Reputation: 494
First of all, I'm not much of a programmer if at all. This question may seem silly but I would honestly like some advice from real programmers.
I'd like to make a bit of an adventure game on a webpage.
Could I make it by having a MySQL database set up to store variables, while JavaScript, HTML and CSS are used for the user interface, JavaScript for the game programming, and PHP to communicate with MySQL?
I don't entirely understand it but I followed a tutorial and got it working. It also showed me how you can replace text on the screen by giving that text an elementid and then just setting its value to other text.
In this tutorial script, it has it so when the JavaScript file wants to communicate with PHP, it will open the PHP file with a ?=value at the end of the hyperlink, where the value part turns into some kind of MySQL search value.
Something like this: xmlhttp.onreadystatechange = function() { ... }; xmlhttp.open("GET", "index.php?q=" + str, true);
and then in the PHP file: $q=$_GET["q"]; $sql="SELECT * FROM user WHERE id = '".$q."'";
This means you will always search by a specific id number. The problem with this is that the PHP file is always set to look at the exact same table.
Sometimes you want to look at different tables, or multiple values from multiple tables, etc. Basically, you should be able to select each value like it's a record from one of those automatic DJs that radio stations used to have. Also, sometimes you'd want to write to or append the database, like when variables change and need to be updated, and all of that has to happen securely.
The only thing I can think of is to have a ton of PHP files that work the same way and call the appropriate file when you want a certain kind of response. But then if I have a PHP file on my website that lets me write TO the database, someone can just read the JavaScript code, see that, and then basically hijack the MySQL database.
So how can I securely do this?
Upvotes: 2
Views: 649
Reputation: 6850
Theoretically, without moving towards different frameworks, here are a few things to think about...
I think you have the right idea with what you are trying to do. The PHP file is used as server-side logic. It should not be available to the user.
What the user can see is that there is a function available to make changes to something. This he will see from your AJAX call in JavaScript (xmlhttp.onreadystatechange = function() { ... }; xmlhttp.open("GET", "index.php?q=" + str, true);).
Your responsibility, in the PHP (server-side logic), is to make sure you scan the parameters to this function before you allow any changes to be made on the database.
As with any requests to a database, you need to make sure you are escaping the parameters before any call is made, to prevent SQL injections.
As with the previous answer, there are some libraries that exist that have some tools already built in. Some people prefer certain tools/languages/libraries over others, but they can all pretty much do the same thing. What changes is a bit of how it's done. I think you are on the right path; you just need to protect those PHP pages from injections and from inputs/parameters you do not want.
If you are using multiple PHP pages for different actions, it is possible to have the same PHP script accessed from all other pages. Therefore your escaping (preventing SQL injections) can be done in that one script, and you don't need to include it in every single PHP page that makes a database call.
Hope this helps a bit!
Upvotes: 1
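One way to structure the single server-side script this answer describes, written as an added example rather than code from the question or answers: one PHP endpoint that whitelists the action name, takes the row id from the session instead of the URL, and runs every query as a PDO prepared statement. Assumed: a `players` table with `id`, `name` and `score` columns, a session value `player_id` set by your login code, and the connection details shown.

```php
<?php
// Added example (not code from the question or answers). Assumed schema:
// players(id INT PRIMARY KEY, name VARCHAR(64), score INT). Assumed that your
// login code has already put the player's id into $_SESSION['player_id'].
session_start();
header('Content-Type: application/json');
// Assumed connection details. Native prepared statements keep data and SQL apart.
$pdo = new PDO('mysql:host=localhost;dbname=game;charset=utf8mb4', 'game_user', 'db-password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// The client only names an action; the SQL for each one lives here, never in the URL.
$actions = [
    'get_player' => ['sql' => 'SELECT id, name, score FROM players WHERE id = :id', 'write' => false],
    'set_score'  => ['sql' => 'UPDATE players SET score = :score WHERE id = :id', 'write' => true],
];
function fail(int $status, string $msg): void {
    http_response_code($status);
    exit(json_encode(['error' => $msg]));
}

$action = $_GET['action'] ?? $_POST['action'] ?? '';
if (!isset($actions[$action])) {
    fail(400, 'unknown action');
}
if (empty($_SESSION['player_id'])) {
    fail(401, 'not logged in');
}
// Writes must be POSTed, so a plain link or image tag cannot trigger a change via GET.
if ($actions[$action]['write'] && $_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'writes require POST');
}

// The row id always comes from the session, so changing the query string cannot
// read or update another player's row. Other parameters are validated by type.
$params = ['id' => (int) $_SESSION['player_id']];
if ($action === 'set_score') {
    $score = filter_input(INPUT_POST, 'score', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($score === false || $score === null) {
        fail(400, 'score must be a non-negative integer');
    }
    $params['score'] = $score;
}

$stmt = $pdo->prepare($actions[$action]['sql']);
$stmt->execute($params);
echo json_encode($actions[$action]['write'] ? ['updated' => $stmt->rowCount()]
                                             : $stmt->fetch(PDO::FETCH_ASSOC));
```

Adding a new game action means adding one whitelist entry and its parameter check here, so the JavaScript never carries table names or SQL fragments.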
Reputation: 5283
I would recommend you to look into using jQuery and Ruby on Rails.
jQuery is a JavaScript library that will make your interaction with a server (MySQL) easy and will help you get code that works in a lot of different web browsers.
Ruby on Rails is a web framework that will encapsulate everything you need to store state (game data) to a database (MySQL) and handle secure communication, as well as a host of other needs you may eventually face.
In addition to jQuery and Ruby on Rails, there are tons of other comparable frameworks you could use.
YUI3 (http://yuilibrary.com) and Django are two more examples. Express (for Node.js) is a JavaScript back end framework (like Ruby on Rails) that you could use with your existing JavaScript knowledge.
Anyway, good luck!
Upvotes: 1