I have a little game that sends scores to a PHP backend. I have been reading a lot of forum threads and examples that just make some hash of the score with basic data and send it to the php backend
e.g MD5(user+score+secretkey)
and then send this usign the WWW class
this is kinda useful if you don’t wanna tampered data, but I encountered a problem on these examples. It’s stupidly easy to get the generated URL/Hash from unity and run it into your browser as many times as you want.
with some program you can get this URL and paste it in your browser as many times as you want, and the PHP backend will always add the score to the database because the hash is correct.
My question is how to securely perform these actions? I’m noob at security but I have good php skills so I don’t wanna a piece of code, just the correct way to do this, thanks everyone and sorry for my bad English
There may be more secure methods around (and I’m not an expert at cryptography or anything), but an easy method of hiding your hash would be to use an HTTP POST instead of GET. You can do this in Unity using the WWWForm class to create a Key/Value dictionary of post data. Then, you can use PHP’s _POST variable instead of _GET.
For additional security, you can use an SSL connection (via HTTPS), but I seem to remember having issues using Unity over HTTPS…would require some experimenting.
There are some additional security methods that might be helpful - you could get into doing like some public/private key RSA stuff, but if your main concern is that people can see the hash in the URL, POST should fix that for you.
You could use a aes encryption. It uses a secret key to encrypt/decrypt your data. The only way to hack is decompiling your code and getting the secretKey.