Hello everyone!
It is currently used php / mysql and wwwform to make logging into my game and store data such as level, exp and inventory.
The game sends data via POST to a php file that decides which function to call. The result is returned in json and the game does the rest of the work.
So I have some questions:
1 - Can anyone manipulate these data by creating a form and sending the data through a web page or browser plugins?
2 - This is a correct way to do this or is there a more secure method to communicate with the database directly from the game?
I appreciate the attention and, yes, my English is very bad.
Your English seems fine to me!
You are correct, this type of system makes it relatively easy for people to cheat.
Normally an end-user won’t communicate with the database directly (and that probably wouldn’t be safe even if you could). Keep in mind that compiled C# is easy to decompile, so a dedicated cheater can probably always get around anything you try.
Depending on the structure of your game, if the server knows when to expect an update from the client, it can be helpful if the server issues a random key value which must be supplied with the next update. This just makes it harder for someone to send up falsified data, but it doesn’t actually prevent it. You could even further increase the complexity by using a the key value for simple encryption, such as SHA512 (many good, fast, simple implementations are available for free online, and it’s built into .NET), and in that case the client wouldn’t send the key with the data – but ultimately you’re still supplying the key to the client which means somebody willing to work hard could falsify data.
There are also C# obfuscators available (they make it hard to figure out what the code is doing after it is decompiled) but again these are not going to stop a dedicated cheater.
1 Like
Got it.
I just do not quite understand the logic yet.
User passwords are now stored in SHA512. And their primary key also.
Currently, when I have to send or receive any information, we send WWWform to the server with the user’s key (SHA512) and the function name to be called. As “get_life” / “set_life” for example. The server in turn returns the value in json for the game do the rest of work.
But this way, just look at the data once to be able to change them out of the game.
It would be like me send a random key to the server compare it, and if they are identical, perform the function and return the result, right?
I just do not know how to do the server know what to compare key.
That would be much easier to be done if I could use $ _sessions php.
Everything sent by the client can be modified.
The only safe method is to make your clients send only what they can do in game (like inputs).
Don’t send something like “my score is now XXX”.
Instead send : “I shot” and let the server do the rest : “He’s at this position, facing this point and shot, so the bullet path is ZZZ and the bullet killed player 2, so player 1 score is now XXX…”
Also, don’t forget to make your server check things like “Is the player really in this game ?” (depend of your game type and architecture)
It’s really easy to send a custom POST form to a webserver, so if you don’t take this seriously it will take less than 5 minutes to see players with 999999 points 
You can also see how web devs are using tokens to pre-filter invalid actions. (edit : that was in fact in MV10’s answer)
1 Like
So o’que the server sends to the game is more difficult to be modified, would it?
For example:
The game sends to the server that Player1 held X action, and then the server returns what is the current player score (already adding up the score for the submitted action).
Still, I could send numerous times to the server that the player performed the action X.
On this basis, I would have to find an effective way to validate that the user is actually in the game.
Would it be this?
And thanks for answering.
Your server needs to know your game logic.
For example, if someone sends multiple fake shots, your server will check : "Ok, his gun can shot 5 times per second, I just received 10 shots in 5 seconds so i’ll just process 5 shots.
Here in garbage pseudo code :
foreach(shots){
if(user_can_shot()){
player_shot()
}
}
user_can_shot() would just check if the time between current shot and last shot is valid.
If your game is simple, you can go on your way.
If you have a lot of rules/things to check, it’s easier to replace your web server by a unity build that would just launch the game as host. UNET helps a lot to do something like that.
I suggest you to read Valve’s paper about lag compensation, even if depending of your game you don’t need to go this way, their architecture is a good example.
To check if a player is actually in the game :
- When game start, store game_id somewhere
- When player joins, store player_id and game_id
- When player send actions, if you don’t find player_id or if player_id isn’t corresponding to game_id, ignore this action.
1 Like
Thanks for the answers, this discussion is actually being very constructive to me.
I just have the impression that a form sent by the web can always be circumvented by someone who is willing to cheat.
One might for example, observe the patterns of responses sent by the server, and modify them before they reach the game.
I’m currently using a web server (PHP / MySQL) to store things like inventory, exp, hp, stamina, hunger and thirst. The game sends requests to an input php page, which in turn calls the corresponding class, and then returns the results in JSON. I use PUN for multiplayer.
I really am new to multiplayer games, and was wondering if it really is a good idea to continue working with a web server.
I wonder how other types of games work. Perhaps an ssh connection to be more secure? When I think of ssh and make the connection within the game itself, I realize that someone could also cut the game and pick up the data connection to the ssh server.
Do any of you work with server data storage? If so, what type of server use and what safeguards have chosen?
Success to all!
Webserver is not necessarily a bad idead, if done well. It’s perfect if you don’t care about lag, like turn based games.
For security, here is what I done : Your server should be checking every user input, and send back the result.
This server then send, at the end of the game (or whenever your want), the game result/users xp/etc… to your database.
Since you know your server ip, if your web/database server is running in another machine, you just have to make sure that incoming requests are coming from your servers IPs.
Also +1 for SSH.
1 Like
Well, I’ve created a table that stores the data of each game created, such as xyz coordinates of each item in the game. When a user picks an item, the server checks whether this item actually exists in the coordinates where he picked up, and only then add to the inventory.
If the player receives damage, the server checks your hp, the type of damage and decrements the current value, then return to your new HP. At predetermined times, the server compares the HP database with the one presented in the game and, if different displays a message or the game is closed.
This would be a good way?
Given that every time you instantiate or destroy a new object in the scene, or I get an injury, realize access to the database through php, it can overload the server, even though the game running on a dedicated server?