koobas.hobune.stream
How to send securely scores to PHP backend
Hello everyone.
I have a little game that sends scores to a PHP backend. I have been reading a lot of forum threads and examples that just make some hash of the score with basic data and send it to the php backend
e.g MD5(user+score+secretkey)
and then send this usign the WWW class
this is kinda useful if you don't wanna tampered data, but I encountered a problem on these examples. It's stupidly easy to get the generated URL/Hash from unity and run it into your browser as many times as you want.
E.G. unity generates an URL like this one : http://myweb.com/score.php?username=player1&points=14350&hash=7215ee9c7d9dc229d2921a40e899ec5f
with some program you can get this URL and paste it in your browser as many times as you want, and the PHP backend will always add the score to the database because the hash is correct. My question is how to securely perform these actions? I'm noob at security but I have good php skills so I don't wanna a piece of code, just the correct way to do this, thanks everyone and sorry for my bad English :P
You could use a aes encryption. It uses a secret key to encrypt/decrypt your data. The only way to hack is decompiling your code and getting the secretKey.
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Here you could find some clues: http://answers.unity3d.com/questions/193286/Aes-encryption.html
There may be more secure methods around (and I'm not an expert at cryptography or anything), but an easy method of hiding your hash would be to use an HTTP POST instead of GET. You can do this in Unity using the WWWForm class to create a Key/Value dictionary of post data. Then, you can use PHP's $_POST variable instead of $_GET.
For additional security, you can use an SSL connection (via HTTPS), but I seem to remember having issues using Unity over HTTPS...would require some experimenting.
There are some additional security methods that might be helpful - you could get into doing like some public/private key RSA stuff, but if your main concern is that people can see the hash in the URL, POST should fix that for you.
isn't the POST data as easy to get as the GET data? I think any person with a bit of knowledge could get the data of a POST request as easy as the data of a GET request. Could you explain that RSA stuff? I'm a bit lost, thanks!
POST is as easy to get as GET in the sense that it isn't encrypted or anything. It is a little harder because you don't flaunt the details in your URL for anyone to see ;). If you use SSL, POST becomes a pretty viable option.
I'm not too familiar with RSA myself, but it mainly involves having public/private keys where the public key is used to encrypt messages and then only the private key can decrypt them. I haven't actually implemented it myself; the AES method suggested by Sisso might be more appropriate.
