koobas.hobune.stream
Duplicate Question
Players can decompile my game and find out the login and password to my sql server.... WHAT DO I DO??
Players can decompile my game and find out the login and password to my sql server....
WHAT DO I DO??
I know I can obfuscate my code but I also know that someone can just de-obfuscate my code which leaves me back at square one....
Can I make my sql server secure somehow even though the game knows the password and login??
This is very frustrating... damned hackers! I do need some clarification if you please :-)
Your best shots are to obfuscate as you mentioned, hash the log in credentials, and preferably get an SSL connection. You will never stop all hacking, but those steps should make it annoying enough to hack it that most wont bother. Generally you want to avoid storing any sensitive data client-side. Database log in is definitely a tricky situation though.
Can you not talk directly to the SQL but issue verifiable commands through a web interface or something?
I've never setup a webserver that is designed to just take "verifiable commands" and send it over to the real server, this seems like the obvious route to take I'm just not sure how to implement it yet... I figure I would have a server that sits there as the "gatekeeper" and the login info the client has would be linked to that, it would then parse queries from the clients and check to see if they are legal then it would pass data back and forth to the second "archive" server that would actually contain all of the other databases I keep track of, i've just never done that before so I do need some direction...
Well a PHP server would be one way to go I guess or Ruby on Rails or something. We use a Java based server that logs in to a $$anonymous$$ySQL database and verifies for no buffer overruns, issues commands based on the demands of the application etc.
Forward encrypted hashed and salted passwords log us into our own server.
Use a web server gateway and send the data (and receive it) with either XML or JSON (JSON being probably the easiest to manipulate)
You can send it something like {method => "get", what => "email", where => "users", value => {username_variable} }
then in PHP parse it to an array then
sql_query("SELECT email FROM users WHERE username = {username_variable};"); // this isn't valid, depends on database but you get the idea
then echo out the results in a JSON format like {email => "{returned value}"}
then in your game just read the output of the site and then parse the JSON and do what you need with the email variable... this keeps some of your stuff safe "you can make alias for table names and fields, etc".. then wont see your SQL username and password.. and then in your PHP script, check to see if the SQL code is valid.. make sure to do some safe code like a MySQL_real_escape_string() etc so they doon't SQL inject hack.. turn off error handling and do try/catch so they don't see any raw PHP errors exposed and get data from that.
You can try and do some sort of funky public/private key thing... though they will have access to the public key and if they know enough to decompose your c# code, they will figure out when sending fake headers and strings to your site via a GET or POST HTTP Header, they will just send that along with it.
Though if you are doing this enough, you could then just use a TCP network connection and PHP's sockets and make sure it's a valid user connection from the client that is sending the HTTP headers.
Like whydoidoit said; you should never allow your clients to directly talk to a database. Not even if it's a local database; then you'd have an interface between the database and any game logic.
What you need is a master server that clients connect to (possibly using usernames and passwords) and have the server do any database access. End result is no sensitive data on the client's computer, apart from the master server address.
This way the clients never have to even care how you store data server-side as they just tell the server: "give me this data" or "store this data". If you ever need to change databases, you can just swap the database, change the database access code on the server and be done with it. Clients never need to know.
In case you don't have a master server, I've used Smartfox. There are other server software out there too, I hear Photon works well too.
Thanks for the direction, is there a tutorial for setting up a gateway to connect to mySQL server?
You should not be connecting to the SQL server from any code the client is running!
Your client needs to send the message to a server, which should be the only thing doing tbe SQL connection.
I gave you an answer with full scripts here but now I see that you've asked this same question three times. You might want to either clarify what it is you're asking for or try to follow what people offer you. Otherwise it's just a waste of someone's time to try to help if you're not even going to try what they offer up.
Md5 hash your MD5 hased code. Then MD5 Hash it again. Then convert that to bytes. Then convert to a string. Then MD5 Hash it. TA DA
LOL that's perfect my data structures professor would be proud
