Edit: Please read the second post, as I made some progress but have errors.
Can someone briefly explain to me how I get the username from Unity into my .php file in order to read the cards from the database?
I have the following line: $getCardData = "SELECT CardID FROM playercards WHERE username ='" . $username . "';";
This line should transmit all CardIDs that are assigned to the corresponding user name. In a later process, all of these cards should then be displayed with the corresponding data.
If no card with a matching username entry was found, the player should be asked to create a new card, which should only be possible when logging in for the first time.
Since I use PlayFab to log in, I saved the username inside Unity instead of having it in a login method in php (the username is saved in a string variable after the login).
How do I get this variable into the select query? $username = *HowToGetTheUsername?!?*
The username is saved in the commanderName string variable inside Unity / a C# script file.
In the .php file I check whether there is already a card that has the user name as an entry.
Since I made an entry manually, this should also be the case. The ID I’m querying is 1, so that should be what is returned. If there are more cards later, several IDs should also be returned:
```php
<?php
$con = mysqli_connect('localhost', 'root', 'root', 'unityaccess');
// check connection
if (mysqli_connect_errno())
{
    echo "Error #1"; // error code #1 = Connection failed!
    http_response_code(400);
    exit();
}
$username = $_POST["name"];
$getCardData = "SELECT CardID FROM playercards WHERE nickname ='" . $username . "';";
$getCardCheck = mysqli_query($con, $getCardData) or die("mysqli_query failed");
if (mysqli_num_rows($getCardCheck) = 0) {
    echo "There is no Card with this name";
    exit();
}
?>
```
However, in Unity I get an HTTP/1.1 500 Internal Server Error. Since the .php page also shows me an HTTP 500 error, I don’t get any feedback as to where the error is, probably in the .php file.
Can somebody help me with it?
What a good example of forgetting the simplest things…
Thanks a lot
I get the following error message:

```
PHP Fatal error: Can't use function return value in write context in C:\MAMP\htdocs\sqlconnect\DivisionDesigner.php on line 18
```

That is this code:

```php
if (mysqli_num_rows($getCardCheck) = 0) {
    echo "There is no Card with this name";
    exit();
}
```

Since I used a UnityWebRequest.Post(), it apparently cannot return the CardIDs it found. Now the .Get() function has no way of specifying a form, which I need for the name, which has to be matched… Do you have an idea how I can solve this?
Of course I want to prevent SQL Injection.
The username is the only thing that is given, and it is read from the database when you log in. The user therefore has no opportunity for manual input. So how should I read the CardIDs and prevent this at the same time?
I will probably use a service for databases, e.g. Firebase. But I’m not quite sure what is good for what.
I used PlayFab for registration/login, but it’s not that suitable for databases, at least if I understood that correctly.
In any case, I don't get any errors anymore. Thanks for that.
What I'm currently working on is that the structure of the player's division is created in the game based on the CardIDs found (and their content). This is mostly UI work.
How the database query is implemented at the end is of secondary importance, because I want to have the UI ready first, and as long as I just test it myself, SQL injection isn't a problem.
But you are of course right, the question of database security will of course still arise.
Do you know any guide about that?
I use PlayFab for login but found no way of having a real database in there…
You enter your username when registering and it works via PlayFab. Login is via email and password, which means you never enter your username again. The username will be read from the PlayFab database when you log in and is saved in a string.
However (!) PlayFab generates a random, unused ID (or something) which is then difficult to read. Therefore, the username that you would enter when registering is also saved as a DisplayName. So there is the ID, which is set by PlayFab, and the DisplayName, which you set.
Example: ID 958CE9E02D3778B8
Example: DisplayName: YourName
Theoretically, you could set the DisplayName so that you can use it for SQL injection. Since I’m currently using the DisplayName (since it’s easier to recognize), you could do a SQL injection. In the final game, however, the ID specified by PlayFab would be used instead, which should prevent this, as you do not type it in.
At least that is my level of knowledge.
The database for my game could potentially be very large.
There are 7 levels of cards and each can have up to 5 subcards. You can imagine the family tree, even if realistically it won't be that much. And every player has their own unique cards…
Therefore I need a database that makes this possible.
In the end it should be possible to query the database and adapt the solution used as long as the necessary information is returned.
You're possibly OK then… but just know that anything that reads POST can be sent by other people, and as a result POST could send injections. So if I found your URL and I was horrid (I'm too lazy for that), I could do a POST and send it commands, guessing username as a parameter, or having scraped it out of your game.
What should I do instead?
I have to somehow match which card belongs to which player, because they are unique.
I have no problem using something other than POST, even if it makes it more difficult. There was already a similar discussion in another thread and I learned from it that…
Don't do it yourself because it's unsafe.
This may not apply to the creation of the UI code, but it will apply later, since I want to have a working and safe game.
So I will use a service (like Firebase), but in the end I have to be able to access the database even there somehow to get the information, right?
Edit:
I don’t know, but do these services have other implementation methods that make SQL injection impossible?
Because these also have to enable access to the data somehow…
POST itself is fine, it's how you hand it data. Look up SQL injection and read up on what to do, but for now, especially if it's all on local servers, just go with it until you're a bit more ready.
Things like prepared statements could help, I guess, so I will take a look at it when my UI is ready. Thanks for your help, I will set the thread status to solved.
I still have a small question, but I don’t want to open a separate thread.
Where is the best place to query for the username?
Previously I had: $getCardData = "SELECT CardID FROM playercards WHERE nickname ='" . $username . "';";
Now I changed the .Post() to a .Get() because the former doesn’t return any data, right?
```csharp
IEnumerator CheckForExistingDivisionData()
{
    WWWForm cardCheckForm = new WWWForm();
    cardCheckForm.AddField("name", commanderName);

    using UnityWebRequest wwwOne = UnityWebRequest.Get(DDUrl);
    yield return wwwOne.SendWebRequest();

    if (wwwOne.result == UnityWebRequest.Result.Success)
    {
        testText.text = wwwOne.downloadHandler.text;
        Debug.Log("Content from playercards: " + testText.text); // Here should be the content, but it shows nothing...
        Debug.Log("Connection Successful :)");
    }
    else
    {
        Debug.Log("Error in CheckForExistingDivisionData(): " + wwwOne.error);
    }
}
```
But how do I instruct the database to only pass on the card data with a matching username if I cannot pass on that username?
.Post() does not return the data I need.
.Get() can’t receive the username information the .php file needs…
I’m still a bit confused about this, even though these are actually the basics.
Without checking the username, the .Get() would have to fetch the entire database content, or the content of the playercards table.
But that’s not how I learned it…
.Post() is used to pass data, for example if I want to change a database entry. You can't read any data with it, so you can't transfer any data to Unity.
.Get() is used to read data from the database, i.e. for example the data on the respective cards.
But if I give it the username it throws me errors.
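The card lookup discussed in this thread, as an added example that is not part of the original posts: it puts the concatenated query from the first post next to the same lookup done with a mysqli prepared statement (the advice given in the replies), shows what a chosen DisplayName does to the concatenated form, and answers the POST-versus-GET question by reading the name field from a POST body and writing the result into the response body. The table and column names (playercards, CardID, nickname), the name form field and the MAMP credentials are taken from the thread; the function names, the JSON response shape and the sample DisplayName payload are my own choices.

```php
<?php
// Added example, not the original poster's DivisionDesigner.php.
// Assumed: MySQL table playercards(CardID, nickname), local MAMP credentials
// as in the thread, and a client that POSTs a form field called "name".

header('Content-Type: application/json');

// The concatenated form from the thread. Whatever the client sends as "name"
// (DisplayName or PlayFab ID makes no difference to the server) becomes SQL text.
function buildConcatenatedQuery(string $username): string
{
    return "SELECT CardID FROM playercards WHERE nickname ='" . $username . "';";
}

// Constructed DisplayName (assumption for illustration): a player registers as
//     x' OR '1'='1
// and buildConcatenatedQuery() then yields
//     SELECT CardID FROM playercards WHERE nickname ='x' OR '1'='1';
// which matches every row, i.e. every player's cards are returned.

// Prepared-statement form: the SQL text is fixed and the value is bound
// separately, so the driver never interprets the username as SQL.
function fetchCardIds(mysqli $con, string $username): array
{
    $stmt = $con->prepare('SELECT CardID FROM playercards WHERE nickname = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $username);   // 's' = bind as a string parameter
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $stmt->bind_result($cardId);
    $ids = [];
    while ($stmt->fetch()) {
        $ids[] = (int) $cardId;
    }
    $stmt->close();
    return $ids;                          // empty array = no card for this name
}

// Accept the username from a POST body only. The response body below is sent
// back regardless of method; POST does not prevent the server from answering.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['name'])) {
    http_response_code(400);
    echo json_encode(['error' => 'POST with a "name" form field required']);
    exit();
}

try {
    $con = mysqli_connect('localhost', 'root', 'root', 'unityaccess');
    if ($con === false) {
        throw new RuntimeException('connect failed: ' . mysqli_connect_error());
    }
    $ids = fetchCardIds($con, $_POST['name']);
} catch (Throwable $e) {
    error_log($e->getMessage());          // detail goes to the server log, not to the client
    http_response_code(500);
    echo json_encode(['error' => 'database error']);
    exit();
}

// The client decides what an empty list means (e.g. offer to create a first card).
echo json_encode(['cardIds' => $ids]);
```

On the Unity side the form from the coroutine above is passed as UnityWebRequest.Post(DDUrl, cardCheckForm), and downloadHandler.text then holds the JSON just as it would for a Get(). Note that switching from DisplayName to the PlayFab ID does not remove the injection on its own: the ID is still just a string in the name field, and anyone who can reach DDUrl can put any value there, as one reply in this thread points out. Binding the parameter is what makes the query safe.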
Hmmm. I just realized that what I said wasn't true. I said that the .Get() method gets all the entries of the cards, but it only asks for the CardID.
So it would have to hand me a series of numbers, currently 3 numbers because of three entries.
I have to say, I can't figure out why it doesn't show anything.
The CardIDs are 1, 2 and 3, so it should give me 123 or something.
Either way, it shouldn't just give nothing back…
I don’t know what’s so incomprehensible about it: "SELECT CardID FROM playercards;"
That’s not what I actually need, since the username query and the rest of the data are missing, but it should actually work…
Well, I’ll get to it, the only question is when^^
So much for that…
I don’t even know where I got that from.
Thank you for your patience
I will find out why the result is empty instead of the CardID somehow.
It’ll probably be one of those aha… ugh, how stupid of me moments…