MySQL, PHP and Unity security question.

Unity Engine
1

Hello everyone, I’ve made a few mistakes developing, as everyone who’s just starting, until finally realizing the “most secure” way to connect my Unity game to my MySQL database to upload and download data was using PHP code stored on a secure server to manage the queries. I have made a login script using C# for the client side and PHP for the server side validations

My question is: Can someone alter the information sent, or received?

Can someone inject code on my queries from the client side? Not talking about SQL Injection, as I intend to manage those, but, for example, my Unity client queries the server, sends it the username and password and the server checks if the information received matches the information stored on the database, if it is, it should send something back, right?

Should it send an ok?
Should it send the user’s id to start managing the account?

Don’t mind the fact that I’m still not managing the inputs for SQL injection, is this secure?

Client side (Unity, C#):

// CREATE A FORM TO SEND THE USER'S INPUT
        string userName = "user";
        string password = "password";
        WWWForm form = new WWWForm();
        form.AddField("accountUser", userName);
        form.AddField("accountPwd", password);

        // CREATE A UNITYWEBREQUEST WITH THE SERVER'S URL AND THE FORM WITH THE USER'S INPUT
        using (UnityWebRequest request = UnityWebRequest.Post(url, form))
        {
            request.downloadHandler = new DownloadHandlerBuffer();
            yield return request.SendWebRequest();

            // CHECK IF UNITY CAN CONNECT WITH THE SERVER
            if (!request.isNetworkError || !request.isHttpError)
            {
                if (request.downloadHandler.text != "ERROR")
                {

                    Debug.Log($"Login successful, your ID is {request.downloadHandler.text}");
                }
                else
                {
                    Debug.Log("Check your credentials.");
                }
            }
            else
            {
                Debug.Log(request.error);
            }
        }

Server side (Server, PHP):

$server = "127.0.0.1";
    $user = "root";
    $password = "password";
    $database = "game";

    $user = $_POST["accountUser"];
    $pass = $_POST["accountPwd"];

    $conn = mysqli_connect($server,$user,$password,$database);

    if(!$conn){
        die("MySQL connection failed: " . mysqli_connect_error());
    }

    $query = "select id, password from accounts where name = '".$user."'";

    $result = mysqli_query($conn,$query);

    if(mysqli_num_rows($result) > 0){
        $row = mysqli_fetch_assoc($result);
        if($pass == $row['password']){
            echo $row['id'];
        }
        else{
            echo "ERROR";
        }
    }
    else{
        echo "ERROR";
    }

    mysqli_close($conn);

Should I be sending something other than the user’s account id back?
Can someone input incorrect information and change the server response from ‘ERROR’ to a random id and login into said player’s account?

1 Like
2

Don’t send unencrypted data. Always use https protocol. Ensure there is a php sleep command of 1 second to slow down brute force attacks. Make sure you use mysql_escape_string() and remove any non alphanumeric chars from the username and encrypted password, so there can be no injection. Put all failures into another table along with IP, so you can monitor and block IPs and/or users as required.

That would be for starters. I’m sure other people will come up with more.

3

That does not help. You can just leave the TCP connection lignering and you have bypassed it. Use rate limiting.

As for password storage, there is a reason why you shouldnt do it yourself. But if you have to, encrypting it is really stupid. You want to hash it using a really slow algo with many iterations, with salts and preferably peppers included. Bcrypt is one very common hashing algo for storing passwords.

But its always recommended to not do this yourself.

When I used to deal with passwords I ensured that it took ~800 ms to hash a password on my server machines. Thats reasonable stength given the machines are fast enough.

1 Like
4

I’m using MySQL’s hashing procedure. As far as I know I shouldn’t do one myself, since I kinda don’t know what I’m doing. I guess MySQL’s isn’t safe enough? Should I get a script to do it on the server-side and run it whenever a new account signs up?