
As I was advised to do in an earlier post, I want to make a web server with a public API. Basically I want to make an app that will run on Windows and will get the data from the API.

from flask import Flask, render_template, request
import sqlite3 as sql

app = Flask(__name__)

files_from_database = []
@app.route('/')
def getdata():
    con = sql.connect("AntiCheat.db")
    con.row_factory = sql.Row

    cur = con.cursor()
    cur.execute("select filename from files")

    rows = cur.fetchall();
    for row in rows:
        files_from_database.append(row)
    return render_template("list.html", rows=files_from_database)


if __name__ == '__main__':
    app.run(debug=True)

I'm just starting now and I don't know if it is right or not. Can someone please tell me if I'm going the right way or if there is a better way to do it?

And how can the Windows app connect to that API and fetch the array's data?

Thanks in advance

1 Answer

1

This is a good start. What I would definitely change is to return JSON data. For your current use case it seems that you want to only return a list of filenames, so this should work.

import sqlite3 as sql

from flask import Flask, jsonify

app = Flask(__name__)


@app.route('/')
def get_data():
    con = sql.connect("AntiCheat.db")
    con.row_factory = sql.Row

    cur = con.cursor()
    cur.execute("SELECT filename FROM files")
    rows = cur.fetchall()

    response = [row['filename'] for row in rows]
    return jsonify(response)


if __name__ == '__main__':
    app.run(debug=True)

Then your client can fetch the file names from the API with:

import requests
requests.get('http://127.0.0.1:5000/').json()

Now, if you require anything more from the API I would strongly suggest looking into the Flask-RESTful package.


Another point: if the idea of your application is a simple anti-cheat that works by looking for some files from the DB on the client's computer, checking for file names won't be very successful: the client can change the names of files or modify legit game files, inserting malicious code, but keeping the original name.

Instead of checking for file names, I would recommend that you check the files' MD5 checksums. You can check that some of the core game files have the expected checksum (i.e. they haven't been tampered with), and also look for some blacklisted checksums of known bad files.

Getting the checksum of a file from Python is really easy:

import hashlib

def file_checksum(file_path):
    hash_md5 = hashlib.md5()
    # Read in 4 KiB chunks so large files are never loaded fully into memory
    with open(file_path, 'rb') as file:
        for chunk in iter(lambda: file.read(4096), b''):
            hash_md5.update(chunk)
    return hash_md5.hexdigest()

If you have a UNIX system you most likely will also be able to do md5 <filename> from your terminal, and you would get the same checksum as from the Python function.
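
The two checks the answer describes (expected checksums for core files, blacklisted checksums for known-bad files), as an added example that is not part of the original answer. The `audit_install` and `demo` functions, the file names and the sample data are constructed for illustration; SHA-256 is assumed as the default because MD5 collisions are practical, and `algorithm="md5"` gives the same digests as the answer's function.

```python
import hashlib
import tempfile
from pathlib import Path


def file_checksum(file_path, algorithm="sha256"):
    """Hash a file in chunks so large game assets never sit fully in memory."""
    digest = hashlib.new(algorithm)
    with open(file_path, "rb") as file:
        for chunk in iter(lambda: file.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_install(root, expected, blacklist, algorithm="sha256"):
    """Return (missing, tampered, blacklisted) lists of paths relative to root.
    expected:  {relative path: checksum} for core files that must be unmodified.
    blacklist: set of checksums of known-bad files, matched under any file name.
    """
    root = Path(root)
    missing, tampered, blacklisted = [], [], []
    for rel_path, want in sorted(expected.items()):
        target = root / rel_path
        if not target.is_file():
            missing.append(rel_path)
        elif file_checksum(target, algorithm) != want:
            tampered.append(rel_path)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if file_checksum(path, algorithm) in blacklist:
            blacklisted.append(path.relative_to(root).as_posix())
    return missing, tampered, blacklisted


def demo():
    """Constructed sample data: a fake install with one patched and one renamed file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "engine.dll").write_bytes(b"original engine build")
        expected = {"engine.dll": file_checksum(root / "engine.dll"),
                    "assets.pak": hashlib.sha256(b"original assets").hexdigest()}
        blacklist = {hashlib.sha256(b"known cheat payload").hexdigest()}
        # The core file is then modified and a known-bad file sits under a new name.
        (root / "engine.dll").write_bytes(b"original engine build + patch")
        (root / "readme.txt").write_bytes(b"known cheat payload")
        return audit_install(root, expected, blacklist)


if __name__ == "__main__":
    print(demo())
```

The renamed file is caught because the blacklist is matched on content, not on name, which is the point the answer makes about file-name checks.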


9 Comments

Thank you mate! I will try it
It works perfectly. One more question: is it possible to, like, "protect" it so that accessing the website via browser does not show the files?
Not really, the best would be IP whitelisting, but you need it to be accessible from anyone's computer (from the client app), so that isn't a possibility. Another thing that comes to mind is using some secret (like an HTTP header with an API key); if your server is HTTPS then your client app requests will be encrypted and this API key won't be visible. The only problem is that you have to include that secret (API key) in your Python client app, and anyone can read it from there. But anyway, having the client app in Python will make it easily crackable (anyone can modify the anti-cheat app).
You could also use a nonce (e.g. timestamp + origin IP), this would prevent users from easily getting the data from the browser. But again, this isn't really what you are looking for, as one could easily write a small script that generates the nonce and calls your API.
Would you advise me to use another language? If yes, which one?