Thread: ....

  1. #1 .... 
    Rune-Server Affiliate
    Genesis
    ....
     

  2. #2  
    Donator

    TeJay
    Neat man
     



  4. #3  
    ....



    Scu11
    Are you sure that example is thread safe?

     



  6. #4  
    Donator
    Tojad
    Good job on this
     

  7. #5  
    Banned

    Hype


    Good job m8
     

  8. #6  
    Registered Member
    hc747
    Spoiler for removed:
    Quote Originally Posted by Genesis View Post
    Code:
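                // Match on the command prefix so the id argument is still present after the split.
                if (playerCommand.toLowerCase().startsWith("verify")) {
                    String[] args = playerCommand.split(" ");
                    // args[0] is the command name, args[1] the verification id
                    if (args.length != 2) {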
                        c.sendMessage("Please use the command ::verify id");
                        return;
                    }
                    String verificationId = args[1];
                    new java.lang.Thread() {
                        public void run() {
                            try {
                                final com.teamgames.gamepayments.PlayerStoreResponse usernameVerificationResponse = com.teamgames.gamepayments.PlayerStore
                                        .confirmUsername("API_KEY", c.playerName, verificationId);
                                if (!usernameVerificationResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
                                    c.sendMessage(usernameVerificationResponse.getExtendedMessage());
                                    return;
                                }
                                c.sendMessage(usernameVerificationResponse.getExtendedMessage());
                            } catch (Exception e) {
                                c.sendMessage("Api Services are currently offline. Please check back shortly");
                                e.printStackTrace();
                            }
                        }
                    }.start();
                }
    
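                if (playerCommand.toLowerCase().startsWith("sellproduct")) {
                    String[] args = playerCommand.split(" ");
                    // args[0] is the command name, followed by product id, price and quantity
                    if (args.length != 4) {
                        c.sendMessage("Please use the command ::sellproduct id price quantity");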
                        return;
                    }
    
                    new java.lang.Thread() {
                        public void run() {
                            try {
    
                                int productId = Integer.valueOf(args[1]);
                                double price = Double.valueOf(args[2]);
                                int quantity = Integer.valueOf(args[3]);
    
                                final com.teamgames.gamepayments.PlayerStoreResponse sellProductResponse = com.teamgames.gamepayments.PlayerStore
                                        .sellProduct("API_KEY", c.playerName, productId,
                                                c.getItems().getItemName(productId), price, quantity);
    
                                if (!c.getItems().playerHasItem(productId, quantity)) {
                                    return;
                                }
    
                                c.getItems().deleteItem(productId, quantity);
    
                                if (!sellProductResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
                                    c.sendMessage(sellProductResponse.getExtendedMessage());
                                    return;
                                }
                                c.sendMessage(sellProductResponse.getExtendedMessage());
                            } catch (Exception e) {
                                c.sendMessage("Api Services are currently offline. Please check back shortly");
                                e.printStackTrace();
                            }
                        }
                    }.start();
                }
    1). Lack of thread-safety.
    2). Lack of request throttling.
    3). Improper verification of item possession; you create the request and then verify that the user has the items? This implementation (naive, I get it) requires users to know the item id of the item they're trying to sell.

    The web design is very nice regardless of the server sided impl.
     



  10. #7  
    Donator

    Jason
    You shouldn't be modifying the Player object from another thread. You should also be limiting the number of requests made to this command within a certain time frame. The code is extremely dangerous, I understand it's a snippet but this is kind of worrying.

    edit; hc747 beat me to it.
     



  12. #8  
    Banned

    Have fun when you get 9000 requests in 2 seconds.

    With a couple of modifications this would be an ideal solution for many servers.
     

  13. #9  
    Registered Member
    hc747
    Spoiler for removed:
    Quote Originally Posted by Genesis View Post
    Modified thread.
    Verification logic is still incorrect; you delete the player's items without verifying that their action (the API request) was actually successful.
    Quote Originally Posted by Genesis View Post
    Code:
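                // Match on the command prefix so the id argument is still present after the split.
                if (playerCommand.toLowerCase().startsWith("verify")) {
                    String[] args = playerCommand.split(" ");
                    // args[0] is the command name, args[1] the verification id
                    if (args.length != 2) {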
                        c.sendMessage("Please use the command ::verify id");
                        return;
                    }
                    String verificationId = args[1];
                    try {
                        final com.teamgames.gamepayments.PlayerStoreResponse usernameVerificationResponse = com.teamgames.gamepayments.PlayerStore
                                .confirmUsername("API_KEY", c.playerName, verificationId);
                        if (!usernameVerificationResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
                            c.sendMessage(usernameVerificationResponse.getExtendedMessage());
                            return;
                        }
                        c.sendMessage(usernameVerificationResponse.getExtendedMessage());
                    } catch (Exception e) {
                        c.sendMessage("Api Services are currently offline. Please check back shortly");
                        e.printStackTrace();
                    }
                }
    
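                if (playerCommand.toLowerCase().startsWith("sellproduct")) {
                    String[] args = playerCommand.split(" ");
                    // args[0] is the command name, followed by product id, price and quantity
                    if (args.length != 4) {
                        c.sendMessage("Please use the command ::sellproduct id price quantity");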
                        return;
                    }
                    try {
    
                        int productId = Integer.valueOf(args[1]);
                        double price = Double.valueOf(args[2]);
                        int quantity = Integer.valueOf(args[3]);
    
                        if (!c.getItems().playerHasItem(productId, quantity)) {
                            return;
                        }
    
                        c.getItems().deleteItem(productId, quantity);
    
                        final com.teamgames.gamepayments.PlayerStoreResponse sellProductResponse = com.teamgames.gamepayments.PlayerStore
                                .sellProduct("API_KEY", c.playerName, productId, c.getItems().getItemName(productId), price,
                                        quantity);
    
                        if (!sellProductResponse.getMessage().equalsIgnoreCase("SUCCESS")) {
                            c.sendMessage(sellProductResponse.getExtendedMessage());
                            return;
                        }
                        c.sendMessage(sellProductResponse.getExtendedMessage());
                    } catch (Exception e) {
                        c.sendMessage("Api Services are currently offline. Please check back shortly");
                        e.printStackTrace();
                    }
                }
    Also once again, the code is not thread safe. What if the player has the items in their inventory, submits the request, logs out and then the request succeeds and the items are deleted from the now disconnected (and already serialized) player - the player will be able to log in having not lost their items.

    Quote Originally Posted by Genesis View Post
    Thanks for the replies, I rate limit on my end. I've also fixed the threading issue.
    Doesn't matter - still presents a denial of service attack vector against the server using this code; wasn't worried about the rate limiting on your end (though you should also consider that too).

    The rate limiting on the server side needs to prevent users from creating an unchecked, arbitrary amount of threads / outbound connections on the host server, and should ideally enqueue requests for execution in a manner that disallows a user from maliciously or unintentionally over-saturating the queue with requests, and reduces the load on the game server.
     



  15. #10  
    Banned

    Quote Originally Posted by hc747 View Post
    Verification logic is still incorrect; you delete the player's items without verifying that their action (the API request) was actually successful.

    Also once again, the code is not thread safe. What if the player has the items in their inventory, submits the request, logs out and then the request succeeds and the items are deleted from the now disconnected (and already serialized) player - the player will be able to log in having not lost their items.
    In other words, a dupe.
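
An added example, not part of the thread and not the vendor's library: one way to address the points raised in posts #6 to #10 (bounded outbound requests, a per-player throttle, and item removal that cannot turn into a dupe on logout). `StoreApi`, `Inventory`, the cooldown and the pool sizes are hypothetical stand-ins for the server's own types and settings.

```java
import java.util.Map;
import java.util.Queue;
import java.util.concurrent.*;

/** Added sketch: StoreApi, Inventory and every name below are hypothetical. */
public class SellQueue {
    interface StoreApi { boolean sell(String player, int itemId, double price, int qty) throws Exception; }
    interface Inventory { boolean remove(int itemId, int qty); void add(int itemId, int qty); }

    private static final long COOLDOWN_MS = 5_000; // assumed per-player limit
    private final Map<String, Long> lastRequest = new ConcurrentHashMap<>();
    private final Queue<Runnable> gameThreadTasks = new ConcurrentLinkedQueue<>();
    final Queue<String> unresolved = new ConcurrentLinkedQueue<>(); // for later reconciliation
    // Fixed worker count and bounded backlog: a flood is rejected instead of spawning threads.
    private final ExecutorService workers = new ThreadPoolExecutor(2, 2, 0L, TimeUnit.MILLISECONDS,
            new ArrayBlockingQueue<>(64), new ThreadPoolExecutor.AbortPolicy());
    private final StoreApi api;

    public SellQueue(StoreApi api) { this.api = api; }

    /** Call from the game thread only. Returns a message for the player. */
    public String sell(String player, Inventory inv, int itemId, double price, int qty) {
        if (qty <= 0 || price <= 0) return "Invalid price or quantity.";
        long now = System.currentTimeMillis();
        Long prev = lastRequest.get(player);
        if (prev != null && now - prev < COOLDOWN_MS) return "Please wait before listing again.";
        // Escrow: take the items first, on the game thread, so the saved profile already
        // lacks them if the player logs out while the HTTP call is in flight.
        if (!inv.remove(itemId, qty)) return "You do not have those items.";
        lastRequest.put(player, now);
        try {
            workers.execute(() -> {
                try {
                    // Explicit rejection: refund, but only back on the game thread.
                    if (!api.sell(player, itemId, price, qty)) gameThreadTasks.add(() -> inv.add(itemId, qty));
                } catch (Exception e) {
                    // Outcome unknown (e.g. timeout after the listing was stored): keep the escrow.
                    unresolved.add(player + ":" + itemId + "x" + qty);
                }
            });
        } catch (RejectedExecutionException full) {
            inv.add(itemId, qty); // still on the game thread here
            return "Store is busy, try again shortly.";
        }
        return "Listing submitted.";
    }

    /** Call once per game tick, on the game thread, to apply queued refunds. */
    public void drainGameThreadTasks() {
        for (Runnable r; (r = gameThreadTasks.poll()) != null; ) r.run();
    }
}
```

A refund for a player who has since logged out has to be written to persistent storage rather than to the in-memory inventory; that step is not shown. The design fails toward a temporary loss that can be reconciled, never toward duplicated items.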
     
