A problem with WWW Form and PHP

Hi everyone,
So I have a game and I want to save the player data into the database.
Here’s a code sample:

IEnumerator SetAsViewed(int Level)
{
    Debug.Log(PlayerData.ID);
    WWWForm form = new WWWForm();
    form.AddField("username", PlayerData.ID);
    form.AddField("A_LVL1_EX1", PlayerData.Level1_Exercise1Opened.ToString());

    WWW www = new WWW("https://stp-climatechange.net/..../lvl1_exercise1.php", form);
    yield return www;
    if (www.text == "0")
    {
        Debug.Log("Game saved");
        // NativeUI.ShowToast("Game saved £gem");
    }
    else
    {
        Debug.Log("Save failed. Error #" + www.text);
        //NativeUI.ShowToast("Game saved £gem");
    }
}

And our PHP lvl1_exercise1.php is:

<?php
$con = mysqli_connect('96.127.136.50:3306','stpclima_mnazdzal','xxxxxxx','stpclima_vexie');

if(mysqli_connect_errno()) {
    echo "1";
    exit();
}
$username = $_POST["username"];
$A_LVL1_EX1 = $_POST["A_LVL1_EX1"];

$namecheckquery = "SELECT username from users WHERE username = '$username' ";
$namecheck = mysqli_query($con, $namecheckquery) or die("2: Name check query failed");

if(mysqli_num_rows($namecheck) != 1) {
    echo "5.1: Either no user with name or more than one";
    exit();
}

$updatequery = "UPDATE users SET A_LVL1_EX1" . $A_LVL1_EX1 . "WHERE username = '" . $username . "';";
mysqli_query($con, $updatequery) or die ("7: Save query failed");

?>

For the debug log I’m getting this error:
Debug.Log(“Save failed. Error #” + www.text);:wink:
Save failed. Error #5.1: Either no user with name or more than one

Here is how to debug network stuff:

Networking, UnityWebRequest, WWW, Postman, curl, WebAPI, etc:

And setting up a proxy can be very helpful too, in order to compare traffic:

1 Like

It would probably help when you either return a more specific error or include the number of rows in the error text. That way you know if the issue was that there were none or more than one results.

Apart from that, I would strongly recommend you look up a recent tutorial on how to do database stuff in PHP. What you do here:

"SELECT username from users WHERE username = '$username' ";

is extremely dangerous as this allows sql injection attacks. Look up prepared statements. In PHP I almost always use the PDO interface. Though apart from that you should verify that the post arguments actually end up in the php script. You should start by simply returning them in the string so you can see in Unity if the value you pass to php actually comes back correctly.

2 Likes

Thank you @Bunny83 @Kurt-Dekker for your responses,
The problem has been fixed, it was the problem in this statement

where stpclima_vexie should be another database :slight_smile:

Now I’m getting another error: “7: Save query failed”…
Is it possible that the problem is because of conflicts of the same name of “A_LVL1_EX1”?

Well, we don’t know what’s inside your “$A_LVL1_EX1” variable. However your sql set statement requires an equal sign to do an actual assignment, like that:

"UPDATE users SET A_LVL1_EX1 = " . $A_LVL1_EX1 . " WHERE username = '" . $username . "';";

Also the where requires a space to separate from your variable value. You’re getting a bit sloppy here ^^.

Note that this SQL query also suffers from a potential SQL injection attack. Even if this is somehow only used internally I would never use an API like this, let alone release this to the www. Just to make that clear: I could just call your PHP API, set a “special” username and I could completely drop / erase your database, probe it for all kinds of data or create new tables and use / abuse it for all sorts of things.

Obligatory Bobby Tables.

https://xkcd.com/327/

1 Like
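
The prepared-statement approach recommended in the replies above, applied to both the name check and the UPDATE, as an added example that is not code from any poster in this thread. It returns "0" on success, the value the C# client compares against; the posted script never echoes anything after a successful update. Assumptions: the function name `save_exercise`, the status codes 3 and 4, and an in-memory SQLite table (needs the pdo_sqlite extension) standing in for the MySQL `users` table, with constructed sample requests.

```php
<?php
declare(strict_types=1);

// Returns the status string the Unity client compares against ("0" = saved).
function save_exercise(PDO $db, array $post): string
{
    $username = $post['username'] ?? '';
    $raw      = $post['A_LVL1_EX1'] ?? '';
    if (!is_string($username) || $username === '' || !is_string($raw)) {
        return '3: Missing POST field';            // hypothetical status code
    }
    // C# bool.ToString() sends "True"/"False"; accept only boolean spellings.
    $opened = filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($opened === null) {
        return '4: A_LVL1_EX1 is not a boolean';   // hypothetical status code
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $check = $db->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
    $check->execute([':u' => $username]);
    $rows = (int) $check->fetchColumn();
    if ($rows !== 1) {
        return "5.1: Expected 1 user row, found $rows";
    }
    $update = $db->prepare('UPDATE users SET A_LVL1_EX1 = :v WHERE username = :u');
    $update->execute([':v' => (int) $opened, ':u' => $username]);
    return '0';
}

// Constructed demo data; the SQLite table is a stand-in for the MySQL one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, A_LVL1_EX1 INTEGER DEFAULT 0)');
$db->exec("INSERT INTO users (username) VALUES ('player42')");

$requests = [
    ['username' => 'player42', 'A_LVL1_EX1' => 'True'],           // ordinary save
    ['username' => "x' OR '1'='1", 'A_LVL1_EX1' => 'True'],       // quote stays data
    ['username' => 'player42', 'A_LVL1_EX1' => '1 WHERE 1=1 --'], // not a boolean
];
foreach ($requests as $post) {
    echo save_exercise($db, $post), PHP_EOL;
}
```

Including the row count in the 5.1 message follows the earlier suggestion to distinguish "no such user" from "more than one".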

Boolean variable

I know, but this database and the game are for educational purposes only and I’m not willing to distribute it at all… but yes, it’s a best practice to learn the basics of how PHP works in injection attacks.

Well if some hackers find your post they can do whatever they want with your database.

  1. You should edit your post to remove the ip and the site address.
  2. You should use prepared statements to protect yourself from SQL Injection

Since it tells you that the user with name is not found just print the data you have received…

echo "5.1: Either no user with name '${username}' or more than one";

Either username is empty, or it contains garbage characters, many issues like this are encoding issues.

up

Uhm, what was the result of my suggested change? You made two replies to my post’s additional points but it seems you ignored what I said about your wrong SQL set statement:

Did you actually do that?

Well, the value of "A_LVL1_EX1" certainly is not a boolean since you read it from the _POST array which contains strings. That string may contain the value “true” or “false”. Though what I said was we don’t know what it contains. Technically that variable could contain the missing equal sign as well as the space at the end in which case the query would work. Without them the query is not valid SQL. Hopefully that’s not what you’re doing :slight_smile: