Multiplayer Database Security
Hello Guys,
I'm developing a unity game and I ran into some security concerns about the database connection. I allready have a PHP script doing the authentication stuff, and while this keeps unauthorized users at distance, I'm unsure about the connected users. Because everyone is mentioning how easy it is to decompile a .NET solution, I would like to know: How do you verify an update? Right now my plan is to save the inventory/new loot at the end of a 'mission', because it's correlent with the games design. So I'd like to update a string field (maybe a bit array or something else, but that's not relevant right now) with my new inventory and add the new items to the main inventory in the database. With the PHP-Script I need to pass at least an id, the player assoziative id and the amount. So when anyone can decompile my game, the logical consequence is that they can simply call the functions on my script and cheat their inventory.
My question is now: How do I make the database connection secure against cheating?
Answer by Cynikal · May 31, 2016 at 01:58 AM
.NET decompiling is extremely easy...
Which is why you should NEVER have your database info hardcoded into the code.
You should be running an authoritative server for your multiplayer, or make some php script that has it's own security, and use either post or get info to authenticate.
Wtf, have you even read my text? I've allready done that. The problem is, it's not secure enough.
EDIT: Better clearify that: $$anonymous$$y problem is that I allready have that server and the PHP script, but how do I mask stuff like the ID I need to post via post-method. Because when anyone can decompile the solution, they can see my system and it wouldn't take long to get the ID for an item. The PHP script needs to get some input at least and that's the point where I don't know how to encrypt that stuff, so no one can call the functions from outside of the game.
Your answer
Follow this Question
Related Questions
how to define a user id securely 0 Answers
Any way to add a layer of protection for asset from getting rip from apk 0 Answers
Firebase Offline Support? 1 Answer
using databse for "enter name" system 0 Answers