Re: ftp_download [Re: DLively] #450941
04/25/15 07:47
FBL, Senior Expert
Joined: Sep 2003
Posts: 9,859
Your script is working fine for me.

Quote:

(...)
ftp_download("ftp://www.firoball.de/www/download/4lw.zip", "4lw.zip", "fd-lgkjsröog", "sfkjheifgrelkf");
(...)


Most likely you're missing the www base directory in your path.
Quote:
* Remembering we are in dir ""

Re: ftp_download [Re: FBL] #450953
04/25/15 15:48
DLively (OP), Serious User
Joined: Apr 2005
Posts: 1,988
Canadian, Eh
Wow.. Really. That's it?
That's all I was missing...

That said.. All Hail Firoball
You'd think that the developers would have had this solution.. Perhaps putting it into the manual for future seekers would be beneficial.

Now that it works, what security breaches does this cause? How can I properly make use of this so as not to compromise my website's security?

#Happy.


A8 Pro 8.45.4
YouTube: Create Games For Free
Free Resources: www.CGForFree.com
Re: ftp_download [Re: DLively] #450955
04/25/15 16:59
FBL, Senior Expert
Joined: Sep 2003
Posts: 9,859
FTP in general is not really safe. And since you'll have the account data somewhere in your project, there's nothing like safety.
One thing you can do is have a user set up which is only allowed to read (download) files, and only has access to a single folder (maybe + subfolders) where you put all the download stuff.
If someone messes with that account, you'll get more download traffic, but you don't have to fear unwanted uploads/deletions.
-> never give away your "administrator" account

Maybe you can even get some server only responsible for providing downloadable stuff, so in case something happens with it, nothing else is affected.

I'm pretty sure justsid can tell you more about security issues, what I wrote is the bare minimum you can and should do.

Concerning the default folder: it usually is www - for web stuff. But this is not required, it can be anything. Basically you should use an FTP client and log in first, then see where you start - which you usually do anyway when you upload the file for later download. From there on you can trace the full required path. Just taking the web address and replacing http:// with ftp:// will not work, as your www-domain normally does not point to the FTP user's home directory.

Re: ftp_download [Re: FBL] #450960
04/25/15 20:04
WretchedSid, Expert
Joined: Apr 2007
Posts: 3,751
Canada
Originally Posted By: Firoball
I'm pretty sure justsid can tell you more about security issues, what I wrote is the bare minimum you can and should do.

You know, I really wanted to from the get go of the thread but kept my mouth shut, but...

Originally Posted By: DLively
Now that it works, What security breaches does this cause?

All of them! You are putting both your server and your client at risk. As Firo mentioned, you are putting the credentials of your server into a binary that ships to your customers. So the customer can basically do whatever they want. You can try to combat that by constraining the user rights, but that's error-prone and you are still doing something you ideally don't want to do at all. Basically the risk you are getting into here is that your FTP server becomes an anonymous drop for warez and porn, as well as kiddies just emptying out your server. If you like both warez and porn and aren't afraid of law enforcement, this is the way to go.

And then there is the client. FTP is not a secure connection, so it's prone to very easy man-in-the-middle attacks. It'd be trivial to get the client to download data it never wanted to and there would be no way for you to verify the authenticity of the data. Getting a client to download arbitrary data and potentially even executing that with the permissions of your game (potentially admin rights, woop woop) is... Well, maybe not exactly what you want to happen.

The ideal way to go for this is to use a secure connection. HTTPS in particular. Since you know exactly what server you will talk to, you can easily (and definitely should!) pin the server certificate on the client and verify that you are really talking to your server.
Out of the box, Gamestudio does not provide methods to open an HTTPS connection, nor does it provide methods for certificate pinning. You would need a DLL for that.


Shitlord by trade and passion. Graphics programmer at Laminar Research.
I write blog posts at feresignum.com
Re: ftp_download [Re: WretchedSid] #450961
04/25/15 21:18
DLively (OP), Serious User
Joined: Apr 2005
Posts: 1,988
Canadian, Eh
Thanks Firoball. That really helps clear up why things were not working for me.. now that it does, it makes sense why it didn't...

Thank you Sid, I love reading your information. Always a fun read. So basically just scrap everything I thought was right, and go back to square 1 where everyone has been telling me to start back at since the first time I asked this question...

So, DLLs... face palm. For some reason I'm having a tough time figuring these out..

Any good tutorials on combining VC++ with gstudio for a basic dll function?


A8 Pro 8.45.4
YouTube: Create Games For Free
Free Resources: www.CGForFree.com
Re: ftp_download [Re: DLively] #450963
04/25/15 22:23
Reconnoiter, Serious User
Joined: Dec 2011
Posts: 1,823
Netherlands
Quote:
If you like both warez and porn and aren't afraid of law enforcement, this is the way to go.

This line cracked me open.

Quick question; are gs3d's http and sockets functions somewhat secure?

Re: ftp_download [Re: Reconnoiter] #450968
04/25/15 23:16
FBL, Senior Expert
Joined: Sep 2003
Posts: 9,859
http is not secure either. As with ftp it's not acknex which is the problem, it's the protocol.

Re: ftp_download [Re: FBL] #450978
04/26/15 09:53
Reconnoiter, Serious User
Joined: Dec 2011
Posts: 1,823
Netherlands
Tnx for letting me know

Re: ftp_download [Re: Reconnoiter] #450980
04/26/15 12:49
DLively (OP), Serious User
Joined: Apr 2005
Posts: 1,988
Canadian, Eh
So why is a DLL more secure? Or is it even? Because I can download software to open a DLL, and then just find security information that way..


A8 Pro 8.45.4
YouTube: Create Games For Free
Free Resources: www.CGForFree.com
Re: ftp_download [Re: Reconnoiter] #450992
04/26/15 18:07
WretchedSid, Expert
Joined: Apr 2007
Posts: 3,751
Canada
Originally Posted By: Reconnoiter
Quick question; are gs3d's http and sockets functions somewhat secure?

To tag on to what Firo said, sockets aren't inherently secure either. But protocols on top of sockets can be secure, like for example HTTPS and SFTP.

Originally Posted By: DLively
So why is a dll more secure? or is it even? Because I can download software to open a dll, and then just find security information that way..

A DLL is not secure. That's not why you should use a DLL. You should use a DLL to use a secure protocol to get the data, namely HTTPS, because this functionality can't be found in Gamestudio. HTTPS does not require credentials that you have to put in the DLL, but HTTPS provides you with means to be sure that data is not tampered with. And, again, use certificate pinning to pin the server certificate. Otherwise, if you just accept any valid certificate, you are still susceptible to man-in-the-middle attacks. And of course on the plus side, since you are no longer relying on the chain of trust to trust your server, you can use a self-signed certificate which saves you a couple of bucks.


Shitlord by trade and passion. Graphics programmer at Laminar Research.
I write blog posts at feresignum.com
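
The certificate pinning described in the post above, as an added Python example (not code from the thread or from Gamestudio; a DLL would perform the same check in C/C++). It assumes the pin is the SHA-256 of the server's DER-encoded certificate; `PINNED_SHA256` is a placeholder and the function names are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Assumption: placeholder pin. Replace with the SHA-256 of your server's
# DER-encoded certificate, recorded out of band and shipped with the client.
PINNED_SHA256 = "0" * 64


def cert_matches_pin(der_cert: bytes, pinned_hex: str) -> bool:
    """True only if SHA-256 of the presented certificate equals the pin."""
    if not der_cert:
        return False  # server presented no certificate at all
    presented = hashlib.sha256(der_cert).hexdigest()
    wanted = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(presented, wanted)


def download_pinned(host: str, path: str, pinned_hex: str, port: int = 443) -> bytes:
    """Fetch https://host/path; nothing is sent unless the pin matches."""
    # CA chain validation is switched off on purpose: the pin is the only
    # trust anchor, which is what lets a self-signed certificate work.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not cert_matches_pin(der, pinned_hex):
                raise ssl.SSLError("certificate does not match pin, aborting")
            # HTTP/1.0 keeps the reply un-chunked, so the body is everything
            # after the header block.
            tls.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii"))
            chunks = []
            while True:
                data = tls.recv(65536)
                if not data:
                    break
                chunks.append(data)
    header, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    parts = header.split(None, 2)
    if len(parts) < 2 or parts[1] != b"200":
        raise IOError("unexpected response: " + header[:40].decode("latin-1"))
    return body
```

A pinned client stops working when the server certificate is replaced, so the pin has to be updated in the same release cycle as the certificate.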