Unity C# MySQL Issues

I got most of the things working but I'm a bit confused on what to do next.

I need to know how to figure out if the log in info is correct.

I followed what this guy, SixTimesNothing, did (http://forum.unity3d.com/threads/11466-Reading-database-and-or-spreadsheets) and I have no errors, but I'm not sure how to verify if the information is correct. I have this and I'm trying to figure out what to do:

    public bool ValidInformation(string User, string Pass)
    {
        doQuery("SELECT ID FROM rz_users WHERE Username = " + User + " AND Password = " + Pass);

        return false;
    }

I know in PHP I could run a mysql_num_rows($data) and have $data equal to my doQuery.
But what is C#'s version of mysql_num_rows?

I'm kind of unclear on what you want to do. Do you need the number of rows that the result returns? If so, you should probably read in all the results into a generic or something similar. Also, it looks like you are trying to see if a username exists or not, so what I would first check off is that your Username field on your rz_users table is unique. Then, you could just see if the query returns 0 results to check if the username exists. That is, a simple if statement checking if the query results are null.

Yeaaah, do you think you could help me write that query check?

Sure. I've done something similar. Just basically run the SqlDataReader or whatever you are using, and check if the query is null. Could you clarify a bit on what doQuery is? Is this a method you've written yourself? I've never seen it.

I added everything you said and it doesn't have any errors and it connects to the database just fine, but when I run the function it returns

    MySqlException: Unknown column 'User1' in 'where clause'
    MySql.Data.MySqlClient.MySqlStream.OpenPacket ()
    MySql.Data.MySqlClient.NativeDriver.ReadResult (System.UInt64& affectedRows, System.Int64& lastInsertId)
    MySql.Data.MySqlClient.MySqlDataReader.GetResultSet ()
    MySql.Data.MySqlClient.MySqlDataReader.NextResult ()

where User1 is the username entered.

1 Answer

Ok just some points:

  • It seems you want to create a login system. You never ever connect directly to a database holding user records. Every client would need your database login data, so the user can access your whole database. Nothing prevents him from doing “select * from rz_users” or “show tables”.
  • Unless you need the database for storing user-related data on his own machine’s MySQL server, you never want to connect directly to a database from a client.
  • Login systems should always be implemented server-side. So you need for example a webserver with PHP.
  • You have no input validation. Even without looking at your code (which can be easily decompiled) every user could use SQL injection to change / extend the actual query.

Just think about a user typing in this password:

    "my pass;DROP DATABASE"

Your query would become:

    "SELECT ID FROM rz_users WHERE Username = username AND Password = my pass;DROP DATABASE"

which are two queries; the second would be the end of your database as long as the DB user has the rights to do the drop. Even if drop isn’t allowed, someone could simply read out all usernames and passwords.

Yes, please, please, please follow Bunny83's tips unless you are connecting to a local, secure database. Even then you should obscure your credentials if possible.
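
Added example, not part of the thread: the login check written as a parameterized query with MySQL Connector/NET, meant for the server-side component the answer calls for rather than the game client. Printing the concatenated SQL also shows why the question's query failed with `Unknown column 'User1'`: the unquoted value is parsed as a column name. The class name and the `LOGIN_DB` environment variable are assumptions made for this example.

```csharp
using System;
using MySql.Data.MySqlClient;   // MySQL Connector/NET, the driver seen in the stack trace above

public static class LoginQueryDemo
{
    // The thread's original approach, kept only to show the SQL text it produces.
    public static string ConcatenatedSql(string user, string pass)
    {
        return "SELECT ID FROM rz_users WHERE Username = " + user + " AND Password = " + pass;
    }

    // Parameterized form: the SQL text is constant and the values travel as data.
    public static bool ValidInformation(MySqlConnection conn, string user, string pass)
    {
        const string sql =
            "SELECT ID FROM rz_users WHERE Username = @user AND Password = @pass LIMIT 1";
        using (var cmd = new MySqlCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@user", user);
            cmd.Parameters.AddWithValue("@pass", pass);
            // ExecuteScalar returns null when no row matches, which replaces
            // the mysql_num_rows() check asked about in the question.
            object id = cmd.ExecuteScalar();
            return id != null && id != DBNull.Value;
        }
    }

    public static void Main()
    {
        // Constructed inputs taken from the thread.
        Console.WriteLine(ConcatenatedSql("User1", "secret"));
        Console.WriteLine(ConcatenatedSql("username", "my pass;DROP DATABASE"));

        // LOGIN_DB is a hypothetical environment variable holding the connection
        // string; it is read on the server, never shipped inside the game client.
        string cs = Environment.GetEnvironmentVariable("LOGIN_DB");
        if (string.IsNullOrEmpty(cs)) return;   // no database configured: stop after the printout
        using (var conn = new MySqlConnection(cs))
        {
            conn.Open();
            Console.WriteLine(ValidInformation(conn, "User1", "secret"));
            Console.WriteLine(ValidInformation(conn, "username", "my pass;DROP DATABASE"));
        }
    }
}
```

With the parameterized form, the second call simply looks for a row whose Password column equals the literal string `my pass;DROP DATABASE`; nothing in the input is interpreted as SQL.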