I recently played around with communication from unity and php. So basically I sent a variable via WWW and WWWForm to my php file (test.php for example). The test.php then does a mysql query to add this value into my database.
The method is POST, so for the most the info is invisble, but still you can see what will be sent via some browserplugins for debugging. A way around this would be a md5 hashcode and store a secret in the unity webplayer that the test.php compares and validates.
My question now is:
What when someone decompiles the webplayer and now knows the secret I use. They would be able to create their own form (for example in html) and send any values they like (to cheat and get some higher levels or whatever). How can I prevent this? Is there an option to only allow values sent from the same folder (the webplayer and the php file is in the same folder on my webspace) ?
I also heard something about CSRF and that a session token (placed into a hidden tag within the html form) can be used to validate. Unfortunately I couldn’t find enough information to make use of this, or how it works, because when I think of sending this session-key to unity to make use of it as validation, then somebody else could also copy this key while it was sent and use it for their own validation? I surely misunderstood anything here, hope somebody knows a solution for this
What sort of data are you sending to your server? and how often will such data be sent to your server?
The fact that you are using PHP shouldn’t make a lot of difference. Just make sure that you are properly sanitising your SQL queries so as to avoid SQL injection attacks.
I think i did most stuff covering sql injections etc. but that’s another field.
I was asking about this: I send a value of 2 to my sql database via www form so its post method. But you can see the “2” with a debug addon for any browser. So you could also create your own html form and insert a 10 and send the value to my php file, it will tell you that its a valid number and inserts it to the database. And you just skipped 8 levels with doing this… I search a way so I can only allow values coming from the unity webplayer on the same root or folder. So you can send values from another resource to fake or cheat.
A clever minded hacker is always going to be able to cheat if using a proxy. A proxy (as you may already know) is a piece of software which sits between your server and the game. This software allows the cheater to peek at and alter values.
This is a problem which all of the major games seem to suffer from. Just take a look at the high score tables on games like Angry Birds and Call of Duty and you will see that people are always changing their scores and badges.
This may (or may not!) work:
Your game sends a request to your server saying, “I want to save a score, can I have authorisation please?”
Your server responds with two unique authorisation keys.
Encrypt your score using one of the authorisation keys.
The server can decrypt the score
The second key could be used to detect whether cheating is occurring. For example, call the second key “score” (even though it doesn’t contain your score!) and if second key is tampered with, it is clear that cheating is being attempted. With regards to the second key you could use a self-checking mechanism, i.e. where the key is validated against itself (like how barcodes are checked for integrity).
I suspect that there are some better resources on the Internet regarding cheat prevention in high score tables. The above is just a crude idea that spring to mind
Well, I know that there’s always somebody that might hack the game or if you encrypt something another one is also able to decrypt it. I’m fine with that, I just want to reduce the amount of people doing this, so normal people and some advanced ones can’t do anything, except the pros, and I’m fine with that.
But imagine I use a md5 hash to send a hashed value to my database, and some1 manages to download and decompile the webplayer, then he would get the secret key I use for hashing and can spread it through forums, and a lot of people might cheat their values, getting infinite gold, level and so on and corrupt the gameplay with that. I simply want to prevent this, so if the majority have to play normally it would be perfect. When the community grows and the game makes fun, then only a few will bother to hack it and I maybe can manage to ban them or something like that. I just want some step further than hashing from unity to php as a simple decompile makes it useless. therefor I’m asking for another solution or a additional solution to make it a little harder to hack.
I don’t get the CSRF part completly, but it seems to generate a random key and uses it for the current session so the key will change everytime you log into the game and only the key will work for you. This should make it harder for other people to hack, cuz they would need to copy&paste the key everytime they want to submit something which costs lot of time and maybe the don’t want to do it for those little changes But I don’t know how to exactly implement this key accesstoken or whatever so I can make use of it. I’m also using FB, so maybe there’s another way to use the access token from there instead? and store it to make use of it as it will be generated for each player? Good idea? if so how to create such a function to check this?
Using a unique random access token is a good idea but i think it will lose some of its value when it comes to telling the client about it, because at that point a bad guy could start hacking again and you need it in order to send some kind of checksum along with your request.
I dont know, but maybe some sanitychecks will help you out. Like is he able to make 2 levels in 1 minute? Naaah i dont think so: HAAAACKZ!
But as always, the more power you give to the client, the worse it can get.
I just use the client (webplayer) to calculate stuffs and use the values it gets… everything else will be stored within the database, so the user can not manipulate it via the webplayer… But to make the db save, too I need some kinda technique to protect it a little. Mainly the sanitychecks are a good idea, but I guess it will not really work here as I have too much different values that sometimes can not be controlled by such things (like item creating, I could only limit it to x items within hour or something like that, but still he could generate a powerful item), but it would for example work for the levels as you suggested, more than one level at once is not possible, but then he just uses several steps instead of one…
How easy is it to download the webplayer file from a webspace when you would know the whole address of it? Are those flash-rip-download-thingy-programs also work for this or does a similar programm/plugin exist? If not then it might be enough (for now) to just use md5+salt when sending values to the database as you wouldnt decompile the webplayer.
So we’re still searching a way to controll the path where the values come from? There should be some thing like the path you can add within unity when you access the php file via www form, so vice versa you should be able to tell php to only accept values coming from http:///webplayer.unity3d, but there’s no such function, right?
If you want higher security you can you an RSA encryption. It’s easy to implement but i dont think its needed. If you generate the keys randomly it would be nearly impossible to hack your game even if someone decompiles your webplayer because the private key isn’t hardcoded. The most important thing is that you change the keys frequently.
You cant allow only that folder because your game is executed at the users machine not on yours so every instance of your game that is played by a user send its information from another location.
I don’t want an encryption or obfuscation thingy… I know people can decrypt stuff when I’m able to encrypt it so I won’t waste my time with this, also this is not the right thing I was looking for. I just search a method to make sure the variable I’m sending i legit, and not sent from a user itself that manipulates it, so the webplayer has to send it and the php file must know ok this is a correct information. It would work to check if the level of the player just rised by 1, and higher values are not allowed as you can only level 1 level at a time, but there’s still the option that you simple copy&paste the command and raise your level within seconds, which would mean another routine to check for this… When I would check all values I’m sending to my php files and update the database with it, I would never release that game as it takes ages to create all needed routines to sanitize my values… you get what i try to say? hope so ^^
So I’m more in a way to create some temporary keys that proof the value comes from the webplayer. As I thought about it, the hacker must try to get the sent information from another player, or? as the key will be generated for the current player, right? So hacking would be hard and annoying cuz when he got the information he needs to paste in the key everytime he tries to do something. I could even raise the level when I create such a key with every value I’m sending to the database (but would require more bandwith as the informations increases that will be send), cuz first I need to ask for a key, then use it to update the info. Should be enough to just use it for the current session (on player load).
So how would this work? generating a key on the php file (as you can’t look at it’s rawcode) with several specific player parts like their ID, or their hero level or anything else that I’m sure of that it’s “that” player… then generating an access token for it and make it unreadable via md5 or other methods. After that I just send that token to my webplayer and he uses it everytime he updates a value and contacts an php file that communicates with my database. So when the key is correct the update will be made. Am I on the right thing, or did I missed something?
edit
the only thing that actually came into my mind was that the player who’s playing could still cheat as the token that was generated will work for him. So he could send the player specific part + values + token to the php file and it would validate it as he’s the player the token was generated from. So I need to prevent actual player from cheating.
