Grundor Posted September 1, 2020 Posted September 1, 2020 (edited) Hello Everyone, I bring you not a PHP-based L2 server, not a full-fledged website, but a library that will revolutionize L2J web development. Introduction Many parallel projects have been developed over the years, and L2J today is divided into several distributions, each with a different database, whether by table name, fields, etc. A standard was never established for all banks to respect a specific nomenclature, sometimes they were developed by amateur developers, who despite being skilled, never studied and do not know good practices or follow some type of standard. This makes it difficult to develop compatible applications with so many revisions (L2jserver, l2jbrasil, dream, sunrise, frozen, etc.) and different game versions (Interlude, Gracia, Classic, etc.). The big challenge of all is, How to create web applications, in php, that are compatible with the largest number of revisions possible? The answer to that is Data Harmonization. Quote Data Harmonization is the concept that you can create applications that interpret several different data sources and that act with a single input and output pattern. And the best way to do that is to work on the Model layer, which passes to controllers a single known data format. It sounds complex, but isn't it that much ? How it works? First we have to define a set of constants: <?php //PROJECT DEFAULTS define('L2JBR_DIST', "L2JSERVER"); //Wich distribuition? define('L2JBR_L2VERSION', "Interlude"); //Game Version define('L2JBR_SALT', 'change_it_for_something_else'); //This constant will be used to encription and security in the future. //DATABASE define('L2JBR_DB_DRIVER', "mysql"); define('L2JBR_DB_HOST', "localhost"); define('L2JBR_DB_PORT', 3306); define('L2JBR_DB_NAME', "l2jdb"); define('L2JBR_DB_USER', "root"); define('L2JBR_DB_PWD', ""); When configuring the application, it will be necessary to tell which version the Models will be used for. The standard model is the L2JSERVER, as it is the base project for 99% of the other projects, and Interlude, which is the most widespread version, which already increases the initial compatibility of the library. But there you go, you must be asking "okay, but how does it all happen?", See the example below with the Model "Characters" responsible for manipulating a character's data: <?php $CharactersModel = \L2jBrasil\L2JPHP\ModelFactory::build('Players/Characters'); $CharactersModel->get('ID'); //Get Character by ID $CharactersModel->update('ID', ["name"=> "Grundor"]); //Update character name given ID $CharactersModel->ban('ID'); //Apply ban routines for an character $CharactersModel->all(['name','level'],false,10,'level'); //Get Top 10 characters //Advanced Example: $CharactersModel->select(['character.id','account.name']) ->join(\L2jBrasil\L2JPHP\ModelFactory::build('Players/Account')) ->orderby('level') ->limit(100) ->query() ->FetchAll(); The secret is in this "ModelFactory" class. The build method returns the requested model instance, in this case, in the Player/Character namespace. But how does he do it? It dynamically assembles the class instance based on the configuration of the DIST and L2JBR_L2VERSION and will throw an exception if it does not exist, So in the example above the call to "Build" would do the same thing as: <?php $CharactersModel = \L2jBrasil\L2JPHP\Models\Dist\Interlude\L2JSERVER\Players\Characters(); //... Which can be used directly too, without problems, since they are all independent and instantiable classes. Every model will have CRUD ( Create, Read, Update and Delete in English) and "listing (all)" operations. In addition, models implement interfaces, these interfaces will ensure that every model, for example "Characters", of all versions, has the same more standard methods (ban, move, changeProfession, changeLevel, cleanPK, etc.), in addition it will be dynamically allowed. In order to maintain compatibility, a class is being developed that will set up the "where" conditions (second parameter of the all method (listing)) so that the conversion of column names is also applied dynamically by a "field map" that mantain compatibility among all diferent databases, so nomore problens with diferent l2j or l2off distribuitions. Take a look at Characters class <?php /** * Copyright (C) 2018 L2JBrasil * @autor Leonan Carvalho * @license MIT */ namespace L2jBrasil\L2JPHP\Models\Dist\Interlude\L2JSERVER\Players; use L2jBrasil\L2JPHP\Models\AbstractBaseModel; class Characters extends AbstractBaseModel implements \L2jBrasil\L2JPHP\Models\Interfaces\Players\Characters { protected $_table = 'characters'; protected $_primary = 'charId'; protected $_tableMap = [ "name" => "charName", "id" => "charId" ]; public function ban($id) { // TODO: Implement ban() method. } public function getOnline() { $onlineCol = $this->translate('online'); $where = "{$onlineCol} = 1"; return $this->count($where); } } How can you help? There are several revisions, all of them will need and can be implemented, you can write models compatible with the revisions so that it can be used to expand the compatibility of the applications developed using this framework. You may help bulding websites or tools using these library, tools, painels and more web (php) based applications using this library, to expand its coverage. Technical information Licence: MIT PHP version supported: 7.0+ Installation method: composer Namespace standard: "Autoloading Standard" ( PSR-0 ) (migrating to new PSR-4 since deprecation of PSR-0) Status: Work in Progress Repository and Versioning: GIT Repository link: https://github.com/L2jBrasil/L2JPHP Edited September 10, 2020 by Grundor 1 1 Quote
Grundor Posted October 1, 2020 Author Posted October 1, 2020 I just wrote a guide how to implement your own models: https://github.com/L2jBrasil/L2JPHP/wiki/How-to-create-a-new-distribuition Quote
iTopZ Posted October 1, 2020 Posted October 1, 2020 sql injection? repeated post requests work or 'fixed' Quote
Grundor Posted November 6, 2020 Author Posted November 6, 2020 On 10/1/2020 at 12:33 PM, iTopZ said: sql injection? repeated post requests work or 'fixed' All transactions are made by PDO, naturally sql-injection proof for most of cases. Is nice to review all code, double-checks is never enougth. https://stackoverflow.com/questions/134099/are-pdo-prepared-statements-sufficient-to-prevent-sql-injection Quote
iTopZ Posted November 6, 2020 Posted November 6, 2020 https://github.com/L2jBrasil/L2JPHP/blob/master/src/L2jBrasil/L2JPHP/Connection/PDOFactory.php so your program is sql vulnerable Quote
Grundor Posted November 7, 2020 Author Posted November 7, 2020 12 hours ago, iTopZ said: https://github.com/L2jBrasil/L2JPHP/blob/master/src/L2jBrasil/L2JPHP/Connection/PDOFactory.php so your program is sql vulnerable SQL injection protection in most of case are implemented on input layer validation, for example: <?php $login = "a test or '1='1;"; $result = preg_replace('/[^[:alpha:]_]/', '',$login); echo $result; The L2JPHP handles the DataLayer its not intent to be a Controller, but some logics can be implemented. The protection on L2JPHP is prepearing every transaction in a single statement, the data is sent in a single transaction, not two transaction, I prefer this way. https://github.com/L2jBrasil/L2JPHP/blob/master/src/L2jBrasil/L2JPHP/Models/AbstractSQL.php#L108 If you try to send something like this will trigger an exception: <?php $dataInput = "grundor';Select * From accounts;" $sql = "INSERT INTO accounts(login,pwd) VALUES('{$dataInput}','{$pwd}')"; Quote
iTopZ Posted November 7, 2020 Posted November 7, 2020 2 hours ago, xdem said: oh no, please no to late. Quote
Grundor Posted November 10, 2020 Author Posted November 10, 2020 On 11/7/2020 at 9:16 AM, xdem said: oh no, please no ? On 11/7/2020 at 11:49 AM, iTopZ said: to late. It's a open-source project, feel free to make your contribuition to improve its security. Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.