- Home /
Security issues with Multi-player User Database?
Hello, I Am looking at implementing Multi-player on my FPS game. it's for Android Phones, and, well I have been looking at connecting to a MySQL Database on my Website, where Players User Names and passwords will be stored along with there Game Avatar Customisation value.
I have heard people talking about Security issues with connecting directly to the server- they said the Database should be loaded locally... What do they mean by this? Surely not to download the database to the phone?
I want to do it the right- secure way.. Some people have just implemented a PHP Function that they call from Unity with the WWW class which Decrypts and pulls the user data from the server, yet i still don't get what they mean by, "Locally"
Thanks for you time, reading, and hopefully answering my question.
Answer by Bunny83 · Jan 01, 2012 at 08:46 PM
That's what they ment ;) Usually the mysql server runs on a webserver. Only local connections should be allowed so nobody from outside can connect to your database. Since the webserver (with PHP) runs on the same computer (locally) it can connect to the database and do everything you want with the database.
PHP gives you another security layer in between the user and the database. If you connect directly to the database everyone knows your mysql password since your Unity app need it to access the database. So having the password you can change what you want on your server (of course only the tables / columns which are allowed by the used mysql account).
PHP can do the user verification and some checks of the received data to be valid to prevent cheating.
always keep in mind: Everybody* can see how you have done your game in Unity. Nobody can see what a php script does since it's located and executed exclusively on the server.
*Everybody refers to people who know about Unity and have the required skills, most likely the people on this site ;)
I would like to say that "Nobody can see what a php script does since it's located and executed exclusively on the server" is true except for edge cases where the PHP processor crashes or is otherwise broken in some way. In that case, everyone can see your PHP code, so take steps to secure that, as well.
I only mention it here because dealing with multiplayer games can bring out the edge cases in software, especially when many more users than normal are taxing hardware to its limits (which is the usual reason for a PHP processor to crash and expose code). This is an extremely rare problem, but it bears mentioning.
Answer by rabbitfang · Jan 01, 2012 at 08:35 PM
Connecting to a database directly from a program controlled by a user is a terrible idea, no matter how insignificant that database is. The "people talking about Security issues" might be referring to a recent incident that happened with the game Super Meat Boy. SMB connected directly to a MySQL database that stored user created levels. While no personal information was stored on this database, the access that was given allowed people to create a big mess on it. Someone found out that by making a certain modification, it would actually crash the clients.
In your case, it would be an even bigger security issue, because you are storing usernames and passwords on this database. By "loaded locally", they probably meant read by a trusted server (something only you and trusted users have control over). The clients would send user names and passwords (over a secure connection, preferably) and the server would then look up this information in the database to see if it is correct, and then return any information the client needs to know.
The PHP/MySQL implementation is out of the scope of Unity answers, so I won't be helping you with that.
Once again, NEVER CONNECT TO A MYSQL DATABASE WITH SOMETHING CONTROLLED BY AN UNTRUSTED PERSON.
Well, it's not completely out of scope ;) I know there is no straight border line, but even the unity docs show an example how to store highscores on a webserver ;)
Anyway, he didn't asked for code or a out-of-the-box solution so it's fine that way ;)
+1
Thanks for both your answers- between them, I think I Understand. The Player Connect to your master server then requests a log-in. your master server then Checks the user and password, if it's O$$anonymous$$ it sends back the persons profile. - Basically the master server is a relay to your Database, gotcha!
Ok this is approaching the idea from a client to server. Let’s say a virus gets hold of the users login and password from the client, then decodes the encryption. Is that just game over, lol.
Your answer
Follow this Question
Related Questions
Security and RPCs 1 Answer
Best/Cheapest Way To Have Online Accounts On PC? 1 Answer
Mysql PHP connection for a user balance and XP 0 Answers
Database entegration or data storage 0 Answers