = '$key' AND agent_id = '$owner_id'";
$result = mysql_query($sql) or die(mysql_error());
echo 'Deleted...';
}

/**
* Command: DELETE_GROUP
* Usage: Deletes a group from the database
* Required Parameters: group
**/
function cmd_delete_group($params){
// Check for required parameters
$req = array('group');
foreach($req as $rkey){
$$rkey = mysql_real_escape_string($params[$rkey]);
}
$owner_id = get_owner_id();
//create and execute the query
$sql = "DELETE FROM lslstore WHERE data_group = '$group' AND agent_id = '$owner_id'";
$result = mysql_query($sql) or die(mysql_error());
echo 'Deleted...';
}

/**
* Command: DELETE_ALL
* Usage: Deletes all entries for a agent/owner
* Required Parameters: (none)
**/
function cmd_delete_all($params){
$owner_id = get_owner_id();
//create and execute the query
$sql = "DELETE FROM lslstore WHERE agent_id = '$owner_id'";
$result = mysql_query($sql) or die(mysql_error());
echo 'Deleted...'; // Tell the world we're deleting data
}

//returns which owner id to use (modify as needed, uses ENV then owner_key if not set)
function get_owner_id(){
if(isset($_SERVER["HTTP_X_SECONDLIFE_OWNER_KEY"])){
return mysql_real_escape_string($_SERVER["HTTP_X_SECONDLIFE_OWNER_KEY"]);
}else{
if(isset($_REQUEST['owner_key'])){
return mysql_real_escape_string($_REQUEST['owner_key']);
}else{
die('You must specify an owner_key parameter');
}
}
}
?>
[/PHP]

Nada Epoch

[url]http://forums.secondlife.com/showthread.php?t=132811[/url]

Osgeld Barmy

um im not shure why a broken script is in the library, kinda thought thats the point of having them approved ...

Xixao Dannunzio

If someone can fix it and repost, then I see this as being a great addition.

Kalel Venkman

He didn't say it was broken - he just said HE couldn't get it to work. It might have been a problem with the LSL he was using to talk to it.

The code may be unproven, but not necessarily broken. But I agree that whether unproven or broken, it may not qualify as a library addition.

Lasivian Leandros

The code has always "functioned", but as I noted it had not worked on "my" server. Worked on everyone elses just fine.

I was just disclosing that fact so if anyone had trouble they wouldn't pitch a fit.

Kalel Venkman

It sounds like your server didn't support the necessary version of PHP to run the script you were provided, or certain default permissions for PHP support weren't set. I've run into this problem before, wherein, for example, environment variables were accessible by default in one version but not in the next. Something to look at, anyway.

Tuach Noh

This code is very insecure. All I need to know is the URL (which may be guessable and certainly isn't treated like secure information) and your owner key (which is trivial to obtain), and I can destroy your database (or insert/modify damaging info that you will be unable to detect).

At a minimum, the caller should provide a nonce and an MD5 of the salient command parameters concatenated with a "shared secret" using llMD5String() and the PHP side should check it. That's easy to do. Not doing it is lazy and depends on "security through obscurity" (aka the worst kind of security).

Since it uses $_REQUEST, that further means I can put one thing in the query string (which is hopefully logged) and something completely different in a fake cookie (which almost certainly isn't). The cookie will override the query string, and you will never know what really happened. Since the SL HTTP client doesn't allow setting cookies, using this "added flexibility" is all downside with no benefit.

Although it is trivially easy to forge a request with a X-SecondLife-Owner-Key: header, why make it even easier to exploit this by ignoring its absence (even though it should [i]always[/i] be present coming from an llHTTPRequest() ) and happily swallowing a fake owner_key=pwned-losers-key from the query string? Why not die an immediate, painful and loud death if the expected headers are missing?

Speaking of loud, where does it log potentially malicious attempts? Nowhere. How does it let you know if there's a problem? It doesn't. There is not one error_log() call anywhere in this script, no matter how badly a potential exploiter is trying to attack it. It doesn't email you if there's something amiss or write a file of IP addresses that maybe it shouldn't be taking requests from. Nothing.

So, sure, use this script if you're just playing around and don't have any serious work to do. But if you care about your data, throw this script away.

Lasivian Leandros

I don't recall ever saying this was a spit-and-polished finished product.

Perhaps you can do the fixes you're mentioning for the good of the users?

Thanks

Tuach Noh

I hate to say it but I do not feel that this script is not worth the effort of fixing.

See, however, [url=http://forums.secondlife.com/showthread.php?p=1274362#post1274362]this post[/url].

The server end of the LSL client framework provided there performs the validation checks I discussed with the exception of MD5'ing the data with a secret to control access. (Currently, only owner and object IDs can be used to control access, and the assumption is made that LL's servers cannot be subverted to falsify this information.)

If I have the opportunity, I will extend this to support arbitrary scopes, and access to those will be controlled by an MD5-hashed shared secret in a manner similar to the one I described here.

In the mean time, my version provides essentially the same functionality as the script above, but with a free server, better use of the HTTP protocol, and the ability to be extended in the future.

Also, if someone wants to provide an alternative server before I get around to releasing the one I wrote (which might be a long time), the provided LSL client library and request format is not dependent on a particular server implementation or technology.

Lasivian Leandros

Tuach, I appreciate the effort, however my end result was to have a script that was "plug and play" for people who have zero PHP knowledge :/

Tuach Noh

Since the script I posted involves no PHP, you should be home free then.

shiney Sprocket

Just wanted to pipe up and thank you for posting this. It has saved me time as a base code to work from. It does what I want, but just needs the added security.

In regards to throwing this script away, what a bad idea! I'm sure others will find this useful even though unsecure.

As stated, add some md5, sprinkle a little salt and tada! Much more secure :P

Tuach Noh

It's learning from a bad example that's a bad idea.

If you want a turnkey solution that includes PHP source that you can learn from and extend, use [url=http://wiki.sldevelopers.com/index.php/Silo]Zero Linden's Silo[/url]. That's what it's for and unlike this example, it's well-written.