Security issues with Multi-player User Database?

Hello, I am looking at implementing multiplayer in my FPS game.
It's for Android phones, and, well, I have been looking at connecting to a MySQL database on my website, where players' user names and passwords will be stored along with their game avatar customisation values.

I have heard people talking about security issues with connecting directly to the server; they said the database should be loaded locally… What do they mean by this? Surely not to download the database to the phone?

I want to do it the right, secure way… Some people have just implemented a PHP function that they call from Unity with the WWW class, which decrypts and pulls the user data from the server, yet I still don't get what they mean by "locally".

Thanks for your time, reading, and hopefully answering my question.

Connecting to a database directly from a program controlled by a user is a terrible idea, no matter how insignificant that database is. The "people talking about security issues" might be referring to a recent incident that happened with the game Super Meat Boy. SMB connected directly to a MySQL database that stored user-created levels. While no personal information was stored on this database, the access that was given allowed people to create a big mess on it. Someone found out that by making a certain modification, it would actually crash the clients.

In your case, it would be an even bigger security issue, because you are storing usernames and passwords on this database. By “loaded locally”, they probably meant read by a trusted server (something only you and trusted users have control over). The clients would send user names and passwords (over a secure connection, preferably) and the server would then look up this information in the database to see if it is correct, and then return any information the client needs to know.

The PHP/MySQL implementation is out of the scope of Unity answers, so I won’t be helping you with that.

That's what they meant :wink: Usually the MySQL server runs on a web server. Only local connections should be allowed, so nobody from outside can connect to your database. Since the web server (with PHP) runs on the same computer (locally), it can connect to the database and do everything you want with the database.

PHP gives you another security layer in between the user and the database. If you connect directly to the database, everyone knows your MySQL password, since your Unity app needs it to access the database. So, having the password, you can change what you want on the server (of course only the tables/columns which are allowed for the MySQL account used).

PHP can do the user verification and some checks that the received data is valid, to prevent cheating.

Always keep in mind: everybody* can see how you have done your game in Unity. Nobody can see what a PHP script does, since it's located and executed exclusively on the server.

*Everybody refers to people who know about Unity and have the required skills, most likely the people on this site :wink:
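The "trusted server in the middle" that both answers describe (the client talks to PHP, and only PHP, running on the same machine, talks to MySQL) looks roughly like this. This is an added example, not code from the thread; it assumes a table `users(username, password_hash, avatar)`, a restricted MySQL account `game_app`, placeholder credentials, and that MySQL only accepts connections from `127.0.0.1`.

```php
<?php
// login.php: the trusted server layer between the Unity client and MySQL.
// Assumptions (not from the thread): table users(username, password_hash, avatar),
// MySQL bound to 127.0.0.1 only, and a DB account limited to that table.
header('Content-Type: application/json');

// Database credentials live only here on the server; the client never sees them.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=game;charset=utf8mb4',
    'game_app',                 // account with rights on the users table only
    'CHANGE_ME_DB_PASSWORD',    // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]
);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Validate the shape of the input before it goes anywhere near the database.
if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) || $password === '') {
    http_response_code(400);
    echo json_encode(['ok' => false, 'error' => 'bad request']);
    exit;
}

// Prepared statement: the user's input is bound as a parameter, never
// concatenated into the SQL string.
$stmt = $pdo->prepare('SELECT password_hash, avatar FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Only a password hash is stored (created at registration with
// password_hash($password, PASSWORD_DEFAULT)); password_verify() compares it.
// Unknown user and wrong password get the same answer, so the endpoint
// does not reveal which user names exist.
if ($row === false || !password_verify($password, $row['password_hash'])) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'invalid credentials']);
    exit;
}

// Return only what the client needs: never the hash, never other users' rows.
echo json_encode(['ok' => true, 'avatar' => (int) $row['avatar']]);
```

The Unity side simply POSTs the two form fields to this script over HTTPS (with the WWW class mentioned in the question, or UnityWebRequest) and parses the JSON reply. Because the game only ever holds the URL of `login.php`, decompiling the APK yields no database password, which is the whole point of the "locally" advice.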