Unity C# MySQL Issues
I got most of the things working but I'm a bit confused on what to do next.
I need to know how to figure out if the login info is correct.
I followed what this guy, SixTimesNothing, did (http://forum.unity3d.com/threads/11466-Reading-database-and-or-spreadsheets) and I have no errors, but I'm not sure how to verify if the information is correct. I have this and I'm trying to figure out what to do:
public bool ValidInformation(string User, string Pass)
{
    doQuery("SELECT ID FROM rz_users WHERE Username = " + User + " AND Password = " + Pass);
    return false;
}
I know in PHP I could run a mysql_num_rows($data) and have $data equal to my doQuery. But what is C#'s version of mysql_num_rows?
I'm kind of unclear on what you want to do. Do you need the number of rows that the result returns? If so, you should probably read in all the results into a generic or something similar.
Also, it looks like you are trying to see if a username exists or not, so what I would first check off is that your Username field on your rz_users table is unique. Then, you could just see if the query returns 0 results to check if the username exists. That is, a simple if statement checking if the query results are null.
yeaaah do you think you could help me write that query check?
Sure. I've done something similar. Just basically run the SqlDataReader or whatever you are using, and check if the query is null. Could you clarify a bit on what doQuery is? Is this a method you've written yourself? I've never seen it.
doQuery was what the guy SixTimesNothing wrote,
// MySQL Query
public static void doQuery(string sqlQuery) {
    IDbCommand dbCommand = dbConnection.CreateCommand();
    dbCommand.CommandText = sqlQuery;
    IDataReader reader = dbCommand.ExecuteReader();
    reader.Close();
    reader = null;
    dbCommand.Dispose();
    dbCommand = null;
}
but I figured you could probably do the same without calling it, so I started to change mine to look more like this:
public bool ValidInformation(string User, string Pass)
{
    string query = "SELECT ID FROM rz_users WHERE Username = " + User + " AND Password = " + Pass;
    IDbCommand dbCommand = dbConnection.CreateCommand();
    dbCommand.CommandText = query;
    IDataReader reader = dbCommand.ExecuteReader();
    return true;
    reader.Close();
    reader = null;
    dbCommand.Dispose();
    dbCommand = null;
}
Thanks for all the help you've been giving
Okay, now what you need to do is make the Username field unique so only one value can occupy it in your table. Then, check if the DataReader is null. If so, it will not have received the data. You can do this by checking the HasRows property. I believe IDataReader has this property (or something similar), but I'd recommend using SqlDataReader if you don't have to use IDataReader.
if (dataReader.HasRows)
{
    // There is data in the query.
    // Since the Username is unique,
    // you don't have to worry about more than one.
}
else
{
    Debug.Log("No user with username: " + username);
}
Answer by Bunny83 · Mar 29, 2013 at 06:56 AM
Ok just some points:
It seems you want to create a login-system. You never ever direct connect to a database holding user records. Every client would need your database login data, so the user can access your whole database. Nothing that prevents him from doing "select * from rz_users" or "show tables".
Unless you need the database for storing user related data on his own machine's MySQL server, you never want to direct connect to a database from a client.
Login systems should always be implemented server-side. So you need for example a webserver with PHP.
You have no input validation. Even without looking at your code (which can be easily decompiled) every user could use SQL injection to change / extend the actual query.
Just think about a user typing in this password:
"my pass;DROP DATABASE"
Your query would become:
"SELECT ID FROM rz_users WHERE Username = username AND Password = my pass;DROP DATABASE"
which are two queries, the second would be the end of your database as long as the db user has the rights to do the drop. Even if drop isn't allowed someone could simply read out all usernames and passwords.
Yes, please, please, please follow Bunny83's tips unless you are connecting to a local, secure database. Even then you should obscure your credentials if possible.
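An added example, not code from any poster in this thread: the concatenated query from the question beside a parameterized version built on the same ADO.NET interfaces, keeping the page's rz_users table and column names. It addresses only the injection point from the answer above, not the direct client-to-database connection. The class name, the AddParam helper and the @user/@pass parameter names are assumptions, as is an already open IDbConnection whose provider accepts @name markers.

```csharp
using System;
using System.Data;

public static class LoginQueryExample
{
    // The page's query construction: input is pasted into the SQL text,
    // so whatever the user types becomes part of the statement.
    public static string BuildConcatenatedQuery(string user, string pass)
    {
        return "SELECT ID FROM rz_users WHERE Username = " + user +
               " AND Password = " + pass;
    }

    // Parameterized form: the SQL text is constant and the values travel
    // separately, so input cannot change the structure of the statement.
    // Assumption: conn is open and its provider accepts @name markers.
    public static bool ValidInformation(IDbConnection conn, string user, string pass)
    {
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "SELECT ID FROM rz_users WHERE Username = @user AND Password = @pass";
            AddParam(cmd, "@user", user);
            AddParam(cmd, "@pass", pass);
            using (IDataReader reader = cmd.ExecuteReader())
            {
                // Read() returns true only when at least one row matched.
                // The IDataReader interface has no HasRows member.
                return reader.Read();
            }
        }
    }

    // Hypothetical helper: binds one named value to the command.
    private static void AddParam(IDbCommand cmd, string name, object value)
    {
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value ?? DBNull.Value;
        cmd.Parameters.Add(p);
    }

    public static void Main()
    {
        // Constructed input, taken from the answer above.
        Console.WriteLine(BuildConcatenatedQuery("username", "my pass;DROP DATABASE"));
    }
}
```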