Players can decompile my game and find out the login and password to my sql server.... WHAT DO I DO??

Players can decompile my game and find out the login and password to my sql server…


I know I can obfuscate my code but I also know that someone can just de-obfuscate my code which leaves me back at square one…

Can I make my sql server secure somehow even though the game knows the password and login??

This is very frustrating… damned hackers! I do need some clarification if you please :)

Use a web server gateway and send the data (and receive it) with either XML or JSON (JSON being probably the easiest to manipulate)

You can send it something like {method => "get", what => "email", where => "users", value => {username_variable} }

then in PHP parse it to an array then

sql_query("SELECT email FROM users WHERE username = {username_variable};"); // this isn't valid, depends on database but you get the idea

then echo out the results in a JSON format like {email => "{returned value}"}

then in your game just read the output of the site and then parse the JSON and do what you need with the email variable… this keeps some of your stuff safe "you can make aliases for table names and fields, etc"… they won't see your SQL username and password… and then in your PHP script, check to see if the SQL code is valid… make sure to do some safe code like a mysql_real_escape_string() etc so they don't SQL inject hack… turn off error handling and do try/catch so they don't see any raw PHP errors exposed and get data from that.

You can try and do some sort of funky public/private key thing… though they will have access to the public key and if they know enough to decompose your C# code, they will figure out when sending fake headers and strings to your site via a GET or POST HTTP Header, they will just send that along with it.

Though if you are doing this enough, you could then just use a TCP network connection and PHP’s sockets and make sure it’s a valid user connection from the client that is sending the HTTP headers.

Like whydoidoit said; you should never allow your clients to directly talk to a database. Not even if it’s a local database; then you’d have an interface between the database and any game logic.

What you need is a master server that clients connect to (possibly using usernames and passwords) and have the server do any database access. End result is no sensitive data on the client’s computer, apart from the master server address.

This way the clients never have to even care how you store data server-side as they just tell the server: “give me this data” or “store this data”. If you ever need to change databases, you can just swap the database, change the database access code on the server and be done with it. Clients never need to know.

In case you don't have a master server, I've used Smartfox. There is other server software out there too; I hear Photon works well too.
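
The gateway described in the two answers above (a JSON request naming aliases, with the server doing all database access), as an added example that is not code from any post in this thread. It uses PDO prepared statements in place of string escaping and adds a per-user token check; the table, column, alias and token names are assumptions, and in-memory SQLite stands in for the real database.

```php
<?php
// Added example, not from the thread. Table, column, alias and token names are
// hypothetical; in-memory SQLite stands in for the real database server.
$pdo = new PDO('sqlite::memory:'); // real credentials would live only here
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, token TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'alice@example.test', 'tok-alice')");
$pdo->exec("INSERT INTO users VALUES ('bob', 'bob@example.test', 'tok-bob')");

function handle_request(PDO $pdo, string $body): string
{
    // Aliases the client may name, mapped to fixed SQL text. Client input is
    // only ever a bound parameter, never part of the statement.
    $allowed = ['get' => ['users' => [
        'email' => 'SELECT email FROM users WHERE username = :who',
    ]]];
    try {
        $req = json_decode($body, true);
        foreach (['method', 'where', 'what', 'value', 'token'] as $key) {
            if (!is_array($req) || !isset($req[$key]) || !is_string($req[$key])) {
                return json_encode(['error' => 'bad request']);
            }
        }
        $sql = $allowed[$req['method']][$req['where']][$req['what']] ?? null;
        if ($sql === null) {
            return json_encode(['error' => 'unknown request']);
        }
        // The session token, not the client's claim, decides whose row is readable.
        $auth = $pdo->prepare('SELECT username FROM users WHERE token = :t');
        $auth->execute([':t' => $req['token']]);
        if ($auth->fetchColumn() !== $req['value']) {
            return json_encode(['error' => 'forbidden']);
        }
        $stmt = $pdo->prepare($sql);
        $stmt->execute([':who' => $req['value']]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return json_encode($row === false ? ['error' => 'not found'] : $row);
    } catch (Throwable $e) {
        error_log($e->getMessage()); // details go to the server log, not the client
        return json_encode(['error' => 'server error']);
    }
}

// Constructed requests: own record, another user's record, unknown alias.
$base = ['method' => 'get', 'where' => 'users', 'what' => 'email', 'token' => 'tok-alice'];
echo handle_request($pdo, json_encode($base + ['value' => 'alice'])), "\n";
echo handle_request($pdo, json_encode($base + ['value' => 'bob'])), "\n";
echo handle_request($pdo, json_encode(['what' => 'token'] + $base + ['value' => 'alice'])), "\n";
```

The game client only ever holds the gateway URL and its own session token, so decompiling it yields nothing that can open a database connection.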

You should not be connecting to the SQL server from any code the client is running!

Your client needs to send the message to a server, which should be the only thing doing the SQL connection.

I gave you an answer with full scripts here but now I see that you’ve asked this same question three times. You might want to either clarify what it is you’re asking for or try to follow what people offer you. Otherwise it’s just a waste of someone’s time to try to help if you’re not even going to try what they offer up.

MD5 hash your MD5 hashed code. Then MD5 Hash it again. Then convert that to bytes. Then convert to a string. Then MD5 Hash it. TA DA