I need a solution to SQL, saving and loading data and security/antipiracy

Alright, well, I’ve been building with Unity and now I’m at a point where I would like to set up a SQL database to manage my users who play the game. This SQL server will maintain encrypted data about players, their save states and any other important game information. The problem I’m reading about is that apparently Unity games can be decompiled and all of my encryption code can be read, including login information for my SQL database and any other private information I compile with Unity. Is it true that I need to be concerned about people decompiling my Unity game and logging into my SQL database to destroy its functionality and possibly give out private information about users who play my games? I’ve literally invested hundreds of dollars/hours with the Unity platform and now am I to understand that this is a very real threat to my games? Is there a solution to this seemingly massive security risk?

The way I handle it is by having Unity call on a server-side PHP script (via www) that does all the database work, then it sends the info I asked for back to Unity. This way all of the database connectivity stuff gets handled server-side and is secure, and the only thing Unity gets is what that secure script gives it.

If you need more info or example of how to call on a script like that, let me know and I’ll expand my answer.

You aren’t going to be able to protect against people being able to decompile or use reflection to get into your code. However, there are a couple things you can do to reduce risk.

  1. Don’t put your SQL credentials in plain text anywhere in your code. If they aren’t hardcoded, someone can’t just read them if you decompile stuff. Instead, you want your code to read them in from an encrypted file. There are tons of good encryption libraries out there that you can use to encrypt a configuration file that includes connection information. This will keep your actual credentials safe on the local PC.
  2. If you are overly freaked out about someone decompiling your stuff, you can look into code obfuscation, which just makes it a hell of a lot harder to read anything you have decompiled. Offhand, I am not sure if Unity supports any obfuscation or if you would have to hack it together. My opinion is that this is not needed.
  3. Manage your SQL server correctly. Use credentials for your game that only have access and permissions to do stuff that you want them to do. If you are not well versed in SQL, now’s the time.
  4. If you really want a solid solution for using a local fat client to access a SQL server, your best bet is to build a web service that handles all the SQL server communication. You call into the web service from your game (i.e. “Get rank info”) and then the web service has the credentials stored only on the server side. The web service logs into the SQL server, gets what you want and sends it back down to you.

@Ony, you’re amazing. Thank you!

Actually I could use some direction on how to set up the gateway that can connect securely to my SQL database and then send that data back to the game client. I actually just emailed my professor about this question too, because I’m thinking I need to write a gateway server in PHP that just takes a set number of commands from the game client, then in return talks to the database, then sends the correct data back to the client. The concept is clear but the implementation part is a bit hairy for me. Any help you could give would be greatly appreciated! I have this all running on a home desktop just for my test purposes; on the same desktop I have running my wiki for my team’s development collaboration etc… But later I plan on migrating over to Google’s Cloud SQL service or perhaps something like SmartFox, but of course before I migrate I want to get the code running on virtual machines on my own desktop so I can work out all the kinks. Again, any help would be a huge help to this fledgling developer! :)
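The gateway described in point 4 above and in the last post (a server-side script that accepts a set number of commands and keeps the database login off the client), as an added example that is not code from any poster in this thread. The `scores` table, the command names `get_rank` and `top_scores`, and the `GAME_DB_*` environment variables are assumptions for illustration, and the sketch does not authenticate the caller.

```php
<?php
// DB credentials are read from the server's environment (assumed GAME_DB_* names), never the game.
// With GAME_DB_DSN unset, an in-memory SQLite table of constructed rows is used.
function open_db(): PDO {
    $dsn = getenv('GAME_DB_DSN') ?: 'sqlite::memory:';
    $pdo = new PDO($dsn, getenv('GAME_DB_USER') ?: null, getenv('GAME_DB_PASS') ?: null,
                   [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    if ($dsn === 'sqlite::memory:') {
        $pdo->exec('CREATE TABLE scores (player_id INTEGER PRIMARY KEY, name TEXT, score INTEGER)');
        $pdo->exec("INSERT INTO scores VALUES (1, 'alice', 300), (2, 'bob', 120)");
    }
    return $pdo;
}

// Allow-list (hypothetical commands): the client names a command and never sends SQL of its own.
const COMMANDS = [
    'get_rank' => ['params' => ['player_id'], 'sql' =>
        'SELECT name, score, (SELECT COUNT(*) + 1 FROM scores b WHERE b.score > a.score)'
        . ' AS player_rank FROM scores a WHERE a.player_id = :player_id'],
    'top_scores' => ['params' => [], 'sql' => 'SELECT name, score FROM scores ORDER BY score DESC LIMIT 10'],
];

// Validate the request against the allow-list, then run a prepared statement.
function handle(PDO $pdo, array $request): array {
    $cmd = $request['cmd'] ?? null;
    if (!is_string($cmd) || !array_key_exists($cmd, COMMANDS)) {
        return ['status' => 400, 'body' => ['error' => 'unknown command']];
    }
    $args = [];
    foreach (COMMANDS[$cmd]['params'] as $name) {  // every parameter must be a positive integer
        $value = filter_var($request[$name] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($value === false) {
            return ['status' => 400, 'body' => ['error' => "bad $name"]];
        }
        $args[":$name"] = $value;
    }
    $stmt = $pdo->prepare(COMMANDS[$cmd]['sql']);
    $stmt->execute($args);
    return ['status' => 200, 'body' => $stmt->fetchAll(PDO::FETCH_ASSOC)];
}

// Entry point for the game's POST; database errors are logged, not sent to the client.
try {
    $result = handle(open_db(), $_POST);
} catch (PDOException $e) {
    error_log($e->getMessage());
    $result = ['status' => 500, 'body' => ['error' => 'server error']];
}
header('Content-Type: application/json', true, $result['status']);
echo json_encode($result['body']);
```

The database account behind `GAME_DB_USER` only needs the permissions these commands use, which is the restriction point 3 above describes.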