Security and RPCs

Hello there!

I’ve been programming a multiplayer game, which will be only a social game, where you run around, dress up your character and such. In order to determine who the player is and what inventory belongs to him or whatever, I have programmed a login function. To make it safe, I’ve made it so that the client sends his (MD5 encrypted) login data to the server, then the server calls a WWW function to a .php file, which checks if the given login data is correct (using a MySQL database).

Everything is pretty much working… Even the movement is getting updated and so do the animations.

I’m only using RPCs to communicate between the client and server… I’ve now found out that you can actually run ANY code with ANY client on my server with an RPC, which pretty much sucks… Somebody could disconnect the server or do even worse things!

I’ve been searching over the net for help, and I have indeed found several things, such as using Photon, but 1. they are expensive for me, 2. I don’t have that much to secure after all! Something more basic should work, too! I don’t really care if anybody is running around with a speed hack or is teleporting himself, as long as they can’t fool the login validation. (Which I will call again if they want to modify the inventory.)

Well… then I’ve found this here: Unity - Scripting API: MonoBehaviour.OnSerializeNetworkView(BitStream,NetworkMessageInfo)

If I understood the function right, it only sends variables across the network. Sounds pretty secure to me, if I would disable any RPCs by using Network.SetReceivingEnabled = false;

SO! My question is: “Is this secure?”… I know nothing is 100% secure, but is this secure enough to release a game where even real money is involved? If not, please feel free to suggest anything else that could make my game secure… I would even buy an asset that costs less than $50… as long as it can help me and isn’t time restricted.
Also, I would always be very happy if somebody adds me on Skype and discusses it through a live chat, instead of a forum such as this here.

This is turning out to be more of a discussion (naughty us), so it might be better to post this on the actual forums. I’ll try to have a go at your question.

RPC calls can only be used if there is the [RPC] attribute for the function. So if the server has methods no client should have access to, just leave out the [RPC], and no (knock on wood) amount of clientside hacking can be done to access that function on the server. Certainly not by using networkView.SendRPC, which you can test for yourself.

The RPC methods can be completely separated code-wise from non-RPC methods by using events, so even if somehow someone managed to get the source code from one of your RPC methods, they’d have no way of knowing where the events are received.

RPC methods are safe, even if equally slow to SendMessage (because of the reflection + network lag).

As Tarlius tells you, an efficient way to encrypt your data is by using RSA. Furthermore, if the privacy of your clients is a concern, you shouldn’t store their passwords in your database. Instead, store a hashed - or otherwise generated by your favorite one-way function - string that can’t be transformed back into the original. Then have the clients hash their password before sending it so the password never travels over the internet.
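The server-side login check the answer describes, as an added example that is not the poster’s PHP script nor anything from the Unity API: the database row holds a per-user random salt and a slow one-way digest (PBKDF2-SHA256 here, an assumption), never the password, and the comparison is constant-time. Whatever string the client submits (the asker’s MD5 value, or the raw password over an encrypted connection) is treated as the secret on the server side, so it is itself worth protecting in transit.

```python
"""Salted, one-way credential storage and verification for the game login.

Added example, not code from the original thread. Assumptions: an in-memory
dict stands in for the MySQL user table, and PBKDF2-SHA256 is the one-way
function; the iteration count is a constructed value, not a measured one.
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 200_000   # assumption: chosen so one check costs a few milliseconds
SALT_LEN = 16
DIGEST_LEN = 32        # SHA-256 output length in bytes

# Constructed stand-in for the user table: username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def _derive(secret: str, salt: bytes) -> bytes:
    """Slow, salted one-way derivation of the stored verifier."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)


def register(username: str, secret: str) -> None:
    """Store only salt + digest; the submitted secret is never written."""
    salt = os.urandom(SALT_LEN)
    USERS[username] = (salt, _derive(secret, salt))


def verify_login(username: str, secret: str) -> bool:
    """True only if the user exists and the secret reproduces the stored digest.

    An unknown username still pays for a derivation against a dummy row, so
    response time does not reveal which accounts exist, and the digests are
    compared with hmac.compare_digest rather than ==.
    """
    salt, stored = USERS.get(username, (b"\x00" * SALT_LEN, b"\x00" * DIGEST_LEN))
    candidate = _derive(secret, salt)
    match = hmac.compare_digest(candidate, stored)
    return match and username in USERS
```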